When DC is unavailable

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

It is a good practice to logon to workstations with domain accounts and to avoid local accounts. Most companies make the decision from a managability perspective. There are also significant security advantages to using domain logons. An issue you have to face is what behavior you want when a domain controller can not be contacted. Windows 2000 Professional makes a decision for you. By default, Windows 2000 suppresses error messages and logs on the user with cached credentials when the domain controller can not be contacted. A common situation when a laptop user is traveling but it happens occasionally to workstations on the LAN due to temporary networking issues.

Many users would not even be aware there was a problem. But there are issues. The PC brings up the users' desktop and enables the user to work on the PC but the logon scripts were not run, the home directory on the server is probably not available, and group policies were not applied. This is the default behavior and it may be what you want done. For it to work:

I prefer informing and training. I would not suppress the error message but train users concerning its meaning and implication. Your choice.

A higher security choice would be to display the error message and block logons to the workstation with cached credentials. Not workable in some environments. A variation on the theme is to display the message and have your users logon to the workstation using a local workstation account. I like this option least. You have to maintain duplicate accounts, domain and local, and the local account is rarely used and to be workable has a password that does not change. Not good. But again it depends on your organizations operational and security needs. I do not recommend this option.

To find out whether you were logged on to the domain:

  • Type set at a commandline.
  • Check the LOGONSERVER environmental entry.
If it is set to the name of your computer, you were logged on using cached domain credentials. If you were validated by a DC, the LOGONSERVER value would be set to the name of a DC. You can use the echo command:

echo USERNAME %logonserver%

to get a quick look at the logonserver.

If you have rights to view the event log, check the System log. If you were logged on using cached credentials, you see the following event:

Event ID 5719

No Windows NT or Windows 2000 domain controller is available for domain domain_name the following error occurred: There are currently no logon servers available to service the logon request.

See Also

Featured Links