Question : Domain controller can't authenticate local LAN user accounts when WAN link lost

Both my domain controllers aren't behaving properly...

I have two domain controllers at my facility that are a part of a multi-site, multi-domain forest... mine are named similar to this: toledo01.parentdomain.com and toledo02.parentdomain.com. Well, last week the company in charge of the management of our WAN had to do some routine maintenance and we lost our WAN link during the maintenance window (expected). But during the time our WAN link was down something really strange happened... all of a sudden local domain user accounts could no longer authenticate (unexpected). They weren't able to begin authenticating again until our WAN link came back up.

The router that manages our WAN is not in any way, shape or form doing the internal routing for our LAN and should not be involved in local domain authentication. The forwarders for our DNS server point to another DNS server on our WAN... but they shouldn't be involved in local authentication, right? Unless my DNS server isn't doing its job... hmm. I promoted one of my domain controllers to a 'Global Catalog' server... but again that shouldn't affect local authentication.

Weird things in the Directory Services event logs (they seem to be related to me promoting the server to host a Global Catalog), and these messages have been continually repeating themselves:

The Knowledge Consistency Checker (KCC) failed to update the replication topology for the local domain controller. The KCC will attempt to update the replication topology at the following scheduled interval.
User Action:  If this continues to occur, restart the local domain controller.
Additional Data
Error value:  8409 A database error has occurred.
Internal ID:  f0405c8

The Knowledge Consistency Checker (KCC) could not run successfully because the attribute on the following object did not have enough values.
Object:
CN=NTDS Settings,CN=COEX_AD1,CN=Servers,CN=ca-Coextec,CN=Sites,CN=Configuration,DC=decoma,DC=com
Attribute name:  hasMasterNCs%
An attempt to replicate this attribute will be tried again at the next scheduled replication.
User Action
If this condition continues, verify that replication is working correctly.

The local domain controller has been selected to be a global catalog. However, the domain controller does not host a read-only replica of the following directory partition.
Directory partition:
DC=polybrite,DC=decoma,DC=com
A precondition to becoming a global catalog is that a domain controller must host a read-only replica of all directory partitions in the forest. This event might have occurred because a Knowledge Consistency Checker (KCC) task has not completed or because the domain controller is unable to add a replica of the directory partition due to unavailable source domain controllers.
An attempt to add the replica will be tried again at the next KCC interval.  

Answer : Domain controller can't authenticate local LAN user accounts when WAN link lost

I think the reason it isn't working is that you need to set up and configure Sites and their associated subnets AND figure out why the communication with the main FSMO role holders isn't occurring properly.

You must allow domain communication through your firewall(s).  
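The two checks the answer points at, site/subnet coverage for the local LAN and reachability of the FSMO role holders, as an added PowerShell diagnostic that is not part of the original post. It assumes a domain-joined host with the ActiveDirectory RSAT module and Windows 8/2012 or later (for Test-NetConnection); it only reads and reports, changing nothing in AD.

```powershell
# Added example (not from the original thread): report whether this host's
# subnet is mapped to an AD site and whether the FSMO role holders are
# reachable on the Kerberos and LDAP ports. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

function ConvertTo-UInt32 ([string]$ip) {
    # Dotted-quad IPv4 -> unsigned 32-bit integer for prefix comparison
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

# 1. Which site does the DC locator put this host in? "(null)" or a remote
#    site means the client's subnet is not mapped, so clients may pick a DC
#    across the WAN and fail when that link is down.
$clientSite = nltest /dsgetsite 2>$null | Select-Object -First 1
Write-Host "DC locator site for this host: $clientSite"

# 2. Is this host's IPv4 address covered by any AD subnet object at all?
$myIp = (Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
         Select-Object -First 1).IPAddress
$covered = Get-ADReplicationSubnet -Filter * | Where-Object {
    $net, $bits = $_.Name -split '/'
    if ($net -match '^\d+\.\d+\.\d+\.\d+$') {      # skip IPv6 subnet objects
        $mask = [uint32](4294967295 - ([math]::Pow(2, 32 - [int]$bits) - 1))
        ((ConvertTo-UInt32 $myIp) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
    } else { $false }
}
if ($covered) { Write-Host "$myIp is in subnet $($covered.Name) -> site $($covered.Site)" }
else          { Write-Warning "$myIp is not covered by any AD subnet object" }

# 3. FSMO role holders and whether Kerberos (88) and LDAP (389) reach them.
$dom = Get-ADDomain; $forest = Get-ADForest
$roles = [ordered]@{
    PDCEmulator = $dom.PDCEmulator; RIDMaster = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $ok = (88, 389 | ForEach-Object {
        (Test-NetConnection -ComputerName $r.Value -Port $_ -WarningAction SilentlyContinue).TcpTestSucceeded
    }) -notcontains $false
    Write-Host ("{0,-22} {1,-40} reachable: {2}" -f $r.Key, $r.Value, $ok)
}

# 4. Local DCs, their site membership and GC status for comparison.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IPv4Address | Format-Table -AutoSize
```

Run it from a LAN client while the WAN is up; a missing subnet mapping or an unreachable role holder shows up before the next outage does.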
