Problems with Active Directory and DNS

Posted on 2008-11-05
Last Modified: 2010-03-17
Every day I have this same issue on different computers. When the users log in, a home directory is mapped. 70% of the time everything works right. The rest either make the home drive but are denied access, or it doesn't even apply the login script.

In the event logs, I get these errors.

Event ID: 1054; Event Source: Userenv;


Microsoft Product: Windows Operating System Version: 5.2 Event Source: Userenv Event ID: 1054
Windows cannot obtain the domain controller name for your computer network. (%1). Group Policy processing aborted.


Event ID: 15; Event Source: AutoEnrollment;


Microsoft Product: Windows Operating System Version: 5.2 Event Source: autoenrollment Event ID: 15
Automatic certificate enrollment for %1 failed to contact the active directory (%2). %3 Enrollment will not be performed.


Event ID: 5719; Event Source: NETLOGON;


Microsoft Product: Windows Operating System Version: 5.0 Event Source: NetLogon Event ID: 5719
This computer was not able to set up a secure session with a domain controller in domain %1 due to the following: %2 This may lead to authentication problems. Make sure that this computer is connected ...



I have about 150 computers, with 2 servers. 80 computers are on a WLAN, the rest are wired. I get these errors on both the wireless and wired.

The problem is fixed if they just log off and log back on again.


This is starting to become a major problem, as half the staff store their .pst file on their home drive, and when they cannot access the drive, they create another damn .pst file, which is compounding the problem.

I have tried applying a GPO to wait for the network. I have tried disabling media sense, and also tried the numerous KB articles. All lead me back to the same problem.
Question by:Con366

22 Comments
LVL 59

Accepted Solution

by:
Darius Ghassem earned 1000 total points
ID: 22889838
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 22890703
Darius: If there was a problem with the secure channel, a log off/log on -> problem solved would not be possible.

> "Windows cannot obtain the domain controller name for your computer network"...

If the clients don't have a working DNS to "guide" them through the resources in the domain, they can't get hold of the resources. They can log on if cached credentials are used, but their home directory will not be mapped.

1. How many domain controllers do you have?
2. Are all DC running DNS (AD integrated?) and are all clients using these as their DNS?
3. On a host that fails: can the host resolve the name of, e.g., your file server?
4. On a host that fails: cmd -> set | find "logonserver". Is this a DC?


SG

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22890735
Even a logon and log off would fix the issue. I just had this same issue less than a month ago. There was still one PC that wouldn't take the netdom reset right, so I renamed the actual computer name and had no issues after that.
0

Author Comment

by:Con366
ID: 22890813
Yeah, I tried the first solution, but it's a no go.


To answer the second question

1. 1 DC
2. YES
3. Yes
4. It shows the correct DC server
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 22893072
0
 

Author Comment

by:Con366
ID: 22894567
I'll try this one here in about an hour.

I managed to get one machine corrected by reinstalling the network card drivers. The machines have SP3 on them, so hopefully the reg entries are still the same.

I also tried reinstalling the wireless drivers on another machine. I'll see today if that corrects it.
0
 

Author Comment

by:Con366
ID: 22898627
Managed to get the error to stop after reinstalling the NIC, moving the machine to a WG, deleting the account in AD, resetting the SID, then rejoining it to the domain.


But the wireless is still giving a problem.
0
 
LVL 2

Assisted Solution

by:Compuzed
Compuzed earned 1000 total points
ID: 22898654
Have you tried physically making an entry in the LMHOSTS file?
Follow this link:

http://support.microsoft.com/kb/150800

Specifically, this part:

Domain Browsing with LMHOSTS
Without WINS, you need special LMHOSTS entries that designate who all the domain controllers are. This is done in the following convention:
199.199.199.1  ComputerName   #PRE  #DOM:DomainName
                              
When a computer is booted, it reads these entries and stores them permanently in the NetBIOS name cache until the computer is powered down. (Because of this, it is best that these entries are last in the LMHOSTS file, for subsequent LMHOSTS parsing efficiency.) All computers in the domain need one of these entries for each domain controller (in the local domain), as well as one for the PDC. Also note the exact order of #PRE #DOM, and that they are capitalized. The other names are not case sensitive.


-********************
I had this problem at a number of sites for no reason, and hard-coding the DC info always worked. It may not be recommended, but whatever... it worked for me.
0
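An added example (not from the thread or the KB article) that parses an LMHOSTS file and checks each domain-controller entry against the convention the KB excerpt describes: a valid address, #PRE before #DOM, and both keywords capitalized, with names and domain treated as case-insensitive. The file contents are constructed for the example.

```python
import ipaddress

# Constructed LMHOSTS contents for this example (not a real site's file).
SAMPLE_LMHOSTS = """\
# Lines starting with '#' are comments unless they carry an LMHOSTS keyword.
192.168.10.5   DC01   #PRE  #DOM:CORP
192.168.10.9   FS01   #PRE
192.168.10.6   dc02   #DOM:corp  #PRE
10.0.0.300     DC03   #PRE  #DOM:CORP
192.168.10.7   DC04   #pre  #dom:CORP
"""

def parse_lmhosts(text):
    """One dict per entry: ip, name, preloaded, domain, problems (empty list = well formed)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment-only line
        fields = line.split()
        ip, name, keywords = fields[0], (fields[1] if len(fields) > 1 else ""), fields[2:]
        problems = []
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append("invalid IPv4 address")
        if not name:
            problems.append("missing NetBIOS name")
        # KB 150800: a DC entry reads '#PRE #DOM:Domain', keywords capitalized, in that order.
        upper = [k.upper() for k in keywords]
        pre_idx = next((i for i, k in enumerate(upper) if k == "#PRE"), None)
        dom_idx = next((i for i, k in enumerate(upper) if k.startswith("#DOM:")), None)
        domain = keywords[dom_idx].split(":", 1)[1].upper() if dom_idx is not None else None
        if dom_idx is not None and pre_idx is None:
            problems.append("#DOM without #PRE: entry will not be preloaded")
        if pre_idx is not None and dom_idx is not None and dom_idx < pre_idx:
            problems.append("#DOM before #PRE: keyword order must be #PRE #DOM")
        for k in keywords:  # lowercase keywords are silently treated as comments by Windows
            bad_pre = k.upper() == "#PRE" and k != "#PRE"
            bad_dom = k.upper().startswith("#DOM:") and not k.startswith("#DOM:")
            if bad_pre or bad_dom:
                problems.append(f"keyword {k} must be capitalized")
        entries.append({"ip": ip, "name": name.upper(), "preloaded": pre_idx is not None,
                        "domain": domain, "problems": problems})
    return entries

def domain_controllers(entries):
    """Names of well-formed, preloaded DC entries, grouped by domain."""
    dcs = {}
    for e in entries:
        if e["domain"] and not e["problems"]:
            dcs.setdefault(e["domain"], []).append(e["name"])
    return dcs
```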
 

Author Comment

by:Con366
ID: 22899510
I assume the 199.199.199.1 should be the computer's IP? How does this affect it if the computer uses DHCP?


199.199.199.1  ComputerName   #PRE  #DOM:DomainName


199.199.199.1 = the computer's IP; ComputerName = computer name; DomainName = domain name
0
 
LVL 2

Expert Comment

by:Compuzed
ID: 22899716
That is correct. It does not affect DHCP in terms of obtaining an IP; it just makes the DC easier to find.

c:\windows\system32\drivers\etc

199.199.199.1      Computername      #PRE      #DOM:domain_name

For this simple entry, you can just add it at the end of the file, after all the #'s in the sample file, which are just comments. They recommend that you empty the file out, but I never do.

DHCP entries in the scope still take effect if you are using DHCP from the server, or if from the router, then DNS just goes through. No changes at all happen other than this lets the PC resolve the DC address quicker. If this works, there is definitely a problem with your DNS. You could try adding the DNS server to the IP properties of the NIC as well. Both *should* accomplish the same thing.

Let me know if I can help further.
0
 

Author Comment

by:Con366
ID: 22899737
Okay, I will try it.

Also, I wanted to note: I have fixed a lot of the wired computers' problems. What's remaining is the wireless computers.
0
 
LVL 2

Expert Comment

by:Compuzed
ID: 22899789
Should be the same thing, providing you are obtaining the same subnet from DHCP.
0
 

Author Comment

by:Con366
ID: 22899962
What I don't understand is: after logging in the second time, everything works. If DNS was the problem, why would it not affect all the machines?
0
 
LVL 2

Expert Comment

by:Compuzed
ID: 22900454
Hmmmmm. Not sure.
0
 

Author Comment

by:Con366
ID: 22952281
The solution to the problem was a rogue DHCP server. Once I located this and took it off the network, the errors stopped.


Thank you everyone for the help
0
 
LVL 2

Expert Comment

by:Compuzed
ID: 22952549
Yup, that will do it. Did somebody try to use a router as a switch without disabling the DHCP server function? I had somebody do that here once and it took me 3 days to find it, because apparently nobody did anything to the network...... :)
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22952606
That would cause the problem. I'm surprised there weren't other errors.
0
 

Author Comment

by:Con366
ID: 22952789
Yep, they put in a D-Link router and forgot to turn off DHCP.

Took me a little while, but after sniffing the network I was able to get the MAC address, which linked it to the D-Link. From there I started going office to office. Got lucky on the 3rd office. Once that damn thing was gone, it was like night and day.


Oh, and Darius, there were other errors. But mainly the one I overlooked was the TCP/IP error. I assumed it was just a dack sent from my DHCP server saying that the IP was taken. Once I looked at the error closer, I found it was trying to give a weird DNS address.
0
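To make the rogue-DHCP diagnosis above repeatable, here is an added example (not from the thread) that decodes the option block of a captured DHCPOFFER and flags offers that come from a server other than the authorized one, or that hand out DNS servers other than the AD-integrated DNS on the DC, which is the "weird DNS address" symptom Con366 spotted. The authorized addresses, the source MAC and both captured offers are constructed for the example.

```python
import ipaddress

# Constructed for this example: the site's authorized DHCP server and the DNS
# servers clients should receive (the DC running AD-integrated DNS).
AUTHORIZED_DHCP_SERVERS = {"192.168.10.5"}
EXPECTED_DNS_SERVERS = {"192.168.10.5"}

def _opt(code, payload):
    """Encode one DHCP option as code, length, payload."""
    return bytes([code, len(payload)]) + payload

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

# Two constructed option blocks (the bytes that follow the DHCP magic cookie):
# a legitimate offer, and one from a consumer router left with DHCP enabled.
LEGIT_OFFER = _opt(53, b"\x02") + _opt(54, _ip("192.168.10.5")) + _opt(6, _ip("192.168.10.5")) + b"\xff"
ROGUE_OFFER = (_opt(53, b"\x02") + _opt(54, _ip("192.168.0.1"))
               + _opt(6, _ip("192.168.0.1") + _ip("8.8.8.8")) + b"\xff")

def parse_options(data):
    """Decode RFC 2132 TLV options into {code: payload}; 0 is padding, 255 ends the list."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        length = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_offer(options_bytes, src_mac=None):
    """Return findings for one DHCPOFFER; an empty list means nothing looked rogue."""
    opts = parse_options(options_bytes)
    if opts.get(53) != b"\x02":  # option 53 message type 2 = DHCPOFFER
        return ["not a DHCPOFFER"]
    who = f" (frame source MAC {src_mac})" if src_mac else ""
    findings = []
    server = str(ipaddress.IPv4Address(opts.get(54, b"\x00\x00\x00\x00")))  # server identifier
    if server not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"offer from unauthorized DHCP server {server}{who}")
    dns_raw = opts.get(6, b"")  # option 6: list of DNS servers, 4 bytes each
    for j in range(0, len(dns_raw) - 3, 4):
        dns = str(ipaddress.IPv4Address(dns_raw[j:j + 4]))
        if dns not in EXPECTED_DNS_SERVERS:
            findings.append(f"offer hands out non-AD DNS server {dns}{who}")
    return findings
```

The source MAC is taken from the Ethernet frame of the capture, which is what ties a finding to a physical device as in the thread.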
 

Author Comment

by:Con366
ID: 22952815
Also, after all this I still have 4 computers that are giving me the 1054 and 15 errors.

I have reset the SID, taken it off the domain, deleted the account and rejoined it. But the error still comes up.

In the event log I can see a TCP/IP error where it couldn't get an IP. But it has an IP that is registered in DNS correctly.


Any ideas?
0
 

Author Comment

by:Con366
ID: 22952823
Also with this: each of these are clones. But I figured resetting the SID would have taken care of this.
0
 
LVL 2

Expert Comment

by:Compuzed
ID: 22952863
Not sure about the SID..... Used to use Ghost Walker to deal with this under NT4, but not since..... Weird DNS is also how I found my router/switch issue as well.....

0
 

Author Comment

by:Con366
ID: 22954042
Never mind. Fixed another stupid problem. Seems my previous installed Vista network drivers instead of the XP ones. The disk looks exactly the same, so I will give him a little credit.

Both would connect. But the Vista ones would not connect at startup.


Anyway, I split the points between you two. Thanks for the help.
0
