Logon Server not available but could ping it

Hi, we have a mystery to solve.  A couple of our domain-joined computers are having this issue.  This issue will occur when the computer is remote and when they use Cisco VPN, and it only happens once in a blue moon.  The computer will have the following issue:
- cannot connect to the exchange server even if it can be pinged
- going to any authorized network share will prompt for network credentials (once manually typed, it will let you access)
- try to log in any new account to the computer, it will give the error: "There are currently no logon servers available to service the logon request"

The following will fix this issue:
- joining the computer to the workgroup and rejoining the computer back to the domain
- or if the computer is within the office building directly on our LAN, it will authenticate correctly

Since this happens once every couple of months to the same machine, we really need to know why this is happening.

To further troubleshoot, the following are some of the facts that might be of help:
- the DNS settings on the problematic machines are exactly the same as other machines on the network (they are also remote users)
- already tried changing the MTU size
- tried different settings for NetBIOS (tried NetBIOS over TCP/IP and Default)
- the only thing that might seem related in the error log is SCECLI 1202 0x4b8

What do you think is causing this and how can we prevent this?

It would usually mean the VPN has not established a connection to the network before they log in and the user is using cached credentials of the local machine; that would be why you are being asked for credentials on the domain network.
I have a few questions.
1. Are there different users and computers involved or is it related to a single user?
2. Do you have anything in the hosts file?
3. Where is this machine getting its time? Do you have an NTP server and how is your PDC getting its time?
4. What are the OSes of your server and clients?

Since you said DNS was the same among all the machines, I am assuming it must be an issue with the machine account secure channel. This can be affected by incorrect time. See the following for resetting the secure channel
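
Added example, not part of the original answer: one way to check the three things this answer points at (DC locator, machine account secure channel, clock offset) from the affected client, and to reset the secure channel in place instead of rejoining the domain. The function name `Test-DomainTrustHealth` and the English-output string matches are assumptions of this sketch.

```powershell
# Added example. Run in an elevated PowerShell session on the affected client.
function Test-DomainTrustHealth {
    param([switch]$Repair)

    $domain = (Get-WmiObject Win32_ComputerSystem).Domain

    # 1. DC locator: can the client find a domain controller at all?
    #    (Assumes English nltest output.)
    $locator   = (nltest /dsgetdc:$domain 2>&1) -join "`n"
    $locatorOk = $locator -match 'completed successfully'

    # 2. Secure channel: does a DC still accept the machine account password?
    try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $channelOk = $false }

    # 3. Clock offset against the domain; Kerberos tolerates 5 minutes by default.
    $skew = $null
    if ($locatorOk) {
        $last = w32tm /stripchart /computer:$domain /samples:1 /dataonly |
                Select-Object -Last 1
        if ($last -match '([+-]\d+\.\d+)s') { $skew = [double]$Matches[1] }
    }

    # 4. Optional in-place reset of the machine account password
    #    (needs an account allowed to reset the computer object).
    if ($Repair -and -not $channelOk) {
        $channelOk = Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
    }

    New-Object PSObject -Property @{
        Domain          = $domain
        DcLocatorOk     = $locatorOk
        SecureChannelOk = $channelOk
        ClockSkewSec    = $skew
        SkewWithinKerb  = ($skew -ne $null -and [math]::Abs($skew) -lt 300)
    }
}

Test-DomainTrustHealth            # diagnose only
# Test-DomainTrustHealth -Repair  # diagnose, then reset the channel if broken
```

If `SecureChannelOk` is false while DNS and ping work, the symptoms match a stale machine account password, which is also what a workgroup/rejoin cycle resets.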



Ensure that your Cisco VPN client allows proper communication with all your domain controllers and there is no firewall blocking access to them through the VPN.  Also ensure that the Cisco VPN server is configured with the DNS servers.

Also see this article for further troubleshooting SCECLI errors:  http://support.microsoft.com/kb/324383  It will show you how to enable further debugging which may assist with resolving the issue.

esi_se_park (Author) Commented:
This is very interesting.  Since it can ping the exchange server, DC, and DNS server, I think you’re right; it has to do with the time.  Time server is the DC, but something is blocking its communication partially.  The DC is Server 2003 and the client is Windows 7 Enterprise.  When I try nltest /dsgetdc:domain /timeserv, it says Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
I also cannot run the command net time \\dc /set.
Also when I type in gpupdate /force, it gives the error “The processing of Group Policy failed because of lack of network connectivity to a domain controller”.  But I can ping the DC.

I’m leaning towards firewall in combination with something else.  
When I turn the firewall off, I get the same gpupdate error but the connection restores after one reboot.  I can also run the net time \\dc /set command successfully.

So what’s the requirement on the client’s firewall to make this work?  I don’t want to leave the firewall off as a solution.  And what’s the relationship between this issue and the following fact: “if the computer is rejoined to the domain, everything starts to work again”.
We have over 200 machines on the network, but this ONE computer is having this issue every couple of days.  The other two machines that had the issue were fixed after rejoining them to the domain.  But of course!  The one that I cannot permanently fix is our president’s machine….
Thank you so much.  You guys are great.
esi_se_park (Author) Commented:
After much trial and error, it turns out that the user belongs to too many security groups.  We had to increase his max token size: http://support.microsoft.com/kb/842019
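
Added example, not part of the original comment: a way to check whether a user's group membership is near the Kerberos token limit before raising `MaxTokenSize`. It uses Microsoft's published estimate TokenSize = 1200 + 40d + 8s; the function name and the account `jdoe` are hypothetical, and the 12000-byte fallback assumes a Windows 7 / Server 2008 R2 or earlier machine with no registry override.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # tokenGroups holds the SIDs of all security groups, nested ones included.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $homeDomain = $user.SID.AccountDomainSid

    # d: SIDs that cost 40 bytes (domain local groups, universal groups from
    #    other domains, sIDHistory entries). s: SIDs that cost 8 bytes
    #    (global groups, universal groups in the user's own domain).
    $d = if ($user.sIDHistory) { @($user.sIDHistory).Count } else { 0 }
    $s = 0
    foreach ($sid in $user.tokenGroups) {
        try   { $scope = (Get-ADGroup -Identity $sid -ErrorAction Stop).GroupScope }
        catch { $scope = 'Unresolved' }   # e.g. group lives in another domain
        $inHome = ($sid.AccountDomainSid -eq $homeDomain)
        if ($scope -eq 'Global' -or ($scope -eq 'Universal' -and $inHome)) { $s++ }
        else { $d++ }                     # counted at the larger 40-byte cost
    }
    $estimate = 1200 + (40 * $d) + (8 * $s)

    # Limit configured on THIS machine; check the client and the servers
    # it talks to, since each enforces its own value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $max = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MaxTokenSize
    if (-not $max) { $max = 12000 }       # assumed default, see lead-in

    New-Object PSObject -Property @{
        User           = $SamAccountName
        Sids40Byte     = $d
        Sids8Byte      = $s
        EstimatedBytes = $estimate
        MaxTokenSize   = $max
        OverLimit      = ($estimate -gt $max)
    }
}

# 'jdoe' is a placeholder account name.
Get-EstimatedTokenSize -SamAccountName 'jdoe'
```

An estimate close to or above the limit supports the token-size diagnosis; a small estimate means the logon failures have another cause.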
esi_se_park (Author) Commented:
Thank you everyone.
esi_se_park (Author) Commented:
Of course, as soon as I am about to close this case, it happened again.  Increasing the token size fixed the network share access problem.  Outlook on the other hand is still not fixed.  Joining to WORKGROUP and rejoining the computer to the network connects Outlook again.  So what does that really entail?  What happens during joining the computer back to the domain that fixes Outlook from being disconnected?
Erik Bjers (Principal Systems Administrator) Commented:
What DNS are your VPN clients getting when they connect to the VPN?

If they are using the Anyconnect client you should disable split DNS on your connection profile so that all DNS requests go to your internal servers.

On a computer that is connected to the VPN and having problems connecting to the exchange server please run:
Nslookup name.of.exchange.server

Does this return the internal IP of your exchange server?  Does it get a response from your internal DNS or a public DNS?

Davis McCarn (Owner) Commented:
Or, an oldie; but, still goodie is that, if they are connecting wirelessly, they may need to wait a full minute at the login screen for the wireless to come ready and get connected.  Most Intel wireless software now has an option to wait for that connection; but, on most others, if they login without waiting, they never establish the connection to the server, use their local credentials, and are a mess with everything you describe.
That's funny, that was my original comment :-).
But I agree that the newer drivers give you the option to select a persistent connection; I just worked on this the other day with a client. The only gotcha was when she actually took the laptop offsite and then came back. The workaround I gave her was to log on the first time with the cached credentials, log back off and then back on; once that happened everything was hunky-dory. Not perfect, but works.
kadadi_v (IT Admin) Commented:
Please run ipconfig /flushdns

Can you reinstall that network driver software?
And also configure a static IP address for that problem PC.
Is there any antivirus-integrated firewall installed? If yes, then configure the trusted IP range in network settings.

Is this problem PC's operating system a fresh installation or restored from an image backup?
But I think it's a DNS server problem. Before you rejoined this PC to the domain, did you delete the record from the DNS server management console?

esi_se_park (Author) Commented:
Thank you for your comments.  I am leaning towards trying a static IP address.  He was in the office this time, and he was having the same issues in the office.  This throws out the VPN possibility.  Nslookup to the DNS and exchange server works perfectly when he is having the issue.  I also did not delete his computer account from AD when I joined it to the workgroup and joined back in (this fixes it every time).  I don’t think it’s driver related since I tested this over Ethernet and wireless, and both did not work (we have a wifi AP for our LAN).  So while I try the static IP, please let me know if you have any other suggestions.  Thanks.