Logon Server not available but could ping it

Posted on 2010-03-27
Medium Priority
Last Modified: 2012-08-13
Hi, we have a mystery to solve.  A couple of our domain-joined computers are having this issue.  This issue will occur when the computer is remote and when they use Cisco VPN, and it only happens once in a blue moon.  The computer will have the following issue:
- cannot connect to the Exchange server even if it can be pinged
- going to any authorized network share will prompt for network credentials (once manually typed, it will let you access)
- try to log in any new account to the computer, it will give error: "There are currently no logon servers available to service the logon request"

The following will fix this issue:
- joining the computer to the workgroup and rejoining the computer back to the domain
- or if the computer is within the office building directly on our LAN, it will authenticate correctly

Since this happens once every couple of months to the same machine, we really need to know why this is happening.

To further troubleshoot, the following are some of the facts that might be a help:
- the DNS settings on the problematic machines are exactly the same as other machines on the network (they are also remote users)
- already tried changing the MTU size
- tried different settings for NetBIOS (tried NetBIOS over TCP/IP and Default)
- only thing that might seem related on the error log is SCECLI 1202 0x4b8

What do you think is causing this and how can we prevent this?
Question by:esi_se_park

Expert Comment

ID: 28857826
It would usually mean the VPN has not established a connection to the network before they log in and the user is using cached credentials of the local machine; that would be why you are being asked for credentials on the domain network.

Accepted Solution

sfossupport earned 1000 total points
ID: 28895587
I have a few questions.
1. Are there different users and computers involved or is it related to a single user?
2. Do you have anything in the hosts file?
3. Where is this machine getting its time? Do you have an NTP server and how is your PDC getting its time?
4. What are the OSes of your server and clients?

Since you said DNS was the same among all the machines, I am assuming it must be an issue with the machine account secure channel. This can be affected by incorrect time. See the following for resetting the secure channel



Expert Comment

ID: 28904510
Ensure that your Cisco VPN client allows proper communication with all your domain controllers and there is no firewall blocking access to them through the VPN.  Also ensure that the Cisco VPN server is configured with the DNS servers.

Also see this article for further troubleshooting SCECLI errors:  http://support.microsoft.com/kb/324383  It will show you how to enable further debugging which may assist with resolving the issue.


Author Comment

ID: 29000450
This is very interesting.  Since it can ping the Exchange server, DC, and DNS server, I think you’re right; it has to do with the time.  Time server is the DC, but something is blocking its communication partially.  The DC is Server 2003 and the client is Windows 7 Enterprise.  When I try nltest /dsgetdc:domain /timeserv, it says Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
I also cannot run the command net time \\dc /set.
Also when I type in gpupdate \force, it gives error “The processing of Group Policy failed because of lack of network connectivity to a domain controller”.  But I can ping the DC.

I’m leaning towards firewall in combination with something else.  
When I turn the firewall off, I get the same gpupdate error but the connection restores after one reboot.  I can also run the net time \\dc /set command successfully.

So what’s the requirement on the client’s firewall to make this work?  I don’t want to leave the firewall off as a solution.  And what’s the relationship between this issue and the following fact: “if the computer is rejoined to the domain, everything starts to work again”.
We have over 200 machines on the network, but this ONE computer is having this issue every couple of days.  The other two machines that had the issue were fixed after rejoining them to the domain.  But of course!  The one that I cannot permanently fix is our president’s machine….
Thank you so much.  You guys are great.
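
The checks discussed in this thread, gathered into one script as an added example (not part of the original posts): it tests the TCP ports a domain member uses on a DC, since a ping reply only proves ICMP gets through, then verifies the machine-account secure channel and the clock offset. `$Domain` and `$DC` are placeholder names; run it from an elevated prompt on the affected client.

```powershell
# Added example. $Domain and $DC are placeholders; replace with your own names.
$Domain = 'corp.example'        # placeholder AD domain
$DC     = 'dc01.corp.example'   # placeholder domain controller

# TCP services a domain member needs on a DC; a ping reply proves none of them.
$services = @(
    @{ Port = 53;  Name = 'DNS' },
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 135; Name = 'RPC endpoint mapper' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB (SYSVOL, Group Policy)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient works on PowerShell 2.0 (Windows 7), unlike Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # refused, unreachable, or name did not resolve
    } finally {
        $client.Close()
    }
}

foreach ($s in $services) {
    $state = if (Test-TcpPort -ComputerName $DC -Port $s.Port) { 'reachable' } else { 'BLOCKED' }
    '{0,-28} tcp/{1,-4} {2}' -f $s.Name, $s.Port, $state
}

# Machine-account secure channel: this is what a domain rejoin resets.
try {
    if (Test-ComputerSecureChannel -ErrorAction Stop) { 'Secure channel: OK' }
    else { 'Secure channel: BROKEN (Test-ComputerSecureChannel -Repair fixes it without a rejoin)' }
} catch {
    "Secure channel: could not be checked: $($_.Exception.Message)"
}
nltest /sc_verify:$Domain

# Clock offset against the DC (NTP, udp/123); Kerberos tolerates 5 minutes by default.
w32tm /stripchart /computer:$DC /samples:1 /dataonly
```

Comparing the output with the client firewall on and off shows which rule is missing, so the firewall does not have to stay disabled.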

Author Comment

ID: 32696086
After much trial and error, it turns out that the user belongs to too many security groups.  We had to increase his max token size: http://support.microsoft.com/kb/842019

Author Comment

ID: 32696124
Thank you everyone.

Author Comment

ID: 32700528
Of course, as soon as I am about to close this case, it happened again.  Increasing the token size fixed the network share access problem.  Outlook, on the other hand, is still not fixed.  Joining to WORKGROUP and rejoining the computer to the network connects Outlook again.  So what does that really entail?  What happens during joining the computer back to the domain that fixes Outlook from being disconnected?

Expert Comment

by:Erik Bjers
ID: 32706077
What DNS are your VPN clients getting when they connect to the VPN?

If they are using the AnyConnect client you should disable split DNS on your connection profile so that all DNS requests go to your internal servers.

On a computer that is connected to the VPN and having problems connecting to the exchange server please run:
Nslookup name.of.exchange.server

Does this return the internal IP of your Exchange server?  Does it get a response from your internal DNS or a public DNS?


Expert Comment

by:Davis McCarn
ID: 32707876
Or, an oldie; but, still goodie is that, if they are connecting wirelessly, they may need to wait a full minute at the login screen for the wireless to come ready and get connected.  Most Intel wireless software now has an option to wait for that connection; but, on most others, if they login without waiting, they never establish the connection to the server, use their local credentials, and are a mess with everything you describe.

Expert Comment

ID: 32708034
That's funny, that was my original comment :-).
But I agree that the newer drivers give you the option to select a persistent connection; I just worked on this the other day with a client. The only gotcha was when she actually took the laptop offsite and then came back. The workaround I gave her was to log on the first time with the cached credentials, log back off and then back on; once that happened everything was hunky-dory. Not perfect, but works.

Assisted Solution

kadadi_v earned 1000 total points
ID: 32711804
Please run ipconfig /flushdns

Can you reinstall that network driver software...?
And also configure a static IP address for that problem PC.
Is there any antivirus-integrated firewall installed...? If yes, then configure the trusted IP range in network settings.

Is this problem PC's operating system a fresh installation or restored from a backup image..?
But I think it's a DNS server problem. Before you rejoined this PC to the domain, did you delete the record from the DNS server management console...?


Author Comment

ID: 32712924
Thank you for your comments.  I am leaning towards trying a static IP address.  He was in the office this time, and he was having the same issues in the office.  This throws out the VPN possibility.  Nslookup to the DNS and exchange server works perfectly when he is having the issue.  I also did not delete his computer account from AD when I joined it to the workgroup and joined back in (this fixes it every time).  I don’t think it’s driver related since I tested this over Ethernet and wireless, and both did not work (we have a wifi AP for our LAN).  So while I try the static IP, please let me know if you have any other suggestions.  Thanks.

Question has a verified solution.