  • Status: Solved
  • Priority: Medium
  • Security: Public

Userenv Error Event ID 1054 Cannot Reach Domain Controller

I am receiving the following error on all member machines in my domain.

"Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. "

Additionally, I am not able to ping the Domain Controller from any of these machines, although I can ping the other way.  

My setup is as follows:

Single Domain Controller: Dell PowerEdge R710, Dual Intel Quad Core, 24GB RAM
Windows Server 2008 Service Pack 2
Windows Firewall is enabled with exceptions
Trend Micro WorryFree Business Security Advanced is installed

Member Servers
Windows Server 2003 and 2008 SP2, various roles

Member Computers:
Windows XP SP3


Here is what I have attempted:
1. Removed a machine from the domain and then re-added it.  The Event IDs still existed and I was still unable to ping the DC.

2. Confirmed that the DNS settings are correct

3. I ran DCDIAG on the DC, and all tests passed, although it is complaining that I have too few addresses available in my DHCP scope

Any ideas?



0
Asked by: Sleestack90
 
msincorp Commented:
Seems like a DNS issue.

Make sure the workstation is "pointing" to the local DNS server (domain controller) in the TCP/IP settings.  Follow instructions below.  This should do it.

Windows Server 2003
Open Network Connections in Control Panel.
Right-click Local Area Connection, and then click Properties.
Click Internet Protocol (TCP/IP), and then click Properties.
Type the correct DNS address in the Preferred DNS server box.
Click OK.

Windows XP Professional
Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
Right-click Local Area Connection, and then click Properties.
Click Internet Protocol (TCP/IP), and then click Properties.
Select the Use the following DNS server addresses option button if it is not already selected.
Type the correct DNS address in the Preferred DNS server box.
Click OK.

Good luck!!!

Chris
0
 
Sleestack90 (Author) Commented:
Chris:

Thanks for the quick reply.

While on some XP machines, it is possible that "Obtain a DNS server automatically" might be checked, on all server machines and the vast majority of workstations, the correct DNS address has been assigned in the Preferred DNS server.

0
 
msincorp Commented:
Concerned about the workstation.  I'd like to see you "point" the workstation to the domain controller in the tcp/ip settings.

Also, an entry in the host file (c:\windows\system32\drivers\hosts) pointing to that same server would also make sure it was not getting conflicting information from another device on the network.

Lastly I'd turn off the firewall on the workstation (both the windows firewall and any 3rd party firewall) and see if you can successfully.  I would also try the same on the server just to eliminate that from the mix.  (make sure to re "enable" firewalls after testing).

Chris
0
 
Sleestack90 (Author) Commented:
Firewall on the server is causing the issue.  When I turned that off, I can ping the DC from a workstation.  I would rather not leave the firewall on, so what policy would be affecting this?
0
 
msincorp Commented:
ok... let me see if I understand.  

Some users DON'T have this connection problem with the server firewall on, while others do.  Once the firewall is turned off on the server all workstations can see the server.

Unless the users are being affected by a group policy, I'm more inclined to think it has something to do with the PC itself, and not the user.

The easy check is to turn the firewall back on, and then login on one of the workstations that CANNOT connect using a username that CAN connect from another workstation.  If you are successful, we look at the user (not likely) if you are not successful, we look at the PC.

I think we need to make that distinction first, and then deal with the result.  My money is on the PC, possibly a different switch, segment, or a local configuration and not on the user.

Let me know.

Chris
0
 
Sleestack90 (Author) Commented:
All users have the problem with the firewall on the Domain Controller turned on.

All users no longer have the problem when the firewall on the Domain Controller is turned off.

It has to be the firewall on the DC
0
 
msincorp Commented:
Let's try this... can you save all of your firewall rules to a file, then remove all of the rules from the firewall, create a new rule allowing all traffic in both directions and see if we can connect.

What I'd like to see is can we run the firewall, with no blocking rules, and make a connection.  If we can then we simply add the rules back one by one until we find the one that is causing the issue.  If not we need to check to see what is wrong with the firewall (not the rules).

Thanks.

Chris

0
 
Sleestack90 (Author) Commented:
Chris:

I will have to get back to you tomorrow.  In the meantime, thanks again for your help!
0
 
msincorp Commented:
no problem... if I think of anything else I'll post.
0
 
Sleestack90 (Author) Commented:
There were rules in the Windows firewall settings that could not be deleted.  In Local Computer Policy, I browsed to Computer Configuration => Administrative Templates => Network => Network Connections => Windows Firewall => Domain Profile.  The "Windows Firewall: Allow ICMP exceptions" policy was set to "Disabled".

After I set the policy to "Not Configured", the suspect rules in Windows Firewall disappeared, and I am now able to ping the DC.

Thanks for your help.
0
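
The policy state found in the resolution above can also be read from the registry without opening the policy editor. This is an added example, not part of the original thread: it assumes PowerShell 2.0 or later and the registry location written by the Windows Firewall administrative template (`HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<profile>\IcmpSettings`); the function name `Get-IcmpPolicyState` is hypothetical.

```powershell
# Added example: report whether policy is forcing the legacy
# "Windows Firewall: Allow ICMP exceptions" setting for each profile.
# Run from an elevated PowerShell prompt on the machine whose firewall is suspect.

$policyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profileNames = 'DomainProfile', 'StandardProfile'

function Get-IcmpPolicyState {
    param([string]$ProfileName)

    $key = Join-Path (Join-Path $policyRoot $ProfileName) 'IcmpSettings'

    if (-not (Test-Path $key)) {
        # No IcmpSettings key: the policy is "Not Configured" and the
        # locally defined firewall rules decide what happens to ICMP.
        $state = 'Not Configured'
        $echo  = 'decided by local rules'
    }
    else {
        $regKey  = Get-Item -Path $key
        # Every ICMP message type is stored as a DWORD: 1 = allowed, 0 = blocked.
        $allowed = @($regKey.GetValueNames() |
                     Where-Object { $regKey.GetValue($_) -eq 1 })

        # "Disabled" writes every message type as 0, which blocks ping and
        # produces firewall rules that cannot be deleted locally.
        $state = if ($allowed.Count -gt 0) { 'Enabled' } else { 'Disabled' }
        $echo  = if ($regKey.GetValue('AllowInboundEchoRequest') -eq 1) {
                     'allowed by policy'
                 } else {
                     'blocked by policy'
                 }
    }

    New-Object PSObject -Property @{
        Profile     = $ProfileName
        PolicyState = $state
        InboundEcho = $echo
    }
}

$profileNames | ForEach-Object { Get-IcmpPolicyState $_ } |
    Select-Object Profile, PolicyState, InboundEcho | Format-Table -AutoSize

# List the policy objects applied to the computer to find where the setting comes from.
gpresult /scope computer /r
```

A `Disabled` result for `DomainProfile` corresponds to the state described in the post above. Enabling the policy with only "Allow inbound echo request" selected permits ping while the firewall stays on.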
 
msincorp Commented:
Outstanding!!

Great work, and I'm glad I could help.

Take care.

Chris
0