Remote Site Unable to Resolve Names - GP Replication not working either

Hey all.

I have a remote site (single forest) where users are unable to resolve names of shares in the main office.
Going through the Event log, I found Event ID 4 and 1058. For Event ID 4 I followed the MS KB without luck. So I am not sure which event ID I should be fixing first. My sense is to get the Kerberos issue going first. Thoughts?

Thanks, and feel free to ask for any information that you might need.
Will Szymkowski, Senior Solution Architect, commented:
Looks to me like there is some sort of DNS/AD replication issue at your site. Can you ping the DNS/DC servers from the remote site to main site via "Name"?

If you cannot you need to correct this first. Check the DNS settings on the client and ensure that they are correct. Does this remote Site have its own Site in AD Sites and Services?

Check your DCs that hold the FSMO roles and run the following commands...

repadmin /replsum
dcdiag /Test:DNS

Also check the event logs on the DCs to ensure that all events are clean.
Let's start from scratch here:

I'm going to assume you're dealing with 2 networks (questions below):

-Main office/site
-A remote site

The users from the remote site cannot get to resources at the main site. Let's narrow this down a bit. First we need to troubleshoot connectivity and DNS name resolution:

1)  Does the remote site have a DNS server for all the clients at the remote site or does it rely on a DNS server that is at the main site?
2)  Can you ping the DNS server by IP address?
3)  What are the results of an NSLOOKUP to the server hosting the resources you're trying to access?
4)  Can you ping the server hosting the resources via IP address?  If no, can you ping any endpoints from the remote site to the main site?
5)  If you can ping the server, can you access the shares via IP address instead of name?
6)  Does the remote site have its own domain controller at the remote site or does it depend on DC(s) at the main site?
Sandeshdubey, Senior Server Engineer, commented:
Please provide us more information about the environment: how many DCs do you have in the environment?
Does the remote site have DCs too?

I would recommend checking the health of the DCs first; the error you posted is related to a broken secure channel. If there is no DC in the remote site you can try rejoining the machine to the domain.

If there is a DC then try opening the UNC path to access the SYSVOL share, e.g. \\Dcname. If you are getting "target principal name incorrect" or "access denied" then the secure channel is broken.

Refer to the link below if the secure channel of the DC is broken:

Ensure correct DNS settings on clients and DCs as this:

Please post the dcdiag /q and repadmin /replsum output too.
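The connectivity, DNS and secure-channel checks suggested in the two replies above, collected into one script as an added example (not code from the thread). It is meant to be run from an elevated PowerShell on a domain-joined workstation at the remote site on Windows 8.1/Server 2012 R2 or later (the DnsClient and NetTCPIP modules are assumed); the domain, DC and file server names are placeholders to replace with your own.

```powershell
# Added example: remote-site client diagnostics for the DNS / secure channel symptoms above.
param(
    [string]$Domain     = "corp.example.local",        # placeholder
    [string]$DcName     = "DC01.corp.example.local",   # placeholder
    [string]$FileServer = "FS01.corp.example.local"    # placeholder: server hosting the shares
)

$results = [ordered]@{}

# 1) Which DNS servers is this client actually configured with? (Should be internal DCs/DNS.)
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses } |
       Select-Object -ExpandProperty ServerAddresses -Unique
$results["DNS servers configured"] = ($dns -join ", ")

# 2) Does the DC name resolve, and is the resulting IP reachable? (Ping by IP, not by name.)
$dcIp = (Resolve-DnsName -Name $DcName -Type A -ErrorAction SilentlyContinue).IPAddress |
        Select-Object -First 1
$results["DC resolves to"]    = $dcIp
$results["DC pingable by IP"] = if ($dcIp) { Test-Connection -ComputerName $dcIp -Count 2 -Quiet } else { $false }

# 3) Are the SRV records the DC locator needs present, and does LDAP answer?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$results["DC SRV records found"] = [bool]$srv
$results["LDAP 389 to DC open"]  = (Test-NetConnection -ComputerName $DcName -Port 389 `
                                      -WarningAction SilentlyContinue).TcpTestSucceeded

# 4/5) Does the file server resolve, and is SMB (445) reachable by IP?
$fsIp = (Resolve-DnsName -Name $FileServer -Type A -ErrorAction SilentlyContinue).IPAddress |
        Select-Object -First 1
$results["File server resolves to"] = $fsIp
$results["SMB 445 to file server open"] = if ($fsIp) {
    (Test-NetConnection -ComputerName $fsIp -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
} else { $false }

# 6) Which DC did the locator pick, and is this machine's secure channel to it intact?
#    A broken secure channel is what produces the Kerberos/Netlogon errors discussed above.
$results["DC located via locator"] = (nltest /dsgetdc:$Domain 2>&1 | Select-String "DC:") -join ""
$results["Secure channel OK"]      = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

$results.GetEnumerator() | Format-Table -AutoSize
```

If "Secure channel OK" is False while the DC is reachable, `Test-ComputerSecureChannel -Repair -Credential (Get-Credential)` on the client resets it; if the SRV records or DC ping fail, the problem is DNS or connectivity and should be fixed before touching Kerberos.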
IDMA (Author) commented:
Thank you all for the input. I ended up reaching out to MS support since the number of errors was too high and time is $$$...
Anyway, it was determined that 2 of the DCs went into a tombstone state and the best solution from MS was to demote and re-promote each DC again.

I am actually working on this today and will post the outcome later.
Sandeshdubey, Senior Server Engineer, commented:
If the server is tombstoned you need to forcefully demote the DC, followed by metadata cleanup, and then promote the server back as a DC.

You cannot demote the faulty DC gracefully; you need to do a forceful removal. You need to run dcpromo /forceremoval and then run metadata cleanup on another (healthy) DC to remove the instance of the faulty DC from the AD database and DNS. If the faulty DC is the FSMO role holder server then you need to seize the FSMO roles on another DC.

Once done you can promote the server back as an ADC. Also configure the authoritative time server role on the PDC role holder server.

Reference links
Forceful removal of DC:
Metadata cleanup:
Seize FSMO role:
Authoritative time server:
Configuring the time service on the PDC Emulator FSMO role holder
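The recovery sequence laid out above (forced demotion, metadata cleanup, FSMO seizure, authoritative time source), as an added example script that is not from the thread or from Microsoft's documentation. It assumes the ActiveDirectory and DnsServer modules on a healthy Server 2008 R2 or later DC; DC02, DC01, the domain, the site name and the NTP peers are placeholders.

```powershell
# Added example: run steps 2-5 in an elevated PowerShell on the HEALTHY DC (DC01).
$FaultyDc  = "DC02"                                 # placeholder: tombstoned DC being removed
$HealthyDc = "DC01"                                 # placeholder: surviving DC taking over
$Domain    = "corp.example.local"                   # placeholder
$SiteName  = "RemoteSite"                           # placeholder: AD site the faulty DC lives in
$NtpPeers  = "0.pool.ntp.org,1.pool.ntp.org"        # placeholder: external time source

# 1) On the FAULTY DC itself (not here): a tombstoned DC cannot be demoted gracefully.
#    Run on DC02:   dcpromo /forceremoval

# 2) Metadata cleanup: remove the stale NTDS settings / server object for DC02.
#    ntdsutil asks for confirmation; the DN must match DC02's position in the Sites container.
$domainDn = ($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ','
$serverDn = "CN=$FaultyDc,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$domainDn"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

#    Then purge DNS records that still point clients at the dead DC (A record and its SRV records).
$faultyFqdn = "$FaultyDc.$Domain"
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object { $_.HostName -ieq $FaultyDc } |
    Remove-DnsServerResourceRecord -ZoneName $Domain -Force
Get-DnsServerResourceRecord -ZoneName "_msdcs.$Domain" -RRType SRV |
    Where-Object { $_.RecordData.DomainName -like "$faultyFqdn*" } |
    Remove-DnsServerResourceRecord -ZoneName "_msdcs.$Domain" -Force

# 3) Seize any FSMO roles DC02 held. -Force performs a seizure instead of a transfer,
#    which is what is needed when the current holder is gone.
Import-Module ActiveDirectory
Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDc -Force `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 4) Make the PDC Emulator an authoritative time source synced from outside the domain,
#    so Kerberos clock skew does not re-create the authentication errors later.
w32tm /config /manualpeerlist:"$NtpPeers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync

# 5) Confirm replication and directory health before re-promoting DC02 as an additional DC.
repadmin /replsum
dcdiag /q
netdom query fsmo
```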

IDMA (Author) commented:
Had to reach out to Microsoft Support
Windows Server 2008
