Domain controllers are not accessible

Error message whenever I try to get into a shared folder on a remote computer:
\\domain controller is not accessible, you might not have permissions....
Logon failure: the user has not been granted the requested log type at this computer.

This all started when I was making some group policy changes like disabling SSL 2.0 and SSL 3.0 and enabling TLS 1.0, 1.1 and 1.2.
Also made changes to the local policy "Allow log on locally". Since then I have not been able to access both domain controllers via Remote Desktop and via shared folders \\mydomain-name....
I looked at the logs and it seems that I have a DNS problem or GPO problem that I can't figure out.
Both event IDs are: 1058 and 14550. Also both DCs will not replicate.
Asked by: lcipollone

lcipollone (Author) Commented:
I have tried that and the settings are correct. I also "not configured" them and am still having the same problem. Can it be a DNS problem?
 
Maclean (System Engineer) Commented:
Navigate to the following location on your security GPO

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies
1. Under this, click on User Rights Assignment.
2. Double-click Access this computer from the network and check that the policy is either disabled or, if set, that appropriate users are granted access.

By default on domain controllers this should be

Default on domain controllers:
Administrators
Authenticated Users
Enterprise Domain Controllers
Everyone
Pre-Windows 2000 Compatible Access

In addition, check Deny Logon Locally and see if you listed any users or groups there. Again, it is best to leave this on the default settings unless you are 100% sure that it will not create repercussions.
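
The user-rights check described in this answer can be scripted. The following PowerShell is an added example, not part of the original answer: it parses a secedit user-rights export and compares "Access this computer from the network" with the defaults listed above, then reports any deny entries. The sample export and the function name Get-UserRight are constructed for illustration.

```powershell
# Added example (not from the thread). On a DC, from an elevated prompt, get real input with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $lines = Get-Content C:\Temp\rights.inf
# Constructed sample standing in for that export:
$lines = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyNetworkLogonRight = *S-1-5-11
SeDenyInteractiveLogonRight =
'@ -split "`r?`n"

# Defaults for "Access this computer from the network" on domain controllers,
# as listed in the answer above, keyed by well-known SID.
$expectedNetwork = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-9'      = 'Enterprise Domain Controllers'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-554' = 'Pre-Windows 2000 Compatible Access'
}

function Get-UserRight {
    # Hypothetical helper: turns "SeXxx = *SID,*SID" lines into a hashtable of arrays.
    param([string[]]$Lines)
    $rights = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $rights
}

$rights  = Get-UserRight -Lines $lines
$granted = @($rights['SeNetworkLogonRight'])

# Report default principals that no longer hold the network logon right.
foreach ($sid in $expectedNetwork.Keys) {
    if ($granted -notcontains $sid) {
        "MISSING from 'Access this computer from the network': $($expectedNetwork[$sid]) ($sid)"
    }
}
# Any deny entry overrides the matching allow right, so list them all.
foreach ($deny in 'SeDenyNetworkLogonRight', 'SeDenyInteractiveLogonRight') {
    foreach ($sid in $rights[$deny]) { "DENY entry in ${deny}: $sid" }
}
```

With the constructed sample, the script reports four missing default principals and one deny entry for S-1-5-11 (Authenticated Users). On a real export, entries may appear as account names rather than SIDs, and those will not match the SID table.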
 
Maclean (System Engineer) Commented:
Try doing a ping to the server name; if it translates, DNS is less likely to be an issue.
Though you could log onto your DNS server and check its global logs for warnings and errors.
You possibly have Event ID 4013 (can't replicate) if the DCs cannot talk.

Also see if temporarily disabling the local FW might alleviate the issue. (Probably not the problem, but no harm ruling it out)

Try on Domain Controller A to reach the policies folder of Domain Controller B by browsing to

\\DomaincontrollerBname\sysvol\domain\policies to confirm this is accessible, and check on Domain Controller B whether you can reach \\DomaincontrollerAname\sysvol\domain\policies

There should be data in it; the folder should not be empty.

If they are empty, open up a command prompt and browse to C:\Windows\Sysvol\sysvol and, when there, type in dir

Check what the junction point is set to and report that back here.

You might want to do a dcdiag and output it to text on the domain controller for added info.
I generally run from a cmd prompt dcdiag /e /c /v >%userprofile%\desktop\dcdiag.log to output it to my desktop.

You can change your domain name or server names if you wish in the log file, and upload it here for review.
 
lcipollone (Author) Commented:
I removed DNS on dc1 and dc2. Still can't access either DC. Can it be a registry setting I'm overlooking?
 
Maclean (System Engineer) Commented:
Which service is providing DNS now? I would not recommend removing DNS from a DC, there was no issue prior to the GPO changes with DNS as I understood, and DNS is required for routing internal domain requests.

Is DNS pointing straight to the router on the NIC IPv4 settings now?
I would suggest to revert this unless you had a viable good reason to remove DNS.

I would suggest you restore the DC's to a backup from prior to the changes made if available, or give Microsoft a call to obtain their support in restoring access and services to the domain controllers, as I would presume that removing the DNS only worsened the issues, and it would be good to prevent escalating the issue further.
 
lcipollone (Author) Commented:
I reverted all DNS back to normal but am still having the same problem. I can ping both DCs and DNS resolves just fine throughout the network. The only problem is I still can't access my DCs by simply doing \\dc . I've been working on this for 2 days and I'm about to just dcpromo ad on both.
 
Maclean (System Engineer) Commented:
OK, that sounds better. Are you able to answer the below, please:

1] Are the domain controllers already promoted to DCs? (You mentioned dcpromo, so I am uncertain now.)
2] Does the DNS global log show any errors in addition to the two mentioned above?
3] Are you unable to browse to the DC name from the DC itself? (So on the DC, browse to \\servername.)
4] When you get denied access browsing to \\servername, what is the event ID listed in the event viewer which shows the error or warning, likely in the security log?
5] Are you able to back up your new policies, then revert your changes to test if connectivity is restored?
6] Did you run a DCDIAG to get a log of the DC health?
 
lcipollone (Author) Commented:
I decided to re-install DNS server and that worked again. Thanks...
 
Maclean (System Engineer) Commented:
lol, sometimes the solution is easier than the analysis. Thanks for letting me know and good luck!
 
lcipollone (Author) Commented:
Thanks!
Question has a verified solution.