Unable to logon to domain when using 2012R2 DNS servers

We are running a distributed  AD domain across several sites, on Windows 2008R2, DFL and FFL are both 2012R2.

All of our DNS Zones are AD integrated and DNS servers are the Domain Controllers

We have recently added some 2012R2 virtual DCs to the environment.

Whenever a notebook is configured to use the 2012R2 servers, logging on to the domain is impossible.  The "There are no logon servers available" message appears.

If we use locally cached credentials, then connectivity to the domain is restored, switching domain users on the notebook is successful even for non-cached accounts.

The issue only seems to affect notebooks, and not desktops.

Reverting to 2008R2 DNS servers restores domain connectivity.

Does anyone have any insight as to where the issue may lie?

We want to upgrade all of our DCs to 2012R2 but this is obviously slowing us down.

Thanks,

Hugo
HugoJJ71Asked:

JustInCaseCommented:
DELL manual for - No logon servers available
0
HugoJJ71Author Commented:
DNS server is fine, netlogon service as well.  The DC is Authenticating users and serving DNS without issue.
0
Will SzymkowskiSenior Solution ArchitectCommented:
We are running a distributed  AD domain across several sites, on Windows 2008R2, DFL and FFL are both 2012R2.
I am assuming that this is a typo as you cannot have a 2012R2 DFL and FFL when you are using 2008R2 domain controllers. 2008R2 DFL/FFL is the highest you can do when you have 2008R2 DCs.

What about your replication?
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCdiag /v

Are the notebooks using wireless when they are encountering this issue?

Will.
0

HugoJJ71Author Commented:
You are right about the typo, the FFL and DFL is indeed 2008R2.

Replication is green across the board, DCdiag is good as well.  The notebooks are not using wireless when experiencing the issue.
0
Will SzymkowskiSenior Solution ArchitectCommented:
Are the laptops using DHCP to get their IP address? If they are, are they using a different scope? Do you have any firewalls in place? Do you have any specific GPOs that are specifically for the laptops?

Will.
0
HugoJJ71Author Commented:
Thanks for the answers Will.

Yes, the notebooks are DHCP, and so are the desktops. We have several scopes but no distinction between notebooks and desktops.

GPOs are also not h/w platform specific.

I have been running tests with a notebook and noticed that when pointing to the 2012R2 DNS servers, the notebook acts differently.

For example, if I keep a continuous ping going to that notebook and reboot it:

When the notebook is using 2008R2 DNS servers: ping times out for about 10 seconds while the notebook reboots.
When the notebook is using the new 2012R2 DNS servers: ping times out as soon as the reboot (or even logoff) command is issued and does not resume until logon is complete using cached credentials.
0
Will SzymkowskiSenior Solution ArchitectCommented:
I would check your network adapter drivers on the laptop. You may also want to check the network as well where the 2012R2 servers are.

It is obvious that if you cannot ping the DNS servers when you logout of the laptop you are not going to be able to log back in, unless using cached credentials. Have you tried to power cycle the 2012R2 DNS servers?

Also how are the 2012 DNS servers configured? Do the servers point to themselves first and then another DNS server as secondary?

How are the clients setup? Are they pointing to the 2012R2 DNS servers first?

Will.
0
HugoJJ71Author Commented:
The 2008R2 and 2012R2 servers are on the same network.

The NIC drivers are something to look at but I am unsure how the DNS server would influence the driver's root functionality.

On the clients, as long as the 1st DNS server in the list is one of the new 2012R2 servers, the issue occurs.
0
Will SzymkowskiSenior Solution ArchitectCommented:
On the clients, as long as the 1st DNS server in the list is one of the new 2012R2 servers, the issue occurs.
This behavior only affects the laptops? Are they all the same make/model? Are they laptop imaged? Based on this only relating to specific hardware, it makes me think that something is configured on the laptop which is dropping the connection.

When the laptop cannot ping the IP of the DNS 2012 server after logging out, can the laptop be pinged? Or is the network completely gone at this point?

Are there any entries in the host file on the machines?

Will.
0
HugoJJ71Author Commented:
Your logic and mine are headed in the same direction, however, I believe I may have a clue as to what is going on and it may be related to pre-installed VPN software and trusted network check.
0
JustInCaseCommented:
Is there anything special with this laptop network? If pings are not coming through, that seems like a routing problem. Are the new servers in the same IP range in a similar location?

Remove one laptop from domain and try to ping DC with server 2012 R2 on it.
0
HugoJJ71Author Commented:
Ends up the VPN software was the culprit.  The always-on config uses DNS servers to evaluate whether the current network is trusted or not, and the list had not been updated with the new DNS IPs, so it was blocking IP connectivity before logon and failing open post-logon after not being able to reach the external VPN address.
Thanks Predrag and Will for the help.
0
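A client-side check for the root cause Hugo found above, written here as an added example (it is not from the thread and not any VPN vendor's tooling): it compares the DNS servers the notebook is actually using with the list a DNS-based trusted-network check relies on, then confirms each configured server can still answer the DC locator query. The trusted DNS list, domain name and IP addresses are placeholders to be replaced with the values from the VPN client's always-on configuration.

```powershell
# Added diagnostic, not from the thread. $TrustedDnsServers and $DomainName are
# placeholders: fill them from the VPN client's trusted-network configuration.
$TrustedDnsServers = @('192.0.2.10', '192.0.2.11')   # placeholder (RFC 5737 range)
$DomainName        = 'corp.example'                  # placeholder domain

# 1. DNS servers configured on every IPv4 interface that has any
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

# 2. A configured server missing from the trusted list is what made the
#    VPN client classify the network as untrusted in this thread.
$untrusted = $clientDns | Where-Object { $TrustedDnsServers -notcontains $_ }
if ($untrusted) {
    Write-Warning ("DNS servers not in VPN trusted list: {0}" -f ($untrusted -join ', '))
} else {
    Write-Host "All configured DNS servers are in the trusted list."
}

# 3. The first server in the list decided the outcome here, so query the
#    DC locator SRV record against each configured server individually.
foreach ($server in $clientDns) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $server -ErrorAction Stop
        $dcs = ($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
        Write-Host "$server answers DC locator query: $dcs"
    } catch {
        Write-Warning "$server did not answer the DC locator query: $($_.Exception.Message)"
    }
}

# 4. Ask the Netlogon client which DC it would pick right now.
nltest /dsgetdc:$DomainName
```

Run it on an affected notebook with the 2012R2 server first in the DNS list; a server that answers the SRV query but is absent from the trusted list points at the VPN client's trusted-network configuration rather than at DNS or Netlogon.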
HugoJJ71Author Commented:
Internal misconfiguration of the VPN client was the ultimate reason for the issue.
0