Half of my computers on the domain cannot connect to the DC; the domain connection shows as “unauthenticated”

Windows Server 2008 R2

This morning, half of the computers on the domain are unable to access the DC. The network connection shows the domain connection as “unauthenticated”.
I have gone into AD, right-clicked on the computer and clicked Reset in hopes of resetting the connection without losing the SID. Now when the user tries to log in, she receives the error: "The trust relationship between this workstation and the primary domain failed".

On another computer I tried to remove it from and re-add it to the domain and received the error: "An Active Directory Domain Controller (AD DC) for the domain “x.x.com” could not be contacted.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "(domain).COM":

The query was for the SRV record for (domain)

The following domain controllers were identified by the query:
(domain)
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
..

Half of the computers are working; I'm afraid of messing with any server settings at this point...

On Friday we updated our SSL certificate; other than that nothing has changed... Also, I can access the server via IP address but not by name on the machines that are down... I'm not the most familiar with the DNS settings on the server.
BriPC asked:
Scott Gorcester (CTO) commented:
Check the IP address of your domain controller with the DNS service and make sure the PCs have that IP in their IPv4 property settings. Also check to make sure those PCs are getting the proper IP and DNS settings from the proper DHCP server. Also ensure that no unauthorized DHCP servers have been introduced to the network.

Definitely sounds like the PCs are not getting proper IP or DNS settings.

Scott Gorcester MCITP
0
BriPC (Author) commented:
Also just noticed this is only affecting Win 8 PCs. Not all, though; there is one that is working... could just be coincidence.
0
pjam commented:
Is the time correct on your DC?
0
Scott Gorcester (CTO) commented:
Interesting. If you go to a cmd prompt and type ipconfig /all, it will show you the IP address, DNS server address and DHCP server address; compare the output between PCs that are not working and PCs that are. They were authenticating to the domain previous to this problem, correct?

Scott Gorcester MCITP
0
BriPC (Author) commented:
@scott, the DNS server on the server points to a public DNS server. Both working and non-working machines point to the server for DNS & DHCP...

@pjam, the time on the server is within 1-2 minutes of the machines. I am at a remote location, 10 minutes different from mine, which is the correct time (matches cell phone).
0
Scott Gorcester (CTO) commented:
You are saying that the domain controller points to public DNS in the properties of the IPv4 connection on the network card? This is incorrect; AD domain controllers typically point to themselves for DNS, although there is more to it than that in complex systems.

Time sync is typically not a problem unless it's beyond five minutes.

Scott Gorcester MCITP
0
Scott Gorcester (CTO) commented:
You may want to review the event logs on the domain controllers to see if there are DNS and other error events. You can also run "dcdiag" in an elevated prompt on one of your domain controllers and check for errors or AD problems.

Scott Gorcester MCITP
0
pjam commented:
If you run ipconfig /all on a working and a nonworking workstation is there a difference?
0
BriPC (Author) commented:
@scott, yes, the DNS points elsewhere; should I try pointing it to itself and see if this helps correct the issue?

dcdiag: "There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause group policy problems."
Passed all tests except SystemLog, which failed.
0
BriPC (Author) commented:
@pjam - no, all the same, working/non-working.
0
BriPC (Author) commented:
Warning event:
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/3/2015 11:26:38 AM
Event ID:      2886
Task Category: LDAP Interface
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      SERVER.HAYSTACKSINC.COM
Description:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="32768">2886</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-03T17:26:38.040892300Z" />
    <EventRecordID>10869</EventRecordID>
    <Correlation />
    <Execution ProcessID="536" ThreadID="692" />
    <Channel>Directory Service</Channel>
    <Computer>SERVER.HAYSTACKSINC.COM</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
  </EventData>
</Event>
0
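The 2886 warning above has nothing to do with the name-resolution problem, but it is the one security item in this thread that should not be left unread: it means the DC still accepts LDAP binds that are unsigned or sent in cleartext, which is what lets a man-in-the-middle relay or read credentials. What follows is an added PowerShell example, not code from the thread or from Microsoft, to be run elevated on the DC. It does what the event text itself recommends: raise the "LDAP Interface Events" diagnostic level to 2 so each such bind is logged as event 2889 with the client address, summarise those events per client and identity, and show (commented out) the LDAPServerIntegrity value that would enforce signing once the summary has been empty for a while. The registry paths and value names are the standard NTDS ones; the only assumption is the number of days to look back.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on the DC.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Step 1: log every unsigned SASL bind / cleartext simple bind as event 2889
# ("16 LDAP Interface Events" level 2 = basic). Takes effect immediately, no reboot.
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Step 2 (after the clients have had time to bind): who is still doing it?
function Get-InsecureLdapBinds {
    param([int]$Days = 1)   # assumed default look-back window
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The 2889 message carries "Client IP address: <ip>:<port>" and
        # "Identity the client attempted to authenticate as: <name>".
        $ip = if ($e.Message -match 'Client IP address:\s*(\S+)')     { $Matches[1] } else { '?' }
        $id = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
        New-Object PSObject -Property @{ Time = $e.TimeCreated; Client = $ip; Identity = $id }
    }
}

Get-InsecureLdapBinds -Days 7 |
    Group-Object Client, Identity |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 3: only when Step 2 has returned nothing for an extended period, require signing.
# LDAPServerIntegrity: 1 = none (default), 2 = require signing.
# This WILL break any client that still appears in the Step 2 list, so it stays commented out.
# Set-ItemProperty -Path $parm -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
```

Run Step 1 first, wait at least a day (the DC's own 2887 summary event is only emitted every 24 hours), then run the summary. Printers, NAS boxes and old LDAP-integrated appliances are the usual entries; fix or replace those before touching LDAPServerIntegrity.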
BriPC (Author) commented:
2nd Warning:
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          8/3/2015 11:23:51 AM
Event ID:      2041
Task Category: Internal Processing
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      SERVER.HAYSTACKSINC.COM
Description:
Duplicate event log entries were suppressed.
 
See the previous event log entry for details. An entry is considered a duplicate if the event code and all of its insertion parameters are identical. The time period for this run of duplicates is from the time of the previous event to the time of this event.
 
Event Code:
400004c5
Number of duplicate entries:
4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="16384">2041</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-03T17:23:51.340960900Z" />
    <EventRecordID>10863</EventRecordID>
    <Correlation />
    <Execution ProcessID="536" ThreadID="776" />
    <Channel>Directory Service</Channel>
    <Computer>SERVER.HAYSTACKSINC.COM</Computer>
    <Security />
  </System>
  <EventData>
    <Data>400004c5</Data>
    <Data>4</Data>
  </EventData>
</Event>
0
Scott Gorcester (CTO) commented:
The system log test can show a fail simply because there are event errors there. I would state that domain controllers should always be pointed to an internal DNS server. I am referring to the DNS server settings on the network card. Yes, if this is a domain controller that has the DNS Server service running on it, then I would set its DNS lookup to its own IP address.

Scott Gorcester MCITP
0
pjam commented:
If SYSVOL replication is happening, as it said, this will affect Group Policy. Below is the Event Viewer for DFS Replication on a 2012 server; 2008 is probably similar. Look in there for errors, such as 5014 or 4012.
DFS Replication
0
BriPC (Author) commented:
Changed DNS; still receiving the error when trying to connect one of the bad PCs back to the domain...
It lists: "Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses
- Domain controllers registered in DNS are not connected to the network or are not running"

Should we check the DNS?
0
BriPC (Author) commented:
@pjam, only information logs. There are a couple of errors, but back in 2010...
0
Neil Russell (Technical Development Lead) commented:
OK, so obvious basic checks. Can you ping the DC by IP address?
Can you ping the DC by name?
Can you ping the DOMAIN name (ping mydomain.com)?
0
Scott Gorcester (CTO) commented:
From the domain controller, can you ping its name and the domain's name and get a response?

Scott
0
Scott Gorcester (CTO) commented:
Also, can you ping the domain controller by name and by IP from the "bad" PC? If so, can you ping the domain name from there?

Scott
0
Neil Russell (Technical Development Lead) commented:
@Scott
I asked that 10 minutes ago. Please read before posting.
0
Scott Gorcester (CTO) commented:
Also make sure that your domain controllers have the correct IP address. Also make sure they only have one IP address.

Scott
0
BriPC (Author) commented:
@neilsr & @scott
Working machine:
ping via IP = yes
ping via name = yes
ping domain name = yes

Non-working machine:
ping via IP = yes
ping via name = pinging server.domain.com shows a public IP = Request timed out
ping domain name = reply from webhost, lol...   *** See below...

Server:
can ping all successfully

*** So... we just set up our website on Wix... could those DNS settings have anything to do with the issue?
0
Neil Russell (Technical Development Lead) commented:
Is your website using the same name as your domain internally?

Whatever that answer is, your machines should ALL be responding in the same way. Are you 100% certain that both working AND non-working machines have EXACTLY the same ipconfig /all results except for their own IP?
Exactly the same DNS server(s) listed? It should ONLY ever be the domain controller(s) listed on a workstation for the DNS servers. NEVER ANYTHING ELSE.
0
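The checks Neil and Scott ask for above (which DNS servers the client really uses, whether the DC and the bare domain name resolve, and what the ping results mean) can be run in one go. The script below is an added PowerShell example for a Windows 8 client, not code from the thread. The domain name `domain.com`, the DC name `server.domain.com` and the DC address 192.168.1.10 are placeholders to replace. It flags the exact failure seen on the bad PCs, an internal name answering with a public address, because a public answer for the domain name is what makes the join wizard report that no domain controller could be contacted, and it ends with the secure-channel test that covers the "trust relationship" error from the reset computer.

```powershell
# Added example (not from the thread): client-side check for the symptoms in this thread.
# Assumed values, replace before running.
$Domain = 'domain.com'
$DcFqdn = 'server.domain.com'
$DcIp   = '192.168.1.10'

function Test-PrivateIPv4 {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ARecords {
    # Ask the configured DNS servers only (-DnsOnly skips the hosts file and cache),
    # so the answer reflects what DNS itself returns.
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress }
    } catch { @() }
}

# 1. Which DNS servers is this client actually using? Should be the DC(s) only.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       ForEach-Object { $_.ServerAddresses } |
       Sort-Object -Unique
"DNS servers in use : $($dns -join ', ')"
if ($dns -notcontains $DcIp) { "WARNING: $DcIp is not among this client's DNS servers" }

# 2. Do the DC name and the bare domain name resolve to an internal address?
foreach ($name in $DcFqdn, $Domain) {
    $addrs = Get-ARecords $name
    if (-not $addrs) { "FAIL: $name did not resolve"; continue }
    foreach ($a in $addrs) {
        $where = if (Test-PrivateIPv4 $a) { 'internal' } else { 'PUBLIC' }
        "$name -> $a ($where)"
        if ($where -eq 'PUBLIC') { "WARNING: $name resolves to a public address; DC locator will not find a DC" }
    }
}

# 3. Can the client find a DC the way the join wizard does (SRV lookup, then LDAP ping)?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue
if ($srv) {
    "SRV targets: " + (($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', ')
} else { "FAIL: no SRV record for _ldap._tcp.dc._msdcs.$Domain" }
nltest "/dsgetdc:$Domain" /force 2>&1 | Select-Object -First 6

# 4. For a machine that is already joined: is the machine account's secure channel intact?
#    This is the check behind "the trust relationship ... failed"; a repair avoids a rejoin.
if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    if (Test-ComputerSecureChannel) { 'Secure channel OK' }
    else { 'Secure channel BROKEN: run Test-ComputerSecureChannel -Repair -Credential (Get-Credential) as admin' }
}
```

Run it on one working and one non-working PC and compare: if step 1 matches on both but step 2 differs, the difference is in what the DC's DNS zone answers, not in the client configuration, and the fix belongs on the server.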
Scott Gorcester (CTO) commented:
Is your public website and the internal domain name the same? I would suspect that the most recent change has caused the issue, so yes, I would suspect that there is some confusion in the DNS on your domain controllers.

After you have verified that your DNS settings are correct on the server, you may try going to one of the bad PCs and typing ipconfig /flushdns (use an elevated cmd prompt), then try pinging the domain name again.

Scott
0
BriPC (Author) commented:
Yes, domain and website are the same.
Bad PC:
Flushed DNS.
Yes, all good/bad PCs pull the same IP address range, and DHCP/DNS servers point to the server...

Pinging the domain name yields the same reply from the webhost, as the bad PC isn't connected to the domain... unable to ping server.domain.com also.
0
Scott Gorcester (CTO) commented:
If your public domain name is the same as your internal domain name, you may have DNS records cached on PCs that point it to the external website IP instead of your internal domain controllers. This can happen if internal devices are using public DNS; public DNS will never resolve back to your internal IP addresses. If your DNS server was using a public DNS host, then it would not be able to properly operate within your internal domain. Since your dcdiag output did not indicate that your domain was having trouble, this might be isolated to those newer PCs.

Scott
0
Scott Gorcester (CTO) commented:
You could try putting the server names/IPs and the domain name and IP into a local hosts file and then see if you can ping the server and the domain. I will dig up a reference for you. This would be temporary.

Scott
0
Scott Gorcester (CTO) commented:
Here is a guide to editing the hosts file on a Windows 8 PC. This will override your current DNS info and will hopefully allow you to join the domain. Once this is complete, remove the data from the hosts file.

Scott

Your entries will be formatted like this:

192.168.x.x      domaincontrollername
192.168.x.x      domaincontrollername.domain.com
192.168.x.x      domainname
0
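The hosts-file workaround above, as an added PowerShell example (not code from the thread) that does the edit from an elevated prompt, keeps a backup, tags its own lines so they can be removed cleanly later, and checks that DNS alone works once they are gone. The DC address 192.168.1.10 and the three names are placeholders for the real values. The elevation check is there because, as the later posts show, a non-elevated editor gets "access denied" on this file.

```powershell
# Added example (not from the thread): temporary hosts-file override for a PC that
# cannot find its DC by name. Run from an elevated PowerShell prompt (Run as administrator).
# Assumed values: replace with your DC's real internal IP and names.
$DcIp  = '192.168.1.10'
$Names = 'domaincontrollername', 'domaincontrollername.domain.com', 'domain.com'
$Hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
$Tag   = '# temp-dc-override'   # marks our lines so Remove-DcHostsOverride can find them

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Open PowerShell with "Run as administrator"; the hosts file is not writable otherwise.'
    }
}

function Add-DcHostsOverride {
    Assert-Elevated
    Copy-Item $Hosts "$Hosts.bak" -Force                 # keep a copy to compare against later
    $existing = Get-Content $Hosts
    $lines = foreach ($n in $Names) {
        $line = "{0,-18} {1} {2}" -f $DcIp, $n, $Tag
        if ($existing -notcontains $line) { $line }      # idempotent: skip lines already present
    }
    if ($lines) { Add-Content -Path $Hosts -Value $lines -Encoding ASCII }
    ipconfig /flushdns | Out-Null                        # drop the cached public answers
    Get-Content $Hosts | Select-String $Tag              # show what was added
}

function Remove-DcHostsOverride {
    Assert-Elevated
    $keep = Get-Content $Hosts | Where-Object { $_ -notlike "*$Tag*" }
    Set-Content -Path $Hosts -Value $keep -Encoding ASCII
    ipconfig /flushdns | Out-Null
    # Name resolution must now work through DNS alone. A public or empty answer here
    # means the underlying DNS problem is still there, workaround or not.
    foreach ($n in $Names) {
        $a = Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        "$n -> $($a -join ', ')"
    }
}

Add-DcHostsOverride
# ... join the domain, then once DNS is fixed:
# Remove-DcHostsOverride
```

The override hides the real problem rather than fixing it, which is why the remove function re-resolves the names afterwards: until that prints internal addresses for all three, the DNS zone or the client's DNS server list still needs attention.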
Scott Gorcester (CTO) commented:
It would seem that all of your problems arise because these computers cannot locate your internal domain controllers. You may also be having problems accessing your website from computers that are working properly with your internal domain. To fix this issue you can add an A record to your AD DNS forward lookup zone that just says "www" and then has the public address of your website.

Scott
0
BriPC (Author) commented:
That is correct that no one within the domain can see the website; I will get to that issue in a minute...

**Just to clarify, the IP address is the IP address of the DC?
0
Scott Gorcester (CTO) commented:
Yes, the IP I put in the notes should point to your domain controller. BTW do you have more than one DC?

Scott
0
Scott Gorcester (CTO) commented:
@NeilSR, my apologies, Neil; I stepped out for lunch and did not get a post off right away and did not have clear access to the posts.

Scott
0
BriPC (Author) commented:
So, getting "access denied" when trying to replace the hosts file... I am logged in as a local administrator...
Don't know the password to the "built-in admin" account...

Yes, only one DC.
0
Neil Russell (Technical Development Lead) commented:
On a BAD PC, open a cmd prompt and type

NSLOOKUP

What does it say?
0
Scott Gorcester (CTO) commented:
You have to launch Notepad "as administrator" to edit the hosts file.

Scott
0
Scott Gorcester (CTO) commented:
To edit the hosts file:

WORKAROUND
To work around this issue, follow these steps:
Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.
If you are prompted for an administrator password or for a confirmation, type the password, or click Allow or Yes.
Open the Hosts file or the Lmhosts file, make the necessary changes, and then click Save on the Edit menu. If using Windows 7, you will need to click Save on the File menu.
2

BriPC (Author) commented:
@neilsr
Default server: Unknown
Address: shows the server (DC) IP address

@scott, thanks, will try that.
0
Scott Gorcester (CTO) commented:
It's also possible that you have some bad entries in your DNS.

Scott
0
BriPC (Author) commented:
Made changes to the hosts file; do I need to do lmhosts.sam too?
0
BriPC (Author) commented:
Sweet Lord, it is adding back to the domain!!!
1
Scott Gorcester (CTO) commented:
Haha, and no, you do not need to edit LMHOSTS. Also, figure that once you have all the systems properly talking to the domain, you should remove the entries you put in the hosts file and test name resolution again!

Glad to hear you are getting this under control!

Scott!
0
David Johnson, CD, MVP (Owner) commented:
Editing the hosts file is really old school and IMHO not needed.
On each machine the DNS settings should point to only the domain controller computer; this includes the DNS server itself. Set this up in your DHCP server, and on each client machine run the following:
ipconfig /release
ipconfig /renew
ipconfig /flushdns


To access your externally hosted website, create a new A record:
A www    ip.address.of.external.host
1
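The server-side changes Scott and David describe above (the DC's NIC pointing at itself for DNS, clients getting the DC as their only DNS server from DHCP, and a www A record so the externally hosted site is reachable from inside the zone that shares its name), collected into one added PowerShell script for a single Server 2008 R2 DC that also runs DNS and DHCP. This is example code, not from the thread; the NIC name, DHCP scope, zone name and both addresses are placeholders. It drives netsh and dnscmd because 2008 R2 does not ship the DnsServer or DhcpServer PowerShell modules.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on the DC.
# Assumed values, replace with your own:
$DcIp  = '192.168.1.10'            # the DC's internal address
$Nic   = 'Local Area Connection'   # the DC's NIC name (netsh interface show interface)
$Scope = '192.168.1.0'             # the DHCP scope the clients are in
$Zone  = 'domain.com'              # the AD-integrated forward lookup zone
$WebIp = '203.0.113.10'            # public address of the hosted website (documentation-range placeholder)

# 1. The DC's own NIC must use the internal DNS server (itself), never a public resolver.
#    Positional form of: set dnsservers name source address register validate
netsh interface ipv4 set dnsservers "$Nic" static $DcIp primary no
netsh interface ipv4 show dnsservers "$Nic"

# 2. Clients get their DNS server from DHCP: set scope option 006 to the DC only.
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS $DcIp
netsh dhcp server scope $Scope show optionvalue

# 3. Because the public website uses the same name as the AD domain, the internal zone is
#    authoritative for it and public DNS is never consulted. Add www for the site.
#    The bare zone name (the "(same as parent folder)" A records) must keep pointing at
#    the DC: that record is part of how DC locator works, so inside the network the site
#    is reachable only as www.<zone>, not as <zone> alone.
dnscmd /RecordAdd $Zone www A $WebIp
dnscmd /EnumRecords $Zone www

# 4. Re-register the DC's own host and SRV records and confirm the DNS-related dcdiag tests.
ipconfig /registerdns
nltest /dsregdns
dcdiag /test:DNS /DnsBasic /DnsRecordRegistration
```

After this the clients still hold old leases and cached answers, which is what David's `ipconfig /release`, `/renew`, `/flushdns` sequence clears; run those on each client, then ping the DC and the domain name by name before touching any hosts file.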
BriPC (Author) commented:
@scott, we will definitely need to go through the DNS records to ensure they are set up properly :)
Do I need to undo the changes to the hosts file since it is back online?
What do I need to do to the other computers that weren't removed from the domain but don't have access? Edit the hosts file too?
Sorry, overloaded with questions; soooo excited that it is working!!
0
BriPC (Author) commented:
@david johnson
I created the A record as suggested; the website is now viewable from inside the domain :) Thanks!
- All DNS records do point to the proper controller... editing the hosts file is the only thing that has worked all day...
0
Neil Russell (Technical Development Lead) commented:
BUT you have an underlying problem that means that your domain is unstable. You need to identify the cause of the problem, and you will not do that while you have a hosts file with static entries for your domain in it.
2
BriPC (Author) commented:
@neilsr
Agreed... how do we start troubleshooting this?
0
Scott Gorcester (CTO) commented:
Yes, you will need to edit the hosts file on all affected PCs, and yes, you will want to remove the hosts entries and let your DNS do the work. I think the problem that kicked this off may have been when you told me your server was pointed to public DNS; this would cause your server to believe the domain was not local. By correcting this you may have fixed your issue and then just needed to fix up the hosts file so your PCs could find the server. Once you have your PCs fixed up and rejoined you can run dcdiag again. If you clear and save your event logs, it will remove those old errors from dcdiag.

Scott
2
Scott Gorcester (CTO) commented:
@David, we already tried a flushdns and he was still getting the public IP returned. Adding the proper IPs to his hosts file corrected the problem.

Scott

And yes, sometimes I go oldskool.
1
BriPC (Author) commented:
Should I reset the computers in AD, then re-add them to the domain? Just editing the hosts file isn't working for the ones that say unauthenticated access.
0
Scott Gorcester (CTO) commented:
You can try a reset, but otherwise you can rejoin them to the domain.

Scott
0
BriPC (Author) commented:
OK, computers are all re-added to the domain, hosts file set back to normal. dcdiag passed all tests :)

What is next for the DNS server to make sure the entries are good in there?
0
Scott Gorcester (CTO) commented:
Sounds like you are in good shape. I typically look through the entries in the forward lookup zone to ensure that all addresses are appropriate. In other words, if you see public addresses listed for any domain resources or internal PCs, then this might be a problem. If your dcdiag completes with no errors and you do not have any problems or failure events, then you are most likely in pretty good shape.

Scott
0
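Scott's advice to look through the forward lookup zone for public addresses, as an added PowerShell example (not code from the thread) that does the review for you on the 2008 R2 DC: it enumerates every A record in the zone with dnscmd, parses the output, and flags any address outside RFC 1918 space. In an internal zone that shares its name with a public website, the only public entry that should survive is the www record added above; anything else (in particular the zone's own "(same as parent folder)" A record or a DC name) pointing at a public address is what sends clients to the web host instead of the DC. The zone name is a placeholder; the output format matched by the regex is the one dnscmd prints (an optional name, an optional "[Aging:...]" field, TTL, type, data).

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on the DC.
$Zone = 'domain.com'   # assumed; replace with the real zone name

function Test-PrivateIPv4 {
    # RFC 1918 check done with a regex so this block stands alone.
    param([string]$Ip)
    return [bool]($Ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)')
}

function Get-ZoneARecords {
    param([string]$ZoneName)
    # dnscmd prints records as e.g.
    #   @ [Aging:3604987] 600 A 192.168.1.10
    #   server 1200 A 192.168.1.10
    #    3600 A 192.168.1.11          <- same owner name as the previous line
    $current = $null
    dnscmd /EnumRecords $ZoneName '@' /Type A 2>$null | ForEach-Object {
        if ($_ -match '^(\S+)?\s+(?:\[[^\]]*\]\s+)?(\d+)\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            if ($Matches[1]) { $current = $Matches[1] }   # carry the name across continuation lines
            New-Object PSObject -Property @{
                Name    = $current
                TTL     = [int]$Matches[2]
                Address = $Matches[3]
                Private = Test-PrivateIPv4 $Matches[3]
            }
        }
    }
}

$records = Get-ZoneARecords $Zone
$records | Sort-Object Name | Format-Table Name, Address, TTL, Private -AutoSize

$suspect = $records | Where-Object { -not $_.Private -and $_.Name -ne 'www' }
if ($suspect) {
    "Review these: public addresses inside the internal zone (only www for the web host is expected)."
    $suspect | Format-Table Name, Address -AutoSize
} else {
    "No unexpected public addresses in zone $Zone."
}
```

A stale record for the zone root ("@") or for a DC name pointing at a public address can be removed with `dnscmd /RecordDelete <zone> <name> A <address>`; after that, `ipconfig /registerdns` on the DC recreates the correct ones.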
BriPC (Author) commented:
So I came in this morning and, although the affected computers did not say unauthenticated access, their Outlook was unable to connect to the server... I redid the hosts files and they were able to connect. Is there further troubleshooting on the server that can be done?
0
Scott Gorcester (CTO) commented:
I would go back to the basics: after you removed the entries from the hosts file yesterday, did you ping the domain controller and the domain by name? If the PCs are not able to consistently ping the internal systems by name, or the public website address answers, then I would suspect lingering problems in your DNS infrastructure.

Scott
0
BriPC (Author) commented:
No, after removing the hosts file entries & re-adding to the domain, I cannot ping the DC, & the domain ping goes back to the webhost...
I ran the Best Practices Analyzer and there are 5 noncompliant issues: see pic dns-err.png
0
BriPC (Author) commented:
Please verify that I am following the right path here... I followed each error to the recommended solutions... **Need help with #3.
Error #1: I set the secondary address for loopback to 127.0.0.1 for IPv4 and ::1 for IPv6.
Warning #1: fixed by the correction of error #1.
Warning #2: enabled scavenging, left 7 days as default.
Warning #3: following the specified directions at https://technet.microsoft.com/en-us/library/ff807382(WS.10).aspx, ran into this: root-int-cmd.png. Does this look correct? The website lists a default list of root hints; do you just pick one?
Warning #4 follows #3...
0
BriPC (Author) commented:
Should I remove the 1st entry? Why is it like that? server-properties.png
0
BriPC (Author) commented:
Removed 2 listed root servers that didn't respond...
0
BriPC (Author) commented:
So many posts this morning... sorry, short on time today, so I am trying to bust this situation out...
Result of the A record... you can't just type in www.domain.com; it adds an extra www. ... If you just type the domain, it goes to a 404... a-record-affect.png
0
BriPC (Author) commented:
Reran the scan on this role after the changes; still receiving error 1. Suggestions? dns-err1.png
0
David Johnson, CD, MVP (Owner) commented:
I don't use root hints; I use forwarders, since the root hint servers are unreliable at my location.

www.www.example.com will never resolve.

The fe80:* is the IPv6 address; don't remove this and don't disable IPv6.
0
BriPC (Author) commented:
I know that will never resolve... domain and website are the same, so an A record of www was created and this is the result...

The fe80:* isn't showing in IPv6 properties, only ::1; should I add that?
0
Scott Gorcester (CTO) commented:
Hello BriPC, I believe you are now in another question, and it's a best practice to award points for the solution to your original question and then open a new question.

Thank you!

Scott
0
BriPC (Author) commented:
I can do that, Scott; I just am not sure which is the answer, as the workaround was editing the hosts file. The problem still remains in the DNS on the server, correct? The A record I will move to another question; I just need to finish the DNS errors first... please let me know if I'm wrong here...
0
Scott Gorcester (CTO) commented:
Hello BriPC, sure, I can appreciate this. My feeling is you have multiple issues here in one thread.

Scott
0
BriPC (Author) commented:
The workaround got me functioning; all help is greatly appreciated. Will open a new post for DNS config.
0
Scott Gorcester (CTO) commented:
TY BriPC!

FYI, I typically do not use the loopback address in the DNS settings on the DC's NIC properties. When I create the first DC in the domain I just use its own IP address only, and when I add additional DCs I use the IP of the first DC in the primary field and the new server's own address as the secondary DNS. Once the AD is fully replicated I set the secondary DC to its own address as primary and the first DC as secondary. There is some art and science here, as I have read various strategies for this. I also typically rely on the root hints for resolution, as I have seen forwarders cause problems. If there is some trouble with external name resolution I will then add forwarders. In other words, there may be several ways to set this up that are perfectly acceptable.

Scott
2