Domain Computers Can't Talk to Domain

Help if you can....  this is driving me nuts.  We have a handful of client computers that cannot talk to the domain at all - doesn't matter which site/IP they are on.

40 sites, all with an AD DC (GC/DNS/DHCP) - Server 2012R2 and 2008R2 DC servers (mostly 2012R2)

Client computer was on the domain working fine and now cannot see anything on the domain.  Can't ping domainname.local or any server on the domain (server1.domainname.local). Ping to IP address works just fine.
NSlookup on domain name and server names come back properly.

Unjoined the computer from the domain and I can ping all the servers etc. just fine.  Rejoin to the domain and same issue - can't talk to anything.
Tried re-joining with different names and no difference; once it's on the domain it can't talk to anything on the domain.  Can ping the server IPs no problem.

Did 'ipconfig /flushdns' - no difference
Checked our core DNS servers - looks good  (and most clients are not having issues)

Any suggestions?


IP Config on Client is as follows (modified for privacy).

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Surface3-12
   Primary Dns Suffix  . . . . . . . : mydomain.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.domain.com

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . : mydomain.domain.com
   Description . . . . . . . . . . . : Ethernet Adapter #3
   Physical Address. . . . . . . . . : 50-1A-C5-FD-A2-42
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f574:ad63:a60f:f401%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.70.197(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, September 9, 2015 2:21:00 PM
   Lease Expires . . . . . . . . . . : Thursday, September 17, 2015 2:21:00 PM
   Default Gateway . . . . . . . . . : 10.0.70.254
   DHCP Server . . . . . . . . . . . : 10.0.0.18
   DHCPv6 IAID . . . . . . . . . . . : 206576325
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-1B-D2-73-50-1A-C5-F4-9E-89
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

EYSFilmAsked:
EYSFilmAuthor Commented:
Here are the 'ping' results from the client device that is on the domain.

C:\Users\Administrator>ping mydomain.domain.com
Ping request could not find host mydomain.domain.com. Please check the name and try again.

C:\Users\Administrator>ping dc-b.mydomain.domain.com
Ping request could not find host dc-b.mydomain.domain.com. Please check the name and try again.

Oh and the local network location is showing as 'Public Network' and not 'Domain'.

This is stumping me here.
-Shawn
Will Szymkowski, Senior Solution Architect, Commented:
Make sure DNS is set properly. No firewalls blocking communication. You need to ensure that you can ping the FQDN domain.com.

If you cannot, also check your network paths.

Will.
EYSFilmAuthor Commented:
DNS is all proper, because 90% of the other computers don't have any issue.
Ran 'dcdiag /test:dns' too to make sure and it all passed.
Firewall is not blocking ports - even tried opening it right up to make sure.

No luck pinging the FQDN when it's connected to the domain - this is what doesn't make sense.

Network paths?  Please elaborate; not sure what I should be testing here.
Thanks!
Ken808 Commented:
Hi Shawn,

Do you have a VLAN setup? Or is it over a WAN link?

I think you're on the right track with the 'Public Network' and not 'Domain'. The "public network" would be locked down by a mix of firewall rules and local policies.

You could try this hot fix: https://support.microsoft.com/en-us/kb/2524478

Ken
EYSFilmAuthor Commented:
Thanks Ken!

There is a mix on VLAN and WAN/VPN connections.
The device I have on my desk is just on a separate VLAN from our core servers at our office.

I'll look at the HotFix; that's only for Win7 so not sure if it will work on the Win8 computer with issues.

Thanks.
Ken808 Commented:
Hi Shawn,

Check out this link; ignore the bit about Hyper-V, go down to the bottom and look under "Workaround".

http://nakedalm.com/windows-8-issue-local-network-is-detected-as-public/

It will walk you through changing the Windows 8 network profile settings. I had a similar problem when I was sharing out a folder on my home PCs.
EYSFilmAuthor Commented:
Looks like the HotFix is invalid now.  Won't let me install - certificate error.  :(

I don't think that changing the network location is actually the solution.  I tried manually going through RegEdit and changing the location to Domain and it didn't make a difference.
Tried the above URL too and that didn't make a difference either.  But that is handy to know.

:(  back to the drawing board.

-Shawn
Iamthecreator OM, IT Admin/EE Solution Guide, Commented:
Tests and repairs the secure channel between the local computer and its domain

https://technet.microsoft.com/en-us/library/hh849757.aspx
EYSFilmAuthor Commented:
Thanks Rahul,
Ran the test and it failed.
Ran the Repair and it failed too: 'Cannot reset the secure channel'...  'Failedtoresetpasswordondomain'

I'm thinking we are just going to have to blow away the computer and re-image it here.
Iamthecreator OM, IT Admin/EE Solution Guide, Commented:
Run this command from an elevated (Right-click > Run As Administrator) Command Prompt:

Netdom reset computer /domain:domainname /userd:domainadmin /passwordd:password

http://serverfault.com/questions/593201/fixing-the-secure-channel-windows-2012-the-trust-relationship-between-worksta
vivigatt Commented:
You might need to leave the domain from the computer AND to delete the computer entry in the domain itself.

The netdom reset command proposed by Rahul might not work in all cases.

If it does not work, try to use:

Netdom remove computer /domain:domainname /userd:domainadmin /passwordd:password

Then check that the member computer account in the domain has been actually removed (or remove it manually).

Then join the computer again.

You may also investigate the SECURITY registry hive (corresponding to the file c:\windows\system32\config\security) on the client computer and if you manage to access it, the machine account password entry in it.
EYSFilmAuthor Commented:
Thanks for the suggestions....  Unfortunately they didn't help.

Netdom reset -- fails with "no logon servers available to service the logon request".

Netdom remove -- fails with "specified domain either does not exist or could not be contacted".



I should add that this has only started happening since updating a bunch of DCs to Server 2012R2.
Also seems to only occur on laptops that are set up with DirectAccess configured.   The one on my desk that I'm testing has DA shut down (disabled IP Helper service).

-Shawn
vivigatt Commented:
Have you removed the computer(s) account(s) from the domain itself on one of the DCs after you left the domain from the computer itself?
Then join the computer again.
EYSFilmAuthor Commented:
Wow....  I think I found the solution.  DirectAccess Network Location Server - cert had expired.

We totally missed updating that certificate when it expired at the end of August.

As soon as I looked in DirectAccess the Network Location Server was failing.  Further investigation showed that the HTTPS link to it was not validating.  'Light Bulb' - our SSL cert just expired, and sure enough wasn't updated on that server.

After applying the new SSL cert and restarting the client computer everything works instantly.  I'm just waiting on a confirmation from a couple of other computers with similar issues to ensure they are working too.  But I think we are all fixed up.

Yikers.....  what a headache that has caused.

-Shawn
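The root cause above (an expired Network Location Server certificate, which makes DirectAccess clients decide they are off the corporate network and switch to the Public profile) can be checked from a client with the following script; it is an added example, not code from the thread, and the NLS URL default is a placeholder that must be replaced with the Domain Location Determination URL from your DirectAccess client GPO.

```powershell
# Added example (not from the thread): inspect what a DirectAccess client believes about
# its location and pull the NLS certificate directly so its expiry can be read even when
# normal HTTPS validation fails. Run elevated on an affected client.
param(
    # Placeholder; use the NLS URL configured in the DirectAccess client GPO.
    [string]$NlsUrl = 'https://nls.mydomain.domain.com/'
)

# 1. Client's current view. On the LAN a domain member should show NetworkCategory
#    DomainAuthenticated and no effective NRPT rules (NRPT is applied only when the
#    client thinks it is outside; nslookup bypasses NRPT, which is why it still worked).
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
$nrpt = Get-DnsClientNrptPolicy -Effective
if ($nrpt) { Write-Warning "NRPT rules are in effect: client believes it is off the corporate network" }

# 2. Fetch the NLS certificate. The validation callback returns $true so an expired or
#    untrusted certificate is still handed back for inspection (this is a read, not a trust decision).
$uri = [Uri]$NlsUrl
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
try {
    $ssl.AuthenticateAsClient($uri.Host)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 3. Report validity. Verify() runs full chain building, so it is $false when the
#    certificate is expired, revoked or issued by a CA the client does not trust.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    DaysLeft = $daysLeft
    ChainOk  = $cert.Verify()
}
if ($daysLeft -lt 0)      { Write-Error   "NLS certificate EXPIRED on $($cert.NotAfter); DA clients will fall back to Public/NRPT" }
elseif ($daysLeft -lt 30) { Write-Warning "NLS certificate expires in $daysLeft days; renew before clients lose the domain profile" }
```

Scheduling this check (or alerting on DaysLeft) on a DA client or monitoring host catches the next NLS renewal before it expires.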

vivigatt Commented:
Yep, without a proper certificate, the communication would not work.

I am sure you found it!
Good job!
EYSFilmAuthor Commented:
So strange that even on the local LAN with DA disabled it would still cause everything to fail.

But at least I think we fixed it.  Hopefully this can help someone else in the future figure things out.

Thank you everyone for your help and suggestions.  Much appreciated!

-Shawn
EYSFilmAuthor Commented:
DA SSL Server was the issue.  Instant fix.