EYSFilm
asked on
Domain Computers Can't Talk to Domain
Help if you can.... this is driving me nuts. We have a handful of client computers that cannot talk to the domain at all - doesn't matter what site/IP they are on.
40 sites all with AD DC (GC/DNS/DHCP) - server 2012R2 and 2008R2 DC servers (mostly 2012r2)
Client computer was on the domain working fine and now cannot see anything on the domain. Can't ping domainname.local or any server on the domain (server1.domainname.local). Ping to the IP address works just fine.
NSlookup on domain name and server names come back properly.
Unjoined computer from the domain and I can ping all the servers etc. just fine. Rejoin to domain and same issue - can't talk to anything.
Tried re-joining with different names and no difference, once it's on domain it can't talk to anything on domain. Can ping the server IP's no problem.
Did 'ipconfig /flushdns' - no difference
Checked our core DNS servers - looks good (and most clients are not having issues)
Any suggestions?
IP Config on Client is as follows (modified for privacy).
C:\Users\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Surface3-12
Primary Dns Suffix . . . . . . . : mydomain.domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.domain.com
Ethernet adapter Ethernet 3:
Connection-specific DNS Suffix . : mydomain.domain.com
Description . . . . . . . . . . . : Ethernet Adapter #3
Physical Address. . . . . . . . . : 50-1A-C5-FD-A2-42
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f574:ad63:a60f:f401%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.70.197(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, September 9, 2015 2:21:00 PM
Lease Expires . . . . . . . . . . : Thursday, September 17, 2015 2:21:00 PM
Default Gateway . . . . . . . . . : 10.0.70.254
DHCP Server . . . . . . . . . . . : 10.0.0.18
DHCPv6 IAID . . . . . . . . . . . : 206576325
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-1B-D2-73-50-1A-C5-F4-9E-89
DNS Servers . . . . . . . . . . . : 10.0.0.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Make sure DNS is set properly. No firewalls blocking communication. You need to ensure that you can ping the FQDN domain.com.
If you cannot, also check your network paths.
Will.
ASKER
DNS is all proper, because 90% of the other computers don't have any issue.
Ran 'dcdiag /test:dns' too to make sure and it all passed.
Firewall is not blocking ports - even tried opening it right up to make sure.
No luck pinging the FQDN when it's connected to the domain - this is what doesn't make sense.
Network paths? Please elaborate, not sure what I should be testing here.
Thanks!
Hi Shawn,
Do you have a VLAN setup? Or is it over a WAN link?
I think you're on the right track with the 'Public Network' and not 'Domain'. The "public network" would be locked down by a mix of firewall rules and local policies.
You could try this hot fix: https://support.microsoft.com/en-us/kb/2524478
Ken
ASKER
Thanks Ken!
There is a mix of VLAN and WAN/VPN connections.
The device I have on my desk is just on a separate VLAN from our core servers at our office.
I'll look at the HotFix, but that's only for Win7 so not sure if it will work on the Win8 computer with issues.
Thanks.
Hi Shawn,
Check out this link. Ignore the bit about Hyper-V, go down to the bottom and look under "Workaround".
http://nakedalm.com/windows-8-issue-local-network-is-detected-as-public/
It will walk you through changing the Windows 8 network profile settings. I had a similar problem when I was sharing out a folder on my home PCs.
ASKER
Looks like the HotFix is invalid now. Won't let me install - certificate error. :(
I don't think that changing the network location is actually the solution. I tried manually going through RegEdit and changing the location to Domain and it didn't make a difference.
Tried the above URL too and that didn't make a difference either. But that is handy to know.
:( back to the drawing board.
-Shawn
Test-ComputerSecureChannel tests and repairs the secure channel between the local computer and its domain:
https://technet.microsoft.com/en-us/library/hh849757.aspx
ASKER
Thanks Rahul,
Ran the test and it failed.
Ran the Repair and it failed too: 'Cannot reset the secure channel'... 'Failed to reset password on domain'
I'm thinking we are just going to have to blow away the computer and re-image it here.
Run this command from an elevated (Right-click > Run As Administrator) Command Prompt:
Netdom reset computer /domain:domainname /userd:domainadmin /passwordd:password
http://serverfault.com/questions/593201/fixing-the-secure-channel-windows-2012-the-trust-relationship-between-worksta
You might need to leave the domain from the computer AND to delete the computer entry in the domain itself.
The netdom reset command proposed by Rahul might not work in all cases.
If it does not work, try to use:
Netdom remove computer /domain:domainname /userd:domainadmin /passwordd:password
Then check that the member computer account in the domain has actually been removed (or remove it manually).
Then join the computer again.
You may also investigate the SECURITY registry hive (corresponding to the file c:\windows\system32\config\security) on the client computer and, if you manage to access it, the machine account password entry in it.
ASKER
Thanks for the suggestions.... Unfortunately they didn't help.
Netdom reset -- fails with 'no logon servers available to service the logon request'.
Netdom remove -- fails with 'specified domain either does not exist or could not be contacted'.
I should add that this has only started happening since updating a bunch of DCs to Server 2012R2.
Also seems to only occur on laptops that are set up with DirectAccess configured. The one on my desk that I'm testing has DA shut down (disabled IP Helper service).
-Shawn
Have you removed the computer account(s) from the domain itself on one of the DCs after you left the domain from the computer itself?
Then join the computer again.
ASKER CERTIFIED SOLUTION
Yep, without a proper certificate, the communication would not work.
I am sure you found it!
Good job!
ASKER
So strange that even on the local LAN with DA disabled it would still cause everything to fail.
But at least I think we fixed it. Hopefully this can help someone else in the future figure things out.
Thank you everyone for your help and suggestions. Much appreciated!
-Shawn
ASKER
DA SSL Server was the issue. Instant fix.
ASKER
C:\Users\Administrator>ping mydomain.domain.com
Ping request could not find host mydomain.domain.com. Please check the name and try again.
C:\Users\Administrator>ping dc-b.mydomain.domain.com
Ping request could not find host dc-b.mydomain.domain.com. Please check the name and try again.
Oh and the local network location is showing as 'Public Network' and not 'Domain'.
This is stumping me here.
-Shawn
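The thread's symptom pattern (nslookup answers, ping cannot find the host, profile stuck on Public, secure channel broken, DirectAccess client in the mix) can be checked in one pass from the client. The script below is an added example written for this page, not something any poster ran; the domain and DC names are placeholders taken from the asker's redacted output, and all cmdlets are the standard DnsClient, NetConnection and NetworkConnectivityStatus ones shipped with Windows 8 / Server 2012 and later.

```powershell
# Added diagnostic example (not from the thread). Replace the two placeholders with your own names.
$Domain = 'mydomain.domain.com'      # placeholder domain name, as in the asker's ipconfig output
$Dc     = "dc-b.$Domain"             # placeholder DC name, as in the asker's ping output

# 1. Resolve through the DNS Client service, the path ping uses. This path applies the
#    suffix list, the cache and any Name Resolution Policy Table (NRPT) rules.
foreach ($name in $Domain, $Dc) {
    try {
        $a = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop
        "[client] $name -> $($a.IPAddress -join ', ')"
    } catch {
        "[client] $name -> FAILED: $($_.Exception.Message)"
    }
}

# 2. Send the same query directly to each configured DNS server, the way nslookup does.
#    A direct query bypasses NRPT, so it can succeed while step 1 fails.
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique
foreach ($srv in $servers) {
    try {
        $a = Resolve-DnsName -Name $Dc -Type A -Server $srv -DnsOnly -ErrorAction Stop
        "[direct] $Dc @ $srv -> $($a.IPAddress -join ', ')"
    } catch {
        "[direct] $Dc @ $srv -> FAILED: $($_.Exception.Message)"
    }
}

# 3. If [client] fails while [direct] succeeds, an NRPT rule is steering the domain suffix
#    somewhere else. DirectAccess installs such rules pointing at its own DNS server address.
Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled

# 4. Network profile: Public instead of DomainAuthenticated means Network Location Awareness
#    could not reach a domain controller for this machine's domain.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# 5. DirectAccess client plumbing. The asker disabled IP Helper (iphlpsvc) to turn DA off;
#    Get-DAConnectionStatus exists only on DirectAccess-capable client SKUs, hence the guard.
Get-Service iphlpsvc | Select-Object Name, Status
if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
    Get-DAConnectionStatus | Select-Object Status, Substatus
}

# 6. Secure channel to the domain (the Test-ComputerSecureChannel check linked above).
#    Only meaningful once step 1 resolves the DC by name.
"Secure channel OK: $(Test-ComputerSecureChannel -ErrorAction SilentlyContinue)"
```

Run it from an elevated PowerShell on the affected client; a failure in step 1 paired with success in step 2 and a populated NRPT table in step 3 points at the DirectAccess name-resolution path rather than at the DNS servers themselves.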