Domain computers will not connect to domain controllers

Domain computers (Windows 7 Professional) cannot add a domain user under Manage Accounts locally. Windows 2012 R2 server. It appears since we moved from Windows 2008 server to 2012 R2 server, our domain computers do not recognize they are in the domain. I am not able to add the users locally on the Windows 7 clients. I can see the servers, the desktops are recognized in AD Users and Computers - they can log in, etc. but there is a lot of hesitation connecting to the app server. We are only talking 3 or 4 desktops with gig connections, so this should not be an issue. When I go to add the domain user to the client, only the local workstation shows up - not the domain. I was having this issue with an application server, but I made that a DC and now the clients are experiencing the same issue. We have been having a lot of lagging and slowness issues so I decided to take a look at everyone's workstations. They are all doing the same thing - only showing up as their local computer and not seeing the domain when I tried to change Location to the domain. The desktops are listed in DNS, DHCP, etc. I have tried unjoining and rejoining the network, giving the computer a different name - nothing is working. I am also being denied when I try to stop or start a service - logging in locally and as a domain user on the local workstations. How do I fix this?
manch03Asked:
arnoldCommented:
Double-check your assumption that the computers can see the domain.

Use systeminfo |more on the workstation to see whether it times out and uses cached credentials to login.

Run dcdiag on the DC/s to confirm health of the AD.

Double-check that what is advertised is right.

Run
nslookup -q=SRV _ldap._tcp.dc._msdcs.youraddomain
Check the DCs to determine which has the master role.

Have any DCs been restored from backup?
0
manch03Author Commented:
No DCs restored from backup. I had an outside vendor come in and install the new Server 2012 R2. Things have not been the same, but it's been over a year and he is not available. Here is the dcdiag - things are definitely out of whack. How do I fix this? I removed the domain name and the server name and left the S.... The workstations can find the domain with the nslookup and vice versa. This is the log from the main domain controller (the new one that was installed). All of the DCs have the same errors.

Doing primary tests

   Testing server: Default-First-Site-Name\S
      Starting test: Advertising
         ......................... S passed test Advertising
      Starting test: FrsEvent
         ......................... S passed test FrsEvent
      Starting test: DFSREvent
         ......................... S passed test DFSREvent
      Starting test: SysVolCheck
         ......................... S passed test SysVolCheck
      Starting test: KccEvent
         ......................... S passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... S passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... S passed test MachineAccount
      Starting test: NCSecDesc
         ......................... S passed test NCSecDesc
      Starting test: NetLogons
         [S} User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... S failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... S passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,S] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Replication access was denied."
         ......................... S failed test Replications
      Starting test: RidManager
         ......................... S passed test RidManager
      Starting test: Services
            Could not open NTDS Service on S, error 0x5
            "Access is denied."
         ......................... S failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 04/15/2018   14:09:11
            Event String:
            Name resolution for the name client.teamviewer.com timed out after none of the configured DNS servers responded.
         ......................... S passed test SystemLog
      Starting test: VerifyReferences
         ......................... S passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on :
      Starting test: CheckSDRefDom
         .........................  passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... passed test CrossRefValidation

   Running enterprise tests on :
      Starting test: LocatorCheck
         ......................... passed test LocatorCheck
      Starting test: Intersite
         .........................  passed test Intersite
0
arnoldCommented:
The prior DC was 2003? It seems that not all necessary components were installed.
On this DC, run net share: are netlogon and sysvol shared?

On 2012, you need to install the FRS components to facilitate the replication.

Check the other DC to make sure it is not the cause for the replication issue, journal related, D2/D4 burflags issue.


Do you have HQ branch type setup?

Check ipconfig /all looking for name servers, making sure you do not have 127.0.0.1 ....
Recently seen issues: use the LAN side IP for the DC itself.....
0
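As an added example (not code from the thread or from either participant), the DC-side checks arnold lists above gathered into one PowerShell script for the Server 2012 R2 DC: are the NETLOGON and SYSVOL shares published, which DCs does DNS advertise for the domain, and which dcdiag tests failed. It assumes an elevated PowerShell session on the DC, where Get-SmbShare, Resolve-DnsName and dcdiag.exe are all available; the domain name is read from WMI rather than hard-coded.

```powershell
# Added example, not from the thread: DC-side health summary for a Server 2012 R2 domain controller.
# Assumes an elevated PowerShell session on the DC; Get-SmbShare, Resolve-DnsName and
# dcdiag.exe ship with Server 2012 R2 / the AD DS role.

# 1. A DC must publish NETLOGON (logon scripts, policies) and SYSVOL (Group Policy).
#    A missing NETLOGON share is what the thread's "net share" question is checking for.
$required = 'NETLOGON', 'SYSVOL'
$shares   = Get-SmbShare | Select-Object -ExpandProperty Name
foreach ($name in $required) {
    if ($shares -contains $name) {
        "OK      share $name is published"
    } else {
        Write-Warning "MISSING share $name - the DC is not advertising it (check SYSVOL replication, FRS/DFSR)"
    }
}

# 2. Which DCs are advertised for the domain? Same SRV record arnold's nslookup line queries.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if ($srv) {
    $srv | ForEach-Object { "DC advertised in DNS: $($_.NameTarget):$($_.Port)" }
} else {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records found for $domain - DNS is not advertising any DC"
}

# 3. Run dcdiag and reduce its output to the tests that failed, one line per test,
#    so a long transcript like the one pasted above becomes an actionable list.
$failed = & dcdiag.exe 2>$null |
          Select-String '(\S+) failed test (\S+)' |
          ForEach-Object { '{0}: {1}' -f $_.Matches[0].Groups[1].Value, $_.Matches[0].Groups[2].Value }
if ($failed) {
    "dcdiag failures:"
    $failed | ForEach-Object { "  $_" }
} else {
    "dcdiag: no failed tests"
}
```

The NetLogons, Replications and Services failures in the pasted dcdiag output all report access denied, which is the pattern dcdiag commonly produces when it is run from a non-elevated prompt, so run the script elevated before treating those three as real faults.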
Cliff GaliherCommented:
You don't add domain users to the local users MMC in Windows. You never did. The local users tool is exactly for that... LOCAL users. This has been true since 2000 (workstation and server) when AD was introduced.
0
manch03Author Commented:
@arnold - no, the prior DC was a 2008 R2. What is this: "On this DC, run net share is netlogon, sysvol shared" and this: "Do you have HQ branch type setup?" I did not do the install. I was not comfortable doing this, so we had a vendor do the install. If you can clarify the steps on what you replied, I could probably get that done, but I do not understand what you need me to do.
0
arnoldCommented:
Cliff, I think the question deals with extending additional rights to a domain login on the workstation, i.e. the system is a laptop and the domain user needs to be the admin on the system.

Check the workstation to make sure it is not getting a public name server.
Ipconfig /all | find /i "server"
If you have a public name server pushed by the DHCP server, logins/interaction will have intermittent issues when the public name server is queried to locate a DC for the AD domain.
0
manch03Author Commented:
@Cliff - I know I do not add users on the local workstations. I should be able to change that location to the network but I cannot get to the domain from the workstation through the management tool. Not being able to see the network location alerted me to the issue.
0
arnoldCommented:
Running "net share" on the server lists all the file server shares served by the server. One of your errors points to netlogon.
The organization of your environment is the second part, i.e. do you have a single location, or multiple physical locations, a main location with a few other branches....

The earlier comment was to make sure a public name server is not being pushed by DHCP scope options, as that would manifest the issues you experience.

The output from the ipconfig /all |find /i "server" on a workstation will include the name server and the DHCP server from which it got the IP.
Check the DHCP configuration, scope options, name server to make sure any public name server is not in that list.

Some add Google, or opendns servers in an AD domain setup, the presence of public name servers would cause intermittent issues.
0
manch03Author Commented:
@arnold - correct in answering Cliff's question. The command you recommended on the workstation came back with my gateway as my DHCP server (which is not correct). DHCP is being done by the DC. DHCP is set up on the DC and has a different IP address than what shows up in the results.
0
manch03Author Commented:
No public servers come up.
0
arnoldCommented:
Effectively, your setup used the router to distribute IPs and used the router as the name server; in this case, you cannot locate the DCs using the router's name server.

You need to confirm your DCs have DHCP.
Disabling the DHCP on the router will be the fix.

In the absence of a DHCP server role on any DC, the router's DHCP settings need to be changed to distribute the DCs as the name servers to fix the issue.
0
Cliff GaliherCommented:
"I am not able to add the users locally on the windows 7 clients."

That certainly implied that you were trying to add domain users locally. So terminology matters.

As for your last post, keep in mind that DHCP is a broadcast protocol. It isn't exclusive to one server and nothing will force a client to accept a response from the one you want it to. A client will grab a lease from the fastest responding server. If ipconfig is showing your gateway as a DHCP server then it likely is one. And is giving out improper DNS settings. Which would cause all sorts of bad behavior on a domain client. Gotta disable DHCP on any unauthorized servers/devices.
0
manch03Author Commented:
I see sysvol is shared, but no netlogon.
0
manch03Author Commented:
One physical location.
0
arnoldCommented:
Based on the recent exchange, your issue is the conflict caused by the existence of a second DHCP server on the router.
Potentially a coincidence if the router was replaced in about the same time frame the new system was set up, or the vendor forgot to disable the DHCP server on the router that was enabled during the system setup to allow your operations to continue.......

Once you disable the DHCP server in your router, pick another workstation, unplug its network connection and reconnect it after 30 seconds (faster than having to reboot); this way the workstation will get an IP from your DHCP server. Confirm functionality as expected.
Doing it this way makes sure there is a functional DHCP server while maintaining/retaining access to the router's config to re-enable DHCP if needed.
0
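As an added example (not from the thread or from either participant), a workstation-side script for the Windows 7 clients that checks the two things this thread turned on: which server issued the DHCP lease, and whether the DNS servers that lease handed out are DCs advertised for the domain. `$ExpectedDhcp` holds a constructed placeholder address to replace with the DC that is supposed to serve DHCP; WMI and nslookup are used instead of Get-NetIPConfiguration and Resolve-DnsName because those cmdlets are not available on Windows 7.

```powershell
# Added example, not from the thread: detect a lease from an unexpected DHCP server (the router
# in this thread) and DNS servers that are not domain controllers, on a Windows 7 domain client.
# Assumptions: run in PowerShell on the client; $ExpectedDhcp is a placeholder to replace with
# the address of the DC that should be serving DHCP.
$Domain       = $env:USERDNSDOMAIN        # AD DNS domain this client is joined to
$ExpectedDhcp = @('192.0.2.10')           # placeholder (TEST-NET address), replace with your DC's IP

# 1. DHCP server and DNS servers of every IP-enabled adapter (WMI works on Windows 7 / PowerShell 2.0).
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"

# 2. DCs advertised for the domain, via the same _ldap SRV record arnold suggested querying.
#    nslookup prints one "svr hostname = <dc>" line per SRV record; parse those names.
$srvOutput = & nslookup -q=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null
$dcHosts = $srvOutput | Select-String 'svr hostname\s*=\s*(\S+)' |
           ForEach-Object { $_.Matches[0].Groups[1].Value.TrimEnd('.') }
$dcIps = foreach ($h in $dcHosts) {
    try { [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString } } catch { }
}

foreach ($a in $adapters) {
    "Adapter: $($a.Description)"
    "  DHCP enabled : $($a.DHCPEnabled)"
    "  DHCP server  : $($a.DHCPServer)"
    "  DNS servers  : $($a.DNSServerSearchOrder -join ', ')"

    # Finding 1: the lease came from a server that is not an authorised DHCP server.
    if ($a.DHCPEnabled -and $a.DHCPServer -and ($ExpectedDhcp -notcontains $a.DHCPServer)) {
        Write-Warning "Lease on '$($a.Description)' issued by unexpected DHCP server $($a.DHCPServer) - look for a second DHCP server such as the router"
    }

    # Finding 2: a configured DNS server is not an advertised DC, so DC location will fail or lag.
    if ($dcIps) {
        foreach ($dns in $a.DNSServerSearchOrder) {
            if ($dcIps -notcontains $dns) {
                Write-Warning "DNS server $dns on '$($a.Description)' is not an advertised DC for $Domain"
            }
        }
    }
}

if (-not $dcHosts) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records returned for $Domain - the configured DNS servers are not resolving the domain's DC records"
}
```

Run it before and after disabling DHCP on the router (and after the unplug/replug arnold describes) to confirm the lease now comes from the DC and the DNS list contains only DC addresses.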
manch03Author Commented:
You are correct.  The router was replaced around the same time the issues arose.  I thought we disabled DHCP because the 2008 r2 server is the DHCP server.    I will get into this and get it fixed. Thank you
0
manch03Author Commented:
I knew something weird was going on and I thought the DHCP server was disabled on the new router. However, I have been having issues trying to get into the router so I believe the router reset itself and lost its configuration. Probably a power outage and/or spike.
0