manch03
Domain computers will not connect to domain controllers

Domain computers  (windows 7 professional) cannot add domain user under Manage accounts locally.  Windows 2012 r2 server.  It appears since we moved from Windows 2008 server to 2012 r2 server, our domain computers do not recognize they are in the domain.   I am not able to add the users locally on the windows 7 clients.  I can see the servers, the desktops are recognized in AD Users and Computers - they can log in, etc. but there is a lot of hesitation connecting to the app server.  We are only talking 3 or 4 desktops with gig connections, so this should not be an issue.  When I go to add the domain user to the client, only the local workstation shows up - not the domain.  I was having this issue with an application server, but I made that a DC and now the clients are experiencing the same issue.  We have been having a lot of lagging and slowness issues so I decided to take a look at everyone's workstations.  They are all doing the same thing - only showing up as their local computer and not seeing the domain when I tried to change Location to the domain.  The desktops are listed in DNS, DHCP, etc.  I have tried unjoining and rejoining the network, giving the computer a different name - nothing is working.  I am also being denied when I try to stop or start a service - logging in locally and as a domain user on the local workstations.  How do I fix this?
arnold

Double check your assumption that the computers can see.

Use systeminfo |more on the workstation to see whether it times out and uses cached credentials to login.

Run dcdiag on the DC/s to confirm health of the AD.

Double check that what is advertised is right.

Run
nslookup -q=SRV _ldap._tcp.dc._msdcs.youraddomain
Check the DCs to determine which has the master role.

Have any DCs been restored from backup?
manch03 (asker)

No DCs restored from backup.  I had an outside vendor come in and install the new server 2012 r2.  Things have not been the same, but it's been over a year and he is not available.  Here is the dcdiag - things are definitely out of whack.  How do I fix this?  I removed the domain name and the server name and left the S....   The workstations can find the domain with the nslookup and vice versa.   This is the log from the main domain controller (the new one that was installed).  All of the DCs have the same errors.

Doing primary tests

   Testing server: Default-First-Site-Name\S
      Starting test: Advertising
         ......................... S passed test Advertising
      Starting test: FrsEvent
         ......................... S passed test FrsEvent
      Starting test: DFSREvent
         ......................... S passed test DFSREvent
      Starting test: SysVolCheck
         ......................... S passed test SysVolCheck
      Starting test: KccEvent
         ......................... S passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... S passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... S passed test MachineAccount
      Starting test: NCSecDesc
         ......................... S passed test NCSecDesc
      Starting test: NetLogons
         [S} User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... S failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... S passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,S] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Replication access was denied."
         ......................... S failed test Replications
      Starting test: RidManager
         ......................... S passed test RidManager
      Starting test: Services
            Could not open NTDS Service on S, error 0x5
            "Access is denied."
         ......................... S failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 04/15/2018   14:09:11
            Event String:
            Name resolution for the name client.teamviewer.com timed out after none of the configured DNS servers responded.
         ......................... S passed test SystemLog
      Starting test: VerifyReferences
         ......................... S passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on :
      Starting test: CheckSDRefDom
         .........................  passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... passed test CrossRefValidation

   Running enterprise tests on :
      Starting test: LocatorCheck
         ......................... passed test LocatorCheck
      Starting test: Intersite
         .........................  passed test Intersite
The prior DC was 2003? It seems that not all necessary components were installed.
On this DC, run net share: are netlogon and sysvol shared?

On 2012, you need to install the FRS components to facilitate the replication.

Check the other DC to make sure it is not the cause for the replication issue, journal related, d2/d4 burflags issue.


Do you have HQ branch type setup?

Check ipconfig /all looking for name servers, making sure you do not have 127.0.0.1 ....
Recently seen issues: use the LAN side IP for the DC itself.....
You don't add domain users to the local users mmc in windows. You never did. The local users tool is exactly for that... LOCAL users. This has been true since 2000 (workstation and server) when AD was introduced.
manch03 (asker)

@arnold - no, the prior DC was a 2008 r2.  What is this: "On this DC, run net share: are netlogon and sysvol shared?" and this: "Do you have HQ branch type setup?"  I did not do the install.  I was not comfortable doing this, so we had a vendor do the install.  If you can clarify the steps on what you replied, I could probably get that done, but I do not understand what you need me to do.
Cliff, I think the question deals with extending additional rights to a domain login on the workstation, i.e. the system is a laptop and the domain user needs to be the admin on the system.

Check the workstation to make sure it is not getting a public name server.
Ipconfig /all | find /i "server"
If you have a public name server pushed by the DHCP server, logins/interaction will have intermittent issues when the public name server is queried to locate a DC for the AD domain.
manch03 (asker)

@Cliff - I know I do not add users on the local workstations.  I should be able to change that location to the network but I cannot get to the domain from the workstation through the management tool.   Not being able to see the network location alerted me to the issue.
Running "net share" on the server lists all the fileserver shares served by the server. One of your errors points to netlogon..
The organization of your environment is the second part, i.e. do you have a single location, or multiple physical locations: a main location with a few other branches....

The earlier comment was to make sure a public name server is not being pushed by DHCP scope options; that would manifest as the issues you experience.

The output from the ipconfig /all |find /i "server" on a workstation will include the name server and the DHCP server from which it got the IP.
Check the DHCP configuration, scope options, name server, to make sure no public name server is in that list.

Some add Google or OpenDNS servers in an AD domain setup; the presence of public name servers would cause intermittent issues.
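The checks arnold describes (the SRV lookup for _ldap._tcp.dc._msdcs.<domain>, and ipconfig /all to see which DHCP server issued the lease and which name servers it pushed) can be run together from one script on the workstation. This is an added example, not code from the thread; $ExpectedDhcp is an assumed placeholder for the address of the DC that should be serving DHCP.

```powershell
# Added example (not from the thread): on a domain-joined Windows client, verify that
# the lease came from the expected DHCP server, that the pushed DNS servers are domain
# controllers, and that DC locator SRV records resolve. Read-only; changes nothing.
param([string]$ExpectedDhcp = "192.0.2.10")   # placeholder: put your DC's LAN address here

$domain = (Get-CimInstance Win32_ComputerSystem).Domain
Write-Host "Domain: $domain   Logon server: $env:LOGONSERVER"

# 1. Which DCs does DNS advertise? Same query as: nslookup -q=SRV _ldap._tcp.dc._msdcs.<domain>
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV records returned: this client's DNS server does not host the AD zone"
}
$dcNames = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
$dcIps = foreach ($n in $dcNames) {
    (Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue).IPAddress
}
Write-Host "DCs advertised in DNS: $($dcNames -join ', ')"

# 2. Per adapter: who handed out the lease, and which name servers came with it?
#    A lease from the router (or any server other than $ExpectedDhcp) means a rogue DHCP
#    server answered first; non-DC name servers break DC location and cause lag at logon.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE"
foreach ($a in $adapters) {
    Write-Host "`n$($a.Description)  IP: $($a.IPAddress -join ', ')"
    if ($a.DHCPEnabled) {
        Write-Host "  DHCP server: $($a.DHCPServer)"
        if ($a.DHCPServer -ne $ExpectedDhcp) {
            Write-Warning "  Lease came from $($a.DHCPServer), not $ExpectedDhcp (unauthorized DHCP, e.g. the router)"
        }
    } else {
        Write-Host "  Static configuration (no DHCP lease)"
    }
    foreach ($dns in $a.DNSServerSearchOrder) {
        if ($dcIps -contains $dns) {
            Write-Host "  DNS $dns : domain controller, OK"
        } elseif ($dns -eq '127.0.0.1') {
            Write-Warning "  DNS $dns : loopback; use the DC's LAN address instead"
        } else {
            Write-Warning "  DNS $dns : not a DC (router or public resolver); AD lookups will fail or lag"
        }
    }
}
```

Run it as the logged-on user on one of the affected Windows 7 workstations; a warning on the DHCP line or on any DNS line points at the setting to fix on the router or in the DHCP scope options.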
manch03 (asker)

@arnold - correct in answering Cliff's question.  The command you recommended on the workstation came back with my gateway as my DHCP server (which is not correct).  DHCP is being done by the DC.  DHCP is set up on the DC and has a different IP address than what shows up in the results.
manch03 (asker)

No public servers come up.
Effectively, your setup used the router to distribute IPs and used the router as the name server; in this case, you cannot locate the DCs using the router's name server.

You need to confirm your DCs have DHCP.
Disabling the DHCP on the router will be the fix.

In the absence of a DHCP server role on any DC, the router's DHCP settings need to be changed to distribute the DCs as the name servers to fix the issue.
"I am not able to add the users locally on the windows 7 clients."

That certainly implied that you were trying to add domain users locally. So terminology matters.

As for your last post, keep in mind that DHCP is a broadcast protocol. It isn't exclusive to one server and nothing will force a client to accept a response from the one you want it to. A client will grab a lease from the fastest responding server. If ipconfig is showing your gateway as a DHCP server then it likely is one. And is giving out improper DNS settings. Which would cause all sorts of bad behavior on a domain client. Gotta disable DHCP on any unauthorized servers/devices.
manch03 (asker)

I see sysvol is shared, but no netlogon.
manch03 (asker)

One physical location.
ASKER CERTIFIED SOLUTION
arnold

manch03 (asker)

You are correct.  The router was replaced around the same time the issues arose.  I thought we disabled DHCP because the 2008 r2 server is the DHCP server.    I will get into this and get it fixed. Thank you
manch03 (asker)

I knew something weird was going on and I thought the DHCP server was disabled on the new router.  However, I have been having issues trying to get into the router so I believe the router reset itself and lost its configuration.  Probably a power outage and/or spike.