Connecting to DC via UNC path by DNS name returns error, problems for shared printers

Assist-Netopa
On a Windows Server 2008 R2 Domain Controller we can no longer connect to it using a UNC path from another server or desktop which is causing problems for people printing on the printers shared on that server.

The error is "The specified network name is no longer available"

This DC is also the FSMO role holder, DHCP, RRAS and Veeam Proxy Server; no other network-related issues seem to be affected at the moment.

Here's what we know/have tried:

1) The server can connect to its own UNC path and other UNC paths.
2) Other devices CAN connect to the UNC path using its static IP address and they can ping the server name successfully indicating DNS is working
3) The NIC is using domain profile (not private or public)
4) No configuration changes have taken place
5) Nothing in the event logs indicate a serious issue
6) Workstation, Server and Netlogon services along with all other Automatic services are started on the problem server
7) We've tried a reboot of the server
8) We have disabled the Windows Firewall and AV to test

Temporarily we are adding the printers for the user connecting to the IP address

There are loads of links out there but there are various reasons why this could be the case?

Thanks for any advice
Arjun Vyavahare, Technical Consultant

Commented:
Hi,

Try using the tracert command and check the network path it is taking.

Cheers,
Arjun

Author

Commented:
tracert takes us straight to the correct server in one hop
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
2) Other devices CAN connect to the UNC path using its static IP address and they can ping the server name successfully indicating DNS is working
Only if all clients are using the same DNS. Is the server using the same DNS as the others?

Distinguished Expert 2017

Commented:
Double check ipconfig /all to make sure no foreign DNS record references exist.

What is the error when running
Net use X: \\addomain\netlogon
If you get error 85,
Repeat using \\serverdc\netlogon

Check to make sure there are no stake sessions on the DC meaning, it receives the request, but according to its sessions the connection already exists
And this will manifest with inability to setup a connection one way, while setup by another name or ip has no issues.

Author

Commented:
@Shaun - The DC is also the main DNS server and it uses itself as the primary DNS for its NIC. Clients also use it as their primary DNS server handed out by DHCP scope options

@Arnold - Mapping the X: \\domainFDQN\netlogon   (from another server)

This successfully maps so I didn't do the second one

The server was rebooted so no stale sessions should exist (assuming a typo in stake)
Distinguished Expert 2017

Commented:
What about ipconfig /all, making sure there are no external name servers?
Distinguished Expert 2017

Commented:
How many DCs do you have?
Nslookup -q=SRV _ldap._tcp.dc._msdcs.addomain.suffix.

Author

Commented:
Four, two at each site.

We are going to reboot them all later tonight and see if that helps
Michelangelo, System Administrator / Postmaster

Commented:
Use the command arnold provided to check how many DCs are registered in DNS.
Also make sure you do not have any rogue dhcp server which is handing out wrong overlapping dhcp leases - check ipconfig /all on a failing client.
Try to use full name (FQDN) of the DC. See if the error (if any) is literally the same or a different one. Is the DC physical or a VM? If the latter, check that vlan and/or any SDN solution is configured correctly.
Check that the DC name, from a client point of view, is resolved correctly.
Check netmask.

Note: you may have installed updates / created GPOs / modified settings which disable old SMB versions: see here for some background.
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

https://www.thewindowsclub.com/disable-smb1-windows

Author

Commented:
I may have found the problem:

https://community.spiceworks.com/topic/273893-shares-drive-logon-failure-the-target-account-name-is-incorrect

This gave me the idea to check the Lastpwdreset attribute on the DC's computer object

The last reset was 2/8/18. I think this should have reset on 1/9/18 (last Saturday, 30 days) our problems started on Monday morning.

Is it safe to run netdom resetpwd /s:server /ud:domain\User /pd:* on a DC with FSMO roles and is this the way to do it?

https://support.microsoft.com/en-sg/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

It looks right to me but never done this before on a DC and don't want to make it worse. Any experience/guidance of this?
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
What FSMO roles does it hold?

Author

Commented:
All of them
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
I prefer to do it the other way around, DC against DC with PDCe.

I cannot see that you will break anything. Stop KDC before doing it
Well, that sorted the secure channel computer password but unfortunately, a second DC's password also expired at a different site. At the moment both unc paths work by name at each site but not between sites as the DC replication has problems. That's a separate issue so I will close this question
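
An added example, not part of the original thread: a PowerShell check that reports the machine-account password age of every domain controller, the attribute the asker inspected by hand, so a second stale DC is visible before it causes trouble. It assumes the ActiveDirectory module is installed and uses the 30-day interval mentioned in the thread as the threshold.

```powershell
# Added example (not from the thread): machine-account password age per DC.
# Assumes the ActiveDirectory module is installed; 30 days is the interval
# the thread mentions, adjust it to match your domain's policy.
Import-Module ActiveDirectory

$maxAgeDays = 30
$now        = Get-Date

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = New-Object PSObject -Property @{
        DC = $dc.HostName; Site = $dc.Site; PasswordLastSet = $null
        AgeDays = $null; Status = 'Unknown'
    }
    try {
        # Ask each DC for its own copy of its computer object. A DC that
        # cannot be reached by name is reported instead of stopping the run.
        $obj = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $dc.HostName `
                   -Properties PasswordLastSet -ErrorAction Stop
        if ($obj.PasswordLastSet) {
            $row.PasswordLastSet = $obj.PasswordLastSet
            $row.AgeDays = [math]::Floor(($now - $obj.PasswordLastSet).TotalDays)
            $row.Status  = if ($row.AgeDays -gt $maxAgeDays) { 'STALE' } else { 'OK' }
        } else {
            $row.Status = 'No PasswordLastSet value'
        }
    } catch {
        $row.Status = "Query failed: $($_.Exception.Message)"
    }
    $row   # emit one row per DC into $report
}

# Oldest passwords first, so the DCs needing attention are at the top.
$report | Sort-Object AgeDays -Descending |
    Format-Table DC, Site, PasswordLastSet, AgeDays, Status -AutoSize
```

A DC listed as STALE, or one whose query failed, is the candidate for a secure-channel check before any password reset is attempted.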
