Connecting to DC via UNC path by DNS name returns error, problems for shared printers

On a Windows Server 2008 R2 Domain Controller we can no longer connect to it using a UNC path from another server or desktop which is causing problems for people printing on the printers shared on that server.

The error is "The specified network name is no longer available "

This DC is also the FSMO role holder, DHCP, RRAS and Veeam Proxy Server, no other network related issues seem to be affected at the moment.

Here's what we know/have tried:

1) The server can connect to its own UNC path and other UNC paths.
2) Other devices CAN connect to the UNC path using its static IP address and they can ping the server name successfully indicating DNS is working
3) The NIC is using domain profile (not private or public)
4) No configuration changes have taken place
5) Nothing in the event logs indicate a serious issue
6) Workstation, Server and Netlogon services along with all other Automatic services are started on the problem server
7) We've tried a reboot of the server
8) We have disabled the Windows Firewall and AV to test

Temporarily we are adding the printers for the user connecting to the IP address

There are loads of links out there but there are various reasons why this could be the case?

Thanks for any advice
Assist-Netopa Asked:

Arjun Vyavahare, Technical Consultant, Commented:
Hi,

Try to use the Tracert command and check the network path where it is reaching.

Cheers,
Arjun
0
Assist-Netopa, Author, Commented:
tracert takes us straight to the correct server in one hop
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
2) Other devices CAN connect to the UNC path using its static IP address and they can ping the server name successfully indicating DNS is working
Only if all clients are using the same DNS. Is the server using the same DNS as the others?
0

arnold Commented:
Double check ipconfig /all to make sure no foreign DNS record references exist.

What is the error when running
Net use X: \\addomain\netlogon
If you get error 85,
Repeat using \\serverdc\netlogon

Check to make sure there are no stake sessions on the DC meaning, it receives the request, but according to its sessions the connection already exists
And this will manifest with inability to setup a connection one way, while setup by another name or ip has no issues.
1
Assist-Netopa, Author, Commented:
@Shaun - The DC is also the main DNS server and it uses itself as the primary DNS for its NIC. Clients also use it as their primary DNS server handed out by DHCP scope options

@Arnold - Mapping the X: \\domainFDQN\netlogon   (from another server)

This successfully maps so I didn't do the second one

The server was rebooted so no stale sessions should exist (assuming a typo in stake)
0
arnold Commented:
What about ipconfig /all making sure no external name servers......
0
arnold Commented:
How many DCs do you have?
nslookup -q=SRV _ldap._tcp.dc._msdcs.addomain.suffix.
0
Assist-Netopa, Author, Commented:
Four, two at each site.

We are going to reboot them all later tonight and see if that helps
0
Michelangelo, Consultant, Commented:
Use the command arnold provided to check how many DCs are registered in DNS.
Also make sure you do not have any rogue dhcp server which is handing out wrong overlapping dhcp leases - check ipconfig /all on a failing client.
Try to use full name (FQDN) of the DC. See if the error (if any) is literally the same or a different one. Is the DC physical or a VM? If the latter, check that vlan and/or any SDN solution is configured correctly.
Check that the DC name, from a client point of view, is resolved correctly.
Check netmask.

Note: you may have installed updates / created a GPO / modified settings which disable old SMB versions: see here for some background.
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and

https://www.thewindowsclub.com/disable-smb1-windows
0
Assist-Netopa, Author, Commented:
I may have found the problem:

https://community.spiceworks.com/topic/273893-shares-drive-logon-failure-the-target-account-name-is-incorrect

This gave me the idea to check the Lastpwdreset attribute on the DC's computer object

The last reset was 2/8/18. I think this should have reset on 1/9/18 (last Saturday, 30 days) our problems started on Monday morning.

Is it safe to run netdom resetpwd /s:server /ud:domain\User /pd:* on a DC with FSMO roles and is this the way to do it?

https://support.microsoft.com/en-sg/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

It looks right to me but never done this before on a DC and don't want to make it worse. Any experience/guidance of this?
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
What FSMO roles does it hold?
0
Assist-Netopa, Author, Commented:
All of them
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
I prefer to do it the other way around, DC against DC with PDCe.

I cannot see that you will break anything. Stop KDC before doing it
0
Assist-Netopa, Author, Commented:
Well, that sorted the secure channel computer password but unfortunately, a second DC's password also expired at a different site. At the moment both unc paths work by name at each site but not between sites as the DC replication has problems. That's a separate issue so I will close this question
0
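
The password-age check that led to the fix in this thread can be run across every DC at once. The script below is an added example, not code posted by anyone in the thread; it assumes the ActiveDirectory PowerShell module is available, the Windows default 30-day machine account password age, and a 3-day tolerance chosen here for illustration.

```powershell
# Added example: report the machine-account password age of every DC,
# as seen from every DC, so stale passwords and replication divergence both show up.
Import-Module ActiveDirectory

$MaxAgeDays = 30   # assumption: default maximum machine account password age
$SlackDays  = 3    # assumption: tolerance before a DC is flagged
$now = Get-Date
$dcs = @(Get-ADDomainController -Filter *)

$report = foreach ($dc in $dcs) {
    foreach ($source in $dcs) {
        # One row per (DC computer object, DC that answered the query).
        $row = @{
            DC = $dc.Name; Site = $dc.Site; AskedOn = $source.Name
            PasswordLastSet = $null; AgeDays = $null; Status = 'QueryFailed'
        }
        try {
            $c = Get-ADComputer -Identity $dc.ComputerObjectDN `
                     -Server $source.HostName `
                     -Properties PasswordLastSet -ErrorAction Stop
            $row.PasswordLastSet = $c.PasswordLastSet
            if ($c.PasswordLastSet) {
                $row.AgeDays = [math]::Floor(($now - $c.PasswordLastSet).TotalDays)
                if ($row.AgeDays -gt ($MaxAgeDays + $SlackDays)) {
                    $row.Status = 'Overdue'
                } else {
                    $row.Status = 'OK'
                }
            } else {
                $row.Status = 'NeverSet'
            }
        } catch {
            # The source DC could not be queried; Status stays 'QueryFailed'.
        }
        New-Object PSObject -Property $row
    }
}

$report | Sort-Object DC, AskedOn |
    Format-Table DC, Site, AskedOn, PasswordLastSet, AgeDays, Status -AutoSize
```

A DC that shows `Overdue`, or whose `PasswordLastSet` differs depending on which DC answered, is the one to examine for the secure channel and replication problems described above.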
