What went wrong with this Windows Active Directory?

MichaelBalack
This is using MS Windows 2012 R2 AD. There is only one DC, with all 5 FSMO roles plus the DNS and DHCP roles. Recently, we found that domain logins were getting slow. Users have to wait some time before they are shown as logged in. Another issue is that they can't seem to access the file servers; it looks like a permissions issue.

The temporary workaround is that in the morning we have to reboot the DC, and all the above issues are gone (for the time being). What could be the issue? How do we troubleshoot it?
I did check through DNS, Sites and Services, Domains, and Users & Computers; all look to be working fine.

Thanks in advance.

Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
First problem is we don't know if YOU know what the correct DNS configuration is.  You say it's fine... what if you don't actually understand what it should be?  You haven't taken the time to fill out your profile so we really don't know...  Not to be insulting, but to eliminate that possibility, you need to post what the actual DNS settings are on both the DC and the clients.

Then start by reviewing warnings, errors, and critical events in a problematic workstation's event logs to see what it might be saying.  And also check the servers.
MichaelBalack, Senior System Engineer

Author

Commented:
Hi Lee W,

DNS settings on DC:
<DC IP>

On the DNS console, no forwarder is configured; Internet roots are detected

DNS settings on clients:
<DC IP>

Checking on any client, name resolution resolved successfully.
Distinguished Expert 2017

Commented:
As was outlined, check the security log in the DC and see whether there are many failure audit events.

How many workstations do you have?
What is the configuration for the users?
Do you use roaming profiles?

Check the hardware on the server to make sure there are no RAID errors/failed drives.

Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Sounds like a resource exhaustion issue - memory fragmentation, too many kernel objects used (files, sessions, connections, ...). That should show in an increasing amount of errors or warnings in the event log. Restarting single services might help prolong the time span until having to reboot, but eventually a reboot will be required.
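
The event-log checks suggested in the comments above (failure audits in the DC's Security log, and a rising count of errors or warnings between reboots), sketched in PowerShell as an added example that is not part of the original thread. The 24-hour window, the hourly buckets and the choice of logs are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the DC.
# Assumption: a 24-hour look-back is enough to cover one reboot-to-slowdown cycle.
$since = (Get-Date).AddHours(-24)

# Security log: "Audit Failure" events carry the keyword bit 0x10000000000000.
$auditFailure = 0x10000000000000
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = $auditFailure
    StartTime = $since
} -ErrorAction SilentlyContinue

# Failure audits per hour and event ID: a flood here points at
# authentication problems rather than resource exhaustion.
$failures |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') }, Id |
    Sort-Object Name |
    Select-Object Name, Count

# Critical (1), Error (2) and Warning (3) events from the logs a DC with
# the DNS role normally has (assumption: all three logs exist on this server).
$logs = 'System', 'Directory Service', 'DNS Server'
$problems = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Level     = 1, 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

# Hourly trend: a count that climbs with uptime and resets after the
# morning reboot matches the pattern described in the question.
$problems |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object Name, Count

# The most frequent sources, to show which component to look at first.
$problems |
    Group-Object LogName, ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name
```
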
FOX, Active Directory/Exchange Engineer
Top Expert 2015

Commented:
With all said above >>There is only one DC with all the 5 FSMO roles, DNS, DHCP roles.<<
Michael, you also have a single point of failure.
You need to spin up another server, fully patch it, add it to the domain and promote it as an additional domain controller.
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2018

Commented:
Server patched? Windows Firewall enabled? You should have it enabled; DC rules are automatically added into FW exceptions. Time correct?
IPv6 enabled? It should be
