Domain Logon Issues



  • I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

    So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

    Errors I've seen since:

    1. No logon servers available
    2. The Group Policy Client service failed the logon. Access denied.

    In event viewer I see sync issues with Domain1, but that is to be expected because it doesn't exist. I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.



  • @wirestyle22 said in Domain Logon Issues:

    I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

    So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

    Errors I've seen since:

    1. No logon servers available
    2. The Group Policy Client service failed the logon. Access denied.

    I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.

    Are they VMs or physical boxes?



  • @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

    So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

    Errors I've seen since:

    1. No logon servers available
    2. The Group Policy Client service failed the logon. Access denied.

    I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.

    Are they VMs or physical boxes?

    VM's



  • @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

    So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

    Errors I've seen since:

    1. No logon servers available
    2. The Group Policy Client service failed the logon. Access denied.

    I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.

    Are they VMs or physical boxes?

    VM's

    You've ensured that the hardware time sync is turned off? This is a common issue between Vmware, Hyper-V and domain controllers.



  • @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

    So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

    Errors I've seen since:

    1. No logon servers available
    2. The Group Policy Client service failed the logon. Access denied.

    I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.

    Are they VMs or physical boxes?

    VM's

    You've ensured that the hardware time sync is turned off? This is a common issue between Vmware, Hyper-V and domain controllers.

    Interesting. I did not know that.

    I believe you are referring to this: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 ?



  • @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

    So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

    Errors I've seen since:

    1. No logon servers available
    2. The Group Policy Client service failed the logon. Access denied.

    I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.

    Are they VMs or physical boxes?

    VM's

    You've ensured that the hardware time sync is turned off? This is a common issue between Vmware, Hyper-V and domain controllers.

    Interesting. I did not know that.

    I believe you are referring to this: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 ?

    Yep, that's it.

    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318



  • @coliver Do you know of a way for me to verify the setting outside of powering down the VM etc? Just to check the setting



  • @wirestyle22 said in Domain Logon Issues:

    @coliver Do you know of a way for me to verify the setting outside of powering down the VM etc? Just to check the setting

    If I remember correctly there is a check box in the VM settings.0_1469806514787_2016-07-29 11_34_55-vSphere Web Client.png



  • @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @coliver Do you know of a way for me to verify the setting outside of powering down the VM etc? Just to check the setting

    If I remember correctly there is a check box in the VM settings.0_1469806514787_2016-07-29 11_34_55-vSphere Web Client.png

    Unchecked



  • @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @coliver Do you know of a way for me to verify the setting outside of powering down the VM etc? Just to check the setting

    If I remember correctly there is a check box in the VM settings.0_1469806514787_2016-07-29 11_34_55-vSphere Web Client.png

    Unchecked

    You just unchecked it or it was already unchecked?



  • @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @coliver Do you know of a way for me to verify the setting outside of powering down the VM etc? Just to check the setting

    If I remember correctly there is a check box in the VM settings.0_1469806514787_2016-07-29 11_34_55-vSphere Web Client.png

    Unchecked

    You just unchecked it or it was already unchecked?

    Already unchecked. Sorry.



  • @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

    So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

    Errors I've seen since:

    1. No logon servers available
    2. The Group Policy Client service failed the logon. Access denied.

    I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.

    Are they VMs or physical boxes?

    VM's

    You've ensured that the hardware time sync is turned off? This is a common issue between Vmware, Hyper-V and domain controllers.

    Interesting. I did not know that.

    I believe you are referring to this: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 ?

    That's the most common cause of this.



  • Doesn't seem to be a time sync issue currently.



  • Does this mean you can login again, or not?



  • I think he got a very long lunch today.



  • Here and there I've seen the errors in my initial post. They are still a thing. I would typically disconnect form the domain, delete the local profile, log back in but that doesn't work. It lead me to think there may be an issue with the domain but I don't see anything that points to that. Figured I'd ask



  • Might be network errors. The workstations in question definitely are pointing to the AD DC as their DNS server?



  • @Reid-Cooper said in Domain Logon Issues:

    Might be network errors. The workstations in question definitely are pointing to the AD DC as their DNS server?

    Yes. I checked and it was Domain3.



  • What does the DC say? Its logs may be overflowing with useful info



  • @momurda said in Domain Logon Issues:

    What does the DC say? Its logs may be overflowing with useful info

    I checked the logs and the only errors I see are sync errors with Domain1--which is expected because it doesn't actually exist as stated above



  • @wirestyle22 said in Domain Logon Issues:

    @momurda said in Domain Logon Issues:

    What does the DC say? Its logs may be overflowing with useful info

    I checked the logs and the only errors I see are sync errors with Domain1--which is expected because it doesn't actually exist as stated above

    So you should rip it out. Even if it doesn't exist you can remove it from your domain.

    https://technet.microsoft.com/en-us/library/cc781245(v=ws.10).aspx



  • @coliver said in Domain Logon Issues:

    @wirestyle22 said in Domain Logon Issues:

    @momurda said in Domain Logon Issues:

    What does the DC say? Its logs may be overflowing with useful info

    I checked the logs and the only errors I see are sync errors with Domain1--which is expected because it doesn't actually exist as stated above

    So you should rip it out. Even if it doesn't exist you can remove it from your domain.

    https://technet.microsoft.com/en-us/library/cc781245(v=ws.10).aspx

    I will but I can't imagine that would cause this issue



  • In your OP, by ADSync do you mean the Azure AD Sync tool?



  • @momurda said in Domain Logon Issues:

    In your OP, by ADSync do you mean the Azure AD Sync tool?

    Directory Link/ADSync



  • On metadata cleanup: LDAP extended error message 0000208F: NameErr -- Object Name had bad syntax. ??? why



  • Is your email working correctly? Are all your domain computers authenticated correctly with your dc?



  • @momurda said in Domain Logon Issues:

    Is your email working correctly? Are all your domain computers authenticated correctly with your dc?

    E-mail has been shakey as of late with syncing.Not all domain computers are working correctly. I cannot log into domain accounts on some PC's. It's weird. The local accounts works. I disconnected from domain, deleted local profile and reconnectted. Still nothing.



  • Local accounts would be expected to work.



  • And this Domain1 you mention, used to be a domain hosted on this dc but has been renamed or removed??



  • @momurda said in Domain Logon Issues:

    And this Domain1 you mention, used to be a domain hosted on this dc but has been renamed or removed??

    I took over here a few weeks ago and BartleyDS1 was removed before I was here. It's still listed among the domains, but it doesnt exist.


Log in to reply