Domain Logon Issues

Reid Cooper

@wirestyle22 said in Domain Logon Issues:

@coliver said in Domain Logon Issues:

@wirestyle22 said in Domain Logon Issues:

@coliver said in Domain Logon Issues:

@wirestyle22 said in Domain Logon Issues:

I'm trying to make this neat, orderly and easily understandable. That may not happen though so if it isn't I'm sorry.

So I had to install a new version of ADSync as per the vendor we use to hosted exchange. I followed everything down to the letter. It required a reboot which should not have been an issue as we have two domain controllers. I reboot the domain and everyone's time syncs to the new domain, which is incorrect (I should have checked). I check what the domains are syncing with in Active Directory Sites and Services. The domains we used are Domain2 and Domain3, both of which are syncing with the non-existent Domain1 as well as with each other. Now, my question is why would the time desync? Domain2 and Domain3 must have synced with each other before the reboot so why did the time jump far into the future? I'm assuming that the time had been wrong for awhile, before I was ever hired which would lead me to believe that we have been using only one domain for a long time (Is this the correct way of viewing this situation?). So, I used w32tm to force sync the times and that fixed the time sync problem.

Errors I've seen since:

1. No logon servers available
2. The Group Policy Client service failed the logon. Access denied.

I looked around and I haven't seen anything that would cause this issue to happen just due to a reboot and the time seems to be synced. I have never had this occur before.

Are they VMs or physical boxes?

VM's

You've ensured that the hardware time sync is turned off? This is a common issue between Vmware, Hyper-V and domain controllers.

Interesting. I did not know that.

I believe you are referring to this: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189 ?

That's the most common cause of this.

wirestyle22

Doesn't seem to be a time sync issue currently.

momurda

Does this mean you can login again, or not?

scottalanmiller

I think he got a very long lunch today.

wirestyle22

Here and there I've seen the errors in my initial post. They are still a thing. I would typically disconnect form the domain, delete the local profile, log back in but that doesn't work. It lead me to think there may be an issue with the domain but I don't see anything that points to that. Figured I'd ask

Reid Cooper

Might be network errors. The workstations in question definitely are pointing to the AD DC as their DNS server?

wirestyle22

@Reid-Cooper said in Domain Logon Issues:

Might be network errors. The workstations in question definitely are pointing to the AD DC as their DNS server?

Yes. I checked and it was Domain3.

momurda

What does the DC say? Its logs may be overflowing with useful info

wirestyle22

@momurda said in Domain Logon Issues:

What does the DC say? Its logs may be overflowing with useful info

I checked the logs and the only errors I see are sync errors with Domain1--which is expected because it doesn't actually exist as stated above

coliver

@wirestyle22 said in Domain Logon Issues:

@momurda said in Domain Logon Issues:

What does the DC say? Its logs may be overflowing with useful info

I checked the logs and the only errors I see are sync errors with Domain1--which is expected because it doesn't actually exist as stated above

So you should rip it out. Even if it doesn't exist you can remove it from your domain.

https://technet.microsoft.com/en-us/library/cc781245(v=ws.10).aspx

wirestyle22

@coliver said in Domain Logon Issues:

@wirestyle22 said in Domain Logon Issues:

@momurda said in Domain Logon Issues:

What does the DC say? Its logs may be overflowing with useful info

I checked the logs and the only errors I see are sync errors with Domain1--which is expected because it doesn't actually exist as stated above

So you should rip it out. Even if it doesn't exist you can remove it from your domain.

https://technet.microsoft.com/en-us/library/cc781245(v=ws.10).aspx

I will but I can't imagine that would cause this issue

momurda

In your OP, by ADSync do you mean the Azure AD Sync tool?

wirestyle22

@momurda said in Domain Logon Issues:

In your OP, by ADSync do you mean the Azure AD Sync tool?

Directory Link/ADSync

wirestyle22

On metadata cleanup: LDAP extended error message 0000208F: NameErr -- Object Name had bad syntax. ??? why

momurda

Is your email working correctly? Are all your domain computers authenticated correctly with your dc?

wirestyle22

@momurda said in Domain Logon Issues:

Is your email working correctly? Are all your domain computers authenticated correctly with your dc?

E-mail has been shakey as of late with syncing.Not all domain computers are working correctly. I cannot log into domain accounts on some PC's. It's weird. The local accounts works. I disconnected from domain, deleted local profile and reconnectted. Still nothing.

scottalanmiller

Local accounts would be expected to work.

momurda

And this Domain1 you mention, used to be a domain hosted on this dc but has been renamed or removed??

wirestyle22

@momurda said in Domain Logon Issues:

And this Domain1 you mention, used to be a domain hosted on this dc but has been renamed or removed??

I took over here a few weeks ago and BartleyDS1 was removed before I was here. It's still listed among the domains, but it doesnt exist.

momurda

@wirestyle22
Ok, you need to get on your DCs and look at the DNS. I bet that in your dns under Forward lookup zones for at least one of the DC is listed that non existent domain. Further i think that within that non existent dns domain is listed the pcs which are not available for logon.