Can't authenticate to DC?

SephStorm Member Posts: 1,731 ■■■■■■■□□□
I've got a PC at work running Vista, and it seems to have fallen off the domain. I went and took a look: the machine had IP connectivity, but in Network Connections it showed "domain"2 (unauthenticated). I had never seen such a thing, but I continued the troubleshooting process, removed it from the domain, reset the account in AD and attempted to re-add it. It doesn't seem to be contacting the DC; it claimed my credentials were wrong several times and never locked the account like it would have had I actually put in the wrong creds. Luckily I had an alternate way of joining it, and when I tried to do so, it came up with the message "no logon services available to service the request".

We renamed the PC and re-added the entry in AD, but no luck. It can access the internet, and it can ping the DC; it just won't authenticate. Also, the user can't log in locally with their offline profile. Unfortunately the error message itself seems to pop up on different issues, so Google hasn't been any help so far.

Ideas? We figure it's a software issue and we are ready to re-image the machine, which should solve the problem, but we would obviously prefer not to if possible.

Comments

  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Start with DNS.
  • brad- Member Posts: 1,218
    I had a problem like this that wound up being related to Symantec EP. I uninstalled it, rejoined, then reinstalled it....but like D said, DNS/DC connectivity from safe mode...then reimage before you spend too long on it.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    AD trust relationships are a complicated thing when you start looking at the protocol exchanges between domain member and domain controller. As dynamik mentioned, start with DNS. There are other dependencies though, like time (should be within five minutes of the DC clock by default, although I don't recall this being an issue during domain joins), RPC, SMB / CIFS connectivity, and LDAP (both connection and connectionless). There's more, like Kerberos, accounting for all the "high" ports dynamically negotiated via the RPC endpoint mapper port (TCP 135), etc.

    Make sure services like Netlogon are running, and while this technically is no longer relevant based on some things I've read in the past couple of years, try changing the SID of the machine using NewSID just to see if it bumps anything in the OS to help things out. And as brad- mentioned, check for firewall / HIDS settings which might be blocking traffic.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • phoeneous Member Posts: 2,333 ■■■■■■■□□□
    Also check the clock, if it is off from the DC that might cause a problem.
  • rsutton Member Posts: 1,029 ■■■■■□□□□□
    Are you sure the computer is configured with correct DNS settings? I've run into this problem before and DNS was the problem.
  • Devilsbane Member Posts: 4,214 ■■■■■■■■□□
    phoeneous wrote: »
    Also check the clock, if it is off from the DC that might cause a problem.

    Greater than 5 minutes by default. Verify the timezone.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    phoeneous wrote: »
    Also check the clock, if it is off from the DC that might cause a problem.

    As others have said, DNS and time seem to be the most common causes. As for the time issue, just resetting the clock will not work if the time zone is off.
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    I'll put $100 down on the client firewall.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    I'll check those when I go back to work. I remember specifically checking the DNS servers, and switching them around. I also set the DNS settings to DHCP; no luck. I didn't specifically check the clock, but what would cause the clock to simply change its time? Even when a PC is off or disconnected, I've never seen one lose time, unless the CMOS battery was on its last leg.
  • gateway Member Posts: 232
    SephStorm wrote: »
    I didn't specifically check the clock, but what would cause the clock to simply change its time? Even when a PC is off or disconnected, I've never seen one lose time, unless the CMOS battery was on its last leg.

    The crystal clock chip on a mainboard can start to go faulty. I have seen a PC's time increase in speed; every day it would be 5 mins fast even though it was corrected each day.

    How does your client PC get DNS settings? If it's via DHCP and other clients are working, I would be looking at the firewall. Can you telnet to the appropriate ports on the DC from the client PC? Anything in the AV logs or eventvwr?
    Blogging my AWS studies here! http://www.itstudynotes.uk/aws-csa
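    An added example (not posted by anyone in this thread) that scripts the checks docrice and gateway describe above: the DC locator SRV record in DNS, the TCP ports a join and logon need on the DC, the clock offset against the DC itself, and the Netlogon service. The domain and DC names are placeholders; it assumes PowerShell 5.1 on a Windows 8.1 or later client, so on the Vista box in question the same checks would be done with nslookup, telnet and w32tm by hand.

```powershell
# Added diagnostic script, not from the forum thread. Run on the client that fails to join.
# Assumptions: PowerShell 5.1 (Resolve-DnsName / Test-NetConnection), placeholder names below.
param(
    [string]$Domain = 'corp.example.com',     # placeholder: AD DNS domain name (use the FQDN)
    [string]$DC     = 'dc01.corp.example.com' # placeholder: a domain controller in that domain
)

# 1. DNS: clients locate DCs through the _ldap._tcp.dc._msdcs.<domain> SRV record.
#    If the client's DNS servers cannot answer this, the join fails before any auth happens.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $targets = ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
    "DC locator SRV OK: $targets"
} else {
    "DC locator SRV lookup FAILED: point the client's DNS at the AD DNS servers first"
}

# 2. Ports on the DC used by the join / logon path (docrice's RPC, SMB, LDAP, Kerberos list).
#    Ping succeeding while 135/389/445 are closed is the classic host-firewall or HIDS symptom.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
            445 = 'SMB'; 464 = 'Kerberos kpasswd'; 3268 = 'Global Catalog' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $DC -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED/closed' }
    '{0,5} {1,-20} {2}' -f $p, $ports[$p], $state
}

# 3. Time: Kerberos rejects requests when clocks differ by more than the 5 minute default skew.
#    Compare against the DC, not a wristwatch; the last line of /dataonly output is the offset.
$skew = w32tm /stripchart /computer:$DC /samples:1 /dataonly 2>$null | Select-Object -Last 1
"Clock offset vs ${DC}: $skew"

# 4. Netlogon sets up the machine's secure channel; if it is stopped nothing above will help.
$svc = Get-Service -Name Netlogon
"Netlogon service: $($svc.Status)"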
  • willhi1979 Member Posts: 191
    Can you ping the DC by IP and Name? You might need to flush the DNS Cache on the system as well. If you can't ping it, it sounds like incorrect network settings, firewall, root kit, or something else preventing the connection. A Packet Trace on the client or DC would show if the packets are getting there and coming back.
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    lol, I'll check all that tomorrow. I have the day off, but I don't mind a little extra work. ;)
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    Well, I checked all the suggestions I could remember (TE is blocked at work). Nothing. The clock is about 10 seconds off from my watch, the time zone is correct, the DNS servers are correct, and the client can ping the DC by name or IP.

    I was advised to look in the event viewer, but it only brought up more questions. I won't go into details, but nothing that seems to definitively tell us what is going on. I've got one more thing to try in the morning, then the user demands his PC back, so we will likely re-image.

    *sighs*

    *sleeps*
  • phoeneous Member Posts: 2,333 ■■■■■■■□□□
    SephStorm wrote: »
    The clock is about 10 seconds off from my watch, Time zone is correct.

    Yeah, but your watch could be wrong. Is the clock within a few seconds of the DC's? And you said that the PC was once a member of the domain? Has that object been removed already? I wonder if the SID is still the same and causing an issue.
  • JBrown Member Posts: 308
    The clock should not matter much at this point, since it's not domain joined anymore.
    I would try:
    check if the DC with the PDC role is running
    log in to the PC with a local Admin account
    join the PC to the domain with Domain Admin account privileges
    use the FQDN [contoso.com] instead of the NetBIOS [contoso] name
    disable antivirus/firewalls