Logging on AD problem

mostarx1

Hello

I have a problem with logging on to the AD domain. I have six branch offices with
20 computers at each office and 50 users at the central location.
At the central location there are two DCs installed. In each branch office one DC
is installed.
All computers use the two DCs at the central location as their DNS. Each office in
AD is configured as a specific site with its own subnet.
The problem is that I have a specific number of users who can't log on to the
domain. When they try to log on to the domain they get the message "Windows
cannot connect to the domain, either because the domain controller is down
or otherwise unavailable, or because your computer account was not found."
One solution to the problem is when I remove those users from the domain,
then change the computer names, and after that put them back in the
domain. After that it works, but it's the hard way.

If there is anyone who could help me with this problem in some other, easier
way, please contact me by mail (e-mail address removed).
 
Herb Martin

mostarx1 said:
> Hello
>
> I have a problem with logging on to the AD domain. I have six branch offices with
> 20 computers at each office and 50 users at the central location.
> At the central location there are two DCs installed. In each branch office one
> DC is installed.

Which are GCs?

In general you need a GC (or more) in each SITE. With a single domain
forest every DC should be a GC.

Failure to contact a GC will account for failure to log on.

> All computers use the two DCs at the central location as their DNS.

You should replicate DNS to each Site (AD Integrated works best) and
set a local DNS(-DC) as the PREFERRED.

Failure to resolve with DNS will cause failure to authenticate and to
reach internal resources.

> Each office in AD is configured as a specific site with its own subnet.

Good.

And we must assume you have sufficient SiteLinks with all DCs located
in the correct Site (AD Sites and Services).

> The problem is that I have a specific number of users who can't log on to the
> domain. When they try to log on to the domain they get the message "Windows
> cannot connect to the domain, either because the domain controller is down
> or otherwise unavailable, or because your computer account was not found."

Presuming you have previously joined the computers to the domain, this is
USUALLY a DNS problem.

It might also be a firewall filtering or time sync issue, but DNS is the
largest reason by far.

> One solution to the problem is when I remove those users from the domain,
> then change the computer names, and after that put them back in the
> domain. After that it works, but it's the hard way.

That should never be done or necessary. Even removing COMPUTERS
from a domain is frowned upon (deprecated) today, as RESET is preferable
when practical.

> If there is anyone who could help me with this problem in some other,
> easier way, please contact me by mail (e-mail address removed).

Check the things mentioned above.

Show us the "IPConfig /all" from a "problem PC" and the local DC. Run
DCDiag on every DC and ensure there are no WARN or FAIL messages,
or post the unedited text of the output here.

Every PC (including DC) must use STRICTLY the INTERNAL DNS
that can resolve the AD records in your DNS zone, but you seem to
indicate that is the case.

You must NOT mix in the ISP or some firewall/gateway that can't resolve
internal names.
 
Paul Bergson [MVP-DS]

I would recommend you integrate DNS with AD and provide local DNS services
to the local machines; for secondary DNS, point to the central location. If
you have only a single domain, then elevate all your DCs to GCs. Otherwise,
if you have multiple domains in the forest, you need to either make sure all
DCs are GCs or make sure the Infrastructure Master FSMO role isn't a GC.

On a machine that is having problems, post the ipconfig /all as well as the
following.

Run diagnostics against your Active Directory domain.

If you don't have the tools installed, install them from your server install
disk:
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode:
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (on each DC)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

If you download a GUI script I wrote, it should be simple to set up and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in Notepad text files that pop up automagically.

The script is located in the download section of my website at
http://www.pbbergs.com

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the
default settings for dcdiag as set when selected.)

When complete, search for fail, error and warning messages.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
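A client-side check that walks the four causes named in the two replies above (internal DNS resolving the DC SRV records, a reachable GC for the site, clock skew, and a broken secure channel that wants a reset rather than a rejoin). It is an added example, not code from either poster; it assumes a domain-joined Windows 8/Server 2012 or later client with the DnsClient cmdlets, and takes the AD DNS name from $env:USERDNSDOMAIN unless -Domain is given.

```powershell
# Added example, not code from the thread. Assumes a domain-joined Windows 8/2012+
# client with the DnsClient module; $Domain defaults to the client's AD DNS domain.
param([string]$Domain = $env:USERDNSDOMAIN)
$problems = @()

# 1. DNS: every configured server must resolve the DC locator SRV records.
#    An ISP or gateway resolver listed here is the usual cause of the error.
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
foreach ($srv in $servers) {
    try {
        $rec = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $srv -ErrorAction Stop
        $dcs = ($rec | Where-Object Type -eq 'SRV').NameTarget -join ', '
        Write-Host "DNS $srv OK -> DCs: $dcs"
    } catch {
        $problems += "DNS server $srv cannot resolve _ldap._tcp.dc._msdcs.$Domain"
    }
}

# 2. DC locator: which DC and site the client ends up with, and whether a
#    global catalog is reachable (no GC for the site means no logon).
$loc = nltest /dsgetdc:$Domain /force 2>&1
if ($loc -match 'failed') { $problems += "DC locator failed: $loc" }
else { $loc | Where-Object { $_ -match '^\s*(DC|Our Site Name|Dom Site Name|Flags):' } }
if ((nltest /dsgetdc:$Domain /gc 2>&1) -match 'failed') { $problems += 'No global catalog reachable' }

# 3. Time: Kerberos rejects clients more than 5 minutes off the DC clock.
$dc = ($loc | Where-Object { $_ -match '^\s*DC:' }) -replace '.*\\\\', ''
if ($dc) {
    $line = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1 |
        Select-String '([+-]\d+\.\d+)s' | Select-Object -First 1
    if ($line -and [math]::Abs([double]$line.Matches[0].Groups[1].Value) -gt 300) {
        $problems += "Clock skew to $dc exceeds 5 minutes"
    }
}

# 4. Secure channel: a broken machine account password is fixed by a reset,
#    not by removing the computer from the domain and rejoining it.
if (-not (Test-ComputerSecureChannel)) {
    $problems += 'Secure channel broken; run: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No logon blockers found on this client.' }
```

Run it from an elevated prompt on a "problem PC"; each warning maps to one of the checks above, and the secure-channel repair is only suggested, not executed.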
 