Weird AD problem - Machine Banned from it?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Weird AD problem - Machine Banned from it?

    Hi everyone. I have been searching through the net about a problem I am facing right now, and this forum has been so far the greatest I have found, but still, with everything I have done with the information found in the many posts, my problem persists.

    Here's the info on my scenario.

    I have an AD domain, with 1 PDC and 3 BDCs, Windows 2003 Server Enterprise R2, and about 250 machines joined to my domain. My network is divided so my server network is in one subnet, and the many departments of the building are each separated in their own subnet. This is managed with VLAN-capable switches, and everything was working really nice and fast until about one or two weeks ago.

    3 machines of one particular subnet began to go extremely slow in the login process, about 10 minutes to enter the domain. So the IT support reinstalled, from zero, the OS (WinXP by the way), and it was impossible to rejoin the machine to the domain. Before formatting, the machine was separated from the domain to prevent a duplicated name and to make a clean "separation" from the domain. The other 2 machines were disjoined from the domain too, and now cannot be joined, like the other one.

    I get errors of Userenv 1030 and 1048 in my clients, and Netlogon 5722, 4 in my PDC. The message when you try to join is "The network path is no longer available", and the first thing that came to my mind was: DNS problem. But my DNS is ok... machines can resolve my domain with no problem, nslookup resolves correctly and netdiag shows me no errors.

    I have checked almost every factor of the equation; this is, among other things, what I have done so far:

    - Checked the computer accounts. They don't exist previous to the join.
    - Checked the status of the DNS of my domain. Everything is ok, I can ping the domain name, nslookup resolves my 4 servers as part of the domain.
    - Checked permissions on my gpt.ini. Everything is fine in there.
    - Checked my domain with dcdiag and netdiag, they show no errors.
    - Checked my firewall and switch configuration, there is no policy restricting those machines.
    - Have tried almost everything mentioned in these forums, with no luck.

    I know this seems rather simple; I have seen and tried the solutions posted in this forum.

    Now, here comes the weirdest thing:

    The machine cannot join the domain... I am fine with that, but if I put another machine, with the same IP configuration, same port on the switch, same subnet and VLAN, and even with the same NIC (I put in another NIC to be sure), it joins the domain right away. Now, the troubled machine CAN join the domain in any subnet but the original one where the problem began.

    So, if I try to join the troubled machine, let's call it machinex, in subnetwork A, it is impossible. If I try to join machinex in subnetwork B, C, or D, it joins with no problem. If I try to join machinez, which means any machine of the building, in subnetwork A, or any other network, it joins with no problem. And, in any case, using any of the NICs installed on the machines.

    It seems like those 3 machines, in combination with that network segment, are prevented from joining the domain, but I cannot see the logic behind that. The network has no restriction in traffic, you can join or disjoin from the domain with any machine in that subnet. And the 3 machines can join lightning fast in any other network. It's really weird and I am really lost here.

    It would be rather easy to leave those machines in another subnet, I am aware of that, but I cannot leave this problem there; it might become a great threat in the future if this becomes a problem in other machines of the domain.

    I am hoping someone can give me some light here, maybe someone has faced this problem before and has resolved it, and I would really appreciate any help you guys can give me.

    If it is necessary to provide more information, please tell me.

    Thanks in advance!
    Last edited by jmena; 26th September 2008, 17:21.

  • #2
    Re: Weird AD problem - Machine Banned from it?

    Are those XPs w/SP3 by any chance?
    If so, try this patch release; I had something similar that was fixed by that patch.

    http://support.microsoft.com/kb/953761/

    Oh, and check on those XPs that they get the full DHCP configuration by typing ipconfig /all on the XP machines.
    Check on those XPs that the DNS is giving results (even though ipconfig would show that it has a DNS server, it still doesn't function).
    Try joining those machines maybe by using the NetBIOS domain name and the DNS domain name and see if it helps.
    If that doesn't help, then try uninstalling SP3 and see if it helps.

    Overall it seems your domain is in perfect shape and it is not related to your AD but Machines vs Switches/Catalyst.
    Last edited by Akila; 26th September 2008, 13:56.



  • #3
    Re: Weird AD problem - Machine Banned from it?

    Originally posted by Akila
      Are those XPs w/SP3 by any chance?
      If so, try this patch release; I had something similar that was fixed by that patch.
      http://support.microsoft.com/kb/953761/
    Thanks for your reply, Akila! Well, I have already tried with both service packs, but I will see if your link can help me solve this.

    Originally posted by Akila
      Oh, and check on those XPs that they get the full DHCP configuration by typing ipconfig /all on the XP machines.
      Check on those XPs that the DNS is giving results (even though ipconfig would show that it has a DNS server, it still doesn't function).
      Try joining those machines maybe by using the NetBIOS domain name and the DNS domain name and see if it helps.
      If that doesn't help, then try uninstalling SP3 and see if it helps.
    I have tried that too, static and dynamic IP address, and DNS resolves the domain as it should, no problem there. Another thing: if I try to join with the NetBIOS domain name, it joins normally - or so it seems, but then again the machine enters the domain extremely slowly, like 10 or 15 minutes, with errors in Userenv as I posted before.

    Originally posted by Akila
      Overall it seems your domain is in perfect shape and it is not related to your AD but Machines vs Switches/Catalyst.
    What has me lost is the fact that I can join the domain with other machines using: the same physical port, the same switch, same VLAN, same NIC (meaning, same MAC address), same IP configuration, I mean, the same overall network configuration. But for some reason it doesn't work with those machines. It is like AD has a fingerprint of those machines combined with that subnet, and as far as I know AD doesn't work that way.

    I will try your suggestions, Akila, and I will let you know. Thanks!
    Last edited by jmena; 26th September 2008, 17:22.



  • #4
    Re: Weird AD problem - Machine Banned from it?

    Well, so far I still have the problem. I have tried both service packs and the hotfix as suggested. Hope I can find the solution soon...



  • #5
    Re: Weird AD problem - Machine Banned from it?

    Originally posted by jmena
      What has me lost is the fact that I can join the domain with other machines using: the same physical port, the same switch, same VLAN, same NIC (meaning, same MAC address), same IP configuration, I mean, the same overall network configuration. But for some reason it doesn't work with those machines. It is like AD has a fingerprint of those machines combined with that subnet, and as far as I know AD doesn't work that way.
    I wonder, if you do a fresh install of XP (not a ghost image) on those machines and place them on the problematic VLAN/ports/etc., whether you would be able to join them in?
    BTW, were those machines duplicated by using some kind of imaging system?
    Maybe before you test a fresh install on those machines, try running sysprep just to zero out all the SID information, etc., and delete the computer account from the AD before you try and rejoin the XP machine back into the domain.



  • #6
    Re: Weird AD problem - Machine Banned from it?

    Yes, Akila, it is a fresh install, from zero, no ghost machines. I have even tried to generate another SID for those machines and still cannot join properly, from that subnet and those machines specifically. I have deleted the machine accounts too, the ones that existed (because we separate, when it is possible, the machines from AD previous to formatting the hard drive).

    This is really driving me nuts. I have discarded a network problem, but my AD never gave me any big trouble like this...



  • #7
    Re: Weird AD problem - Machine Banned from it?

    Try these steps:
    - First check that your problem machines can ping your DNS server
    - Use ipconfig /flushdns
    - Then ipconfig /registerdns
    - Ping your domain controller and DNS, and check your IP again
    - If you get a ping reply from DC & DNS
    - Join the computer to the domain

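    The sequence in post #7, plus the ipconfig /all and DNS checks from post #2, written out as a PowerShell script. This is an added example, not code posted by anyone in this thread. Beyond the thread's steps it adds the two checks a defender would want before retrying a failing join: the DC Locator SRV lookup (pinging the domain name proves less than that) and a search for a stale computer account with the same name, which is the usual cause behind Netlogon 5722 on the DC. Assumed, not from the thread: PowerShell 3.0+ on the client run elevated (so not the XP boxes in the thread; the same commands exist there via nslookup, nltest from the Support Tools and the System Properties dialog), nltest.exe present, and the placeholder domain name corp.example.local.

```powershell
<#
  Added example, not code from the thread. Runs post #7's pre-join sequence as a script and
  adds two checks a defender wants before retrying a failing join: the DC Locator SRV lookup
  and a search for a stale computer account (the Netlogon 5722 case).
  Assumptions: PowerShell 3.0+ on the client, run elevated; nltest.exe present (built in since
  Windows Vista); $DomainFqdn below is a placeholder, not a name from the thread.
#>
param(
    [string]$DomainFqdn = "corp.example.local",   # placeholder domain name
    [switch]$Join                                 # only attempt the join when asked
)

function Get-ClientDnsServers {
    # DNS servers learned by every IP-enabled adapter, DHCP or static (post #2's ipconfig /all check).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object { $_.DNSServerSearchOrder } |
        Where-Object { $_ } | Select-Object -Unique
}

function Test-DnsServersReachable {
    $servers = @(Get-ClientDnsServers)
    if ($servers.Count -eq 0) { Write-Warning "No DNS servers configured"; return $false }
    $allOk = $true
    foreach ($s in $servers) {
        $ok = Test-Connection -ComputerName $s -Count 2 -Quiet
        Write-Host ("DNS server {0,-15} reachable: {1}" -f $s, $ok)
        if (-not $ok) { $allOk = $false }
    }
    return $allOk
}

function Get-DomainControllersFromSrv {
    # The join locates DCs through this SRV record; pinging the domain name proves less than this.
    $srv = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    $dcs = @()
    foreach ($line in (& nslookup -type=SRV $srv 2>$null)) {
        # nslookup prints one "svr hostname = dc1.corp.example.local" line per DC
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $dcs += $Matches[1] }
    }
    return $dcs
}

function Test-DomainControllerReachable {
    # nltest asks the DC Locator the same way the join wizard does.
    & nltest /dsgetdc:$DomainFqdn | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "DC Locator found no DC for $DomainFqdn"; return $false }
    $dcs = @(Get-DomainControllersFromSrv)
    if ($dcs.Count -eq 0) { Write-Warning "No SRV records for $DomainFqdn"; return $false }
    foreach ($dc in $dcs) {
        $ok = Test-Connection -ComputerName $dc -Count 2 -Quiet
        Write-Host ("DC {0,-40} reachable: {1}" -f $dc, $ok)
    }
    return $true
}

function Test-ExistingComputerAccount {
    # A leftover account with this machine's name must be deleted or reset before the join
    # (otherwise the client's new password never matches, and the DC logs Netlogon 5722).
    # Bind with explicit domain credentials because this client is not joined yet.
    param([System.Management.Automation.PSCredential]$Credential)
    $root = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList `
        "LDAP://$DomainFqdn", $Credential.UserName, $Credential.GetNetworkCredential().Password
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
    $hit = $searcher.FindOne()
    if ($hit) { Write-Warning "Computer account already exists: $($hit.Path)"; return $true }
    return $false
}

# --- post #7's order, with the extra checks in between ---
if (-not (Test-DnsServersReachable)) { exit 1 }
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null     # harmless before the join; it is what refreshes stale A records after it
if (-not (Test-DomainControllerReachable)) { exit 1 }

$cred = Get-Credential -Message "Account permitted to join computers to $DomainFqdn"
if (Test-ExistingComputerAccount -Credential $cred) {
    Write-Warning "Remove or reset the stale account on a DC first (ADUC or netdom reset), then rerun."
    exit 1
}
if ($Join) {
    Add-Computer -DomainName $DomainFqdn -Credential $cred
    # After the reboot, confirm the secure channel that Netlogon 5722 complains about:
    #   nltest /sc_query:$DomainFqdn
}
```

    Run it once without -Join to see which step fails on the problem subnet, then again on a working subnet (the thread's own A/B/C/D comparison); a difference in the SRV answer or in which DC the Locator hands back between the two runs is exactly the kind of per-subnet clue the posters were missing. The script file name is up to you; it is not something from the thread.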


  • #8
    Re: Weird AD problem - Machine Banned from it?

    Originally posted by ahmer_sahab
      Try these steps:
      - First check that your problem machines can ping your DNS server
      - Use ipconfig /flushdns
      - Then ipconfig /registerdns
      - Ping your domain controller and DNS, and check your IP again
      - If you get a ping reply from DC & DNS
      - Join the computer to the domain
    He has already done all of that.
    Too bad you did not read the post all the way through.
    It is only the combination of the 3 machines on those specific ports that has the problem; if you break either one of those combinations/links (either a different port with the same machine or a different machine on the same problematic port), everything works fine.

    It's not an AD problem (as far as I can tell), as the machines could join the AD on other ports, and other machines can join the domain on those problematic ports.

    I am out of ideas; maybe try swapping NICs between machines (which I think you already did).
    Or maybe try and configure those problematic ports on a different VLAN and see if it is machine/port related or machine/VLAN related.
    Last edited by Akila; 27th September 2008, 12:51.



  • #9
    Re: Weird AD problem - Machine Banned from it?

    I think Akila is right, you should focus more on the switches than the AD.



  • #10
    Re: Weird AD problem - Machine Banned from it?

    Originally posted by Akila
      He has already done all of that.
      Too bad you did not read the post all the way through.
      It is only the combination of the 3 machines on those specific ports that has the problem; if you break either one of those combinations/links (either a different port with the same machine or a different machine on the same problematic port), everything works fine.

      It's not an AD problem (as far as I can tell), as the machines could join the AD on other ports, and other machines can join the domain on those problematic ports.

      I am out of ideas; maybe try swapping NICs between machines (which I think you already did).
      Or maybe try and configure those problematic ports on a different VLAN and see if it is machine/port related or machine/VLAN related.
    That's right, Akila, I am totally lost too; I have tried everything and the problem is still there. Right now I am sending those machines to another network as a temporary measure. What I still cannot figure out is why the machines can join in any other network, and why other machines, even using the same NIC and general network configuration, can join on those physical ports / VLAN.

    I will keep trying to figure it out, but then again my servers and switches seem ok. I will let you know of any change, and I am still open to ideas to try.

    Thanks!
