Organizing AD causing issues


  • Organizing AD causing issues

    Hi

    I have a client who I am just in the process of "filing" their AD structure, so I can apply the GPOs to certain OUs.

    I have an OU for laptop users, with a GPO linked to it for various settings. Problem is, when I move the laptops from the default "Computers" location to the "Laptops" OU, as soon as the laptop leaves the corporate network it won't let anyone log in (not even admin) with the error "Cannot find computer on the domain".

    The only way I can solve this currently is to log on as local admin, change the computer name, unjoin and rejoin the domain.

    Why is this happening? I don't have this problem anywhere else that I am aware of?!

    Thanks

  • #2
    Re: Organizing AD causing issues

    On your GPO, do you have it set to cache logins on the workstation? You will need to set this in order for users to cache a login before leaving the corporate network, which will allow them to log on later outside of the network.
    MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+



    • #3
      Re: Organizing AD causing issues

      Like boondock said, use Group Policy Management Console to build a report of the current policies in place. You're bound to find the GPO setting causing this to occur.
      Please remember to leave positive reputation points (The Ying Yang Icon) if someone helps you.



      • #4
        Re: Organizing AD causing issues

        Originally posted by boondock View Post
        On your GPO, do you have it set to cache logins on the workstation? You will need to set this in order for users to cache a login before leaving the corporate network, which will allow them to log on later outside of the network.
        Yes, this has been set. I don't know where, but I know it's set because users have been doing this for ages.

        The default Computers OU and the new laptop OU don't currently have any GPOs linked to them, I was just sorting through in preparation for setting up the GPOs.

        There must be something doing this...but GP wise, the only thing I have manually set is a couple of WSUS ones.



        • #5
          Re: Organizing AD causing issues

          You can't apply policies to the Computers container (it's not an OU). Maybe look at policies further up the chain. Maybe they have been playing with the Default Domain Policy?
          Please remember to leave positive reputation points (The Ying Yang Icon) if someone helps you.



          • #6
            Re: Organizing AD causing issues

            Well, just looking now and there are only 3 GPOs linked above Computers.

            Default Domain
            Vista Policy
            Small Business Server Client Policy

            I've gone through all 3 and I can't see anything that is relevant. Apart from the absolute basic stuff like Password policy, Disable Welcome Screen and stuff like that.

            Driving me bonkers. Oh, told a lie, there is a GPO linked to the Laptops OU, but there's only 3 things set in it - Automatic Updates, and Windows Firewall Exceptions.

            This is the process:

            Laptop1 joined to the domain, appears in "Computers" and functions inside and outside of the network.

            Laptop1 moved into "Laptop" - still functions fine on the network.

            User takes laptop home, complains he can't log on. Remote control the laptop, can't even log in as domain admin (all logins tried have been previously working and cached) - Error about not being able to find the computer account.

            Laptop1 back on network, some can log back in, some can't. Ones that can log in stop as soon as they leave the network. Move Laptop1 back into Computers, no joy.

            Change Laptop1 to Laptop1a, unjoin/rejoin the domain, appears in Computers, works fine again.

            Move Laptop1a into Laptop, starts all over again...

            I appreciate this isn't really helpful. FWIW, everything is patched right up to date.



            • #7
              Re: Organizing AD causing issues

              If you go to Group Policy Management Console

              Group Policy Results

              Follow the wizard and select one laptop and a user with this problem. Does it show anywhere in the report that the laptop must have contact with a DC to allow logon? Anything about cached logons?

              Maybe save and upload the report here?

              Maybe local policies?

              Start > Run > gpedit.msc

              Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

              Interactive logon: Number of previous logons to cache (in case domain controller is not available)
              Last edited by ]SK[; 9th August 2008, 00:22.
              Please remember to leave positive reputation points (The Ying Yang Icon) if someone helps you.



              • #8
                Re: Organizing AD causing issues

                I don't think this is an issue with cached profiles. The error he is receiving isn't right.

                With cached profiles off you get something like "there is no domain controller available"

                Look at the Event Logs on the client and then the DCs, see if there's anything about replication errors when moving Computer accounts.
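
The client-side checks suggested in posts #7 and #8 (cached-logon setting, policy report, event logs), gathered into one script. This is an added example, not part of any post in this thread; the function names and the seven-day window are assumptions, and it is meant to be run elevated on the affected laptop while it can still reach the domain controller.

```powershell
# Added example (not from the thread). Function names are illustrative.

function Get-CachedLogonSetting {
    # "Interactive logon: Number of previous logons to cache" is stored here as a string.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v)  { return 'CachedLogonsCount not present' }
    if ([int]$v -eq 0) { return '0: cached logons disabled, offline logon will fail' }
    return "$v previous logons cached"
}

function Get-SecureChannelState {
    # Checks the trust relationship (secure channel) between this computer and its domain.
    try   { if (Test-ComputerSecureChannel -ErrorAction Stop) { 'healthy' } else { 'broken' } }
    catch { "could not be tested: $($_.Exception.Message)" }
}

function Get-ComputerAccountDN {
    # Shows which container or OU the directory currently reports for this machine.
    try {
        $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
        $hit = $searcher.FindOne()
        if ($hit) { $hit.Properties['distinguishedname'][0] } else { 'computer account not found' }
    } catch { "directory lookup failed: $($_.Exception.Message)" }
}

function Get-RecentLogonChannelEvents {
    param([int]$Days = 7)
    # Errors (2) and warnings (3) from the System log, narrowed to Netlogon and LSA sources.
    $filter = @{ LogName = 'System'; Level = 2, 3; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'NETLOGON|LsaSrv' } |
        Select-Object TimeCreated, ProviderName, Id, Message
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    CachedLogons  = Get-CachedLogonSetting
    SecureChannel = Get-SecureChannelState
    AccountDN     = Get-ComputerAccountDN
} | Format-List

Get-RecentLogonChannelEvents | Format-Table -AutoSize -Wrap

# Computer-scope Resultant Set of Policy report as HTML.
gpresult /scope computer /h "$env:TEMP\gpresult-computer.html" /f
```

Running it once before the computer account is moved and once after gives two outputs that can be compared line by line.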



                • #9
                  Re: Organizing AD causing issues

                  Yeah, that isn't the error I'm getting - I've had that one before. Can't remember exact wording but it's something along the lines of "Can't find the Computer Account".

                  Replication...? There is only one DC. It's almost like I am moving the Computer Account and it's not looking anywhere else except the Computer's Container, and/or the Computer Account gets corrupted.

                  Reason I think this is because I have to change the computer name before I can even unjoin/rejoin the domain, otherwise I get the same error.

                  I have moved several Computer Accounts (actual desktops and 1 or 2 laptops that don't leave the network) into another OU I created called "Workstations" (for WSUS GPO) and they work fine, no such issues...

                  For the time being I can designate 1 user to test moving in and out of the OUs, but I don't even know what to test.

                  Can't see anything of relevance on the DC event logs, I don't have access to a client this weekend but I will look.

                  Thanks for the continued suggestions.



                  • #10
                    Re: Organizing AD causing issues

                    Please post the exact error message first chance you get.

                    Also, have you tried moving a laptop out of the laptop OU to see if a user can log on then?
                    MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+



                    • #11
                      Re: Organizing AD causing issues

                      I will make a point of recreating this as soon as I can and posting the message.

                      And yes, I have tried that (i.e. moving the laptop back into the default Computers container) - doesn't work.



                      • #12
                        Re: Organizing AD causing issues

                        Try to reset the computer account in AD.
                        Should solve most problems involving unidentified computers, could be just a specification was changed on the computer and the computer name needs to be reverified.
                        Reset is simply right-clicking the computer account and reset.



                        • #13
                          Re: Organizing AD causing issues

                          I have tried this also, sorry I forgot to mention it.
