I am ripping my hair out...... Please help!
Posted by Initial-Expression91@reddit | sysadmin | 17 comments
I newly manage a hybrid 365 environment with an old traditional RDS setup, and a new Hyper-V based VDI setup we are migrating to.
Last week on Friday, one of the DCs took a shit and a lot of people randomly started getting "logon attempt failed" when trying to connect to the old RDP setup, and also randomly getting the "Windows needs your current credentials" pop up on their laptops and simultaneously losing shared drive access until they lock and re-login with their password instead of their Windows Hello PIN.
I spun up two new DCs, moved DHCP, FSMO, and all that good stuff over to the new ones. The old ones were decommed properly, and ruminants cleaned up as far as I can tell, DNS servers were updated on all scopes, and on all static IP servers.
The logon request failed issue seemed to only be happening on the old RDS setup, so this morning since we were ready to migrate anyway, we mass moved everyone over to the new VDI setup, and now this afternoon a few users are randomly getting the same logon attempt failed error..... on their devices Test-ComputerSecureChannel returns True, nltests all return good....
I cannot figure out wtf I am missing. I checked certs and everything I can think of. This is literally going to kill me...
Does anyone have any ideas???
azo1238@reddit
Flush that DNS
Initial-Expression91@reddit (OP)
Done that on everything 100x along with reboots and everything else I can think of
azo1238@reddit
If you do an NSLookup from those machines does it resolve properly? Can you ping the new DCs from those troubled machines?
Initial-Expression91@reddit (OP)
Yes and yes
azo1238@reddit
And you can see those machines in AD?
Initial-Expression91@reddit (OP)
Yep sure can. I've been through all the basics over and over again.
azo1238@reddit
Yea sounds like you did all the routine checks. Only other things I could think of would be duplicate PCs of the same name in AD. Time sync / time zones are off between the PCs and DCs or some firewall issue.
Initial-Expression91@reddit (OP)
Ended up enabling NTLM fallback via GPO and pushing it out. That solved the issue.
mangonacre@reddit
I spent my first career as a zookeeper cleaning up after ruminants, but I have to say this is the first time I've seen them mentioned re: my current career! My favorites were rhinos and bongos.
(Sorry couldn't resist. I don't have any suggestions to help, but hoping a little chuckle will help ease the pain somewhat. Good luck!)
Aggravating-Sock1098@reddit
Give IPv4 priority over IPv6.
Initial-Expression91@reddit (OP)
This....
WhyDoIWorkInIT@reddit
Have you done the super basic stuff, before going down the rabbit hole? Check users don't have anything saved in credential manager? Drop and rejoin the machine to the domain?
Initial-Expression91@reddit (OP)
Yeah I have. Nothing in cred manager, and a disjoin/rejoin didn't fix it. It seems to just work when it wants to. Without any reboots or anything on either side it'll start working randomly for somebody that it hasn't worked for and then quit working again later on. It's the most irritating problem I've ever come across.
WhyDoIWorkInIT@reddit
Down one of the domain controllers. You mentioned 2, if one is buggered, this may be the cause, machines randomly picking the other suddenly work or don't.
Initial-Expression91@reddit (OP)
Both of them that are running are brand new now. I replaced both of the old ones. Dcdiag on both shows no replication errors or anything. It appears they are both functioning normally.
WhyDoIWorkInIT@reddit
Appears, but worth a test... Also, as the old haiku says... It's not DNS / There's no way it's DNS / It was DNS
Initial-Expression91@reddit (OP)
I'm sure it's DNS I just can't figure out how. No adapters have DNS servers set to either old DC and nothing in DNS manager has anything related to either old DC or their IP addresses. 😭
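As an added check (not code from the thread), the PowerShell below runs the things raised above from a troubled client: it compares the DC locator SRV records the client resolves against the DCs the domain actually has, so a decommissioned DC still advertised under _msdcs stands out, forces the DC locator cache to refresh, and measures clock skew against each live DC, since Kerberos fails past the default 5-minute tolerance and an NTLM fallback GPO only hides that failure. It assumes the RSAT ActiveDirectory module is installed and the script runs on a domain-joined machine.

```powershell
# Added example for this thread, not the OP's own tooling.
# Assumes RSAT ActiveDirectory module is present on a domain-joined client.
Import-Module ActiveDirectory -ErrorAction Stop

$domain = (Get-ADDomain).DNSRoot

# 1. DCs the domain itself knows about.
$liveDcs = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

# 2. DCs this client is told about through the locator SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$advertised = $srv | Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } | Sort-Object -Unique

$stale = $advertised | Where-Object { $liveDcs -notcontains $_ }
if ($stale) {
    Write-Warning "SRV records still advertise DCs that no longer exist: $($stale -join ', ')"
} else {
    Write-Host "Locator SRV records match live DCs: $($liveDcs -join ', ')"
}

# 3. Which DC does this client actually pick? /force bypasses the cached answer.
nltest "/dsgetdc:$domain" /force

# 4. Clock skew against each live DC (Kerberos default tolerance is 300 s).
#    w32tm prints one sample line like "12:00:00, +00.0123456s"; locales that
#    use a decimal comma will simply not match the regex below.
foreach ($dc in $liveDcs) {
    $line = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
    if ($line -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        if ($skew -gt 300) {
            Write-Warning "$dc clock skew ${skew}s exceeds Kerberos tolerance"
        } else {
            Write-Host "$dc skew ${skew}s OK"
        }
    } else {
        Write-Warning "Could not read time from $dc (unreachable or blocked UDP 123?)"
    }
}

# 5. Secure channel: -Verbose names the DC the channel is established with.
Test-ComputerSecureChannel -Verbose
```

Run it on a client while the error is occurring and again once it "randomly" works; a different DC from step 3, or a stale host in step 2, is the pattern to look for.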