1

The Setup

I have a single on-prem Active Directory domain. The domain is configured with 3 AD sites, each with a global catalog domain controller. Site A is the main hub, and Site B and Site C are the satellites. I am located at Site A.

The Problem

I am unable to log onto an RDP session at any of the servers at Site B, using domain credentials. RDP connects, but the credentials I use fail to logon.

No error message other than "The credentials that were used to connect to ... did not work."

I've no problems RDP-ing to any servers -- DC or members -- at Site C.

No users at Site B experience any issues with connectivity to domain resources. Likewise, no users travelling from Site A to Site B experience any access or permissions issues. Don't typically get users travelling the other way.

A domain controller was recently demoted and decommissioned at Site B. The problems started shortly thereafter.

Rebooting the DC and member servers at Site B fixes the issue. But the problem usually re-occurs a week later.

The Investigation (so far)

The domain creds being used are correct. The account is not locked or disabled, and it has the appropriate permissions for RDP.

DNS resolves all Site B server hostnames to the correct IP addresses. I can ping all the servers at Site B. And I can telnet to all servers at Site B over ports 53, 135, 139, 389, 3389.

I can RDP and log onto member servers at Site B, but only when using local server creds, not domain creds. And, having logged onto a member server at Site B, I can then open and log onto RDP sessions to all other servers at that site, including the DC, using domain creds -- but only from that member server.

Thinking it might be related to AD replication, I ran repadmin and dcdiag from the Site B domain controller. repadmin.exe /replsummary and repadmin.exe /showrepl returned no errors. Likewise, dcdiag.exe /v /i /c /s:<Site-B-DC> returned no errors.

Thinking it was related to the decommissioned DC, I checked AD Sites and Services. The old DC is not included in any DC connectors. I checked DNS forward lookup zones and there aren't any NS or _msdcs records left for the demoted server either.

Where do I go from here?

Rebooting the servers on a weekly schedule is not tenable going forward, especially once company production ramps up again and the business is effectively running 24x7.

Please help.

14
  • Did that demoted DC maybe hold some important AD roles, like schema master or global catalog, which weren't transferred to another domain controller? Is there another domain controller at that site?
    – Ace
    Sep 28 at 2:36
  • All FSMO are, and have always been, held on DC at Site A. Demoted DC was very probably a GC. Don't know if the GC was transferred before demotion. No other DCs at Site B.
    – MattM
    Sep 28 at 2:47
  • Ok, what you could try to do with one server is remove it from the domain, reboot, log in with a local account and rejoin it to the domain; maybe it has lost its relationship with its AD computer account.
    – Ace
    Sep 28 at 2:51
  • I could do that. It would take some time. I mean, we remotely manage these servers for a reason -- they are very remote. How then does the domain trust restore when we reboot the servers, as we currently do? And how does a DC lose relationship with AD and still serve active users on site (file and print services, for instance)?
    – MattM
    Sep 28 at 3:08
  • Have you tried RDP'ing to a server at Site B from a computer at Site B? You state that users at Site B don't have connectivity issues to domain resources and that no users travelling from Site A to Site B experience any access or permissions issues, but you didn't specify if you've actually tried RDP.
    – joeqwerty
    Sep 28 at 3:10
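The checks described in the question (the demoted DC's leftover metadata, stale _msdcs SRV records, which DC the Site B servers actually locate, and the reason code behind the failed logons) collected into one PowerShell script. This is an added example, not something the poster ran; it assumes the RSAT ActiveDirectory and DnsClient modules on a domain-joined admin workstation with Domain Admin rights, and the site name Site-B and server name SITEB-MEM01 are placeholders for the poster's environment.

```powershell
<#
 Added diagnostic script for the question above; it is not the poster's code.
 It needs the RSAT ActiveDirectory and DnsClient modules and Domain Admin rights.
 $SatelliteSite and $SatelliteServers are placeholders for the poster's Site B.
#>
param(
    [string]   $Domain           = $env:USERDNSDOMAIN,
    [string]   $SatelliteSite    = 'Site-B',          # placeholder site name
    [string[]] $SatelliteServers = @('SITEB-MEM01')   # placeholder member servers
)
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$allDcs  = (Get-ADDomainController -Filter *).HostName
$siteDcs = (Get-ADDomainController -Filter "Site -eq '$SatelliteSite'").HostName

# 1. Server objects under the site's Servers container that no longer match a
#    live DC. A clean demotion removes these; a stale one is exactly what
#    "ntdsutil metadata cleanup" exists to delete.
$serversDn = "CN=Servers,CN=$SatelliteSite,CN=Sites,$($rootDse.configurationNamingContext)"
Get-ADObject -SearchBase $serversDn -SearchScope OneLevel -Filter "objectClass -eq 'server'" -Properties dNSHostName |
    Where-Object { $_.dNSHostName -notin $allDcs } |
    ForEach-Object { Write-Warning "Stale server object: $($_.DistinguishedName)" }

# 2. DC locator SRV records that still point at a host that is not a live DC.
#    The site-specific records come first because they are the ones a client
#    working in (or targeting) Site B uses to pick a DC.
$srvNames = @(
    "_ldap._tcp.$SatelliteSite._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$SatelliteSite._sites.dc._msdcs.$Domain",
    "_gc._tcp.$SatelliteSite._sites.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain"
)
foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -notin $allDcs } |
        ForEach-Object { Write-Warning "SRV $name -> $($_.NameTarget) is not a live DC" }
}

# 3. Which DC each Site B member server locates right now. /force bypasses the
#    locator cache, so a cached entry for the demoted DC does not mask the answer.
foreach ($srv in $SatelliteServers) {
    Write-Output "== DC locator result from $srv =="
    nltest.exe /server:$srv /dsgetdc:$Domain /force
}

# 4. Recent logon failures. On the target server, event 4625 carries an NTSTATUS:
#    0xC000006D is a bad credential, 0xC000005E means no logon server could be
#    reached; both produce the same "credentials ... did not work" dialog in mstsc.
$since = (Get-Date).AddHours(-2)
foreach ($srv in $SatelliteServers) {
    Get-WinEvent -ComputerName $srv -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'User';      e = { $_.Properties[5].Value } },
            @{ n = 'LogonType'; e = { $_.Properties[10].Value } },
            @{ n = 'Status';    e = { '0x{0:X8}' -f [uint32]$_.Properties[7].Value } },
            @{ n = 'SubStatus'; e = { '0x{0:X8}' -f [uint32]$_.Properties[9].Value } } |
        Format-Table -AutoSize
}
# On the Site B DC, 4771 (Kerberos pre-auth failure) and 4776 (NTLM validation)
# show whether the failing logons even reach a DC at that site.
foreach ($dc in $siteDcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

Run it while the problem is occurring, before the weekly reboot, so that steps 3 and 4 capture the failing state: a 4625 with Status 0xC000005E, or an nltest result that names a DC outside Site B, points at DC location rather than at the credentials themselves, while a stale server object or SRV record from step 1 or 2 is the metadata the demotion should have removed.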

1 Answer

0

But this sounds logical, that you need to use a server in Site B as a stepping stone and then hop onto other servers in Site B. It might be that the RDP port is restricted in Site B on the firewall or VPN to a certain subnet or IP range.
