The Setup
I have a single on-prem Active Directory domain. The domain is configured with 3 AD sites, each with a global catalog domain controller. Site A is the main hub, and Site B and Site C are the satellites. I am located at Site A.
The Problem
I am unable to log onto an RDP session at any of the servers at Site B, using domain credentials. RDP connects, but the credentials I use fail to logon.
No error message other than "The credentials that were used to connect to ... did not work".
I've no problems RDP-ing to any servers -- DC or members -- at Site C.
No users at Site B experience any issues with connectivity to domain resources. Likewise, no users travelling from Site A to Site B experience any access or permissions issues. I don't typically get users travelling the other way.
A domain controller was recently demoted and decommissioned at Site B. The problems started shortly thereafter.
Rebooting the DC and member servers at Site B fixes the issue. But the problem usually recurs a week later.
The Investigation (so far)
The domain creds being used are correct. The account is not locked or disabled, and it has the appropriate permissions for RDP.
DNS resolves all Site B server hostnames to the correct IP addresses. I can ping all the servers at Site B. And I can telnet to all servers at Site B over ports 53, 135, 139, 389, 3389.
I can RDP and log onto member servers at Site B, but only when using local server creds, not domain creds. And, having logged onto a member server at Site B, I can then open and log onto RDP sessions to all other servers at that site, including the DC, using domain creds -- but only from that member server.
Thinking it might be related to AD replication, I ran repadmin and dcdiag from the Site B domain controller. repadmin.exe /replsummary and repadmin.exe /showrepl returned no errors. Likewise, dcdiag.exe /v /i /c /s:<Site-B-DC> returned no errors.
Thinking it was related to the decommissioned DC, I checked AD Sites and Services. The old DC is not included in any DC connectors. I checked DNS forward lookup zones and there aren't any NS or _msdcs records left for the demoted server either.
Where do I go from here?
Rebooting the servers on a weekly schedule is not tenable going forward, especially once company production ramps up again and the business is effectively running 24x7.
Please help.
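The following PowerShell checklist scripts the investigation the question describes and extends it to the things the post has not yet covered: the DC the locator returns for the site, the site-scoped SRV records (which can survive a demotion even when the generic _msdcs zone looks clean), leftover server and NTDS Settings objects for the demoted DC in the configuration partition, the Kerberos/SMB ports the telnet test skipped, and the secure-channel DC a Site B server is actually using. It is an added example, not code from the poster; the domain, site and host names are placeholders to replace, and it assumes the RSAT ActiveDirectory module on a domain-joined Windows host with read access to the configuration partition.

```powershell
# Added troubleshooting checklist for a stale-DC suspicion after a demotion.
# All names below are placeholders (not from the original post); adjust them.
$Domain    = 'corp.example'            # placeholder: AD DNS domain name
$SiteName  = 'Site-B'                  # placeholder: AD site name of the affected site
$OldDcName = 'OLD-DC-PLACEHOLDER'      # placeholder: hostname of the demoted DC
$TargetDc  = 'site-b-dc.corp.example'  # placeholder: FQDN of the remaining Site B DC

Import-Module ActiveDirectory

# 1. Which DC does the locator hand out for the site right now?
#    /force bypasses the cached answer, so compare it with a non-forced call.
Write-Host "== DC locator answer for $SiteName =="
nltest /dsgetdc:$Domain /site:$SiteName /force

# 2. Site-scoped SRV records. A demoted DC sometimes leaves records here even
#    when the generic _msdcs records were cleaned up.
$srvNames = @(
    "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_kerberos._tcp.$SiteName._sites.dc._msdcs.$Domain",
    "_ldap._tcp.$SiteName._sites.$Domain",
    "_kerberos._tcp.$SiteName._sites.$Domain",
    "_gc._tcp.$SiteName._sites.$Domain"
)
Write-Host "== Site-scoped SRV records =="
$srv = foreach ($name in $srvNames) {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
}
$srv | Select-Object Name, NameTarget, Port | Format-Table -AutoSize
$stale = $srv | Where-Object { $_.NameTarget -like "$OldDcName*" }
if ($stale) {
    Write-Warning "SRV records still point at the demoted DC $OldDcName"
    $stale | Select-Object Name, NameTarget | Format-Table -AutoSize
}

# 3. Leftover objects for the demoted DC: server object under CN=Sites,
#    NTDS Settings (nTDSDSA) object, and the computer account itself.
Write-Host "== Leftover directory objects for $OldDcName =="
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" -Properties dNSHostName
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(objectClass=nTDSDSA)" |
    Where-Object { $_.DistinguishedName -like "*CN=$OldDcName,*" }
Get-ADComputer -Filter "Name -eq '$OldDcName'" -ErrorAction SilentlyContinue

# 4. Ports the telnet test in the question did not cover. Domain logon to RDP
#    needs Kerberos (88), kpasswd (464) and SMB (445) in addition to LDAP and 3389;
#    3268 is the global catalog port.
Write-Host "== Port reachability to $TargetDc =="
foreach ($port in 88, 464, 445, 3268) {
    $r = Test-NetConnection -ComputerName $TargetDc -Port $port -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 5. Run these ON a Site B member server: which DC holds its secure channel,
#    and can a service ticket for its own RDP SPN be obtained? If the secure
#    channel still names the demoted DC, that explains why only a reboot helps.
Write-Host "== Secure channel and Kerberos ticket (run on a Site B server) =="
nltest /sc_query:$Domain
klist get TERMSRV/$TargetDc
```

Run sections 1 to 4 from the Site A workstation that fails to log on, then section 5 on one of the Site B member servers; a secure channel or SRV record that still references the demoted DC is the first thing to correct (nltest /sc_reset:<domain>\<good-DC> for the channel, record deletion for DNS) before scheduling any further reboots.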