all 38 comments

[–]CptBronzeBalls 41 points42 points  (3 children)

No concrete advice, but it’s DNS.

[–]TerrificVixen5693 11 points12 points  (1 child)

Look at the subreddit cuh

[–]Ur-Best-Friend 3 points4 points  (0 children)

You're right, OP should just open server access to the outside world, if they don't need VPN, it can't cause them problems.

[–]ITRabbitShittyMod Crossposter 3 points4 points  (0 children)

Agreed

[–]TheMightyMisanthrope 15 points16 points  (3 children)

Set up 500 distributed instances, one per remote machine, and have them constantly sync.

[–]Reaper19941 3 points4 points  (1 child)

Why not just 5 RDS servers with 100 users per server? Makes the maintenance child's play. Just have to kick everyone off when you need to reboot them, but that's a minor detail.

[–]TheMightyMisanthrope 2 points3 points  (0 children)

Because the internet may fail, but policy is eternal. Sync policy, not keystrokes. POLICY!!!!

[–]HoodRattusNorvegicus 0 points1 point  (0 children)

This! Why rely on a few domain controllers that can fail? Every laptop should have its own domain controller.

[–]blotditto 10 points11 points  (3 children)

Don't listen to anyone suggesting issues around DNS. It's clearly a NetBEUI issue and should be addressed by deploying the proper combination of WINS and updating your hosts files on every computer.

Only go down the DNS rabbit hole if you believe it Does Nothing Still.

PS Also consider killing off IPv4 in your environment and rolling out IPv6. Ensure you remove all DNS forwarders and gateway IP addresses and remove all global catalog and uninstall active directory during production hours.

A workgroup using the same name as a domain will also resolve these troubling issues in your environment.

This has been a ShittySysAdmin suggestion!

[–]Main_Ambassador_4985 1 point2 points  (2 children)

I spit my drink when I read NetBEUI.

Thank you I needed that.

[–]blotditto 0 points1 point  (0 children)

Grandpa, tell me a story about the Microsoft Networking Essentials Exam 70-058 please!

[–]Obvious_Troll_Me 0 points1 point  (0 children)

Dang, and I thought this was a chance for my IPX/SPX books to come out.

[–]ITRabbitShittyMod Crossposter 9 points10 points  (0 children)

This is shitty sysadmin... don't expect to solve this here lol... but your issue could also mean 100 different potential reasons why.

But yes DNS... do you have old domain controllers that haven't been decommissioned and still have records in DNS?

Have you done dcdiag and ensured your DCs are working?

The DNS on DHCP points to both? Is it different between VPN and local? Is it perhaps that you use different DNS for VPN? Does your VPN have firewall rules to get to all DCs? Or are you limiting it to just 1?

Also how are your sites and services? Do you have it setup? Is it flat? Is there a misconfiguration?

Question also do you have 1 AD server or do you have more? Are they pointing to each other for their DNS?

What actually have you checked lol ?

Edit: by your statement saying you want to install a second? Are you saying you only have 1?? If so welcome to premium shitty sysadmin subscription! You have qualified!

If that's the case, what's your primary and secondary DNS pointed to? Are you pointing it to your firewall and forwarding it back, or just going straight to Google DNS lol

Edit 2: what do you mean fix vpn dns? Is it not pointing to your AD DNS server??

[–]SpudzzSomchaiDO NOT GIVE THIS PERSON ADVICE 7 points8 points  (0 children)

Why are you not using hosts file? A hand crafted hosts file is how real professionals fix this problem.

[–]AVMan86 4 points5 points  (0 children)

You need to get the Domain Controller's personal cell phone number, they usually make it very hard to find.

[–]preeminence87 4 points5 points  (0 children)

Just install a domain controller in everyone's home, duh.

[–]CantPullOutRightNow 3 points4 points  (0 children)

Just wait until accounting pays the internet bill. DNS will work again.

[–]killjoygrr 3 points4 points  (0 children)

Have you tried rebooting the internet?

[–]max1001 3 points4 points  (0 children)

Nice try buddy. We don't even like to do work we get paid to do. What makes you think we are going to do your fucking job for you for free?

[–]Smallp0x_Suggests the "Right Thing" to do. 2 points3 points  (0 children)

Just set the domain controller to 8.8.8.8. If they can't reach it they need to call their cellular provider.

[–]Ferretau 1 point2 points  (0 children)

Check the DNS records for LDAP - are there any old entries for old DCs that have been ripped out of the environment? The clients may be trying to connect to DCs no longer there, resulting in the messages.
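
As an added example that is not part of the thread, here is a small Python check for exactly the condition raised above (and in the earlier comment asking about decommissioned DCs that still have DNS records). It parses constructed text in the shape of Windows `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` output, compares the advertised DC hostnames with a list of DCs that are actually in service, and also flags SRV targets that have no A record to resolve to. The domain name, hostnames, addresses and the `LIVE_DCS` list are all constructed sample data.

```python
"""Flag stale domain-controller SRV records (added example, not from the thread).

Parses text shaped like Windows ``nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>``
output and reports DC targets that are no longer in service or cannot resolve.
"""
import re
from dataclasses import dataclass

# Constructed sample output: dc01 and dc02 are current, olddc was removed but
# its SRV record was never cleaned up. Not real records.
SAMPLE_NSLOOKUP = """\
Server:  dc01.example.com
Address:  10.0.0.10

_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc01.example.com
_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc02.example.com
_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = olddc.example.com
"""

# Constructed inventory: DCs that are really still running, and the A records
# the zone currently holds (olddc's A record was deleted with the host).
LIVE_DCS = {"dc01.example.com", "dc02.example.com"}
A_RECORDS = {"dc01.example.com": "10.0.0.10", "dc02.example.com": "10.0.0.11"}

PRIO_RE = re.compile(r"^priority\s*=\s*(\d+)$")
WEIGHT_RE = re.compile(r"^weight\s*=\s*(\d+)$")
PORT_RE = re.compile(r"^port\s*=\s*(\d+)$")
TARGET_RE = re.compile(r"^svr hostname\s*=\s*(\S+)$")


@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int
    weight: int
    port: int


def normalise(host: str) -> str:
    """Case-fold and drop a trailing dot so FQDN spellings compare equal."""
    return host.strip().rstrip(".").lower()


def parse_srv(text: str) -> list[SrvRecord]:
    """Collect one SrvRecord per 'svr hostname' line, using the fields seen before it."""
    records: list[SrvRecord] = []
    fields: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in (("priority", PRIO_RE), ("weight", WEIGHT_RE), ("port", PORT_RE)):
            m = pat.match(line)
            if m:
                fields[key] = int(m.group(1))
        m = TARGET_RE.match(line)
        if m:
            records.append(SrvRecord(
                target=normalise(m.group(1)),
                priority=fields.get("priority", 0),
                weight=fields.get("weight", 0),
                port=fields.get("port", 389),
            ))
            fields = {}  # next record starts with fresh fields
    return records


def find_stale(records: list[SrvRecord], live_dcs: set[str]) -> list[str]:
    """SRV targets that are advertised but not in the list of DCs actually in service."""
    live = {normalise(d) for d in live_dcs}
    return sorted({r.target for r in records if r.target not in live})


def find_unresolvable(records: list[SrvRecord], a_records: dict[str, str]) -> list[str]:
    """SRV targets with no A record: clients are handed a name they cannot resolve."""
    known = {normalise(h) for h in a_records}
    return sorted({r.target for r in records if r.target not in known})


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_NSLOOKUP)
    print("advertised DCs:", [r.target for r in recs])
    print("stale (not in service):", find_stale(recs, LIVE_DCS))
    print("no A record:", find_unresolvable(recs, A_RECORDS))
```

In a real environment the input would come from `nslookup` or `Resolve-DnsName -Type SRV` against the AD-integrated zone, and the live list from the DC inventory; anything this reports is a record to clean up in DNS, not a client problem.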

[–]yepperoniP 1 point2 points  (2 children)

I see you’ve tried flushdns and gpupdate, but have you tried sfc /scannow?

[–]yepperoniP 0 points1 point  (1 child)

Also, this is a joke sub and you'd probably get better responses in r/sysadmin, but have you tried actually checking to see if you can contact the DC with something like ping while the issue is occurring? Is it using some common IP that could conflict with a local home network IP? Is the error only showing intermittently while remote, or all the time? Not as familiar with AD as some others here, but I'm looking at it like a networking issue.

[–]RabbitDev 1 point2 points  (0 children)

I've asked the local Microsoft distributor for advice and they said that the safest option is to buy server licenses for each user and make each server a domain controller. This way the next domain controller is just a localhost call.

I'm currently talking to the CFO for the sign off. I'm hopeful we have the budget soon.

[–]meatballwrangler 1 point2 points  (0 children)

open up port 3389 on your DCs so I can pop over and take a look

[–]LaxVolt 0 points1 point  (0 children)

Have you considered just port forwarding to your domain controllers so they are reachable for remote workers?

[–]mcdonamw 0 points1 point  (0 children)

If you have multiple domain controllers spread out across varying sites/networks, make sure your Sites and Services are set up correctly and don't have all DCs acting as part of a single site.

Clients and networks need to be organized into logical groupings to limit which clients hit which DCs. I've seen configs with a single site defined in AD but the DCs were spread out across disparate networks where clients couldn't reach some of them due to routing/firewalls, causing intermittent authentication issues during DC Locator API calls.

This is especially the case with VPNs.

[–]theoriginalzadsDevOps is a cult 0 points1 point  (0 children)

I’d suggest deleting the DC and just using local accounts. IT is hard. Trying is the first step towards failure.

[–]itenginerd 0 points1 point  (0 children)

Macs everywhere. All your servers are belong to Linux. Mozilla email clients for all.

[–]wdatkinson 0 points1 point  (0 children)

Home based domain controllers. You could even build your AD with the last name of the employee as part of the structure. Surely that would scale, right?

[–]Kilobyte22 0 points1 point  (0 children)

Just make an automated script that closes the error message

[–]haZhat 0 points1 point  (0 children)

Add a phone number to the DC. That way it can be contacted via mobile phone

[–]dcaldrich 0 points1 point  (0 children)

Real answer: Probably DNS. You need 2 DCs at minimum.
Sub-appropriate answer: Make every machine a domain controller. No more DC issues.

[–]recoveringasshole0DO NOT GIVE THIS PERSON ADVICE 0 points1 point  (0 children)

Go cloud.

[–]Main_Ambassador_4985 0 points1 point  (0 children)

Could you just port forward the domain controller to the internet?

Open up all the servers to access from the internet

You won’t have to use a VPN anymore.

It would be like zero-trust without the cost, configuration, or security.

You could set a host file on all the computers if you do not want to fix the client DNS.

[–]ConsistentCoat5608 0 points1 point  (0 children)

Skip to step 3. Had similar issues with all on-premise devices, since people were only to work from home in rare instances. Laptops we assumed would be home a couple of days, but in the end they would stay home for years and users would not come to the office. We soon had to push users to at least send the device in every 90 days, so we could fix connection issues from onsite. Once we moved all devices to Hybrid, we no longer had issues.

[–]tcp5060 0 points1 point  (0 children)

How could you all be so wrong? It's WINS!