Need help with Active Directory authentication problem.

Brian Jamrok 20 Reputation points
2023-06-23T13:43:54.5833333+00:00

Would appreciate any assistance on this as it's extremely frustrating.

Thanks in advance.

Problem:

Approximately 25 workstations are losing the ability to authenticate against their local domain controller. Here is the cycle: Reboot client >> Log into domain >> time goes by (4-12 hours) >> client loses the ability to 1) access network shares, 2) log in a user (receives the "domain not available" message) >> Reboot client >> repeat cycle.

Background:

Approximately 30 workstations (HP desktops with Windows 10) at 3 sites connected with Meraki VPNs. 3 physical servers, 1 per site, Server 2019. 3 domain controllers, 1 per site (VMs on Hyper-V), Server 2019; 2 file servers (VMs on Hyper-V, Server 2019); 1 application server VM, Server 2012 R2. DHCP and DNS are provided by the local DC. No other DNS servers are handed to the clients.

This is happening at all 3 sites, but most testing has been at site 2.

Troubleshooting and known workarounds:

  1. After a reboot and successful login, the client (W10) will start to lose the ability to access network resources over a period of time that is not consistent. Restarting the client solves the problem temporarily 100% of the time, but this lasts less than 24 hours before it becomes a problem again.
  2. While at site 2 at a workstation that would not log in, I shut down the site 2 DC and the workstation successfully logged in without a restart against the site 1 DC across the VPN.
  3. When the client is stuck with no domain available, we get Event ID 1006 with error code 81, Event ID 5719, and Event ID 40960: "The Security System detected an authentication error for the server RPC/SERVER-DC2.MYDOMAIN.LOCAL. The failure code from authentication protocol Kerberos was 'No authority could be contacted for authentication. (0x80090311)'."
  4. Logged in as a local account, running port query against the local DC results in "RPC server unavailable" and LDAP errors. After a reboot of the client, logging in again as a local account and running the same query results in passing all the RPC and LDAP tests.
  5. Have run dcdiag and I don't see any errors, but I can post it if somebody wants to take a second look.
  6. nltest /server:server-dc2.FQDN /query will show an RPC failure until a reboot.
  7. Have performed the above tests from 1 DC to the others, and the DCs never lose the ability to authenticate or access each other's Netlogon or Sysvol shares. Only clients are affected.
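A client-side triage script for the failure state the question describes, added here as an example and not part of the original thread. It runs on an affected Windows 10 client while it is in the stuck state and checks the three things the poster tested by hand: TCP reachability of the DC's RPC, Kerberos, LDAP and SMB ports, the secure channel / Netlogon state that nltest exercises, and the System log for Event IDs 1006, 5719 and 40960. The parameter names, the default of taking the DC from `$env:LOGONSERVER`, and the 12-hour lookback are assumptions of this example.

```powershell
# Client-side triage for the "domain not available" cycle described in the
# question. Added example, not part of the thread. Assumes: run from an
# elevated PowerShell 5.1 on an affected Windows 10 client while it is in the
# failed state; $Dc defaults to the DC that serviced the current logon.
param(
    [string]$Dc = ($env:LOGONSERVER -replace '^\\\\', ''),
    [int]$LookbackHours = 12
)

# 1. TCP reachability to the DC services behind the failing checks:
#    RPC endpoint mapper (135), Kerberos (88), LDAP (389), SMB (445).
$ports = [ordered]@{ 'RPC EPM' = 135; 'Kerberos' = 88; 'LDAP' = 389; 'SMB' = 445 }
$portResults = foreach ($name in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $Dc -Port $ports[$name] -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $name; Port = $ports[$name]; TcpOpen = $r.TcpTestSucceeded }
}
$portResults | Format-Table -AutoSize

# 2. Secure channel and Netlogon state, the same ground nltest covers.
#    Test-ComputerSecureChannel throws when the DC cannot be contacted at all,
#    so treat an exception as a failed channel rather than aborting.
try {
    $scOk = Test-ComputerSecureChannel -Server $Dc
} catch {
    $scOk = $false
}
"Secure channel to ${Dc}: $scOk"
nltest /sc_query:$env:USERDNSDOMAIN

# 3. The three event IDs named in the question, all written to the System log:
#    1006 = Group Policy LDAP bind failure (error code 81),
#    5719 = Netlogon could not find a DC,
#    40960 = LSA/Kerberos "no authority could be contacted".
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1006, 5719, 40960; StartTime = $since } -ErrorAction SilentlyContinue
$events |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. Interpretation: a DC port that is closed from this client but open from a
#    healthy host on the same subnet points at the client side (host firewall,
#    endpoint protection, VPN policy) rather than at the DC itself.
$closed = $portResults | Where-Object { -not $_.TcpOpen }
if ($closed) {
    "Unreachable from this client: $($closed.Service -join ', '). Repeat the port test from a healthy client on the same subnet before investigating the DC."
} else {
    "All DC ports answer; if Netlogon/Kerberos still fail, look above TCP (inspection/proxy) or at name resolution."
}
```

Run it once while the client is healthy and once when it is stuck and diff the two outputs; the useful signal is which layer changes (TCP port, secure channel, or only Kerberos), because the DCs in this thread never lost connectivity to each other.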

Accepted answer
  1. Anonymous
    2023-06-23T15:16:19.0566667+00:00

2 additional answers

  1. Anonymous
    2023-06-23T13:58:36.09+00:00

    Please run:

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log (run on PDC emulator)
    repadmin /showrepl >C:\repl.txt (run on any domain controller)
    ipconfig /all > C:\%computername%.txt (run on EVERY domain controller)
    ipconfig /all > C:\problemworkstation.txt (run on problem pc)

    Also check the domain controller System and Replication (DFS or FRS) event logs for errors since last boot. Post the Event Source and Event IDs of any found. (no evtx files)

    Then put the unzipped text files up on OneDrive and share a link.
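A collection script that gathers everything the answer above asks for in one pass, added here as an example and not the answerer's own script. It locates the PDC emulator and every DC through the ActiveDirectory module, runs dcdiag with the flags given above on the PDC emulator, runs repadmin locally, collects ipconfig /all from every DC and from the problem workstation into separately named text files, and summarises Error/Critical events since last boot from each DC's System and replication logs by source and ID (no .evtx files). It assumes it is run elevated on a domain controller, that WinRM is enabled on the DCs and the problem PC, and the output folder and parameter names are this example's own choices.

```powershell
# Collects the diagnostics requested in the answer above into one folder.
# Added example, not the answerer's script. Assumes: elevated PowerShell on a
# domain controller with the ActiveDirectory module, WinRM reachable on all
# DCs and on $ProblemPc.
param(
    [Parameter(Mandatory)][string]$ProblemPc,
    [string]$OutDir = 'C:\adcollect'
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = (Get-ADDomainController -Filter *).HostName

# dcdiag on the PDC emulator with the flags from the answer
# (/v verbose, /c comprehensive, /d debug, /e all servers in the enterprise).
Invoke-Command -ComputerName $pdc -ScriptBlock { dcdiag /v /c /d /e /s:$env:COMPUTERNAME } |
    Out-File (Join-Path $OutDir 'dcdiag.log')

# Replication summary; any DC will do, so run it on the local one.
repadmin /showrepl | Out-File (Join-Path $OutDir 'repl.txt')

# ipconfig /all on every DC, one file per DC named by its short hostname.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock { ipconfig /all } |
        Out-File (Join-Path $OutDir "$($dc.Split('.')[0]).txt")
}

# ipconfig /all from the problem workstation.
Invoke-Command -ComputerName $ProblemPc -ScriptBlock { ipconfig /all } |
    Out-File (Join-Path $OutDir 'problemworkstation.txt')

# Error (Level 2) and Critical (Level 1) events since last boot on each DC from
# the System log and whichever replication log exists (DFSR or FRS). Only the
# Source and Event ID are kept, grouped with a count, as the answer requests.
$summary = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        foreach ($log in 'System', 'DFS Replication', 'File Replication Service') {
            # A missing log or an empty result is a non-terminating error; skip it.
            Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $boot } -ErrorAction SilentlyContinue |
                Group-Object ProviderName, Id |
                ForEach-Object {
                    [pscustomobject]@{
                        DC     = $env:COMPUTERNAME
                        Log    = $log
                        Source = $_.Group[0].ProviderName
                        Id     = $_.Group[0].Id
                        Count  = $_.Count
                    }
                }
        }
    }
}
$summary | Export-Csv (Join-Path $OutDir 'dc-event-summary.csv') -NoTypeInformation

"Collected into $OutDir; share that folder's text files (not .evtx) as the answer asks."
```

The event summary is deliberately a CSV of source, ID and count rather than full messages: it is enough for someone reading the thread to spot a replication or Netlogon error pattern without the poster having to redact message bodies.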


  2. Brian Jamrok 20 Reputation points
    2023-06-23T17:56:28.4266667+00:00

    I found the culprit. It was the BitDefender Network Protection module. It apparently blocked all the DCs. I'll include the specific triggers so it hopefully will help someone else in the future. Detection Name: Exploit.PentestingTool.HTTP.3; Attack Technique: lateralMovement.

    Thank you all very much for your help!

