Channel: Directory Services forum

Display of computer object in permissions of object

After having renamed a computer in the domain, I noticed that I had to create a computer object with the new name and an entry to DNS. When I wanted to grant the relevant permissions I noticed that automatically created records have computer names displayed differently from manually added computers.

By default a computer object (displayed HOSTNAME$) has full control on the DNS entry.

A manually added ACE for a hostname is displayed HOSTNAME (DOMAIN\HOSTNAME)

The icon for HOSTNAME$ is the same as a user; the icon for HOSTNAME (DOMAIN\HOSTNAME) is the usual one as displayed in Active Directory Users and Computers.

Why is that and can I fix it?

Thanks in advance


Active Directory 2003 and Windows 8

Guys - Have you seen any documentation that outlines the limitations of running Windows 8 in a 2003 domain? Specifically I'm wondering what group policies I may not be able to apply unless we upgrade the domain controllers.

We have also had some erratic issues where our logon vbscripts do not run on some computers. However, if we take the same script and run it locally on those machines it works fine. Has anyone seen this before?

Thank you!


-PD

Increase the number of workstations a user can join to a domain

Dear All,

I need to increase the number of workstations a user (specific group) can join to a domain. Please suggest.


RODC advance password replication policy

So I've read up on RODCs and deployed a few.  I even had training on them with video examples of how to configure them.  I created a new RODC at my home office site.  I'm preparing it to send to a branch office.

I want to pre-populate a few core domain admins' passwords on it because I had a problem recently where on another RODC I built, before I sent it off I changed its NIC settings to match the network it was going to.

I realized I needed to add a drive to it.  I tried to log in but got an error "no logon servers are available" because the NIC wasn't configured for this network.

I went ahead and sent that server off and I'll just work on it when it's live again.

One thing I don't understand though is that even if I didn't pre-populate my password on it, shouldn't it know me from my cached pwd from all of the times I logged in to it while building and configuring it?  All of my RODC's and GC's including that one.

Well, it didn't let me in.  I want to make sure something like that never happens again.  I mean, what if something happens to it remotely and I need to get into it, or walk someone else through getting into it?

So cut to my new RODC.  I'm trying to pre-populate my password on it (and a couple other engineers).

 

So I go into a writing DC, actually the one holding all of the FSMOs, I go to domain controllers, I right-click on my newest RODC and in password replication policy I have these settings.

Allowed RODC password Replication - ALLOW - domain/users

Allow - domain admins

Allow - my account

 

I clicked apply then did a sync all.

I then go back in and click the advanced tab.  I click "pre-populate passwords" find my username again, and click ok.

I get an error "The account must be first added to the allowed list for this RODC."

Well I did that, so what gives?  I rewatched the video training on this section and the instructor did it exactly like I did but with success.

 

Failed to install Active directory domain services

Hi,

I've installed the AD Domain Services on Windows 2008 R2 by following this guide: http://technet.microsoft.com/en-gb/library/cc755059%28WS.10%29.aspx. After clicking 'Install' (step 6), it showed that it failed to install, but there is no clue at all why it failed.

Here is a log I copied from C:\Windows\logs\ServerManager.log

2204: 2011-01-05 12:57:54.333 [InstallationProgressPage]  Loading progress page...
2204: 2011-01-05 12:57:54.411 [InstallationProgressPage]  Begining Sync operation...
2204: 2011-01-05 12:57:54.458 [Sync]                     
Sync Graph of changed nodes
==========
---------------------------------------------------------------------------
name     : Active Directory Domain Services
state    : Changed
rank     : 1
sync tech: CBS
guest[1] : Active Directory Domain Controller
guest[2] : Identity Management for UNIX
ant.     : empty
pred.    : empty
provider : null
---------------------------------------------------------------------------
name     : Active Directory Domain Controller
state    : Changed
rank     : 4
sync tech: CBS
ant.     : .NET Framework 3.5.1
pred.    : Active Directory Domain Services, .NET Framework 3.5.1
provider : Provider

2204: 2011-01-05 12:57:54.458 [Sync]                      Calling sync provider of Active Directory Domain Controller ...
2204: 2011-01-05 12:57:54.473 [Provider]                  Sync:: guest: 'Active Directory Domain Controller', guest deleted?: False
2204: 2011-01-05 12:57:54.473 [Provider]                  Begin installation of 'Active Directory Domain Controller'...
2204: 2011-01-05 12:57:54.473 [Provider]                  Install: Guest: 'Active Directory Domain Controller', updateElement: 'DirectoryServices-DomainController'
2204: 2011-01-05 12:57:54.473 [Provider]                  Installation queued for 'Active Directory Domain Controller'.
2204: 2011-01-05 12:57:54.473 [CBS]                       installing 'DirectoryServices-DomainController ' ...
2204: 2011-01-05 12:57:55.020 [CBS]                       ...parents that will be auto-installed: 'NetFx3 '
2204: 2011-01-05 12:57:55.020 [CBS]                       ...default children to turn-off: '<none>'
2204: 2011-01-05 12:57:55.036 [CBS]                       ...current state of 'DirectoryServices-DomainController': p: Staged, a: Staged, s: UninstallRequested
2204: 2011-01-05 12:57:55.036 [CBS]                       ...setting state of 'DirectoryServices-DomainController' to 'InstallRequested'
2204: 2011-01-05 12:57:55.051 [CBS]                       ...current state of 'NetFx3': p: Installed, a: Installed, s: InstallRequested
2204: 2011-01-05 12:57:55.051 [CBS]                       ...skipping 'NetFx3' because it is already in the desired state.
2204: 2011-01-05 12:57:55.098 [CBS]                       ...'DirectoryServices-DomainController' : applicability: Applicable
2204: 2011-01-05 12:57:55.114 [CBS]                       ...'NetFx3' : applicability: Applicable
2204: 2011-01-05 12:57:55.770 [CbsUIHandler]              Initiate:
2204: 2011-01-05 12:57:55.770 [InstallationProgressPage]  Installing...
2204: 2011-01-05 12:58:49.176 [CbsUIHandler]              Error: -2147021879 :
2204: 2011-01-05 12:58:49.176 [CbsUIHandler]              Terminate:
2204: 2011-01-05 12:58:49.254 [InstallationProgressPage]  Verifying installation...
2204: 2011-01-05 12:58:49.270 [CBS]                       ...done installing 'DirectoryServices-DomainController '. Status: -2147021879 (80070bc9)
2204: 2011-01-05 12:58:49.270 [Provider]                  Skipped configuration of 'Active Directory Domain Controller' because install operation failed.
2204: 2011-01-05 12:58:49.270 [Provider]                 
[STAT] ---- CBS Session Consolidation -----
[STAT] For
          'Active Directory Domain Controller'[STAT] installation(s) took '54.7870005' second(s) total.
[STAT] Configuration(s) took '0.0003053' second(s) total.
[STAT] Total time: '54.7873058' second(s).

2204: 2011-01-05 12:58:49.270 [Provider] Error (Id=0) Sync Result - Success: False, RebootRequired: True, Id: 110
2204: 2011-01-05 12:58:49.286 [Provider] Error (Id=0) Sync Message - OperationKind: Install, MessageType: Error, MessageCode: -2147021879, Message: <null>, AdditionalMessage: The requested operation failed. A system reboot is required to roll back changes made
2204: 2011-01-05 12:58:49.286 [InstallationProgressPage]  Sync operation completed
2204: 2011-01-05 12:58:49.286 [InstallationProgressPage]  Performing post install/uninstall discovery...
2204: 2011-01-05 12:58:49.286 [Provider]                  C:\Windows\system32\ServerManager\Cache\CbsUpdateState.bin does not exist.
2204: 2011-01-05 12:58:49.286 [CBS]                       IsCacheStillGood: False.
2204: 2011-01-05 12:58:49.786 [CBS]                       >>>GetUpdateInfo--------------------------------------------------
2204: 2011-01-05 12:59:46.520 [CBS] Error (Id=0) Function: 'ReadUpdateInfo()->Update_GetInstallState' failed: 80070bc9 (-2147021879)
2204: 2011-01-05 12:59:46.520 [CBS]                       <<<GetUpdateInfo--------------------------------------------------
2204: 2011-01-05 12:59:46.598 [DISCOVERY]                 hr: -2147021879 -> reboot required.
2204: 2011-01-05 12:59:46.739 [InstallationProgressPage]  About to load finish page...
2204: 2011-01-05 12:59:46.739 [InstallationFinishPage]    Loading finish page
2204: 2011-01-05 12:59:46.801 [InstallationFinishPage]    Finish page loaded


 

I also checked the Event Viewer; here are the properties of the events that occurred during the installation:

Initiating changes to turn on update DirectoryServices-DomainController of package DirectoryServices-DomainController-Package. Client id: RMT
Update Directoryservices-DomainController of package DirectoryServices-DomainController-Package failed to be turned on. Status: 0x80070bc9
Installation failed. A restart is required.



Roles:

Active Directory Domain Services

Error: The server needs to be restarted to undo the changes

Please help.

Thanks,

balrogz

Replication of home directories in multiple locations

Hi,

We have set up a test AD domain with the master domain controller in our main site.

In each site (country) we have an additional domain controller.

In those sites there are multiple people who will travel to other sites. The login will not be a problem because the sysvol folder is replicated by default.

But what about the home directories? I saw something about replicating the home directories to each site. Does this mean the servers will have lots of data? On our current Linux servers, one site alone has 1 TB of data... this seems to be undoable for us if we need to replicate all of it... Some users travel a lot between sites, some only 2 times a year...

Could somebody clear up for me how I should manage this?

Thanks in advance.

Kr,

Joeri

DC - refuses administrator log on

History:  I migrated a 2003 domain to 2012 R2 (2 DCs), now native.  All was OK until my 1st reboot of the 2nd DC.  It lost its ability to communicate with the domain.  I've demoted/removed it and am now on 1 DC until I can do some more testing.  DNS is now clean and dcdiag gives a clean bill.  This has been running without issues for several weeks.

This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

A review of the event logs shows that at 4:30 PM yesterday the scheduled backup (Win Backup) occurred successfully.  Then shortly after 5 PM the system logs event 5823 (NETLOGON: "The system successfully changed its password on the domain controller. This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.").

Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

account lockout

Hi all,

Some of my service accounts, like backup, printer, etc., are automatically getting locked out, with the following event ID.

Please help.

An account failed to log on.

Subject:
    Security ID:                SYSTEM
    Account Name:               ADCSRV$
    Account Domain:             DOM
    Logon ID:                   0x3e7

Logon Type:                     3

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               backup
    Account Domain:             DOM

Failure Information:
    Failure Reason:             Account locked out.
    Status:                     0xc0000234
    Sub Status:                 0x0

Process Information:
    Caller Process ID:          0x39c
    Caller Process Name:        C:\Windows\System32\lsass.exe

Network Information:
    Workstation Name:           ADCSRV
    Source Network Address:     172.16.10.100
    Source Port:                45442

Detailed Authentication Information:
    Logon Process:              Advapi
    Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested


"Add to Domain" across Forest Trust

Hello, 

We currently have two forests, one for our existing organization and one for a new organization which we are building up.  We would like to have a universal group from our old forest (A) to have both administrative rights on all desktop machines in forest B, as well as the right to join new machines to the domain in Forest B.  However, we would like to avoid making this group a member of Domain Admins, Enterprise Admins, or the local Administrators group for domain B.  

We also would like to avoid having members from Forest A authenticate to Forest B without giving permissions on each device, thus no Forest-Wide authentication.

We've tried setting up a two-way Forest trust and adding this group as administrators to each member of the domain via a group policy, but that doesn't allow them to add machines to the domain due to the authentication firewall.  

Does anyone have any idea how to make this work?  It seems that I need a split between forest-wide auth and selective auth, but I can't quite figure out how to get that balance to actually work.




Win 2008 R2 to Win 2012 R2 DCs and compatibility with 2000 Server clients

Hi

We're in the process of planning to upgrade our DCs running 2008 R2 to 2012 R2 servers.  The upgrade method will be to introduce new DCs and phase out the 2008 R2 DCs.  Our environment consists of parent and multiple child domains, forest/domain functional level: Windows 2008 R2. 

Questions

1. We have Windows Server 2000 clients in some of the child domains (3 servers total).  Does anyone know for sure if we will or will not run into issues with 2000 clients authenticating or anything else with regards to 2012 DCs?  Is there a MS KB article or a blog post from a MS AD guru such as http://blogs.technet.com/b/askds/ that outlines why and what issues you may run into if you have 2000 clients in a domain that has 2012 DCs?   It won't be for another year until we can upgrade the 2000 clients to a newer OS.

I came across this thread in the support forum but I just need something more formal to give to upper management.

http://social.technet.microsoft.com/Forums/en-US/95e00c9b-aa19-49e8-8da8-ab66b444b1be/can-a-windows-2000-client-join-a-windows-2012-domain-?forum=winserver8setup

2. One option is to upgrade just the parent domain to all 2012 R2 DCs and leave the child domains running 2008 R2 DCs.  Of course we will still run adprep /domain for all child domains even though we won't be introducing 2012 DCs anytime soon.  Will this work as expected, meaning the 2000 client servers will not have any problems since they authenticate with 2008 R2 DCs?

The parent domain has just a handful of accounts and doesn't necessarily need to log into the 2000 client.

Thanks.

2008 Domain Controllers will not start unless a domain controller is online.

Hi all, I have a situation as follows:
3 DCs

1 Virtual 2K8, 

1 Physical 2K8 R2

1 Physical 2K3

I am looking to retire the final 2003 DC. However, if I power down all of my DCs to simulate a server room power outage or a site move or something similar, I have a problem in that I then cannot get the domain loaded. If there is 1 DC left switched on and I then restart the other 2, then everything works as expected and the domain works, but if all 3 DCs are off, then when I switch any of them on it takes about 20 mins to load to Ctrl-Alt-Del, and then when I log in I cannot load DNS or ADU&C, my LAN connection shows 'Unidentified Network' and I have 4013 errors in the event log about first initial sync. All FSMO roles have been transferred away from the 2003 DC and I have a single GC. This post covers exactly my issue:

http://community.spiceworks.com/topic/291108-2008r2-dc-domain-upgrade-dns-issue-event-4013

However, I have turned on and left on ONLY my 2008 R2 DC for 30 mins and then disabled and re-enabled the NIC, and still it shows 'Unidentified Network'. If I turn on ONLY my other 2008 DC and disable and re-enable the NIC after about 30 mins of having logged in (total 45 mins from power on), the NIC changes to domain.com and it all seems to work. Similarly, if I turn on only my 2003 DC, after about 30 mins it all springs to life.

I need to be able to reliably and consistently get the domain up and working from any of the DCs to plan for if 2 fail or if all 3 are off for maintenance or a power cut, which is the whole point of having multiple DCs! I have read things online about always making sure you have at least one DC online, but this doesn't help in the case of a power outage or similar.

Once the DCs are on they all work perfectly well; replication is fine. I have run

dcdiag,

dcdiag /test:dns,

repadmin /replmon

All tests come back passed.

strange issue

There are different domains (a.local and b.local) at my site and no trust between them.
There is a reverse lookup zone for 172.16.18.0/24.
There are A records created for server1 and server2 (appliances) in b.local.
From any workstation in the a.local domain, there is no issue resolving server1.b.local
and 172.16.18.1. But for server2.b.local (172.16.18.2), no one can resolve
nslookup 172.16.18.2 (reverse)
(can't find 172.16.18.2: Non-existent domain)

Thank you.

Missing SRV Records

I have a Server 2008 domain controller that is about to be decommissioned and two new Server 2012 R2 domain controllers installed and running with all services and FSMO roles transferred to the new domain controllers.

When running Best Practices Analyzer on new DCs, I get the following error message:

"The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record."

I followed the resolution ("Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry.") and verified this is not set.

When I look in DNS, under the domains._msdcs.domain.local container referenced in the BPA error message, I see only one container with a DNS/GUID alias which doesn't match any of the DNS Alias values for our existing domain controllers. But inside of the _msdcs.domain.local container, I do see the CNAME entries mapping the DC GUIDs to our 3 domain controllers (see screenshot below):

Like it says in the picture, I have a feeling that GUID is from an old Server 2003 domain controller that we once had many years ago. I'm only now noticing this error because the Server 2008 domain controller that I installed 5 years ago didn't have BPA (don't think that became available until 2008 R2), while the new Server 2012 R2 domain controllers do.

So the question is, what is the impact and how do I resolve this? Everything seems to be running normally, although I have noticed the occasional NPS EventID 4402 - "There is no domain controller available for domain applereit" error message on various machines. I never paid much attention since the error is so sporadic (maybe once a week). But maybe that error is a symptom of this DNS problem?

Thanks in advance!


Shaun

New Domain

This may be the wrong forum and if so, I apologize in advance.  Please point me to the correct one if that is the case!  I'm setting up a brand new domain in the same subnet.  I don't really have any issues here as I've already created the new domain and will enable DHCP on the new domain once I'm ready move users and computers over to it. 

Here's my quandary:

I need to move all PC's over from Domain A (old) to Domain B (new).  All user profiles are local to the PC and all users have POP3 email accounts.  What is the best methodology to move the user profiles (local) from Domain A to Domain B as well as the POP3 (pst files, nk2), Desktop, Favorites etc?  I'm hoping I might be able to use the USMT or some such utility vs having to copy the profiles, Desktop, My Doc's, pst's, NK2's etc manually from Domain A, un/dis-join domain A, join Domain B and then copy the profile's, PST's, Desktop etc over to new local user on PC (now on Domain B).  I am NOT migrating user accounts as we want a "fresh" Active Directory environment so while they will be using the exact same PC as before, it will be on a new domain and they will be logging in with a newly created user account on Domain B.

I'm sure I can do this all manually per the above, but was hoping there might be a utility/methodology I'm not familiar with out there that would save me some time.  Not a huge environment, but doing this for 30'ish users will be quite time consuming if I have to go the manual route.

TIA!

DNS best practice question

Hello,

We currently have an issue regarding DNS in a multiple-domain forest.

First of all, in the forest there are 5 domains (names changed):

dom1.domain.org

sub.dom1.domain.org

dom2.domain.org

dom1.url.de

dom.de

As you see, a forest full of domains not matching ;-)

We also have multiple sites, and as per network requirements, replication is made through domain: dom1.domain.org

All other Domains replicate only with this one.

The DNS is currently set up as follows:

Each Domain Controller holds its own domain as primary AD integrated Domain in DNS (Domain wide repl.).

All others are set up as Forest Wide AD integrated Stubs.

At each startup we get Event 4515 on the DCs, saying that a zone is available twice.

So, I have to troubleshoot this infrastructure now.

Can you tell me what the best practice is here to set up DNS correctly with as little replication traffic as possible?

Best regards



Event ID 36887, The following fatal alert was received: 46

I am getting the below error in the Active Directory server system logs regularly.

Log Name:      System
Source:        Schannel
Date:          4/29/2014 4:27:40 PM
Event ID:      36887
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      servername.domain.com
Description:
The following fatal alert was received: 46.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36887</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-04-29T20:27:40.172512600Z" />
    <EventRecordID>717678</EventRecordID>
    <Correlation />
    <Execution ProcessID="636" ThreadID="4480" />
    <Channel>System</Channel>
    <Computer>servername.domain.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="AlertDesc">46</Data>
  </EventData>
</Event>

I read several articles but am unable to find any solution. Please help.


Amit

Active Directory Failover doesn't work!

Hey guys,

I've just created a replica of my Active Directory on another server (one is Windows 2012 and the other is Windows 2012 R2).

It works fine, but the only problem is, when I shut down my main server which has the Active Directory on it, the Active Directory that is on the replicated server doesn't show the data anymore.

I mean it's not working when I don't have the main server on.

It's not replacing the main server as the domain controller.


Windows 2012 Domain Controller NETLOGON error

We have had a Sonicwall firewall user authentication system active for the last two months. We have a Windows 2012 Active Directory server set up with around 1400 user accounts created. These accounts were created by using the following PowerShell script:

Import-Module ActiveDirectory
#Import CSV
$csv = @()
$csv = Import-Csv -Path C:\Users\Administrator\Desktop\"College User Ac Password Details"\FE\civil.csv
FOREACH ($Person in $csv) {
    $name = $Person.UserName
    $displayname = $Person.Name
    $path = "OU=FE,DC=comp,DC=com"
    $password = $Person.Password
    $enabled = $True
    $changePW = $False
    $description="CIVIL"
    new-ADUser -SamAccountName $name -Name $name -Description $description -DisplayName $displayname -Path $path -AccountPassword (ConvertTo-SecureString $password -AsPlainText -force) -Enabled $enabled -ChangePasswordAtLogon $changePW -PassThru
}

The above script reads a CSV file with usernames and passwords and creates user accounts in Active Directory.

But since today we are facing an issue during the authentication process. We are unable to log on to the Directory server. When the Sonicwall firewall tries to authenticate a user, it logs out the same user. When I checked the Event logger on the Windows Active Directory server, it showed the following message.

The dynamic registration of the DNS record 'ForestDnsZones.comp.com. 600 
 IN A 192.168.0.12' failed on the following DNS server:  

 DNS server IP address: 216.37.64.6 
 Returned Response Code (RCODE): 5 
 Returned Status Code: 9017  

 For computers and users to locate this domain controller, this record must be registered in DNS.  

 USER ACTION  
 Determine what might have caused this failure, resolve the problem, and initiate   
 registration of the DNS records by the domain controller. To determine what might have 
 caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and 
 Support Center. To initiate registration of the DNS records by this domain  
 controller, run 'nltest.exe /dsregdns' from the command prompt on the domain 
 controller or restart Net Logon service. Or, you can manually add this record to DNS,
 but it is not recommended.  

 ADDITIONAL DATA 
 Error Value: DNS bad key.

The above log entry talks about a DNS issue, but I did not configure any DNS server on this machine. Authentication was working fine for the last two months, but suddenly from today we are facing the above issue. Kindly help me out in resolving this issue.

Does the DsReplicaGetInfoW() API provide the replication partners of other sites also?

We are using the DsReplicaGetInfoW() API to find the replication partners.

We have 2 Active Directory sites, A and B. One server on each site is a replication partner of the other.

While fetching the replication partners from the Site A domain controller, the DsReplicaGetInfoW() API is not showing the Site B domain controller as a replication partner. However, when we run repadmin /showrepl, it shows all the replication partners.

Does DsReplicaGetInfoW() provide the replication partners of other sites also?


Sandeep Gupta

Share Folder access problem after DC upgrade

Hi,

We have recently upgraded a Domain Controller in the domain from Windows 2003 to Windows 2008 R2. The Domain Controller policy is the same as it was before migration. After the upgrade we are facing an issue with NAS storage access. We have a NAS storage which has some shared folders. Users access the folders from their PCs. The issue is that when we try to access the share by IP (\\192.168.1.1) it gives the error that the "attached device is not functioning", but when we try to access it as \\servername it works fine.

I have taken a netmon trace while accessing the drive by IP and by hostname, and some of the highlights are as follows:

-------------------------------------------------------------------------------------------------------------------------

When accessing through IP

1. Client -> Server: SMB: C Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002, SMB 2.???

2. Server -> Client: SMB: R negotiate, NT LM 0.12 # = 5

3. Client -> Server: SMB: C session setup & X, NTLM NEGOTIATE MESSAGE

4. Server -> Client: SMB: R session setup & X, NTLM Challenge message error code 22 Status More processing required

5. Client -> Server: SMB: C session setup & X, NTLM Authenticate Message Version:V2 Domain:domain, user:username,workstation:PC1

6. Server -> Client: SMB: R session setup & X NT Status: System Error Code 563 Status DOMAIN Controller NOT FOUND

After that it again goes back to point 3 and continues like that

-------------------------------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------------------------------

When Access through Hostname

1. Client -> Server: SMB: C Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002, SMB 2.???

2. Server -> Client: SMB: R negotiate, NT LM 0.12 # = 5

3. Client -> Server: SMB: C session setup & X,Krb5ApReq(0x100)

4. Server -> Client: SMB: C session setup & X,Krb5ApReq(0x200)

5. Client -> Server: Tree Connect Andx Path: \\hostname

---------------------------------------------------------------------------------------------------------------------------

We have already checked the DC Security policies and done the changes as recommended.
