W7 Workstations in Domain periodically disconnect from DC/FS.

thecomputerguy

Well-Known Member
Reaction score
1,366
I have an issue that I'm not really sure how to troubleshoot. I have 4 workstations all connected to an in-house Domain Controller/File Server.

Periodically, maybe 1-2 times per day. The users will be working and then they will go to save whatever they are working on (usually Excel), they get an error basically saying they can't save the file because it can't find the original file. The computer does not disconnect from the internet. I login and find that all of their desktop icons are missing (due to folder redirection), and they have been disconnected from their drive maps.

Their folders in the server are now accumulating .tmp files in the directories they are working in because when they are working on an excel document and get forcibly disconnected it is leaving the temp file. I have verified this by changing the extension of the .tmp file to .xls and excel opens it properly, so the the .tmp files are not ransomware related.

The user reboots the computer and everything is normal again for half a day.

- Computers do not disconnect simultaneously, I only get reports of disconnects from one person at a time at completely different times, completely intermittent and the issue cannot be replicated by the user.

- Server has been rebooted multiple times (Server 2008).

- I have gone out and done a full network reboot, including replacing their switches.

- Nothing has changed for them, the only thing I can think of is maybe a recent Windows update is causing this, has anyone heard of anything? It's so weird that they all experience the same issue all at different times.
 
Have they been able to narrow down a time frame or is it completely random? Also what AV are they running? Any chance this happens after the machine goes to sleep or is this happening while actively using it for extended periods. Any logs on the server that may provide any value?
 
Have they been able to narrow down a time frame or is it completely random? Also what AV are they running? Any chance this happens after the machine goes to sleep or is this happening while actively using it for extended periods. Any logs on the server that may provide any value?

Completely random, no pattern. I have them on Kabuto + Emsisoft (for about a year now), sleep is off on all computers because they are all logged into remotely as well. The only time the issue is noticed is when it is actively being used.
 
Check DNS too, while you are at it to verify if you are pulling internal DNS. You might be failing to some Internet-Only DNS and not able to find internal resources.

Honestly, I have no idea. I would have to see it to troubleshoot it.
 
Anything in Event Viewer under System or Application on the workstations that's relevant?

Hey so I checked event viewer as soon as a disconnect happened and all it says is something about netlogon failing to connect to the DC and Group Policy failing to update because of a disconnection to the DC. Also a bunch of delayed write fails because of it being forcibly disconnected.

When I tried moving around I also got this pop-up:

o6b0L.png


I'm thinking it has something to do with this, further research shows that it may be related to IPv6. I did an ipconfig /all on the affected workstation and it does have our DC as the primary DNS (192.168.0.200) but it also has IPv6 entries for DNS as well.

I disabled IPv6 on the workstation and we'll see what it looks like moving forward ... does this sound possible to anyone?
 
Hey so I checked event viewer as soon as a disconnect happened and all it says is something about netlogon failing to connect to the DC and Group Policy failing to update because of a disconnection to the DC. Also a bunch of delayed write fails because of it being forcibly disconnected.

When I tried moving around I also got this pop-up:

o6b0L.png


I'm thinking it has something to do with this, further research shows that it may be related to IPv6. I did an ipconfig /all on the affected workstation and it does have our DC as the primary DNS (192.168.0.200) but it also has IPv6 entries for DNS as well.

I disabled IPv6 on the workstation and we'll see what it looks like moving forward ... does this sound possible to anyone?
IPv6 could definitely cause weird issues. Also did you check the date and time are correct on the affected machines and the server?
 
Interesting ... so on one of the computers in the affected network ... I login to it and go into the network and sharing center and the network had been changed from Domain Network to Public network.

As soon as I disabled IPv6 on it it automatically switched back over to Domain network on it's own. I think that might be a good sign that IPv6 is causing a DNS issue.
 
That's sounding like v6 was making the network location awareness service pitch a fit... it's a thing, still happens on younger windows stations as well just not as frequently.
 
That's sounding like v6 was making the network location awareness service pitch a fit... it's a thing, still happens on younger windows stations as well just not as frequently.
I've also seen servers have issues where they service doesn't start and causes all kinds of issues. Seen it on Server 2012 R2 and 2016.
 
Back
Top