Why is My Computer Status Not Showing Online in the SBS Console?

[Today's post comes to us courtesy of Shawn Sullivan]

You may have noticed that some of your computer accounts are not showing “online” in the SBS Console. The purpose of this post is to shed some light on why you may see this and how this information is obtained by the server.

Status information for your machines is displayed under the Network > Computers sub-tab in the SBS console.

The console will only display status information for domain-joined computers from the following three OUs:

  • OU=Domain Controllers,DC=Domain,DC=local
  • OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=Domain,DC=local
  • OU=SBSServers,OU=Computers,OU=MyBusiness,DC=Domain,DC=local

Note: Replace domain and local with your domain name.

Regardless of whether you join a client or a server computer to the domain, by default it will always appear in the SBSComputers OU. Machine accounts for servers must be manually moved to the SBSServers OU. For more information, please visit: https://blogs.technet.com/sbs/archive/2008/09/24/why-does-my-sbs-2008-premium-second-server-display-as-a-client-computer.aspx

What SBS 2008 Checks For

The server first queries DNS for the host A or AAAA record of the machine; IPv4 is preferred over IPv6 in this scenario. If an A record is found, the server will test this with an ARP request (ARP is used instead of Ping since many firewalls will block ICMP by default). However, if the machine is in a different subnet, the server will attempt to ping it. If only an AAAA record is found, the server will ping the IPv6 address for a response (IPv6 does not support ARP). Possible failures include:

  • The machine account is disabled: Unknown/Account is disabled
  • No DNS record exists for the machine: Unknown/No DNS entry
  • No response from ARP request: Offline
  • No response from the IPv6 client to the Ping: Unknown/Unable to detect computer on the network

If the server receives a response from either the ARP request or the Ping, then a NetApi call is made to the machine for NetGetJoinInformation. This requires that “Client for Microsoft networks” and “File and Print Sharing” are enabled on the NIC and the proper exceptions are configured in Windows Firewall. Possible failures at this point include:

  • Unable to make an RPC connection to the machine: Online/Unable to query computer information
  • The NetApi call receives an access denied: Online/No access to query computer information
  • The machine is not in the domain: Online/Not joined to domain
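The same sequence can be replayed by hand from the SBS server to see which stage fails for one machine. The PowerShell script below is an added example, not code from the SBS console or from the original post; the computer name, the -OtherSubnet switch and the function name are assumptions, and it assumes PowerShell 2.0 or later.

```powershell
# Added example, run on the SBS server. Needs PowerShell 2.0+ (Add-Type).
# WORKSTATION01 is a placeholder; status strings are the ones listed on this page.
param([string]$Computer = 'WORKSTATION01', [switch]$OtherSubnet)

Add-Type -Namespace SbsCheck -Name Native -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetGetJoinInformation(string server, out IntPtr name, out int joinStatus);
[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buffer);
[DllImport("iphlpapi.dll", ExactSpelling = true)]
public static extern int SendARP(int destIp, int srcIp, byte[] mac, ref int macLen);
'@

function Get-ConsoleStyleStatus([string]$Name, [bool]$Routed) {
    # 1. Machine account: userAccountControl bit 0x2 means the account is disabled.
    $hit = ([adsisearcher]"(&(objectCategory=computer)(name=$Name))").FindOne()
    if ($hit -and ($hit.Properties['useraccountcontrol'][0] -band 2)) {
        return 'Unknown/Account is disabled'
    }
    # 2. DNS: take the A record if there is one, otherwise the AAAA record.
    try { $addrs = @([System.Net.Dns]::GetHostAddresses($Name)) }
    catch { return 'Unknown/No DNS entry' }
    if (-not $addrs) { return 'Unknown/No DNS entry' }
    $v4 = $addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    # 3. Reachability: ARP for IPv4 on the local subnet, ping otherwise.
    if ($v4 -and -not $Routed) {
        $mac = New-Object byte[] 6; $len = 6
        $dest = [BitConverter]::ToInt32($v4.GetAddressBytes(), 0)
        if ([SbsCheck.Native]::SendARP($dest, 0, $mac, [ref]$len) -ne 0) { return 'Offline' }
    } else {
        $target = if ($v4) { $v4 } else { $addrs[0] }
        try { $ok = (New-Object Net.NetworkInformation.Ping).Send($target, 2000).Status -eq 'Success' }
        catch { $ok = $false }
        # The page names this status for the IPv6 ping; reusing it for a routed
        # IPv4 ping is an assumption.
        if (-not $ok) { return 'Unknown/Unable to detect computer on the network' }
    }
    # 4. The NetApi call the console makes (File and Printer Sharing must be allowed).
    $buf = [IntPtr]::Zero; $join = 0
    $rc = [SbsCheck.Native]::NetGetJoinInformation($Name, [ref]$buf, [ref]$join)
    if ($rc -eq 5) { return 'Online/No access to query computer information' }
    if ($rc -ne 0) { return "Online/Unable to query computer information (error $rc)" }
    [void][SbsCheck.Native]::NetApiBufferFree($buf)
    if ($join -ne 3) { return 'Online/Not joined to domain' }   # 3 = NetSetupDomainName
    return 'Online'
}

Get-ConsoleStyleStatus -Name $Computer -Routed $OtherSubnet.IsPresent
```

Pass -OtherSubnet when the target is on a different subnet than the server, so the script pings instead of sending an ARP request.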

Summary

Status | What does it mean
Online | Computer is online and joined to the domain
Offline | No response from ARP
Unknown – Computer account is disabled | Computer AD object is disabled
Unknown – No DNS entry | Unable to find DNS entry for the computer
Unknown – Unable to detect computer on network | Unable to ping computer using FQDN
Online – Not joined to domain | Computer is online, but not in the domain anymore
Online – Unable to query computer information | Computer is online, but NetApi can’t connect to target RPC machine
Online – No access to query computer information | Computer is online, but NetApi returns an access denied

Troubleshooting Checklist

  1. Make sure the machine account is enabled, and exists in the proper OU (Domain Controllers, SBSComputers, or SBSServers), and that it is currently domain-joined.
  2. Check DNS for the Host A or AAAA record. Ensure the machine is properly updating DNS with its IP address.
  3. Enable “Client for Microsoft Networks” and “File and Print Sharing” on the NIC if they are not already.
  4. From the server, run net view \\workstationname and note any errors you may receive.
  5. Review the IP configuration settings on the machine. Make sure that it is pointing only to the SBS server for DNS, that it can properly communicate with the server (log in to the domain, access shares), and that it can apply group policy from the SBS server.
  6. Ensure that the “Windows Vista Policy” and the “Windows XP Policy” have not been removed from the SBSComputers OU. These GPOs contain the necessary Windows Firewall restrictions. Run “gpresult” on the client to ensure that it is applying one of these GPOs. Note: If the client is not running XP SP2 or above, it will not receive these policy settings.
  7. If an XP SP2 or higher client is in a different subnet than the server, the NetApi call may be blocked by Windows Firewall due to the default settings in the Windows XP Policy GPO, which only allows file and printer sharing connections from the local subnet. To fix this, you must change the GPO settings for this exception to include the server’s subnet in the scope. For more information, please visit: https://support.microsoft.com/default.aspx?scid=kb;EN-US;957713
  8. If a 3rd party firewall is installed on the machine, check its firewall exceptions.