Multiple Computers receive Access Denied at logon. User credentials are valid. Windows 7 Pro

Windows 7 Pro 64 bit computer working normally or recently rebooted. User tries to logon and the access denied message displays. I try to logon with local admin account and get the same error. Sometimes rebooting the pc will allow you to logon correctly but we have had to boot into safe mode and choose "active directory repair" on several machines. This has happened on several windows 7 desktops and one 2008 r2 server running Terminal Services. We have about 80 user computers and so far 10 have had this issue over the last month.

Our 2 DC servers are Windows 2008 R2. I couldn't find any AD errors.

To "fix" the pc we had to:

1. Boot into Safe Mode with Command Prompt
2. At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3. When MSCONFIG opens click the "Boot Options" tab
4. Click the option for "Active Directory Repair"
5. Exit MSCONFIG, and reboot the PC

The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally").
You may need to reboot more than once for the repair to be completed; mine needed 2 times.

When a computer has the issue I cannot logon with the domain credentials or the local admin user credentials. Unplugging the network cable doesn't help. The only way to "fix" the issue is to boot into safe mode, login with local admin account and run msconfig, safe boot, active directory repair.

Does anyone know what Safeboot Active Directory repair does? I reboot into this mode and then I reboot again normally and the issue is resolved. If I knew what exactly happens when I boot into safe mode with active directory repair checked then maybe I can understand the problem more.

July 27th, 2015 4:06pm

Hi Burak,

"Access is denied" occurs if a policy is explicitly set to deny interactive logon for authenticated users. Please share the group policy results for a user account on a client computer and upload them to OneDrive so I can check.

Thanks

Eric

July 29th, 2015 6:38am

I haven't found any usable errors in the event viewer of the PC or the domain controller.

I have checked the domain controllers and haven't found any errors that relate to this.

On the computer that is having the issue (not the domain controller):

1. Boot into Safe Mode with Command Prompt
2. At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3. When MSCONFIG opens click the "Boot Options" tab
4. Click the option for "Active Directory Repair"
5. Exit MSCONFIG, and reboot the PC

The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally").
You may need to reboot more than once for the repair to be completed; mine needed 2 times.

This resolves the issues. I do not rejoin the domain or anything like that.

August 10th, 2015 6:48pm

I perform the fix on the PC, not the server.
August 10th, 2015 6:49pm

Which commands do you want me to run on the PC, and how do I upload to OneDrive?
August 10th, 2015 6:50pm

I have had this same issue on about 12 different computers.

We have about 100 domain computers and they are rebooted once a week.

Today I had the issue on my Windows 2008 R2 terminal server.

I did the same steps and it fixed the issue.

I still cannot decide on what is causing the issue.

Any help is appreciated. Thanks

August 10th, 2015 6:59pm

Are the domain users group added to the local users group on the PC?

Is the domain users group a member of the users group?

Under admin credentials, run the following command from the command prompt:

gpresult /h gpreport.html

August 10th, 2015 8:06pm

Other commands to run from a troubled PC:

NLTest /sc_verify:contoso.com (it should say success)

set (make sure all information is stated correctly)

In ADUC make sure the computer accounts are members of the Domain Computers group.

Under Local Policies -> User Rights Assignment make sure the Administrators, Everyone, and Users groups are added, or use the defaults.

Make sure the "Allow log on locally" setting is also correct, in the same area as the "Access this computer from the network" setting.

In the same area review the deny settings; make sure they are set right.

August 10th, 2015 8:15pm

Review your group policy objects that govern network access/ security/ interactive logon.... Make sure these settings are in accordance with your domain requirements.
August 10th, 2015 8:19pm
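The two posts above point at the local User Rights Assignment (allow/deny "log on locally" and "access this computer from the network") as the usual source of an explicit "Access is denied" at the logon screen. The following is an added example, not code from the thread: it exports the local security policy with secedit and lists who currently holds each of those four rights, with SIDs translated to names. It assumes it is run elevated on the affected workstation and that $env:TEMP is writable.

```powershell
# Added example (not from the thread): list the local interactive/network logon
# rights so a Deny entry that covers the failing users is visible at a glance.
# Assumptions: elevated session on the affected workstation; $env:TEMP writable.

function Get-LogonRights {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    # Only the USER_RIGHTS area is needed. secedit writes a UTF-16 file with a
    # BOM, which Get-Content detects automatically.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $privilege = $Matches[1]
            $values = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    # secedit writes principals as *SID; translate to a readable name,
                    # falling back to the raw SID for orphaned or foreign principals.
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }
                } else { $entry }
            }
            $rights[$privilege] = @($values | Where-Object { $_ -ne '' })
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-LogonRights

# Privilege constant -> the name shown in the Local Security Policy UI
$interesting = [ordered]@{
    'SeInteractiveLogonRight'     = 'Allow log on locally'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    'SeNetworkLogonRight'         = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'     = 'Deny access to this computer from the network'
}

foreach ($name in $interesting.Keys) {
    # A right that secedit does not export at all is "Not Defined" in the UI.
    $holders = if ($rights.ContainsKey($name) -and $rights[$name].Count -gt 0) {
        $rights[$name] -join ', '
    } else { '(not defined)' }
    '{0,-46} {1}' -f $interesting[$name], $holders
}

# A Deny right naming Users, Authenticated Users, Everyone, or a domain group the
# affected users belong to explains the symptom; gpresult /h then shows which GPO set it.
foreach ($deny in 'SeDenyInteractiveLogonRight', 'SeDenyNetworkLogonRight') {
    if ($rights.ContainsKey($deny) -and $rights[$deny].Count -gt 0) {
        Write-Warning ("{0} is populated: {1}" -f $interesting[$deny], ($rights[$deny] -join ', '))
    }
}
```

Run it on a machine that is currently failing and on one that is not, and diff the two listings; the thread's later finding that "Deny log on locally" was Not Defined corresponds to the right being absent from the export.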

The assigned domain user is part of the local Administrators group of the PC.

I cannot log in as local admin. I cannot log in as the domain user. I have to reboot the PC into safe mode to be able to log in at all. I cannot run any "tests" until I apply the fix, and then the issue is gone.

August 10th, 2015 8:20pm

To ensure your DCs are not in any way contributing to this issue, run the following commands:

DCDiag /c /v > c:\dcdiag.txt

net share

repadmin /replsummary > c:\repsum.txt

Are there any errors?

August 10th, 2015 8:25pm

In ADUC can you right click the computer object and select manage and connect?
August 10th, 2015 8:27pm

Yes, I did remotely connect to several of these computers and look at the event viewer as they were having the issue.

August 10th, 2015 8:30pm

https://onedrive.live.com/redir?resid=63F101D73FEBDFDA!3213&authkey=!AMOTx13sQZn1ywI&ithint=folder%2ctxt

August 10th, 2015 8:32pm

Logs shared on OneDrive (log files).

August 10th, 2015 8:33pm

DC3 failed test VerifyEnterpriseReferences..... You need to look at this more closely and fix it. Did you have to force out a DC? If so did you verify that the metadata cleanup succeeded?

Some things I found in regards to it:

The error means that the value of the attribute msDFSR-ComputerReferenceBL is not correct. You can verify it by performing the following steps:

1.    On the Domain Controller, open Active Directory Users and Computers console.

2.    In the console, select Domain Controllers, and then double-click the DC object AD2008 in the right pane.

3.    Click the tab Attribute Editor, click the button Filter, and then check the Backlinks.

4.    After that you should see the attribute msDFSR-ComputerReferenceBL. The expected value is CN=AD2008,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,Cn=system, DC=abc,DC=com.

August 10th, 2015 8:45pm

In ADUC under the System container you can see your SYSVOL: File Replication Service for FRS and DFSR-GlobalSettings for DFSR. Are all DCs listed there current and correct?
August 10th, 2015 8:48pm

The DC is another ball of wax you also need to fix, but to focus on the workstations and servers:

Manage the computer from ADUC and look at the local group memberships. By design, the Domain Users group is added to the local Users group and Domain Users is a member of the Users group; is this correct for your environment?

Commands to run from a troubled PC and items to check:

NLTest /sc_verify:contoso.com (it should say success)

set (make sure all information is stated correctly)

In ADUC make sure the computer accounts are members of the Domain Computers group.

Under Local Policies -> User Rights Assignment make sure the Administrators, Everyone, and Users groups are added, or use the defaults.

Make sure the "Allow log on locally" setting is also correct, in the same area as the "Access this computer from the network" setting.

In the same area review the deny settings; make sure they are set right.

Review your group policy objects in your domain that govern network access, security, and interactive logon. Make sure these settings are in accordance with your domain requirements.

August 10th, 2015 9:02pm

Are the computers they are trying to log into enabled, not disabled, in AD? Try changing the computer name and rejoining it to the domain. Also check that you haven't got any IP conflicts and that the computers are connecting to the network and able to ping the domain controllers.
August 10th, 2015 9:03pm

Yes, I am able to remotely connect to the computer but not log in.
August 11th, 2015 2:43pm

When a computer has the issue I cannot logon with the domain credentials or the local admin user credentials. Unplugging the network cable doesn't help. The only way to "fix" the issue is to boot into safe mode, login with local admin account and run msconfig, safe boot, active directory repair.

Does anyone know what Safeboot Active Directory repair does? I reboot into this mode and then I reboot again normally and the issue is resolved. If I knew what exactly happens when I boot into safe mode with active directory repair checked then maybe I can understand the problem more.

August 12th, 2015 1:24pm

Active Directory Repair Safe Mode

Active Directory Safe Mode is a bit difficult to explain. Unlike the Windows Registry, the Active Directory does not contain dynamic information or data that is likely to change often. One of the things stored in the Active Directory is machine-specific information such as print queues, contact information, and data pertaining to the hardware in your computer.

If the Active Directory becomes corrupted or if you unsuccessfully change the hardware in your computer, you may experience instability problems with Windows 7. One of the most common issues occurs when a computer owner replaces a faulty motherboard with one that is not the same make and model of the old one. Active Directory Repair Safe Mode can help you restore your computers stability by storing new or repaired information in the Active Directory.

August 12th, 2015 2:19pm

Does booting into this Active Directory repair mode automatically "refresh" the computer-specific data written to Active Directory on the domain controller? The thing that is especially strange is that local admin accounts will not log in either. It's not just a domain login issue.

August 12th, 2015 2:25pm

Below is a detailed description of the difference between local and domain logons...

Have you looked at your GPOs? You said you can manage the workstations that have the issue, yet you did not say whether the group memberships are as described in previous posts. On your FSMO role holder, look at the AD, System, and Group Policy logs to see if there are any issues. Also make sure your time settings are correct and in line with your NTP server (normally set on the DC holding the roles).

Local Logon

Local logons give users access to local computer applications and resources but not to domain applications and resources. When users log on locally, their identities are validated by authentication packages to local account information stored in the Security Accounts Manager (SAM) database. The SAM operates in the security context of the LSA; it protects and manages user and group information in the form of security accounts stored in the local computer registry. Because user accounts are stored on the local computer, network access is not required for local logons. However, if a computer has a network connection and a user logs on to a local account, there is no interaction with the network.

Local logons can be performed on Windows client operating systems, such as Windows 7 and Windows Vista. Windows server operating systems, such as Windows 2008 Server and Windows Server 2012, also permit local logons.

The following figure shows the local logon architecture.

Interactive Local Logon

A successful local logon begins when a user presses CTRL+ALT+DEL. Winlogon and the GINA DLL collect the user's credentials and then send the credentials to the LSA. The LSA verifies the user's identity and then returns a logon success and the user's access token to Winlogon and the GINA DLL. Winlogon and the GINA DLL then activate the user's shell by creating a new process, such as Explorer.exe.



Domain Logon

Domain logons give users access to resources throughout the domain. Domain user accounts are stored in an Active Directory domain. Active Directory is deployed on each domain controller, and domain user accounts are replicated throughout a domain.

Before a user can log on to a computer by using a domain account, the computer must be joined to a domain. If the computer has access to a network connection, the user can log on to a domain if the user has an account in the domain's Active Directory.

The computer must transparently authenticate to the domain's Active Directory. This form of logon is called a computer logon. Both users and computers are considered equal security principals in Active Directory; to be granted access to network resources, both must be able to verify their identities.

Users can use a domain account to log on to Windows client operating systems, such as Windows 8. Windows server operating systems, such as Windows Server 2012 R2, also permit domain logons. Only server operating systems can function as domain controllers and deploy Active Directory.

On a domain-joined computer, Windows is hard-coded to show only the last logged on user or Other user. Additional tiles for other users to log on are available only for computers joined to a workgroup.

The following figure shows the domain logon architecture.

Interactive Domain Logon

Unlike a local logon in which the local LSA validates the user, during a domain logon, the LSA on a domain controller validates the user. The LSA evaluates the user's credentials to determine if the logon should be processed as a logon to a local account or a logon to a domain account. After determining the logon type, either the NTLM or Kerberos authentication package validates the user. If the authenticating domain controller is a computer running Windows 2008 or Windows Server 2012, the LSA will use Kerberos, the default authentication package for domain and network logons. The LSA uses NTLM to process domain logons in Windows NT 4.0 mixed environments.

August 12th, 2015 4:13pm

I am not sure I understand this question: "domain users group is added to the local users group and domain users group is a member of the users group, is this correct for your environment?" I joined the PC to the domain and then I add the specific domain user to the PC's Administrators group.

I am investigating my GPOs as well. The GPO setup has been in place for a long time and I haven't made any major changes prior to this issue. Not all of the computers that have been affected were in the same OU, so I can't narrow it down using that criteria.

I also checked the time on a few systems and they look to be correct. I can't check the time when "access is denied" occurs, so I am checking it after the fact.

I looked here on the FSMO for errors and didn't see any useful info. Do you suggest any different logs?

To view the Group Policy operational log:

1. Start the Event Viewer.
2. Click the arrow next to Applications and Services Logs.
3. Click the arrow next to Microsoft, and then Windows, and then Group Policy.
4. Click Operational.

August 12th, 2015 4:56pm

In ADUC, go to the Builtin container and double-click the "Users" group. Domain Users (for your domain) should be a member. On the local PC, in Local Users and Groups, go to the group called "Users" and make sure the Domain Users group is added to this group.

As for GPOs, separate OUs is good; this gives you the ability to narrow down the GPOs all workstations have in common, such as the domain policy. Domain policies are normally used to set password, Kerberos, interactive logon, etc.

On the DCs the AD role makes an AD log.

Another thing: when looking at the GPOs, look at the Details tab, Modified section. If something was recently modified it may help.
August 12th, 2015 6:05pm

This statement is true: In ADUC, go to the Builtin container, double-click the "Users" group. Domain Users (for your domain) should be a member.

I have this local group membership set up differently. (This is a recommendation from our billing system and we have been doing it this way for 10 years at least.)

On my local PCs, in Local Users and Groups, in the groups I have the domain user and sometimes Domain Admins as part of the local Administrators group.

August 12th, 2015 6:34pm

On DC3, in Event Viewer look at the following logs:

Custom Views\Server Roles\Active Directory Domain Services

Under your domain policy or other GPO, did you go to:

Computer Configuration\Policies\Windows Settings\Security Settings\User Rights Assignment

and look at the "Deny log on locally" option? Is a group added? Eric Anto (MCITP) proposed this a while back.

You can run from the command prompt: gpresult /h gpreport.html

That will help you look at the GPO settings being applied to your machines.
August 12th, 2015 7:33pm

The "Deny log on locally" option is Not Defined.

I checked the Event Viewer logs for DC# and didn't see any recent errors that correlate.

August 12th, 2015 8:54pm

How many DCs do you have and what OS?

The Active Directory database is housed on the DCs. Did you look at correcting the error you got in your DCDiag?
August 12th, 2015 8:58pm

I have two DCs, both 2008 R2. DC3 is a physical box and the PDC. Websvr is a virtual machine in a VMware environment. We did raise the AD level from 2003 to 2008 several years ago.

I did more research on the error from dcdiag and some others have said to ignore the error. I called a friend who has several Windows 2008 R2 DCs. His DCs have the same "not defined" for that value. DC3 has been in place for years, so the value has not been set since the beginning. I decided to ignore that error.

August 12th, 2015 9:06pm

So your schema version should be 47. You can verify it by running:

dsquery * cn=schema,cn=configuration,dc=domainname,dc=local -scope base -attr objectVersion

Under the MMC for Certificates, Computer account, Local computer: does the workstation have a valid certificate?

In regards to network changes, are all the required ports open? Link below. NIC and DHCP settings correct?

https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

For the workstations that were having the issue, go to the Security log around the time of the issue and look for logon failures.
August 12th, 2015 9:17pm

My schema version is 47.

I have the Windows firewall disabled. All ports are open on the local LAN.

Can you give me more info on checking the certificate? We do not have any additional certificate setup beyond the default.

August 13th, 2015 1:37pm

MMC -> Certificates -> Computer account -> Local computer.

Personal -> Certificates: the computer certificate should be in there (assuming it is part of your design).

Access denied can either be an access/permission issue or the PC failing to register its information. You can use Microsoft's Message Analyzer to trace packets for this. Restarting the Netlogon service on workstations should register their information back in AD.

Do you use any HIPS, IPS, or IPsec? This can cause issues as well.
August 13th, 2015 2:42pm

Do you use any HIPS, IPS, IPsec? No, we do not.

I connected to the computer with ADUC -> Manage and I tried restarting the Netlogon service a few times on a system I had issues with this morning. This did not resolve the issue.

We do not have certificates as part of our setup.

August 17th, 2015 2:38pm

On the DC, in the System log, are there any Netlogon errors with the computer names that are having issues?
August 17th, 2015 2:51pm

I did not see any Netlogon errors.
August 19th, 2015 3:30pm

Did you run:

NLTest /sc_verify:contoso.com (it should say success)

Is someone or something resetting or disabling the computer object in AD? (https://support.microsoft.com/en-us/kb/216393)

Are your computer objects getting all the default security permissions? (https://technet.microsoft.com/en-us/library/dd875539%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396)
August 19th, 2015 3:41pm

We do get a success on the NLTest when run from a working PC (we can't run this test if we can't log in):

C:\Windows\System32>NLTest /sc_verify:cgemc.com
Flags: b0 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC3.cgemc.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

No one is resetting or disabling computer objects that I am aware of.

I checked the default security and the only difference is that none of my computers have the creator owner listed under permissions.

August 19th, 2015 3:55pm

From a PowerShell prompt that has the RSAT tools for AD installed, run the following:

Import-Module ActiveDirectory

Get-ADComputer "computername" -Properties *

Run it against a good PC and one that has had issues or is having issues. Any differences?

Also, have you made sure that the network has all the required AD ports open?
August 19th, 2015 5:53pm
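The post above asks for the Get-ADComputer output of a good and a bad machine to be compared by hand. The following added example (not code from the thread) does that comparison in PowerShell: it fetches every attribute of both computer objects, drops the attributes that always differ between two objects, and prints only the remaining differences, including the object's security descriptor as SDDL so ACL drift is visible. It assumes the RSAT ActiveDirectory module is installed; the computer names are placeholders.

```powershell
# Added example (not from the thread): attribute-level diff of two AD computer
# objects. Assumptions: RSAT AD module present; 'GOOD-PC' and 'BAD-PC' are placeholders.
Import-Module ActiveDirectory

function Compare-ADComputerObjects {
    param(
        [Parameter(Mandatory)][string]$GoodComputer,
        [Parameter(Mandatory)][string]$BadComputer
    )
    $good = Get-ADComputer -Identity $GoodComputer -Properties *
    $bad  = Get-ADComputer -Identity $BadComputer  -Properties *

    # Identity, timestamp and per-host attributes differ between any two objects
    # and carry no signal for this problem, so they are excluded from the diff.
    $noise = @('Name', 'CN', 'DistinguishedName', 'DNSHostName', 'SamAccountName',
               'ObjectGUID', 'SID', 'objectSid', 'CanonicalName',
               'Created', 'createTimeStamp', 'whenCreated',
               'Modified', 'modifyTimeStamp', 'whenChanged',
               'uSNCreated', 'uSNChanged', 'dSCorePropagationData',
               'logonCount', 'LastLogonDate', 'lastLogon', 'lastLogonTimestamp',
               'ServicePrincipalNames', 'servicePrincipalName',
               'IPv4Address', 'IPv6Address', 'badPasswordTime')

    $names = @($good.PropertyNames) + @($bad.PropertyNames) |
             Sort-Object -Unique |
             Where-Object { $noise -notcontains $_ }

    foreach ($n in $names) {
        # Flatten multi-valued attributes to a sorted string; render the object ACL
        # (nTSecurityDescriptor) as SDDL so a missing or extra ACE actually shows up.
        $render = {
            if ($_ -is [System.DirectoryServices.ActiveDirectorySecurity]) { $_.Sddl } else { "$_" }
        }
        $g = @($good.$n | ForEach-Object $render | Sort-Object) -join '; '
        $b = @($bad.$n  | ForEach-Object $render | Sort-Object) -join '; '
        if ($g -ne $b) {
            [pscustomobject]@{ Attribute = $n; Good = $g; Bad = $b }
        }
    }
}

# Read Enabled, userAccountControl, PasswordLastSet, PrimaryGroup, MemberOf and
# nTSecurityDescriptor first: the machine account password and the object ACL are
# what the workstation's secure channel and the DC's authorisation decisions rely on.
Compare-ADComputerObjects -GoodComputer 'GOOD-PC' -BadComputer 'BAD-PC' |
    Format-Table -AutoSize -Wrap
```

An empty result means the two objects are identical apart from the excluded identity and timestamp attributes, which is what the thread later reports.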

See the txt logs in the shared folder:

https://onedrive.live.com/redir?resid=63F101D73FEBDFDA!3213&authkey=!AMOTx13sQZn1ywI&ithint=folder%2ctxt

All ports seem to be open. I did find that the Windows firewall was enabled on DC3 but not on Websvr. I went ahead and disabled it for now.

August 19th, 2015 6:52pm

I did not see any problems. Let's look at your primary question:

Does anyone know what Safeboot Active Directory repair does?

Answer: Boots the system into a repair mode that restores the Active Directory service from backup medium.

Active Directory is housed in the NTDS.DAT file which is replicated between all DCs. So let's look at AD.

Is it possible you have duplicate SIDs in your environment?

Is it possible you have a max token issue? (link to script below)

Are these items restored from the AD Recycle Bin?

https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5
August 19th, 2015 7:40pm

I did not find any duplicated SIDs.

I ran the max token size script and did not find any token size issues.

Summary:
- Processed 207 user accounts.
- 207 have a calculated token size of less than or equal to 12000 bytes.
  - These users are good.
- 0 have a calculated token size larger than 12000 bytes.
- 0 have a calculated token size larger than 48000 bytes.
- Administrator has the largest calculated token size of 1504 bytes in the cgemc.com domain

I did have this issue on a few more computers. I did notice that trying to log in as local admin gives "incorrect username or password" instead of "access is denied".

None of these computers have been restored from the AD Recycle Bin.

August 31st, 2015 3:53pm

How many of your domain controllers are virtual?
August 31st, 2015 3:59pm

One physical: DC3.

One virtual: Websvr (VMware 5.1).

Both servers are 2008 R2.

August 31st, 2015 4:01pm

Have you logged into the vSphere console and made sure the DC settings and information are correct?
August 31st, 2015 4:08pm

I am able to log in to the vSphere client with my domain credentials, and I also connected to the vCenter server to make sure there were no login issues. Is there another area you would like me to check? This server and setup has been in place since 2013. No major changes recently.
August 31st, 2015 4:13pm

Can you open two ldp.exe instances and connect to the DCs? Compare the output; does it match? Can you bind the connections on port 389 and 3268?
August 31st, 2015 4:23pm

Also, did you run DCDiag /c /v > c:\dcdiag.txt on both domain controllers and compare the settings?

Did you run GPResult /h GPReport.html on both DCs and compare the results?

August 31st, 2015 4:27pm

https://onedrive.live.com/redir?resid=63F101D73FEBDFDA!3263&authkey=!AB81ZMI3czE06AM&ithint=folder%2c

I compared the output and they look the same.

August 31st, 2015 4:43pm

Also, did you run DCDiag /c /v > c:\dcdiag.txt on both domain controllers and compare the settings?

From the DCs, run GPResult /h GPReport.html on both DCs and compare the results. Also do it on a PC that had issues (assuming they have not been moved out of the OU).

From a DC run the PowerShell command: Get-ADComputer "computername" -Properties *

Use a computer name of a PC that had issues and one that has not.

On the DCs look in the System event logs; use the Filter or Find buttons in the Action pane. Search for the PC names; they should generate Netlogon events.

The AD repair feature boots the system into a repair mode that restores the Active Directory service from backup medium. This makes me think some setting in AD is causing it.

August 31st, 2015 5:02pm

My co-worker had the issue this morning.

Our users are in the same IT OU. I have not had the issue, while her computer has had the issue twice now.

I checked the AD properties from the PowerShell command and they look identical.

I am not seeing any errors for my co-worker's computer in the Netlogon events.

I compared the dcdiag results side by side. I also compared the gpresults and they look the same.

https://onedrive.live.com/redir?resid=63F101D73FEBDFDA!3269&authkey=!ACJcib8laMou0Z0&ithint=folder%2c
August 31st, 2015 7:46pm

Can you run the gpreport on the workstations?
August 31st, 2015 7:49pm

For the part of the DCDiag that fails, I know you said it is OK before. If you do not mind though, can you use the steps below to check and make sure?

Based on the attribute name msDFSR-ComputerReferenceBL, the domain functional level has been raised to Windows Server 2008. Therefore, the KB article Q312862 may not apply to your environment.

The error means that the value of the attribute msDFSR-ComputerReferenceBL is not correct. You can verify it by performing the following steps:

1. On the Domain Controller, open the Active Directory Users and Computers console.

2. In the console, select Domain Controllers, and then double-click the DC object "dcname" in the right pane.

3. Click the Attribute Editor tab, click the Filter button, and then check Backlinks.

4. After that you should see the attribute msDFSR-ComputerReferenceBL. The expected value is CN=dcname,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=abc,DC=com.
August 31st, 2015 8:00pm

I uploaded the desktop gpresults to OneDrive:

https://onedrive.live.com/redir?resid=63F101D73FEBDFDA!3272&authkey=!APPBrgx7HGRmjMM&ithint=folder%2c

August 31st, 2015 8:33pm

msDFSR-ComputerReferenceBL is not set.
August 31st, 2015 8:38pm

Can you run the following command on DC3?

dfsrmig /getglobalstate & dfsrmig /getmigrationstate

The states are 0 for the Start state, 1 for the Prepared state, 2 for the Redirected state, and 3 for the Eliminated state.

GetGlobalState:

Retrieves the current global migration state for the domain from the local copy of the AD DS database, when run on the PDC emulator.

Use this option to confirm that you set the correct global migration state. Only stable migration states can be global migration states, so the results that the dfsrmig command reports with the /GetGlobalState option correspond to the states you can set with the /SetGlobalState option.

You should run the dfsrmig command with the /GetGlobalState option only on the PDC emulator. Active Directory replication replicates the global state to the other domain controllers in the domain, but replication latencies can cause inconsistencies if you run the dfsrmig command with the /GetGlobalState option on a domain controller other than the PDC emulator. To check the local migration status of a domain controller other than the PDC emulator, use the /GetMigrationState option instead.

GetMigrationState:

Retrieves the current local migration state for all domain controllers in the domain, and determines whether those local states match the current global migration state.

Use this option to determine if all domain controllers have reached the global migration state. The output of the dfsrmig command when you use the /GetMigrationState option indicates whether or not migration to the current global state is complete, and it lists the local migration state for any domain controllers that have not reached the current global migration state. Local migration state for domain controllers can include transition states for domain controllers that have not reached the current global migration state.
August 31st, 2015 8:59pm

C:\Users\administrator.CGEMC>dfsrmig /getglobalstate

DFSR migration has not yet initialized. To start migration please
set global state to desired value.

C:\Users\administrator.CGEMC>dfsrmig /getmigrationstate

DFSR migration has not yet initialized. To start migration please
set global state to desired value.

August 31st, 2015 9:02pm

The links below will help explain the previous post. We want to make sure all is in order with both DCs.

http://blogs.technet.com/b/filecab/archive/2008/02/14/sysvol-migration-series-part-2-dfsrmig-exe-the-sysvol-migration-tool.aspx

https://technet.microsoft.com/en-us/library/dd641052.aspx?f=255&MSPPError=-2147217396

https://technet.microsoft.com/en-us/library/dd641227.aspx?f=255&MSPPError=-2147217396

August 31st, 2015 9:03pm

I tried looking at your GPResult.html and it did not display correctly for me. Use the results to look at local policies that would govern access, authentication, etc.: items like NTLM, Kerberos, FIPS, and so on. Also look at your SYSVOL to make sure you have no corrupted GPOs.

https://support.microsoft.com/en-us/kb/328492
August 31st, 2015 9:10pm

You said you migrated your SYSVOL from FRS to DFSR, correct? Look at the items below. I think you may want to do more research to make sure this is 100% a success, as this could be part of the random issues you are seeing.

Question

If I walk into a new Windows Server 2008 AD environment cold and need to know if they are using DFSR or FRS for SYSVOL replication, what is the quickest way to tell?

Answer

Just run this DFSRMIG command:

dfsrmig.exe /getglobalstate

That tells you the current state of the SYSVOL DFSR topology and migration.

If it says:

  • Eliminated

they are using DFSR for SYSVOL. It will show this message even if the domain was built from scratch with a Windows Server 2008 domain functional level or higher and never performed a migration; the tool doesn't know how to say they always used DFSR from day one.

If it says:

  • Prepared
  • Redirected

they are mid-migration and using both FRS and DFSR, favoring one or the other for SYSVOL.

If it says:

  • Start
  • DFSR migration has not yet initialized
  • Current domain functional level is not Windows Server 2008 or above

they are using FRS for SYSVOL.

August 31st, 2015 9:20pm
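Added example, not code from any post in this thread: a PowerShell check that runs the dfsrmig query quoted above on a DC, maps its wording to the engine actually serving SYSVOL (FRS, DFSR, or mid-migration), and cross-checks it against the DFSR/NtFrs services and the SYSVOL share path. It assumes dfsrmig.exe prints the state as `Current DFSR global state: 'Eliminated'` (or the two never-migrated sentences listed above), that a completed migration shares SYSVOL from the SYSVOL_DFSR folder, and PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Run elevated on each domain controller.
# Assumptions: dfsrmig.exe reports the state in a line such as
#   Current DFSR global state: 'Eliminated'
# or, for a never-migrated domain, one of the two sentences quoted above;
# the regexes key on those words. Needs PowerShell 3.0 or later.

function Get-SysvolReplicationState {
    [CmdletBinding()]
    param()

    $global = (& dfsrmig.exe /getglobalstate 2>&1 | Out-String)

    # Map dfsrmig's wording to the engine serving SYSVOL, as in the quoted Q&A.
    # Redirected = DFSR copy is the shared one; Prepared = FRS copy still shared.
    $engine = switch -Regex ($global) {
        "global state:\s*'?Eliminated'?"              { 'DFSR'; break }
        "global state:\s*'?Redirected'?"              { 'Mid-migration (DFSR serving SYSVOL)'; break }
        "global state:\s*'?Prepared'?"                { 'Mid-migration (FRS serving SYSVOL)'; break }
        "global state:\s*'?Start'?"                   { 'FRS'; break }
        'not yet initialized|functional level is not' { 'FRS'; break }
        default                                       { 'Unknown (see RawGlobalState)' }
    }

    # Per-DC view: every DC must have reached the global state, or replication is split.
    $perDc = (& dfsrmig.exe /getmigrationstate 2>&1 | Out-String).Trim()

    # Which replication service is running, and where the SYSVOL share points.
    $svc = foreach ($name in 'DFSR', 'NtFrs') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        '{0}={1}' -f $name, $(if ($s) { $s.Status } else { 'NotInstalled' })
    }
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='SYSVOL'"

    [pscustomobject]@{
        Engine         = $engine
        RawGlobalState = $global.Trim()
        MigrationState = $perDc
        Services       = ($svc -join ', ')
        SysvolPath     = $(if ($share) { $share.Path } else { 'SYSVOL not shared' })
        PathIsDfsr     = [bool]($share -and $share.Path -match 'SYSVOL_DFSR')
    }
}

Get-SysvolReplicationState | Format-List
```

Run it on both DCs; an Engine of DFSR on one and FRS or mid-migration on the other, or a PathIsDfsr value that disagrees with Engine, is exactly the half-finished migration the post above warns about.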

Hi,

If you are getting access denied at logon, the best option is to enable the Netlogon debug log; this will help to investigate further. Please upload the log file to OneDrive.

Enable the debug log, then reboot the computer. If possible, reproduce the issue, and once the logs are captured, disable the debug log.

Enable debug log: nltest /dbflag:0x2fffffff

Disable: nltest /dbflag:0x0

September 1st, 2015 4:50am

We had raised the AD level from 2003 to 2008 R2. I did not convert from FRS to DFS at that time. I did perform those steps this evening.
September 1st, 2015 9:47pm

new log after dfs migration. https://onedrive.live.com/redir?resid=63F101D73FEBDFDA!3273&authkey=!AC0YF2Q4n4BMpvw&ithint=file%2ctxt

September 1st, 2015 9:59pm

From one of the workstations that was having trouble, did you check the ports to the DC? Below is a link to the required ports that need to be open for AD to work; this includes workstations.

https://technet.microsoft.com/en-us/library/Dd772723%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

September 1st, 2015 10:31pm

Hi,

Based on the log investigation it is very clear that you have an issue in your environment: the secure channel is not getting established between the client machine and the domain controller.

09/04 13:34:02 [SESSION] CGEMC: NlSessionSetup: Try Session setup
09/04 13:34:02 [SESSION] NlSessionSetup: ClientSession->CsState = 0x0
09/04 13:34:02 [SESSION] CGEMC: NlDiscoverDc: Start Synchronous Discovery
09/04 13:34:02 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
09/04 13:34:02 [DNS] NetpDcFindDomainEntry: CGEMC cgemc.com.: Failed to find domain cache entry with quality 0/7
09/04 13:34:02 [DNS] Cache: CGEMC cgemc.com.: Create new domain cache entry
09/04 13:34:02 [DNS] Cache: CGEMC (null): Set netbios domain name
09/04 13:34:02 [DNS] Cache: CGEMC cgemc.com.: Set DNS domain name
09/04 13:34:02 [DNS] NetpDcFindDomainEntry: CGEMC cgemc.com.: Failed to find exact domain cache entry with quality 0/7
09/04 13:34:02 [MAILSLOT] NetpDcPingListIp: cgemc.com.: Sent UDP ping to 10.10.0.25
09/04 13:34:02 [MAILSLOT] cgemc.com.: Received 'Sam Logon Response Ex' response.
09/04 13:34:02 51cb8740 728de2ea 7e3297c5 b83ae936   @..Q...r..2~6.:.
09/04 13:34:02 [MISC] NetpDcGetName: NetpDcGetNameIp returned 0
09/04 13:34:02 [SITE] NlSetDynamicSiteName: Old and new site names 'Default-First-Site-Name' are identical.
09/04 13:34:02 [DNS] Cache: CGEMC cgemc.com.: Add cache entry 1 (Quality: 28)
09/04 13:34:02 [SESSION] CGEMC: NlSetServerClientSession: New DC is an NT 5 DC: \\websvr.cgemc.com
09/04 13:34:02 [SESSION] CGEMC: NlSetServerClientSession: New DC is in closest site: \\websvr.cgemc.com
09/04 13:34:02 [SESSION] CGEMC: NlSetServerClientSession: New DC runs the time service: \\websvr.cgemc.com
09/04 13:34:02 [SESSION] CGEMC: NlSetServerClientSession: New discovery flags: 0x1dc; Old flags: 0x0
09/04 13:34:02 [PERF] NlAllocateClientSession: New Perf Instance (0000000000368E08): "\\websvr.cgemc.com"
    ClientSession: 000000000036F800
09/04 13:34:02 [SESSION] CGEMC: NlDiscoverDc: Found DC \\websvr.cgemc.com
09/04 13:34:02 [SESSION] NlSessionSetup: ClientChallenge = d8227629 e9a09f3a 811d1faf 34623f1f   )v".:........?b4
09/04 13:34:02 [SESSION] NlSessionSetup: Clear New Password = 4d1c0179 604c547b 5233ec66 b0315118   y..M{TL`f.3R.Q1.
09/04 13:34:02 [SESSION] NlSessionSetup: Password Changed: 3a5f3f66 01d0df8a = 8/25/2015 19:03:17
09/04 13:34:02 [SESSION] NlSessionSetup: Password = 62a795a6 7c5706da d04b0262 22392ec2   ...b..W|b.K...9"
09/04 13:34:02 [SESSION] CGEMC: NlStartApiClientSession: Bind to server \\websvr.cgemc.com (TCP) 0 (Retry: 0).

09/04 13:34:47 [SESSION] NlTimeoutApiClientSession Called

https://technet.microsoft.com/en-us/library/cc961817.aspx

You have so many entries for "NlTimeoutApiClientSession Called" at the end of the log files, and after the repair all of those entries are gone and your machine gets authenticated to DC3. Hence check all the required DCs and their TCP/IP configuration. Check that all required ports are open. Also check that you have valid sites & subnets created and a proper site-link created.


September 7th, 2015 1:07am
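Added example, not code from any post in this thread, covering both the Netlogon debug-logging post (nltest /dbflag) and the log analysis above. The first function toggles the flag the way the post describes and reads back the DBFlag registry value nltest writes, so you can confirm it took before rebooting. The second parses netlogon.log lines for the pattern the analysis points at: which DC NlDiscoverDc selected, how many NlTimeoutApiClientSession entries followed, and whether a session setup ever succeeded. The sample lines are constructed from the excerpt quoted above (plus repeated timeout lines) so the parser runs without a real log; the "Session setup Succeeded" wording is assumed to be constant across the Windows versions in the thread. Needs PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Assumes an elevated prompt on a domain member.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$NetlogonLog    = Join-Path $env:windir 'debug\netlogon.log'

function Set-NetlogonDebug {
    param([switch]$Disable)
    $flag = if ($Disable) { '0x0' } else { '0x2fffffff' }   # 0x2fffffff = verbose, as in the post
    & nltest.exe "/dbflag:$flag" | Out-Null
    # nltest stores the flag in DBFlag; read it back rather than trusting the exit code.
    # The value type differs between builds (REG_SZ or REG_DWORD); normalise to hex text.
    $value = (Get-ItemProperty -Path $NetlogonParams -Name DBFlag -ErrorAction SilentlyContinue).DBFlag
    if ($value -is [int]) { '0x{0:x}' -f $value } else { [string]$value }
}

function Get-NetlogonSessionSummary {
    param([string[]]$Lines)
    $found    = @{}        # DC name -> times NlDiscoverDc selected it
    $timeouts = @{}        # DC name -> NlTimeoutApiClientSession entries while it was current
    $success  = 0
    $current  = '(none)'
    foreach ($line in $Lines) {
        if ($line -match 'NlDiscoverDc: Found DC (\\\\\S+)') {
            $current = $Matches[1]
            $found[$current] = 1 + [int]$found[$current]
        }
        elseif ($line -match 'NlTimeoutApiClientSession Called') {
            $timeouts[$current] = 1 + [int]$timeouts[$current]
        }
        elseif ($line -match 'NlSessionSetup: Session setup Succeeded') {
            # Line Netlogon writes once the secure channel is up (assumed wording).
            $success++
        }
    }
    $totalTimeouts = [int]($timeouts.Values | Measure-Object -Sum).Sum
    [pscustomobject]@{
        DiscoveredDCs    = ($found.Keys -join ', ')
        TimeoutsByDC     = (($timeouts.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ')
        SessionSuccesses = $success
        Verdict          = $(if ($success -eq 0 -and $totalTimeouts -gt 0) {
                                'Secure channel never established: DC found but RPC binds timed out'
                            } elseif ($totalTimeouts -gt 0) {
                                'Intermittent: secure channel established but some binds timed out'
                            } else { 'Healthy in this excerpt' })
    }
}

# Constructed sample, trimmed from the excerpt in the post above plus the repeated
# timeout lines the analysis refers to; no successful session setup appears in it.
$SampleLog = @(
    '09/04 13:34:02 [SESSION] CGEMC: NlSessionSetup: Try Session setup',
    '09/04 13:34:02 [SESSION] CGEMC: NlDiscoverDc: Found DC \\websvr.cgemc.com',
    '09/04 13:34:02 [SESSION] CGEMC: NlStartApiClientSession: Bind to server \\websvr.cgemc.com (TCP) 0 (Retry: 0).',
    '09/04 13:34:47 [SESSION] NlTimeoutApiClientSession Called',
    '09/04 13:35:32 [SESSION] NlTimeoutApiClientSession Called',
    '09/04 13:36:17 [SESSION] NlTimeoutApiClientSession Called'
)
Get-NetlogonSessionSummary -Lines $SampleLog | Format-List

# Real capture, in the order the post gives: enable, reboot/reproduce, analyse, disable.
# Set-NetlogonDebug
# Get-NetlogonSessionSummary -Lines (Get-Content $NetlogonLog) | Format-List
# Set-NetlogonDebug -Disable
```

On the constructed sample the verdict is the first one: websvr.cgemc.com is discovered, the TCP bind is started, and only timeouts follow. The bind on port 135 succeeding while the session still times out is why the next post sends you to the RPC dynamic port range rather than to the fixed AD ports alone.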

In previous posts you ran the NLTest command, which tests the secure channel, and the TechNet link for the required AD ports that need to be open. You can also use the PowerShell Test-ComputerSecureChannel cmdlet. Another thing you can check is to track down when the first issue occurred and see if any Microsoft patches were installed that could now be causing this issue.
September 7th, 2015 1:27am
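Added example, not code from any post in this thread, covering the port-check post and the last post together: run from an affected Windows 7 workstation, it probes the fixed AD TCP ports from the TechNet port table against each DC, tests the secure channel with Test-ComputerSecureChannel and nltest /sc_query as the post names, and lists updates installed around the date of the first failure. It uses .NET TcpClient because Test-NetConnection does not exist on Windows 7, and needs PowerShell 3.0 or later. The DC name websvr.cgemc.com comes from the log excerpt above; the second DC name and the failure date are placeholders.

```powershell
# Added example, not from the thread. Run elevated on an affected workstation.

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($ar); return $true
        }
        return $false
    } catch { return $false } finally { $client.Close() }
}

function Test-DcPorts {
    param([string[]]$DomainControllers)
    # Fixed TCP ports a domain member needs from the TechNet port table. The RPC
    # dynamic range (49152-65535 on 2008 R2) is negotiated through 135, so a working
    # secure channel also needs that range open; a fixed-port probe cannot prove that.
    $ports = [ordered]@{ '53'='DNS'; '88'='Kerberos'; '135'='RPC endpoint mapper'; '389'='LDAP';
                         '445'='SMB/Netlogon'; '464'='Kerberos kpasswd'; '636'='LDAPS'; '3268'='Global catalog' }
    foreach ($dc in $DomainControllers) {
        foreach ($port in $ports.Keys) {
            [pscustomobject]@{ DC = $dc; Port = [int]$port; Service = $ports[$port]
                               Open = Test-TcpPort -Server $dc -Port ([int]$port) }
        }
    }
}

function Test-SecureChannelState {
    param([string]$Server)
    # Test-ComputerSecureChannel -Repair resets the channel from a normal boot,
    # which is the supported alternative to the safe-mode detour in the question.
    $ok = Test-ComputerSecureChannel -Server $Server
    # nltest /sc_query shows which DC the channel is with and the last status code.
    $query = (& nltest.exe "/sc_query:$env:USERDOMAIN" 2>&1) -join ' | '
    [pscustomobject]@{ Server = $Server; SecureChannelOK = $ok; NltestQuery = $query }
}

function Get-UpdatesNear {
    param([datetime]$FirstFailure, [int]$Days = 14)
    # Updates installed within +/- $Days of the first failure, for the "what changed" check.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and [math]::Abs(($_.InstalledOn - $FirstFailure).TotalDays) -le $Days } |
        Sort-Object InstalledOn | Select-Object HotFixID, Description, InstalledOn
}

$dcs = 'websvr.cgemc.com', 'dc3.cgemc.com'                      # second name is a placeholder
Test-DcPorts -DomainControllers $dcs | Format-Table -AutoSize
Test-SecureChannelState -Server $dcs[0] | Format-List
Get-UpdatesNear -FirstFailure ([datetime]'2015-07-01') | Format-Table -AutoSize   # placeholder date
```

Read the three outputs together: every fixed port open but SecureChannelOK false with a timing-out nltest query points at the RPC dynamic range or at a site/subnet mapping sending the client to the wrong DC, while a port that is closed on one DC only explains why the workstation recovers when it happens to discover the other.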

This topic is archived. No further replies will be accepted.
