SA 7.1R1.1 (build 17943)
I have a lot of VPN users, so I use AD groups instead. The LDAP is configured correctly, as this setup has been working for so long. Today, all of a sudden, anyone belonging to my AD group is not getting matched. Only when I specify a specific username from AD will it work.
How can I make the AD group lookup work again?
This normally means something has changed in AD. Prime candidates are:
1. Someone has moved your AD groups to a different OU (in my experience AD admins seem to be always redesigning the OU structure).
2. The AD account used by the VPN boxes is disabled, locked, or its password has changed/expired.
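A concrete way to rule out candidate 2, as an added example that is not from this thread or from the SA product: read the service account's userAccountControl, pwdLastSet and lockoutTime attributes plus the domain's maxPwdAge and lockoutDuration (for example with ldapsearch against a DC), then decode them. The attribute values below are constructed; the flag bits and the FILETIME encoding are the documented AD ones.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits relevant to "why can't this account bind?"
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",            # historically unreliable; lockoutTime is authoritative
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# AD stores pwdLastSet/lockoutTime as FILETIME: 100 ns ticks since 1601-01-01 UTC.
# maxPwdAge/lockoutDuration are negative 100 ns intervals on the domain object.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = -0x8000000000000000  # maxPwdAge value meaning "passwords never expire"


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def interval_to_timedelta(interval):
    """Convert a negative 100 ns AD interval (maxPwdAge, lockoutDuration) to a timedelta."""
    return timedelta(microseconds=(-interval) // 10)


def password_expired(pwd_last_set, max_pwd_age, uac, now):
    if uac & 0x10000:                       # DONT_EXPIRE_PASSWORD
        return False
    if pwd_last_set == 0:                   # "user must change password at next logon"
        return True
    if max_pwd_age in (0, NEVER):           # domain policy: no expiry
        return False
    expires = filetime_to_datetime(pwd_last_set) + interval_to_timedelta(max_pwd_age)
    return now >= expires


def lockout_in_effect(lockout_time, lockout_duration, now):
    """lockoutTime stays non-zero until the next successful logon, so compare against the duration."""
    if lockout_time == 0:
        return False
    if lockout_duration in (0, NEVER):      # 0 / NEVER: locked until an admin unlocks
        return True
    return now < filetime_to_datetime(lockout_time) + interval_to_timedelta(lockout_duration)


def service_account_problems(entry, domain, now):
    """Return the reasons an LDAP bind as this account would fail (empty list = looks healthy)."""
    uac = entry["userAccountControl"]
    problems = [f for f in decode_uac(uac) if f in ("ACCOUNTDISABLE", "PASSWORD_EXPIRED")]
    if lockout_in_effect(entry.get("lockoutTime", 0), domain["lockoutDuration"], now):
        problems.append("LOCKOUT in effect")
    if password_expired(entry["pwdLastSet"], domain["maxPwdAge"], uac, now):
        problems.append("password older than maxPwdAge")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 42-day password policy, 30-minute lockout, password set 50 days ago.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    domain = {"maxPwdAge": -42 * 24 * 3600 * 10_000_000, "lockoutDuration": -30 * 60 * 10_000_000}
    entry = {"userAccountControl": 0x200,
             "pwdLastSet": datetime_to_filetime(now - timedelta(days=50)),
             "lockoutTime": 0}
    print(decode_uac(entry["userAccountControl"]))
    print(service_account_problems(entry, domain, now))
```

If the list comes back non-empty, fix the account first and then re-run the SA Test Config; if it is empty, the bind account is not the problem and the group lookup itself (base DN, group attribute, filter) is the next thing to check.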
1. I'm the domain admin, and no, I didn't move anything.
2. I tested the LDAP config from the management console and it passes.
Well, all groups from AD don't work.
As I've mentioned, there were no OU movements done, and I've retested the LDAP config from the management console with a success return.
Is there a particular event code I should look for on the DC server?
Start with the Policy Trace AND the user access logs on the SA. A tcpdump from a failed attempt will probably be the fastest way to narrow it down, but it might not be as easy to read as the policy trace is. The Test Config button only helps verify basic connectivity.
Hi, not sure if this helps, but I find that I have to toggle between / (forward slash) and \ (backslash) quite a bit to get my groups to work. Sometimes it works with domainname/group1, sometimes with domainname\group1, and sometimes with just group1.
Thanks
Natasha
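The three spellings above (domainname/group1, domainname\group1, bare group1) can be compared against what AD actually returns in a user's memberOf attribute with a small normalizer. This is an added example, not code from the thread or from the SA product. The memberOf values are constructed, and it assumes the domain prefix in a rule is matched against the first DC label of the group's DN; in a real forest the NetBIOS domain name can differ from that label, in which case the matcher must be told the real name via default_domain.

```python
import re

# Constructed sample: what a lookup of a user's memberOf attribute might return.
SAMPLE_MEMBER_OF = [
    "CN=VPN-Users,OU=Groups,OU=Corp,DC=example,DC=local",
    "CN=Domain Users,CN=Users,DC=example,DC=local",
]

# One RDN per match; the value may contain backslash-escaped commas (e.g. "Sales\, EMEA").
DN_RDN_RE = re.compile(r'(?:^|,)\s*([A-Za-z]+)=((?:\\.|[^,])*)')
DOMAIN_GROUP_RE = re.compile(r'^([^\\/]+)[\\/](.+)$')


def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs, unescaping '\\,' inside values."""
    return [(k.upper(), v.replace("\\,", ",").strip()) for k, v in DN_RDN_RE.findall(dn)]


def dn_to_group(dn):
    """Reduce a group DN to (domain, cn), both lower-cased for case-insensitive matching.

    AD group names are case-insensitive, so comparing lower-cased values is safe.
    Domain = first DC label of the DN (assumption: equals the NetBIOS name).
    """
    pairs = parse_dn(dn)
    cn = next((v for k, v in pairs if k == "CN"), None)
    dcs = [v for k, v in pairs if k == "DC"]
    domain = dcs[0] if dcs else ""
    return (domain.lower(), cn.lower() if cn is not None else None)


def normalize_rule(spec, default_domain=""):
    """Turn 'DOMAIN\\group', 'DOMAIN/group', 'group' or a full DN into (domain, cn).

    A bare group name carries no domain; an empty domain means "match any domain".
    """
    spec = spec.strip()
    if spec.upper().startswith("CN="):
        return dn_to_group(spec)
    m = DOMAIN_GROUP_RE.match(spec)
    if m:
        return (m.group(1).lower(), m.group(2).lower())
    return (default_domain.lower(), spec.lower())


def rule_matches(spec, member_of, default_domain=""):
    """True if the rule spelling in spec matches any group DN in member_of."""
    want_domain, want_cn = normalize_rule(spec, default_domain)
    for dn in member_of:
        have_domain, have_cn = dn_to_group(dn)
        if have_cn == want_cn and (want_domain == "" or have_domain == want_domain):
            return True
    return False


if __name__ == "__main__":
    # Show which of the three spellings would match the constructed memberOf list.
    for spec in ("example\\VPN-Users", "EXAMPLE/vpn-users", "VPN-Users", "corp\\VPN-Users"):
        print(f"{spec!r:24} -> {rule_matches(spec, SAMPLE_MEMBER_OF)}")
```

Run it against the real memberOf values copied out of an ldapsearch of a failing user; if only the bare spelling matches, the domain prefix in the rule does not correspond to what the lookup is returning, which is the situation the slash-toggling works around.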
If everything else appears to work OK, try deleting and rebuilding your role mapping rules, or create a new sign-in policy and a new realm and test it there.
I have seen similar behavior before; for whatever reason (with no changes on our end) we were either unable to extract AD group memberships or, better yet, we were extracting them and they weren't matching our existing rules.
Deleting/rebuilding the role mapping rules resolved it every time. If you have tried everything else with no luck, give it a go.