Users cannot log in after DC turned on
-
Friday, June 10, 2011 1:47 PM
I took over a network admin position recently. We have a domain controller in every branch, and the main DC in our headquarters. I recently realized one of our branch DCs was powered off (apparently this server is only used for AD and backups, as nobody noticed since February). When I powered it back on, users were no longer able to log in to their PCs using domain credentials. When I powered down the server, all was fine. The error when logging in was something like "domain controller unavailable...make sure your username and password are correct...etc." I will try to track down the actual error; I took a screenshot and misplaced it. But if there are any ideas what may cause this I'd be interested. I did notice that AD on our main was not updated on the branch DC, which I'm sure has something to do with the problem.
All Replies
-
Friday, June 10, 2011 2:48 PM
Hello,
It looks like the DC was down for a long time and it has been a long time since AD replication was performed on it.
I also think that your users' / computers' passwords were reset and the replication was not performed.
In this case, if the DC is down then the head office DCs will be used for authentication, and when the DC is up it will be used for authentication and then you will have such errors.
To solve your problem, proceed as follows:
- Force demotion of the DC
- Perform a metadata cleanup
- If the DC was the holder of FSMO roles, then seize them to another DC
- Promote the DC again and install DNS on it
Once done, check that all is okay.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
- Proposed As Answer by James Zou (Moderator) Monday, June 13, 2011 5:29 AM
- Marked As Answer by James Zou (Moderator) Wednesday, June 15, 2011 1:55 AM
- Unmarked As Answer by SVLKRS Wednesday, June 15, 2011 5:50 PM
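Before running the destructive steps in the answer above, it helps to measure how stale the branch DC really is. This is an added example, not part of the thread: it parses `repadmin /showrepl <DC> /csv` output and flags inbound links whose last success is older than the forest's tombstone lifetime. The server names, domain and sample rows are constructed, and the 60 and 180 day values are the common defaults, not values from this environment.

```powershell
# Added example (not from the thread). Sample rows below are constructed.
function Get-StaleReplicationLink {
    param(
        [Parameter(Mandatory)][string[]]$ShowReplCsv,  # lines from: repadmin /showrepl <DC> /csv
        [Parameter(Mandatory)][int]$TombstoneDays,     # forest tombstoneLifetime, in days
        [datetime]$Now = (Get-Date)
    )
    foreach ($row in ($ShowReplCsv | ConvertFrom-Csv)) {
        $last = [datetime]::MinValue
        $parsed = [datetime]::TryParse($row.'Last Success Time',
            [cultureinfo]::InvariantCulture,
            [Globalization.DateTimeStyles]::None, [ref]$last)
        # A link that has never replicated is treated as stale.
        $days = if ($parsed) { [math]::Floor(($Now - $last).TotalDays) } else { [int]::MaxValue }
        [pscustomobject]@{
            NamingContext    = $row.'Naming Context'
            SourceDsa        = $row.'Source DSA'
            DaysSinceSuccess = $days
            PastTombstone    = $days -gt $TombstoneDays
        }
    }
}

# Constructed sample in the column layout of repadmin /showrepl /csv.
# On a live system use instead: $csv = repadmin /showrepl BRANCH-DC01 /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Branch,BRANCH-DC01,"DC=example,DC=local",HQ,HQ-DC01,RPC,0,0,2011-02-03 04:12:55,0
showrepl_INFO,Branch,BRANCH-DC01,"CN=Configuration,DC=example,DC=local",HQ,HQ-DC01,RPC,0,0,(never),0
'@ -split "`r?`n"

# The real lifetime is the tombstoneLifetime attribute on
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest DN>.
# If the attribute is not set, the default is 60 days.
foreach ($lifetime in 60, 180) {
    "Tombstone lifetime: $lifetime days"
    Get-StaleReplicationLink -ShowReplCsv $csv -TombstoneDays $lifetime `
        -Now ([datetime]'2011-06-10') | Format-Table -AutoSize
}
```

With the sample dates, the domain partition is 126 days behind: past a 60 day lifetime but within a 180 day one, which is why the actual attribute value matters before choosing between resuming replication and a forced demotion.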
-
Wednesday, June 15, 2011 5:55 PM
Sorry. Have not had time to reply with status. I have not done this yet, but noticed something else that may be causing it. Any suggestions on what's causing this may help solve the original problem.
Event Viewer error: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SERVER$. The target name used was E3514235-###-###-###(random alphanumerals)/domainname@domainname. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for that target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain name) is different from the client domain (domain name), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Event ID: 4
-
Wednesday, June 15, 2011 6:16 PM
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx
If it does not help, proceed like I mentioned previously.
-
Monday, June 20, 2011 3:10 AM (Moderator)
Hi,
I'd like to confirm whether there is any update on this issue. Please feel free to let us know.
Regards,
James

