Friday, June 10, 2011 1:47 PMI took over a network admin position recently. We have a domain controller in every branch, and the main DC in our headquarters. I recently realized one of our branch DCs was powered off (apparenly this server is only used for AD and backups, as nobody noticed since February). When I powered it back on, users were no longer able to log in to their PCs using domain credentials. When I powered down the server, all was fine. The error when logging in was something like "domain controller unavailable...make sure your username and password are correct...etc." I will try to track down the actual error; I took a screenshot and misplaced it. But if there are any ideas what may cause this I'd be interested. I did notice that AD on our main was not updated on the branch DC, which I'm sure has something to do with the problem.
Friday, June 10, 2011 2:48 PM
looks like that the DC was down for a long time and it has been a long time since AD replication was performed on it.
I think also that your users / computers passwords were reset and the replication was not performed.
In this case, if the DC is down then the head office DCs will be used for authentication and when the DC is up it will be used for authentication and then you will have such errors.
To solve your problem, proceed like that:
- Force demotion of the DC
- Perform a metadata cleanup
- If the DC was holder of FSMO roles then resize them to another DC
- Promote again the DC and install DNS on it
Once done, check that all is okay.
Wednesday, June 15, 2011 5:55 PM
Sorry. Have not had time to reply with status. I have not done this yet, but noticed something else that may be causing it. Any suggestions on what's causing this may help solve the original problem.
Event Viewer error: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SERVER$. The target name used was E3514235-###-###-###(random alphanumerals)/domainname@domainname. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name(SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for that target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain name) is different from the cleitn domain (domain name), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Event ID: 4
Wednesday, June 15, 2011 6:16 PM
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx
If it does not help, proceed like I mentioned previously.
Monday, June 20, 2011 3:10 AMModerator
I’d like to confirm whether there is any update about this issue, please feel free to let us know.