Cannot login after dcpromo

    Question

  • OS: W2K8R2SP1 | Only DC

    Just did dcpromo and installed AD and DNS without enabling ADDS and DNS in Roles; and now after auto reboot it does not take both my and administrator password. So can't login to the domain/server.

    This is a test to replicate an issue that had happened in the production env when AD and DNS were installed using dcpromo without first enabling the corresponding roles. To see if a solution exists to come out of this situation and save the AD.

    What are the possible reasons for not allowing to login? FYI, earlier password's complexity was complex enough, so Default Domain Policy should not interfere. DSRM working fine.

    How can this situation be salvaged so that I don't have to re-image and the AD and DNS works fine. Can LKGC work, to take the server back to days when it was not yet a DC?

    ~TIA


    - thestriver


    • Edited by thestriver Thursday, December 20, 2012 5:22 AM
    Thursday, December 20, 2012 5:19 AM

All replies

  • Even if you don't enable the ADDS roles in Win2008R2, by default the DNS/GC role will be enabled during DCpromo setup; that's not an issue.
    http://www.elmajdal.net/win2k8/setting_up_your_first_domain_controller_with_windows_server_2008.aspx

    It seems that you are not using the correct domain name to login to the server. Try domainname\userid to login to the server.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by thestriver Thursday, December 20, 2012 1:05 PM
    Thursday, December 20, 2012 5:40 AM
  • Thanks! I am using the correct domain name.

    - thestriver

    Thursday, December 20, 2012 5:58 AM
  • Not sure enough, you can't login into the server anymore because domain controllers do not have local user accounts. The local user accounts were converted to domain builtin accounts during the DCPROMO process. You need to log on to the domain from the server in the form of domain\username.

    Thursday, December 20, 2012 6:23 AM
  • You can refer below link to reset the domain admin Password.

    How to Reset Your Forgotten Domain Admin Password on Server 2008 R2
    http://www.howtogeek.com/106333/how-to-reset-your-forgotten-domain-admin-password-on-server-2008-r2/
    http://blogs.technet.com/b/meacoex/archive/2011/08/15/reset-your-windows-sever-2008-r2-domain-controller-administrator-password.aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by thestriver Thursday, December 20, 2012 1:05 PM
    Thursday, December 20, 2012 6:25 AM
  • I agree with Sandesh that the most likely cause is that even after DCPROMO the logon screen (when just typing a username to log on with) defaults to the local computer and will fail as the computer is now a DC, hence you have to specify DOMAIN\username - this should always work for the built-in administrator or objects that have 'isCriticalSystemObject' set to 'TRUE', as they always replicate directly as a part of the initial/critical replication during DCPROMO: http://msdn.microsoft.com/en-us/library/cc220034(v=prot.20).aspx - However, other objects (accounts) may replicate in at a later stage depending on your replication topology and therefore might not be possible to log on with instantly.

    Enfo Zipper Christoffer Andersson – Principal Advisor

    • Marked as answer by thestriver Thursday, December 20, 2012 1:03 PM
    Thursday, December 20, 2012 6:25 AM
  • Thanks! I am using the correct domain name.

    - thestriver

    Can you post the exact error message you are seeing while trying to login to the domain? Secondly, I heard of a few instances where a user is not able to login to the DC post promotion to DC, but the issue is resolved on forcing replication from the other working DC using repadmin /syncall /APed. Try to connect the DC with another working DC, then restart the netlogon service.

    PS: The above will force the replication of all the DCs as well as all the partitions & might create traffic, so it's better to run this command in non-business hours.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by thestriver Thursday, December 20, 2012 1:06 PM
    Thursday, December 20, 2012 9:09 AM
    Moderator
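
    The checks suggested in the two replies above, collected into one PowerShell sequence. This is an added example, not part of the original posts. It assumes an elevated session on the new DC as the built-in Administrator, the ActiveDirectory module, at least one other working DC to replicate from, and a hypothetical account name `jdoe`.

```powershell
# Added example: verify why a non-critical account cannot log on right after DCPROMO.
Import-Module ActiveDirectory

# Hypothetical account name, used only for illustration.
$SamAccountName = 'jdoe'

# 1. Is the account present in this DC's copy of the directory, and is it
#    flagged isCriticalSystemObject (replicated during initial/critical replication)?
$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                     -Properties isCriticalSystemObject, whenChanged
if (-not $acct) {
    Write-Warning "$SamAccountName has not replicated to this DC yet."
} elseif ($acct.isCriticalSystemObject) {
    Write-Output "$SamAccountName is a critical system object (present since promotion)."
} else {
    Write-Output "$SamAccountName is present; last changed $($acct.whenChanged)."
}

# 2. Show inbound replication partners and the result of the last attempt per partition.
repadmin /showrepl

# 3. Force replication: /A all partitions, /P push changes outward,
#    /e across site boundaries, /d identify servers by distinguished name.
#    This touches every DC and partition, so schedule it outside business hours.
repadmin /syncall /APed
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin /syncall reported errors; review the output above."
}

# 4. Restart Netlogon so the DC re-registers its locator records, then confirm
#    that a domain controller can be located for the current domain.
Restart-Service -Name Netlogon
nltest /dsgetdc:$env:USERDNSDOMAIN

# 5. Re-check the account after replication has completed.
Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
             -Properties isCriticalSystemObject, whenChanged |
    Format-List Name, DistinguishedName, isCriticalSystemObject, whenChanged
```

    On a single-DC domain, as in the original question, steps 2 and 3 have no partner to contact, so only the account check in step 1 is meaningful there.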
  • Thanks to everyone.

    In the 1st post I had mentioned it is the only DC. So replication is not a choice. It might be mighty silly this, one of the admins changed the password on this test system, instead of the production dc. Mis-information / Mis-interpretation.


    - thestriver

    • Edited by thestriver Thursday, December 20, 2012 1:02 PM
    Thursday, December 20, 2012 1:01 PM
  • In the 1st post I had mentioned it is the only DC. So replication is not a choice. It might be mighty silly this, one of the admins changed the password on this test system, instead of the production dc. Mis-information / Mis-interpretation.


    - thestriver

    I actually requested for forcing replication for the production problem DC :)


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, December 20, 2012 1:03 PM
    Moderator
  • haha, Sure.

    I will try Sandesh's idea in lab next year and see first hand.

    Happy Holidayzzz...


    - thestriver

    Thursday, December 20, 2012 1:08 PM