Unable to log on to 2008r2 dc in a 2003 domain after the dcpromo restart

    General discussion

  • I have a 2003 domain with 2 2003 dc/dns.  Attempting to add a 2008r2 dc with the end game of upgrading the domain to 2008r2.  ADPREPs completed.  After joining the 2008r2 member server to the domain, DCPROMO seems to work fine, but after the promotion and restart, the 2008r2 dc server will not allow the administrator to log on. 

     "Incorrect user name or password" warning appears when attempting log on.  Can logon through SAFE mode, but haven't found anything in logs pointing towards a solution.  Some similar postings here but not exactly as I'm experiencing. 

    Need a solution soon to avoid having to rebuild a moderate size domain from scratch and transfer data etc.

    Wednesday, July 06, 2011 4:13 PM

All replies

  • Are you using a domain account or a local account to log in? Once the server is promoted to a DC, you have to use a domain ID to log in, like Domain\username.


    Regards


    MVP-Directory Services 

    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, July 06, 2011 4:20 PM
    Moderator
  • Hello,

    Sounds to me like maybe caps-lock is enabled or the keyboard language was changed.

    Never had problems on a DC logging on with the account name "Administrator" without the NetBIOS domain name. As the DC has no option to log on to the local machine as a member server does, no UPN logon or Netbiosdomainname\Administrator is required.

    Anyway, did you try that option?

    What happened if you use another administrative account?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Wednesday, July 06, 2011 5:12 PM
  • Caps were/are off.  Administrator/password didn't work nor did several other domain admin accounts.  Forgot to mention earlier that this is a virtual machine on esxi host.  Don't think that makes any difference.

    Can see the AD replication in Sites and the server is listed as a kerberos SVR in DNS.  Everything looks like a healthy DC except being able to log on to it.


    Wednesday, July 06, 2011 5:27 PM
  • Hello,

    as you are talking about a VM make sure it does NOT use the host as time source with the VMWare tools.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Wednesday, July 06, 2011 5:36 PM
  • I have seen what Awinish describes. If you try to log on as “Administrator” it sometimes defaults back to logging on to the local computer with COMPUTERNAME\Administrator even if it has been promoted to a DC; trying explicitly with NETBIOSNAME\Administrator or administrator@upn is a good idea.
    ----------------------------------------------------------

    Enfo Zipper
    Christoffer Andersson – Principal Advisor

    "Meinolf Weber" wrote in message news:542d61d2-7c08-400a-8fa2-b41a0de76826...

    Hello,

    Sounds to me like maybe caps-lock is enabled or the keyboard language was changed.

    Never had problems on a DC logging on with the account name "Administrator" without the NetBIOS domain name. As the DC has no option to log on to the local machine as a member server does, no UPN logon or Netbiosdomainname\Administrator is required.

    Anyway, did you try that option?

    What happened if you use another administrative account?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Enfo Zipper Christoffer Andersson – Principal Advisor
    Wednesday, July 06, 2011 9:53 PM
  • John,

    Have you managed to fix this?

    It sounds like you and I both have the same problem - http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1e38fa2c-6f66-4593-b49d-e7337176d60d

    Please let me know if you manage to sort it out.  I will do likewise.

    Nigel

    Wednesday, July 06, 2011 10:08 PM
  • Nigel,

    Not yet.  I'm a little relieved to know I'm not alone or crazy!  If I find a solution, I will surely post it

    John


    Thursday, July 07, 2011 11:34 AM
  • Don't suppose you have done either of the following, have you -

    messed around with ktpass.exe

    -- or --

    Performed the following -

    Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options \ Network security: Configure encryption types allowed for Kerberos

    The following were enabled/checked -

    DES_CBC_MD5, DES_CBC_CRC, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1.

    Future encryption types was left unset.

    ??

    Thursday, July 07, 2011 11:53 AM
  • John,

    I've managed to get logged on to my 2008R2 DC after a normal boot.  Not sure if this is repeatable (I'm currently logged on to the console and am not about to log off any time soon ;-)

    What I did was boot it in to DSRM mode and configured the DNS servers to be the two 2003 DCs I have in the domain.  I removed the 2008 DC's own IP address from the DNS server list.  After making that change I rebooted in normal mode, entered my credentials and instead of getting the dreaded "Unknown user name or password" response it went all the way through and logged me on to my desktop.  Typing set on the command prompt also showed my logonserver as the 2008 machine.

    Not holding my breath, but at least I can log on and kick it out of AD via dcpromo (at least I hope I can).

    Hope this helps.

    Thursday, July 07, 2011 2:34 PM
  • John,

    You still around??????

    As we may have the same problem, can you try the following -

    Boot in to directory services restore mode and enable kerberos logging - KB 262177

    Boot normally.  Attempt to log in.  Reboot back to DSRM.

    Look in the logs and see if you get the following -

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          08/07/2011 16:20:56
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      HPW2K8SPOCT01.lab.net
    Description:
    A Kerberos Error Message was received:
     on logon session lab.net\hpw2k8spoct01$
     Client Time:
     Server Time: 15:20:50.0000 7/8/2011 Z
     Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
     Extended Error:
     Client Realm:
     Client Name:
     Server Realm: lab.net
     Server Name: krbtgt/lab.net
     Target Name: krbtgt/lab.net@lab.net
     Error Text:
     File: e
     Line: 9fe
     Error Data is in record data.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">3</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-07-08T15:20:56.000000000Z" />
        <EventRecordID>46291</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>HPW2K8SPOCT01.lab.net</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LogonSession">lab.net\hpw2k8spoct01$</Data>
        <Data Name="ClientTime">
        </Data>
        <Data Name="ServerTime">15:20:50.0000 7/8/2011 Z</Data>
        <Data Name="ErrorCode">0x19</Data>
        <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data>
        <Data Name="ExtendedError">
        </Data>
        <Data Name="ClientRealm">
        </Data>
        <Data Name="ClientName">
        </Data>
        <Data Name="ServerRealm">lab.net</Data>
        <Data Name="ServerName">krbtgt/lab.net</Data>
        <Data Name="TargetName">krbtgt/lab.net@lab.net</Data>
        <Data Name="ErrorText">
        </Data>
        <Data Name="File">e</Data>
        <Data Name="Line">9fe</Data>
        <Binary>308184306CA10302010BA265046330613009A003020117A10204003029A003020103A12204204C41422E4E4554686F7374687077326B3873706F637430312E6C61622E6E65743029A003020101A12204204C41422E4E4554686F7374687077326B3873706F637430312E6C61622E6E65743009A103020102A20204003009A10302010FA2020400</Binary>
      </EventData>
    </Event>



    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          08/07/2011 16:20:56
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      HPW2K8SPOCT01.lab.net
    Description:
    A Kerberos Error Message was received:
     on logon session lab\USERACT_REPLACED
     Client Time:
     Server Time: 15:20:50.0000 7/8/2011 Z
     Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
     Extended Error:
     Client Realm:
     Client Name:
     Server Realm: lab
     Server Name: krbtgt/lab
     Target Name: krbtgt/lab@lab
     Error Text:
     File: e
     Line: 9fe
     Error Data is in record data.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">3</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-07-08T15:20:56.000000000Z" />
        <EventRecordID>46290</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>HPW2K8SPOCT01.lab.net</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LogonSession">lab\USERACT_REPLACED</Data>
        <Data Name="ClientTime">
        </Data>
        <Data Name="ServerTime">15:20:50.0000 7/8/2011 Z</Data>
        <Data Name="ErrorCode">0x19</Data>
        <Data Name="ErrorMessage">KDC_ERR_PREAUTH_REQUIRED</Data>
        <Data Name="ExtendedError">
        </Data>
        <Data Name="ClientRealm">
        </Data>
        <Data Name="ClientName">
        </Data>
        <Data Name="ServerRealm">lab</Data>
        <Data Name="ServerName">krbtgt/lab</Data>
        <Data Name="TargetName">krbtgt/lab@lab</Data>
        <Data Name="ErrorText">
        </Data>
        <Data Name="File">e</Data>
        <Data Name="Line">9fe</Data>
        <Binary>3064304CA10302010BA245044330413009A003020117A10204003019A003020103A11204104C41422E4E45544830343933313531333019A003020101A11204104C41422E4E45544830343933313531333009A103020102A20204003009A10302010FA2020400</Binary>
      </EventData>
    </Event>

    Friday, July 08, 2011 3:54 PM
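The "Error Data is in record data" line above means the KDC's reply is sitting in the <Binary> field as DER-encoded METHOD-DATA (the KRB-ERROR e-data of RFC 4120): a list of PA-DATA entries telling the client which pre-authentication it must use and, in ETYPE-INFO, which encryption types and salt the KDC wants. This added example (written for this thread, not Nigel's or Microsoft's code) decodes the first event's blob so an admin can see what the answering KDC actually offered; the type and etype name tables cover only the values that appear in the thread plus the AES etypes.

```python
# Added example: minimal DER walker for the METHOD-DATA blob that Kerberos event ID 3
# stores in <Binary>, listing the pre-auth types and encryption types the KDC offered.
import binascii
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 15: "PA-PK-AS-REP_OLD",
            16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2"}
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its [(tag, value)] children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_etype_info(octets):
    """ETYPE-INFO(2) ::= SEQUENCE OF { [0] etype INTEGER, [1] salt OPTIONAL }."""
    _, seq, _ = der_tlv(octets, 0)
    entries = []
    for _, entry in der_children(seq):
        fields = dict(der_children(entry))  # context tags: [0] -> 0xA0, [1] -> 0xA1
        etype = int.from_bytes(der_children(fields[0xA0])[0][1], "big")
        salt = der_children(fields[0xA1])[0][1].decode("latin-1") if 0xA1 in fields else ""
        entries.append((ETYPES.get(etype, str(etype)), salt))
    return entries

def parse_method_data(hex_blob):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA { [1] padata-type, [2] padata-value }."""
    _, seq, _ = der_tlv(binascii.unhexlify(hex_blob), 0)
    result = []
    for _, padata in der_children(seq):
        fields = dict(der_children(padata))
        ptype = int.from_bytes(der_children(fields[0xA1])[0][1], "big")
        value = der_children(fields[0xA2])[0][1]
        info = parse_etype_info(value) if ptype in (11, 19) else None
        result.append((PA_TYPES.get(ptype, f"PA-{ptype}"), info))
    return result

# <Binary> of the first event in the thread (machine-account logon session), copied verbatim.
EVENT_BINARY = ("308184306CA10302010BA265046330613009A003020117A10204003029A003020103A12204204C41422E4E4554686F7374687077326B3873706F637430312E6C61622E6E6574"
                "3029A003020101A12204204C41422E4E4554686F7374687077326B3873706F637430312E6C61622E6E65743009A103020102A20204003009A10302010FA2020400")
```

For this event the decoder yields PA-ETYPE-INFO offering only rc4-hmac and the two DES types (salt LAB.NEThosthpw2k8spoct01.lab.net), then PA-ENC-TIMESTAMP and PA-PK-AS-REP_OLD; an offer of RC4/DES only under the older PA-ETYPE-INFO (11) rather than ETYPE-INFO2 (19) is consistent with a Windows Server 2003 KDC having answered the request.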
  • I'll give it a try Monday.  Our facility was shutdown today.  Thanks
    Saturday, July 09, 2011 1:35 AM
  • The problem appears to be related to replication.  I let the server "cook" over the weekend and it logged in just dandy on Monday morning.  I repeated the setup with another virtual server load and got the same symptoms and overnight it replicated/synchronized and allowed me to log on.  I have been able to log off and back on as well as reboot and log on.  The initial replication after promotion seems to take a very long time.  I guess patience really is a virtue and I want some . . . right now! :-)
    Tuesday, July 12, 2011 6:44 PM
  • Hi,


    I am glad to hear the improvement. Just for your reference, after adding a new DC, please run DCdiag to validate that your domain controller is working as specified. To troubleshoot the replication issue, please run “repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt”.


    Thanks.

    Nina    


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, July 13, 2011 10:14 AM
    Moderator
  • I ran dcdiag and found that 3 of 4 DCs failed the advertising GC test.  That explains why when the 1 DC with a GC goes off line no one can log in.  Any ideas how to force the DCs to advertise their GC?  One of them says the promotion to DC is incomplete.  A little confusing.  Any ideas?  I have the print out of the dcdiag at home this weekend for reference.
    This is slightly different from the original problem.  The new 2008R2 DC logs in ok now but was taking several hours of "cooking" to allow logon.  That seems to be ok now.

    Saturday, July 16, 2011 10:17 PM
  • In order to advertise a server to be a DC, the first thing to be looked at is the Sysvol/Netlogon share being shared and read-only accessible to all the domain clients. If Sysvol/Netlogon is not shared, you can perform a non-authoritative restore. The article below is valid even for Windows 2008 R2.

    http://support.microsoft.com/kb/840674

    http://technet.microsoft.com/en-us/library/cc816627%28WS.10%29.aspx

    Time sync has to be in place: all other DCs and domain clients should only point to the PDC for syncing their system time, and the PDC syncs to an external source; for this, port 123 UDP needs to be open for all. The DNS should be healthy with all the necessary SRV and RR records in place. All the domain controllers and domain systems should only point to local DNS.

    Taking hours to log on can be due to a DNS issue or a multihomed DC. Refer to the article below for configuring DNS in the domain.

    DNS recommendations from Microsoft

    http://awinish.wordpress.com/2011/03/08/dns-recommendations-from-microsoft/

    How to configure an authoritative time server

    http://support.microsoft.com/kb/816042

    What does DCDIAG actually… do?

    http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx

    Previous discussion

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/a1583d7f-fa59-4497-89de-666d683e53a0/


    Regards  


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Sunday, July 17, 2011 6:14 AM
    Moderator
  • Hi,


    Please check the suggestions provided by Awinish. Any progress? To avoid confusion and to get the new problem resolved more efficiently, please submit a new thread. Thanks for your understanding.


    Best Regards,

    Nina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, July 19, 2011 4:04 AM
    Moderator
  • The original problem has resolved itself, although every time I have to reboot for an update etc., it takes several hours before I can log on to the server normally.  I can reboot and not suffer the time out if it is not a "forced" reboot.  Consider this closed.  I'll revise if I find a cause for the excessive delay.
    Monday, August 01, 2011 12:55 AM
  • Hi,


    Thanks for your update. Glad to hear that the original issue has been resolved. Your time and efforts are highly appreciated.


    Best Regards,

    Nina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, August 01, 2011 9:54 AM
    Moderator