Cannot Logon to Windows Server Console or through RDP on Branch Office AD DC Windows 2008 Server "user name or password is incorrect" error

  • Question

  • I have a client with SBS 2008 and two Win2k8 SP2 servers in branch offices.  The Win2k8 servers are both configured with ADDS and domain controllers.  The servers were originally installed and set up in the main office location in Active Directory Sites and Services, and all the servers were in the Default-First-Site-Name.  The SBS server remained in the main office and the two Win2k8 DCs were sent to their respective branch offices.  The two branch office sites were configured and computers joined to the domain using the Win2k8 DC server that was sent to that location.  The offices are not connected via site-to-site VPN, so the servers have not been replicating Active Directory information and each branch office is functioning with its own domain controller.

    My client was supposed to purchase a site-to-site VPN router so that the sites could communicate and AD replication between domain controllers could take place during regular intervals.   This was 4 months ago and they still have not purchased the site-to-site VPN routers and thus the AD DCs are sitting orphaned in the branch offices. 

    Everything has been working fine up until today when they had to restart the Win2k8 DC server in one of the branch offices.  Now no one can log on to the server with the domain admin credentials, and I cannot remotely connect using RDP to the branch office server using domain admin credentials either.  When I run the RDP, it takes the user name and password and it looks like it's going to connect, but then it doesn't.  I get to the Windows Server 2008 logon screen (after you press CTRL-ALT-DELETE), but when I enter the credentials (domain\<domain_admin_account>) and password, I get "The user name or password is incorrect".  I know it is not, because I logged into the server using RDP earlier in the day to restart the computer. 

    My guess is that there is something screwed up with the Active Directory account database on the branch office server and/or something to do with kerberos because the DC has never synched with the main office DC since it was installed four months ago. 

    Does anyone know of a way I can log on to the server console remotely and somehow do a forced replication?  Say if I insist the client get the site-to-site VPN functional between the two sites?  Right now I am stuck and cannot log on to the server at all with any user account.  

    I know all the information is probably not in this original post.  Please feel free to post more questions if you have them and can help me get into my branch office Windows Server. 

    Thanks.

    -Randy

    Wednesday, March 16, 2011 4:26 AM

Answers

  • I set up a site-to-site VPN between the two offices and forced synchronization between the two DCs; this worked for about a day until I started getting errors that the DCs had date/time differences.  After checking the BIOS on the erroring server, I found that the date and time were set incorrectly, thus forcing the O/S to have the incorrect date and causing the error.

    I replaced the battery in the server and set the date/time correctly and everything is working properly. 

    Lessons learned: 

    1).  Do not use the built-in RRAS service to establish a VPN and rely on it for A/D synchronization.  If you don't know what you are doing and/or are not familiar with routing, you will cause more problems.  RRAS is only good for establishing a VPN connection for client computers.  A better solution is to set up a network "always-on" VPN. 

    2). Make sure that your date/time settings are correct and that your system board battery is fully charged.

    3). Make use of Microsoft Professional or Premier support :-)

    -Randy

    Wednesday, March 23, 2011 4:15 PM
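    The two causes that surface in this thread, a DC whose clock drifted far enough that Kerberos refused every logon, and a DC that had never replicated, can both be checked from the branch DC itself. The script below is an added example, not something Randy or Microsoft posted; it uses only netdom, w32tm, repadmin and wbadmin, which ship with Windows Server 2008, assumes the PDC emulator is reachable over the new VPN, and the parameter names are my own. The 300-second default mirrors the Kerberos clock-skew tolerance.

```powershell
# Added example (not from the thread): diagnose clock skew against the PDC
# emulator and stale replication on a branch DC, then optionally force a sync.
# Run from an elevated prompt on the branch DC.
param(
    [int]$MaxSkewSeconds = 300,   # Kerberos default tolerance is 5 minutes
    [string]$BackupTarget,        # e.g. 'E:' to take a system state backup first
    [switch]$ForceSync
)

# 1. Locate the PDC emulator; it is the authoritative time source for the domain.
$fsmo = netdom query fsmo 2>&1 | Out-String
if (-not ($fsmo -match '(?m)^PDC\s+(\S+)')) {
    throw "Could not determine the PDC emulator from netdom output:`n$fsmo"
}
$pdc = $Matches[1]
Write-Host "PDC emulator: $pdc"

# 2. Measure this DC's offset from the PDC. With /dataonly, w32tm prints lines
#    such as '12:30:05, +00.0009211s'; average the absolute offset over 3 samples.
$offsets = w32tm /stripchart /computer:$pdc /samples:3 /dataonly 2>&1 |
    Select-String '([+-]\d+\.\d+)s' |
    ForEach-Object { [double]$_.Matches[0].Groups[1].Value }
if (-not $offsets) {
    throw "No time samples from $pdc; check the VPN and UDP 123 between the sites."
}
$skew = [math]::Abs(($offsets | Measure-Object -Average).Average)
Write-Host ("Clock offset from {0}: {1:N3} s" -f $pdc, $skew)

if ($skew -gt $MaxSkewSeconds) {
    Write-Warning ("Offset exceeds {0} s: Kerberos will reject every ticket request, " +
        "which is what the 'user name or password is incorrect' logon error looks like." -f $MaxSkewSeconds)
    # w32tm only corrects offsets within MaxPosPhaseCorrection/MaxNegPhaseCorrection.
    # A dead CMOS battery typically produces years of skew, so set the clock by hand
    # (Set-Date, then check the BIOS battery) before relying on the commands below.
    Write-Host "Pointing the time service at the domain hierarchy and resyncing..."
    w32tm /config /syncfromflags:domhier /update | Out-Null
    w32tm /resync /rediscover
}

# Recent W32Time events explain why a sync is failing (bad source, no response).
Get-EventLog -LogName System -Source W32Time -Newest 5 |
    Select-Object TimeGenerated, EntryType, EventID, Message | Format-List

# 3. Replication health: the summary shows the last success per partner and the
#    largest delta, and /errorsonly lists only the links that are failing.
Write-Host "`nReplication summary:"
repadmin /replsummary
Write-Host "`nFailing replication links (empty is good):"
repadmin /showrepl /errorsonly

# 4. Optional: back up system state before pushing a sync, so objects that the
#    replication overwrites can still be restored.
if ($BackupTarget) {
    wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
}
if ($ForceSync) {
    # /A all partitions, /d show partners as DNs, /e cross-site (enterprise), /P push
    repadmin /syncall /AdeP
}
```

    The script deliberately does nothing destructive by default: it reports the skew and the replication state, and only resyncs time when the offset is outside the Kerberos window. Forcing replication and taking the system state backup are opt-in switches, matching the order the reply below recommends (back up, then replicate).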

All replies

  • Hi,

    If you restart this DC which is separately in the branch office, you may lose the cache embedding the previous user's credential, and I'm assuming this DC does not hold the PDC function in your environment. In your case, I suggest moving this problematic server to the other location where you can find a PDC to sync the domain administrative account.

    In case this problematic DC has been stand-alone for a long time, please do back up the server state and then replicate with the other DC. As the user account might be wiped during the replication, you can perform an authoritative restore to recover the lost account.

    Meanwhile, I highly recommend you create one new post in the AD forum where you can get more professional suggestions on the AD issue.

    Directory Services

    http://social.technet.microsoft.com/Forums/en/winserverDS/threads

    Thanks.

    • Proposed as answer by Alan Zhu Monday, March 21, 2011 7:17 AM
    Thursday, March 17, 2011 9:19 AM