Server 2012 R2 - "Access is denied." error

  • Question

  • So this has been happening ever since I've installed Windows updates on our accounting server (Windows Server 2012 R2) and upgraded the RAM on the VM server (all these Server 2012 R2s are hosted on VMware 5.5, client & server). Sometimes, when trying to log in as an Active Directory user via RDP, I'll get an "Access is denied" error. This occurs for 3 different users, all of whom are domain admins. When this does happen, I'm only able to log in as the local machine administrator. Our AD server is also a 2012 R2.

    Some things to note:

    1) I can ping the AD server, and ping from AD to the accounting server in question. All traffic is allowed over a VPN connection, and no traffic is being blocked by the firewall. Windows Firewall is turned off completely for both servers. Tracert finds both servers in 3 hops, but times out on the 2nd hop. Also, the preferred DNS server for the accounting server is the IP address of the primary domain controller.

    2) The time is the same on both the AD and accounting servers (at least when logged in as a local admin on the accounting server). Most of the most recent Windows updates are installed on both.

    3) I've tried removing the accounting server from the domain, adding it back to the domain, and removing the accounting computer object in AD. The computer object was never added back after rejoining the domain, automatically or manually.

    4) I can't run a gpupdate on this accounting server. It returns this error:

    Computer policy could not be updated successfully. The following errors were encountered:
    Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator's requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.
    If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.

    User Policy could not be updated successfully. The following errors were encountered:
    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.


    So GPResults.html shows this (domain and AD user hidden just in case):

    DOMAIN\ADuser on ACCOUNTING2
    Data collected on: 12/16/2014 1:02:44 PM

    Summary
      During last computer policy refresh on 12/16/2014 12:56:05 PM
       A fast link was detected

      During last user policy refresh on 12/16/2014 12:56:05 PM
       A fast link was detected

    Computer Details
    General
    Computer name: ACCOUNTING2
    Domain: Local
    Site: (None)

    Security Group Membership
    Mandatory Label\System Mandatory Level
    Everyone
    BUILTIN\Users
    NT AUTHORITY\SERVICE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    NT SERVICE\BITS
    NT SERVICE\CertPropSvc
    NT SERVICE\DsmSvc
    NT SERVICE\Eaphost
    NT SERVICE\hkmsvc
    NT SERVICE\IKEEXT
    NT SERVICE\iphlpsvc
    NT SERVICE\LanmanServer
    NT SERVICE\MMCSS
    NT SERVICE\MSiSCSI
    NT SERVICE\NcaSvc
    NT SERVICE\RasAuto
    NT SERVICE\RasMan
    NT SERVICE\RemoteAccess
    NT SERVICE\Schedule
    NT SERVICE\SCPolicySvc
    NT SERVICE\SENS
    NT SERVICE\SessionEnv
    NT SERVICE\SharedAccess
    NT SERVICE\ShellHWDetection
    NT SERVICE\wercplsupport
    NT SERVICE\Winmgmt
    NT SERVICE\wuauserv
    LOCAL
    BUILTIN\Administrators

    Component Status
    Component Name              Status   Time Taken   Last Process Time        Event Log
    Group Policy Infrastructure Success               12/16/2014 12:56:05 PM
    Registry                    Success               12/12/2014 8:05:55 AM
    Security                    Success               12/12/2014 8:06:01 AM

    Settings
    No settings defined.

    Group Policy Objects
    Applied GPOs
    Denied GPOs
    Local Group Policy [LocalGPO]
      Link Location: Local
      Extensions Configured:
      Enforced: No
      Disabled: None
      Security Filters:
      Revision: AD (0), SYSVOL (0)
      WMI Filter:
      Reason Denied: Empty

    WMI Filters
    Name   Value   Reference GPO(s)
    None

    User Details
    General
    User name: DOMAIN\ADuser
    Domain: domainname.local

    Security Group Membership
    DOMAINNAME\Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    NT AUTHORITY\REMOTE INTERACTIVE LOGON
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    LOCAL
    DOMAINNAME\Backup Admins
    DOMAINNAME\Scans FTP Users
    DOMAINNAME\Scans FTP Admin
    DOMAINNAME\Domain Admins
    Authentication authority asserted identity
    DOMAINNAME\Denied RODC Password Replication Group
    Mandatory Label\High Mandatory Level

    Component Status
    Component Name              Status   Time Taken   Last Process Time        Event Log
    Group Policy Infrastructure Success               12/16/2014 12:56:05 PM

    Settings
    No settings defined.

    Group Policy Objects
    Applied GPOs
    Denied GPOs
    Local Group Policy [LocalGPO]
      Link Location: Local
      Extensions Configured:
      Enforced: No
      Disabled: None
      Security Filters:
      Revision: AD (0), SYSVOL (0)
      WMI Filter:
      Reason Denied: Empty

    WMI Filters
    Name   Value   Reference GPO(s)
    None

    Also, on the accounting server I get multiple Microsoft-Windows-Security-Kerberos (codes 4 & 5) and Microsoft-Windows-GroupPolicy (codes 1030 & 1126) events in the All Servers > Events page. Where can I find the "Details" tab for the error code and description?

    Any help would be greatly appreciated. Thanks!

    Tuesday, December 16, 2014 10:49 PM

Answers

  • Hi,

    Could you give it a shot and reset the secure channel of this server with Active Directory again? A domain admin not being able to log in to this server shows the box can't talk to AD to verify the permissions of whoever is logging in to the server; at least cached credentials should work. How about joining this server to the domain once again (considering the production application, please make sure you have an outage window in hand)?

    http://blogs.technet.com/b/reference_point/archive/2012/12/03/secure-channel-broken-continuation-of-quot-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed-quot.aspx

    Thanks


    Inderjit

    • Proposed as answer by IJSingh Monday, December 22, 2014 6:26 AM
    • Marked as answer by Vivian_Wang Friday, December 26, 2014 2:49 AM
    Wednesday, December 17, 2014 8:50 AM
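    A diagnostic script for the two checks this reply and the rest of the thread revolve around (clock skew against each DC, and the member server's secure channel), plus the Kerberos and Group Policy events listed in the question. It is an added example, not Inderjit's code or a Microsoft tool; it assumes an elevated PowerShell session on the affected member server with the RSAT ActiveDirectory module installed, and it only resets the secure channel when -Repair is passed.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session on
# the affected member server (ACCOUNTING2 in the thread) with the RSAT ActiveDirectory module.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: the server's own domain
    [switch]$Repair                         # the secure channel is only reset when this is passed
)
Import-Module ActiveDirectory

# 1. Clock offset against EVERY domain controller. Kerberos allows 5 minutes of skew by
#    default, and the gpupdate message in the question is what a larger skew produces.
#    A second DC that drifted is easy to miss when you only compare against the preferred DNS server.
foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $lines = w32tm /stripchart /computer:$($dc.HostName) /samples:3 /dataonly 2>&1
    # /dataonly rows look like "12:56:05, +00.0123456s"; failed probes carry an error code instead.
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$matches[1]) }
    }
    $max = if ($offsets) { ($offsets | Measure-Object -Maximum).Maximum }
    if ($null -eq $max) {
        Write-Warning "$($dc.HostName): no NTP reply (UDP 123 blocked or Windows Time stopped?)"
    } elseif ($max -gt 300) {
        Write-Warning ("{0}: clock offset {1:N1}s exceeds the 5-minute Kerberos tolerance" -f $dc.HostName, $max)
    } else {
        Write-Host ("{0}: offset {1:N3}s OK" -f $dc.HostName, $max)
    }
}

# 2. Secure channel to the domain. A broken channel gives "Access is denied" for domain
#    accounts while the local Administrator still works, which is the symptom described.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel with $Domain is healthy"
} elseif ($Repair) {
    # Resets the machine account password on this side and on the DC; needs domain admin rights.
    $cred = Get-Credential -Message "Domain admin account used to reset the secure channel"
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
} else {
    Write-Warning "Secure channel is BROKEN; rerun with -Repair during a maintenance window"
}

# 3. The events the question mentions, from the last 24 hours. Kerberos event 4 names the
#    target SPN and the server account involved, which is the detail needed to chase
#    "The target principal name is incorrect".
$since = (Get-Date).AddDays(-1)
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4, 5; StartTime = $since
} | ForEach-Object { "{0:s} Kerberos {1}: {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1030, 1126; StartTime = $since
} | ForEach-Object { "{0:s} GroupPolicy {1}: {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
```

    Run it first without -Repair to see which DC is out of tolerance and whether the channel is actually broken; a repair while a DC clock is still skewed will just fail again on the next Kerberos exchange.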
  • Ensure the VMware server is not preventing the virtual machines from syncing time with AD.

    Follow this to ensure your VMware is set up correctly to prevent time sync issues:

    http://www.sole.dk/ -> Choose VMware

    Reg,

    Darshan

    • Proposed as answer by Vivian_Wang Wednesday, December 24, 2014 6:23 AM
    • Marked as answer by Vivian_Wang Friday, December 26, 2014 2:49 AM
    Wednesday, December 17, 2014 10:18 AM

All replies

  • Hi,

    In addition to others, do you have any problem with AD replication?

    Regards.


    Thursday, December 18, 2014 6:27 AM
  • So I believe that I've fixed the time issue, but it still sometimes kicks users off this accounting server, and gpupdate doesn't work. I have 2 domain controllers, and it seems that when this server queries the secondary domain controller (which was "screwed up", I was told by the previous IT guy who set this environment up), I get the Event ID 1030 [GroupPolicy (Microsoft-Windows-GroupPolicy)] error and error #4 (Security-Kerberos) after the gpupdate fails.

    And Vivian, I do have a problem with AD replication. I cannot replicate the secondary DC with the primary DC. I get several Event ID 4 codes on the secondary DC.

    When I try to force a replication via AD Sites & Services > Sites... > Servers > NTDS Settings of primary DC > Right-click > Replicate Now, I get the error:

    "The following error occurred during the attempt to contact the Domain Controller DCPRIMARYNAME (actual domain name hidden for privacy): The target principal name is incorrect."

    Which is interesting, because I've seen this "target principal name is incorrect" error in several Event Viewer error codes on different servers (all 2012 R2).


    • Edited by Cobra351 Friday, January 9, 2015 7:50 PM
    Friday, January 9, 2015 7:12 PM