locked
Windows 10 Pro unable to logon to domain 1607 RRS feed

  • Question

  • New laptop, upgraded from Windows 10 Home to Pro via Windows Store.

    After upgrade the machine is joined to the domain but no-one can logon to the domain with error 'incorrect username or password'.  Username/password is correct.

    Run a clean install per: http://answers.microsoft.com/en-us/windows/wiki/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

    Same problem.

    Call Microsoft who repeats the clean install and this is where we are now, same place, same problem.

    Domain/forest is running in 2008R2 mode with default DC GPO.  3 DCs (2 in site, 1 in a remote site).  Subnets are properly defined in sites and services.  Replication is fine based on repadmin.  GPOs are in sync per GPMC.  IPv6 is disabled via registry, on the NIC and there are no IPv6 DNS entries for any DCs in the domain.

    Netlogon errors:

    Rejecting an unauthorized RPC call from ncalrpc:DESKTOP-UGSNU29.

    09/08 10:24:43 [CRITICAL] [676] NetpDcGetDcNext: domain.local.: 32: Cannot NetpSrvNext. 9003 0x232b
    09/08 10:24:43 [CRITICAL] [676] NetpDcGetNameIp: domain.local.: cannot find A record.

    The correct IPv4 addresses are returned for all domain.local queries (only ADDNS servers are returned).  The correct records are returned for all _msdcs.domain.local queries.

    There is no split brained AD (secure channels between DCs and workstation all pass tests).

    I would guess there is a problem with the digital upgrade based on the error below.  It would appear the upgrade is incomplete.

    Has anyone seen this behavior?


    -=Chris

    *edit

    I also disabled tcp chimney/rss on the DCs and the workstation.

    • Edited by Progent.CT Thursday, September 8, 2016 6:13 PM Add info
    Thursday, September 8, 2016 6:12 PM

Answers

  • Have the same issue 3 times in 8 attempts to upgrade Home to Pro from the store in the past two weeks, different locations, computer models and networks. The computers join the domain, show up in AD, Domain Admins are part of the local administrators account, but no domain user can log in. Tried all available built-in tools (SFC, DISM) no change. Called MS support for the first problem, was told to restore to factory and try upgrade again, same result.

    There might be an easier way, but my resolution was to run Windows 10 Media Tool (https://www.microsoft.com/en-us/software-download/windows10/), download and run, and select Upgrade instead of creating media ISO. This fixed the problem on all 3. I'm guessing, but I think the problem may be the version of Home you start with. All that have the problem are build 10.0.14393, the ones that didn't are 10.0.10586.


    • Marked as answer by Progent.CT Thursday, September 8, 2016 11:34 PM
    Thursday, September 8, 2016 8:02 PM

All replies

  • So is the clean install straight to Pro? If not then guess the upgrade is missing something and seen a few posts with issues of Pro features not working after Home to Pro update. Windows 10 Multiple Edition does not prompt which version to install has a way to modify the install media to install Pro if only Home is being offered on the install.

    If a clean to Pro install already, noticed User Name or Password Incorrect When Trying to Log In as Domain User and a couple of others I have linked in that thread that could be related. No replies or ideas on those really but interesting perhaps a few posts like this.

    Thursday, September 8, 2016 6:55 PM
  • Have the same issue 3 times in 8 attempts to upgrade Home to Pro from the store in the past two weeks, different locations, computer models and networks. The computers join the domain, show up in AD, Domain Admins are part of the local administrators account, but no domain user can log in. Tried all available built-in tools (SFC, DISM) no change. Called MS support for the first problem, was told to restore to factory and try upgrade again, same result.

    There might be an easier way, but my resolution was to run Windows 10 Media Tool (https://www.microsoft.com/en-us/software-download/windows10/), download and run, and select Upgrade instead of creating media ISO. This fixed the problem on all 3. I'm guessing, but I think the problem may be the version of Home you start with. All that have the problem are build 10.0.14393, the ones that didn't are 10.0.10586.


    • Marked as answer by Progent.CT Thursday, September 8, 2016 11:34 PM
    Thursday, September 8, 2016 8:02 PM
  • Thanks guys!

    I'm trying the 'Upgrade' method via the media tool now.  If that fails I did get an ISO which is 'supposed' to be Win 10 Pro.  I can't tell for sure.  I can't open with install.wim without jumping through a bunch of hoops.  https://social.technet.microsoft.com/Forums/en-US/e8f32c75-deaf-433a-bab2-a9e5d45adaf2/windows-10-x64-deployment-through-wds-fails-to-import-install-image?forum=win10itprosetup


    -=Chris

    Thursday, September 8, 2016 8:48 PM
  • Upgrade didn't fix it but a clean install of Win 10 Pro from a Win 10 Pro ISO worked.

    To recap, Win 10 Home x64 upgrade to Pro x64 v10.0.14393 via purchasing through windows store (digital entitlement) breaks windows 10 domain logon in multiple cases.


    -=Chris

    Thursday, September 8, 2016 11:37 PM
  • I am having the same issue right now and trying to do the Upgrade from the mentioned media tool now. Chris, do you have any more insite on this? Did you happen to resolve the issue?
    Friday, September 23, 2016 11:13 AM
  • I am having the same issue right now and trying to do the Upgrade from the mentioned media tool now. Chris, do you have any more insite on this? Did you happen to resolve the issue?

    So I have found a way that worked for me and thought I would share. After trying to do a complete restore I went to the https://www.microsoft.com/en-us/software-download/windows10/ that was recommended earlier in this post and said to Download tool now. Basically I installed windows 10 pro on top of windows 10 pro. After it came back up it worked just like it should. Just wanted to let everyone know so if you are having the same issue that's what did it for me.
    Friday, September 23, 2016 1:28 PM
  • This same method that Dilts suggested worked for me.  Thank you Dilts, my issue is resolved, and I've successfully logged into the laptop with multiple domain accounts.

    I too purchased a new Dell XPS laptop, came with Win10 Home 1607, upgraded to the Pro license from the Microsoft store.  Successfully joined my domain, 2008 R2 functional level.  Unable to log into the laptop with any domain accounts.

     

    Friday, September 23, 2016 4:30 PM
  • Prior 1607 update clients were using Windows PIN for logins as it was enabled in domain group policy. Just got the 1607 update on 09/24/2016, afterwards, PIN login failed, as it is a wrapper for the cached PW, the password failed as well. Message from Windows, "Password was changed on another device", only other device is a MS Surface 4 which does not have the 1607 update and I can still login using the original password, so there's been no PW change. But, can still login to a local account without problems. Changed PW in AD and required a change password on initial login. When I logged in with changed password, I was prompted to change my password as expected, did so and then system hung with Other User displayed on screen, but was able to cancel login attempt. then repeated the previous steps using the last changed PW windows required at the change PW screen. Client has returned to showing same message after 1607 update, Password was changed on another device.

    Will go to MSDN subscriber downloads, get the 1607 ISO and do a clean in place upgrade over this existing 1607 update to see if that gets the correct bits deployed.

    Sunday, September 25, 2016 1:43 AM
  • Backed up all user data and did a clean install of build 1607, used an ISO from MSDN Subscriber downloads. As I had hoped, this action actually solved multiple problems. For one, my OneDrive for Business would sync correctly but the Next Generation Sync Client was completely unusable from the desktop and the tray icon showed a failed sync. This was true as real time syncing was failing, but the client would successfully sync on each new cold start. I using an Office 365 subscription, Azure AD and an on premise domain syncing with AD Connect. The version of Office Suite was 2016, x86. And while clean install of build 1607 fixed OneDrive for Business Next Generation Sync problem, it exposed or is now contributing to an inability to update passwords in Azure AD for single sign on. I noticed this new behavior once the client was joined to an on premise DC. Rather than having to manually setup a work account in Settings-Account, the client prompted me to take this action and then automatically setup an account to my domain. Server is 2012 R2 and runs AD Connect to sync to Azure AD.

    With regards to the Windows 10 build 1607 error message at login, "Password was changed on another device", I was getting this I believe, due to the changes made for the Windows Hello feature and the former 1511 build ability to wrap a password with a convenience PIN in Windows 10 Settings->Accounts. Both are impacted by group policy settings specific to use of a PIN or biometric feature for authentication when running Windows 10 in a domain.

    Following the clean install, even though my group policy was enabled for the use of a PIN or biometric authentication, those features were disabled on the client now. Per MS documentation, group policy should override the changes in build 1607 to allow the use of a convenience PIN without the Windows Hello feature. So this will require more research.

    Bottom line, a clean install of build 1607 will solve the domain authentication problem for those who wish to use this method and would be a good choice if your client has multiple features which are not operating correctly per design.
    Sunday, September 25, 2016 11:13 PM
  • Thank you for this solution.  It has definitely solved the login problem.  I sure appreciate your wisdom on that.  Tedious yes, but interestingly, I still ended up with the same version as it was before the problem: 14393, build 1607

    Anyway...moving on...now I receive some strange security error that says something like "The security database on the server does not have a computer account for this workstation trust relationship"

    I cannot find (in simple terms) on Google what this means, or how to establish/create a 'trust relationship' for my workstation; trusts are something new to me, and the explanations are quite complex and not directed at this specific problem.  Our IT support manager also cannot understand the complaint, and is currently looking into it.

    Could it be a problem with the workstation (remote) running W10, and the server on Server 2003?  And if so, how do we resolve that issue?  We are migrating to Server 2012; this has not been done yet.



    crocodile_dondii


    • Edited by Dodger4 Sunday, October 2, 2016 8:44 PM
    Sunday, October 2, 2016 8:42 PM
  • I had the same issue. I describe my experience in the thread linked to below (I didn't find this through searching). I ran the install/upgrade to Pro from media and then it worked. Thank you.

    https://social.technet.microsoft.com/Forums/en-US/c903167f-17ec-479b-8359-3f76abbd8ace/cannot-log-into-domain-from-windows-10-says-its-wrong-username-or-password-it-isnt?forum=win10itprosetup

    Wednesday, October 12, 2016 1:26 PM
  • There is a known issue where domain logons from domain joined RS1 Pro computers upgraded from home edition fail with the on-screen error "the user name or password is incorrect" after entering a valid password.

     Is that a match for your computer? Can the same account logon from Win10 computers that installed Win10 Pro directly?

     If so, a fix is said to be coming later this month.
     Microsoft support is aware of a workaround where you edit the registry as a workaround until then.

    Friday, October 14, 2016 2:39 PM
  • There is a known issue where domain logons from domain joined RS1 Pro computers upgraded from home edition fail with the on-screen error "the user name or password is incorrect" after entering a valid password.

     Is that a match for your computer? Can the same account logon from Win10 computers that installed Win10 Pro directly?

     If so, a fix is said to be coming later this month.
     Microsoft support is aware of a workaround where you edit the registry as a workaround until then.


    Thank you for letting us know MSFT are aware and a fix is on the way. Any chance you can put the workaround here so people can find it?
    Friday, October 14, 2016 5:20 PM
  • Too easy to tell everyone what the Registry Fix is then? Prefer clean installs of Win 10 on PCs we all bought an upgrade from MS direct not working?

    It's like you've learned nothing from the shambles that is OneDrive for Business.

    Wednesday, October 19, 2016 1:33 PM
  • I have been following this thread .... this issue is a major headache for people like myself rolling up a network into AD and upgrading a large number of systems to 10 Pro. 

    If there is a temporary fix via registry change to correct this problem and allow normal domain authentication to take place after Upgrade via the MS store, that should be published ASAP.  A more permanent fix via update/patch can follow after that. 

    Each system that fails to upgrade due to this issue is delaying implementation processes as well as taking 2 - 3 hours of extra hands on time to deal with this issue. 

    Monday, October 24, 2016 4:11 PM
  • Please submit the temporary fix (I am assuming through a registry edit) for this problem to allow normal domain authentication to take place.  I completely agree with Rick Glover TN.  A more permanent fix (through a patch or update) can be released at a later date
    Wednesday, October 26, 2016 6:56 PM
  • My apologies for not checking back sooner or posting the workaround.  The fix is in KB3197954 which released today.  The workaround is fairly simple, except that the change must be made offline using Win PE.

    1. Boot from Win PE
    2. Select 'Repair your computer'
    3. Troubleshoot
    4. Command Prompt
    5. type Regedit.exe
    6. Select HKLM and load a hive by going to File -> Load Hive
    7. Browse to C:\Windows\System32\config , select the file named as SYSTEM
    8. Give it an easy name to find, like ZZZZZZ
    9. Go to the loaded hive and then to the path ContolSet001\Control\ProductOptions
    10. Edit the Multi-String value data under ProuductSuite
    11. You will notice Terminal Server and Personal under it.

    12. Remove Personal

      Note: The system protects this reg key blocking all writes to it. This workaround only works if run from Win PE.

    13. Select the ZZZZZZ hive and click File -> Unload Hive

    14. Exit and continue to windows 10  and login to the domain

    Friday, October 28, 2016 7:14 PM