Terminal Server users can't log in with new DC

    Question

  • Hi All

     We had an environment with a 2003 x86 DC and a separate 2008 R2 terminal server. About 20 HP Thin clients authenticate in and receive various desktops from the 2008 TS. There are about 5 GPOs set up.

    The 2003 Server was reaching EOL so a new 2008 R2 was brought in. I ran adprep on the 2003 and the new 2008 is now acting as a DC after dcpromo along with the 2003 x86. I thought everything had replicated over. As a test before any final decommissioning steps on the 2003 DC or operation role changes, we shut it down to be sure all was ok. The Thin Clients could NOT authenticate in when making their RDP to the Terminal Server. "No Domain Controller is available to process the request". As soon as the 2003 was brought up they could sign in. While the 2003 was down I could log in to the new 2008 R2 DC and see all the GPOs and user accounts.

    Any obvious thoughts? I will say that two years ago I replaced a 2003 Terminal Server with the current 2008 R2 terminal server and that was smooth (for the most part after I found out we needed new licenses).

    Wednesday, November 28, 2012 6:57 PM

All replies

  • "No Domain Controller is available to process the request"

    I think this has nothing to do with your Thin-Clients.

    Try to check the event logs on your new DC.
    Also run a "dcdiag" on the new DC.

    Please also try to rejoin the Terminal Server to the Domain.

    Do you have the same issues on your regular computers?

    Did you also install a DNS service on your new DC?


    MVP Group Policy - Myths, insider info and troubleshooting on the subject of GPOs: Let's go, use GPO!



    Wednesday, November 28, 2012 7:48 PM
  • Interesting - there were errors:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\administrator.ROB>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = ROBWINSERV2008
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\ROBWINSERV2008
          Starting test: Connectivity
             ......................... ROBWINSERV2008 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\ROBWINSERV2008
          Starting test: Advertising
             Warning: DsGetDcName returned information for
             \\robsupwin2.rob.com, when we were trying to reach
             ROBWINSERV2008.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... ROBWINSERV2008 failed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... ROBWINSERV2008 passed test FrsEvent
          Starting test: DFSREvent
             ......................... ROBWINSERV2008 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... ROBWINSERV2008 passed test SysVolCheck
          Starting test: KccEvent
             ......................... ROBWINSERV2008 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... ROBWINSERV2008 passed test
             KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... ROBWINSERV2008 passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=rob,DC=com
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=rob,DC=com
             ......................... ROBWINSERV2008 failed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\ROBWINSERV2008\netlogon)
             [ROBWINSERV2008] An net use or LsaPolicy operation failed with error
             67, The network name cannot be found..
             ......................... ROBWINSERV2008 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... ROBWINSERV2008 passed test ObjectsReplicated
          Starting test: Replications
             ......................... ROBWINSERV2008 passed test Replications
          Starting test: RidManager
             ......................... ROBWINSERV2008 passed test RidManager
          Starting test: Services
             ......................... ROBWINSERV2008 passed test Services
          Starting test: SystemLog
             ......................... ROBWINSERV2008 passed test SystemLog
          Starting test: VerifyReferences
             ......................... ROBWINSERV2008 passed test VerifyReferences


       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : rob
          Starting test: CheckSDRefDom
             ......................... rob passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... rob passed test
             CrossRefValidation

       Running enterprise tests on : robinsonsupply.com
          Starting test: LocatorCheck
             ......................... rob.com passed test LocatorCheck
          Starting test: Intersite
             ......................... rob.com passed test Intersite

    Wednesday, November 28, 2012 8:24 PM
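Added example (not part of the thread and not any poster's code): a small triage script for saved dcdiag text output such as the run posted above. It lists failed tests, flags tests that "passed" but still printed messages (FrsEvent above), and copes with result lines that wrap the test name onto the next line. The function names `parse_dcdiag` and `triage` are hypothetical, and the sample is constructed by abridging the output above.

```python
import re

# Constructed sample: a few tests abridged from the dcdiag output posted above.
SAMPLE = r"""
      Starting test: Advertising
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... ROBWINSERV2008 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... ROBWINSERV2008 passed test FrsEvent
      Starting test: KnowsOfRoleHolders
         ......................... ROBWINSERV2008 passed test
         KnowsOfRoleHolders
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\ROBWINSERV2008\netlogon)
         ......................... ROBWINSERV2008 failed test NetLogons
"""

START = re.compile(r"^\s*Starting test: (\S+)")
RESULT = re.compile(r"^\s*\.{5,} (\S+) (passed|failed) test\b")

def parse_dcdiag(text):
    """Return [(test, target, status, detail_lines)] from dcdiag text output."""
    results, current, detail = [], None, []
    for line in text.splitlines():
        start, result = START.match(line), RESULT.match(line)
        if start:
            current, detail = start.group(1), []
        elif result and current:
            # Name comes from "Starting test:", so a wrapped result line is fine.
            results.append((current, result.group(1), result.group(2), detail))
            current = None
        elif current and line.strip():
            detail.append(line.strip())
    return results

def triage(results):
    """Split results into failed tests and tests that passed with messages."""
    failed = [t for t, _, status, _ in results if status == "failed"]
    noisy = [t for t, _, status, d in results if status == "passed" and d]
    # In this thread Advertising and NetLogons failed together, and the poster
    # then found no SYSVOL or NETLOGON share on the new DC.
    check_shares = {"Advertising", "NetLogons"} <= set(failed)
    return failed, noisy, check_shares

if __name__ == "__main__":
    print(triage(parse_dcdiag(SAMPLE)))
```
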
  • Hello,

    Unable to connect to the NETLOGON share! (\\ROBWINSERV2008\netlogon)
             [ROBWINSERV2008] An net use or LsaPolicy operation failed with error
             67, The network name cannot be found..

    Can you manually access this share?
    Is your DNS resolution working both ways?
    (from the DC to the Server, from the Server to the DC)

    You could also try to start your old DC and do an authoritative restore of the SYSVOL.

    http://support.microsoft.com/kb/290762/en-us

    http://support.microsoft.com/kb/315457/en-us


    MVP Group Policy - Myths, insider info and troubleshooting on the subject of GPOs: Let's go, use GPO!

    Wednesday, November 28, 2012 9:55 PM
  • I don't have a Netlogon share on the new 2008. On the 2003 there is a Netlogon and a sysvol. I have neither on the 2008...DNS seems fine both ways when I do nslookups.

    On the 2003 server someone had created a Windows folder on D as well as C. It is in the D where D:\WINDOWS\SYSVOL\SYSVOL is. Under that is my rob.com and then under that is policies. On the 2008 it's all on C and under my rob.com it's empty - no "policies".

    I feel strongly that all went right when I prepped for the 2008 and joined the DC. Perhaps I inherited an issue off the original DC. There is no dcdiag native on 2003, correct? This is really a bad situation for me if there are issues. Any more steps are appreciated.

    Thursday, November 29, 2012 1:19 AM
  • Hi,

    What did you mean by "there is no dcdiag native on 2003"? You can run Dcdiag on computers running Windows Server 2003 with no service pack installed! Run it on Windows Server 2003 to have a check.

    If there is no problem with your Windows Server 2003 DC, perform an authoritative restore on it and a non-authoritative restore on the Windows Server 2008 DC; for the steps, refer to KB 315457 as Matthias posted above.

    Regards,
    Cicely

    Thursday, November 29, 2012 6:44 AM
    Moderator
  • On 28.11.2012 at 21:24, BSI2010 wrote:
             Warning: DsGetDcName returned information for
             \\robsupwin2.rob.com, when we were trying to reach
             ROBWINSERV2008.

    You have DNS issues...

    Do an nslookup for your DOMAIN name and for both DC names on both DCs and compare the results. They should all be the same. Also, run "dsquery server" on both DCs.

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Thursday, November 29, 2012 12:07 PM
  • Somewhere in the process of the authoritative restore with the BurFlags I lost the Netlogon on the old 2003 DC. I also lost all my policies. I had previous backups for all except the Default Domain Controller and the Default Domain policies. I do have tape backup of the SYSVOL.

    After the auth restore I do now have SYSVOL share and the same replicated structure of SYSVOL on the 2008 that I had on the 2003. Can I recover the lost policies or Netlogon? There seems to have been no loss of functionality or login ability so I have decided to slow down before I create more problems for myself. When I did the BurFlags I did the authoritative (D4). I made that regedit on the 2003 only. I changed nothing on 2008.

    Monday, December 03, 2012 6:47 PM
  •  
    > After the auth restore I do now have SYSVOL share and the same
    > replicated structure of SYSVOL on the 2008 that I had on the 2003. Can
    > I recover the lost policies or Netlogon? There seems to have been no
    > loss of functionality or login ability so I have decided to slow down
    > before I create more problems for myself. When I did the BurFlags I
    > did the authoritative (D4). I made that regedit on the 2003 only. I
    > changed nothing on 2008.
     
    Are you sure you did a D4 on the 2003?
     
    D4 means: Drop any replication history and consider your local sysvol
    content to be valid.
    D2 means: Drop (aka "delete") your local sysvol and replicate inbound
    from anywhere.
     
     
    Anyway: There should be a "Pre-existing" folder where the former sysvol
    content (including the scripts folder that is shared as netlogon) resides.
    The Default Domain and Domain Controller policy can be restored through
    dcgpofix.
     
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Tuesday, December 04, 2012 9:10 PM
  • A system search for "Pre-existing" found nothing. I have a full Symantec Backup Exec tape backup. Could the SYSVOL be restored?...I definitely did a D4 as it pushed out the SYSVOL to my 2008 and the SYSVOL share was then created over there.

    Thursday, December 06, 2012 8:51 PM
  •  
    > A system search for "Pre-existing" found nothing. I have a full
    > Symantec Backup Exec tape backup. Could the SYSVOL be restored?...I
    > definitely did a D4 as it pushed out the SYSVOL to my 2008 and the
    > SYSVOL share was then created over there.
    >
     
    Sysvol on its own - as long as you still have the GPO objects in AD -
    yes, it can.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Friday, December 07, 2012 10:44 AM
  • Well, I did use dcgpofix. I had hard doc for the Default Domain Policy and I referenced some other doc for the Default Domain Controller Policy. From a test I had done on an offline system I found that I could create the Netlogon folder and after a reboot the share was there. I then did the same on 2008. DCDIAG on both systems looks good. Changes are replicating. I have turned off the 2003 Server and we are logging in fine on the Domain.....Now, what steps must I perform in order to make the 2008 Master? I believe I must change the Forest and Domain function levels to 2008 and what else to remove reference from the 2003? Do I need to DCPROMO down the 2003?

    Friday, December 14, 2012 9:10 PM
  • Verify the availability of the Operations Master on the 2008 server using the following commands.

    dcdiag /s:<nameofnewserver> /test:knowsofroleholders
    dcdiag /s:<nameofnewserver> /test:fsmocheck

    Once you are sure that the tests are passed, check and confirm once more that the new 2008 dc is holding all the role holders using the command

     netdom query /domain:<domainname> fsmo

    After confirming the above, shut down the 2003 server and confirm that you are free from any other issues related to this. I would advise moving the server off the network and watching for 3 to 5 days to confirm that everything works fine.

    Please do tell us how it went.


    Tom Jacob

    Saturday, December 15, 2012 1:59 AM
  • Tom - Thanks for the reply - my question was how to make 2008 the Master - all the roles now are held by the 2003 - at this current time the 2003 is still turned off (that was done to be sure the 2008 had all the replicated GPO, etc. so users could log on). Which they can, so I am now at the point of wanting to begin the actual decommission of the 2003. So my question was what do I need to do to transfer those roles, after which your commands would seem to make sense to confirm that all is ok - right now those commands fail as they can't find the PDC. I found this link: http://support.microsoft.com/kb/324801?wa=wsignin1.0

     Is this what I need to follow? I assume I don't follow a 2008 writeup as I am not transferring away from 2008 but rather away from 2003. Am I thinking about this logically? Also, do I need to raise forest and domain functional levels in there somewhere on my 2008 after the roles are assigned? They are at 2003 now.

    Saturday, December 15, 2012 3:37 PM
  • Hi All

     At this point I need the steps to make my 2008 the operations Master and then to remove the 2003 from the domain. Both servers are now back up. Would I follow this document:

    http://support.microsoft.com/kb/324801?wa=wsignin1.0

    Also, do I need to raise the Forest and/or Domain functional levels? There was a previous response but I think it was made with the assumption that I had already made the 2008 the Master, which I had not. I assume that after I do then I can perform those steps. I am hoping to get this wrapped up before the new year so any replies would be appreciated - Merry Christmas to all!!

    Tuesday, December 25, 2012 5:25 PM