DC - refuses administrator log on

  • Question

  • History:  I migrated a 2003 domain to 2012 R2 (2 DCs), now native.  All was ok until my 1st reboot of the 2nd DC.  It lost its ability to communicate w/the domain.  I've demoted/removed it and am now on 1 DC until I can do some more testing.  DNS is now clean and dcdiag gives a clean bill.  This has been running without issues for several weeks.

    This AM I get a call and users cannot log into the terminal server.  I reboot it, but the problem persists.  I then try to log onto the DC.  I get a login error, the DC doesn't recognize administrator or the regular domain admin account I typically use.  I'm forced to do a power button shutdown and restart.  After restart I can log in and everything appears to be good.

    A review of the event logs shows that @ 4:30PM yesterday the scheduled backup (Win Backup) occurred successfully.  Then shortly after 5PM the system logs event 5823 (NETLOGON: The system successfully changed its password on the domain controller.  This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.)

    Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot.

    Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

    Tuesday, January 14, 2014 6:00 PM

Answers

  • I have now had a member server (2012 R2) do a machine account change and then start throwing #4 & 1097 errors.    By the time I was aware of it I couldn't log onto it and had to do a power reboot.

    In my GPO for my domain servers I've set Computer Config\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain Member:Disable machine account password changes and Domain Member:Refuse machine account password changes to enabled.

    Seems there's a bug in 2012 R2.



    • Edited by DennisT. _ Tuesday, January 21, 2014 3:49 PM
    • Marked as answer by DennisT. _ Monday, March 31, 2014 3:10 PM
    Tuesday, January 21, 2014 3:48 PM
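The two GPO settings in the marked answer land in the Netlogon service's registry parameters on each member. The following PowerShell, added here as an example and not part of the thread, audits those values on the local host (together with the most recent NETLOGON 5823 and the secure-channel state) and can apply the workaround or the longer 120-day interval one later reply mentions. The value names DisablePasswordChange, RefusePasswordChange and MaximumPasswordAge are assumed from standard Netlogon documentation rather than taken from the thread; a GPO rewrites its own values at refresh, so on a domain-managed host change the policy rather than the registry.

```powershell
# Added example (not from the thread): audit, and optionally set, the Netlogon
# values behind "Domain Member: Disable/Refuse machine account password changes".
# Assumed value names under the Netlogon Parameters key (standard Netlogon settings):
#   DisablePasswordChange  1 = this host never rotates its machine account password
#   RefusePasswordChange   1 = (on a DC) reject password-change requests from members
#   MaximumPasswordAge     days between automatic changes; treated as 30 when absent
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    param([string]$Key = $NetlogonKey)
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    $disabled = [int]$p.DisablePasswordChange          # an absent value reads as 0
    $age = 30
    if ($null -ne $p.MaximumPasswordAge) { $age = [int]$p.MaximumPasswordAge }

    # Most recent automatic change this host logged (NETLOGON 5823 in the System log)
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5823 }
    $last = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastChange = $null
    $nextDue = $null
    if ($last) {
        $lastChange = $last.TimeCreated
        if (-not $disabled) { $nextDue = $lastChange.AddDays($age) }
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisablePasswordChange  = $disabled
        RefusePasswordChange   = [int]$p.RefusePasswordChange
        MaximumPasswordAgeDays = $age
        LastAutoChange         = $lastChange
        NextAutoChangeDue      = $nextDue
        # $false here is the state the thread describes: the host's password no
        # longer matches what the DC holds, and domain logons start failing
        SecureChannelOk        = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }
}

function Set-MachinePasswordChange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Disable', 'Enable')][string]$Mode,
        # Alternative to disabling outright: lengthen the interval (one reply uses 120)
        [ValidateRange(1, 1000)][int]$MaxAgeDays,
        [string]$Key = $NetlogonKey
    )
    $disable = 0
    if ($Mode -eq 'Disable') { $disable = 1 }
    if ($PSCmdlet.ShouldProcess($Key, "Set DisablePasswordChange=$disable")) {
        Set-ItemProperty -Path $Key -Name DisablePasswordChange -Value $disable -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('MaxAgeDays') -and
        $PSCmdlet.ShouldProcess($Key, "Set MaximumPasswordAge=$MaxAgeDays")) {
        Set-ItemProperty -Path $Key -Name MaximumPasswordAge -Value $MaxAgeDays -Type DWord
    }
    Get-MachinePasswordPolicy -Key $Key
}

# Usage (elevated prompt): review the current state, then dry-run the workaround.
Get-MachinePasswordPolicy | Format-List
Set-MachinePasswordChange -Mode Disable -WhatIf
```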

All replies

  • Can anyone shed some light on what possibly happened?  Did the automatic change of the system password break AD because I only have 1 DC?

    No. That should not break your DC.

    The details you shared do not provide enough details about the problem. Is there any DNS resolution issues reported by the server?

    If yes, you might consider following the IP settings recommendation provided here: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx

    Note also that it is highly recommended to have at least two DC/DNS/GC servers per AD domain and that you do periodic system state backups using an AD-aware backup solution. Also, make sure that you have the DSRM admin password as you will need it in similar situation so that you can access AD in Directory Services Recovery Mode.



    Tuesday, January 14, 2014 9:16 PM
  • I'm running DNS (ad integrated) on the DC and a member server.  dcdiag /a /c /test:dns passes everything and gives one warning (Warning: Failed to delete the test record dcdiag-test-record in zone ourdomain.local).  All the SRV as well as other records look good and I'm seeing no DNS related errors or warnings since I rebooted (same as before the 4/1006 errors started).

    I just checked the other DNS server (2012 R2) and it started throwing Event 4 errors (kerberos KRB_AP_ERR_MODIFIED) 3 minutes after the NETLOGON password change occurred on the DC.  A quick survey of Win 7 and higher systems shows that this was the earliest that error appeared and all the systems were recording it regularly until I rebooted the DC.

    Tuesday, January 14, 2014 9:45 PM
  • Hi,

    Thanks for your response.

    Please refer to the following article for troubleshooting event id 1006 and 4:

    Event ID 1006 — Group Policy Preprocessing (Active Directory)

    http://technet.microsoft.com/en-us/library/dd392546(v=ws.10).aspx

    Event ID 4 — Kerberos Client Configuration

    http://technet.microsoft.com/en-us/library/cc733987(v=ws.10).aspx

    Regards.



    Vivian Wang

    Wednesday, January 15, 2014 9:20 AM
    Moderator
  • Vivian,

    Your post gave me some more clues.  

    As best I can figure, the 1006 error is a symptom of the 4 error.  The 4 error is a result of a password change initiated automatically by the system (see my initial post).

    I'm considering disabling the automatic change of the DC's machine account password.  As best I can tell, the risks are minimal and in our environment nearly nil.

    Wednesday, January 15, 2014 6:03 PM
  • Hi,

    Thanks for your response.

    We recommend disabling machine account password changes.

    Please refer to this article:

    http://technet.microsoft.com/en-us/library/cc785826(v=ws.10).aspx

    Regards.



    Vivian Wang

    Tuesday, January 21, 2014 5:54 AM
    Moderator
  • Hi Dennis,

    I have almost the exact same environment (2003 domain, migrated to 2012 R2) and the same issue (The system successfully changed its password on the domain controller, Event 5823), which causes the Kerberos error 4 and 1006 messages (among others).

    Have you tried resetting the machine account password to sync it up with the domain?

    http://support.microsoft.com/kb/325850

    If the computer password changes and it's out of 'alignment' with the domain password, this could help bring it back in sync. If the password on the local machine resets and it is too old, or there's some funky 2012 R2 issue going on, then it wouldn't be in sync or able to talk to Active Directory, since the password is stored in Active Directory. There are two passwords saved in the cache on the local machine, and if it's somehow older or out of sync with the two passwords in Active Directory it could cause this; at least that's what I gather from all the time I've spent looking into this.

    Tuesday, January 21, 2014 9:50 PM
  • AlphaFox-78,

    No I hadn't tried that.  I'm not sure it would apply in my situation.   The 5823 event (machine account password change) only occurred once on the DC and once on the 2012 R2 domain member server.  That KB appears to be for instances where the password is changing but the servers aren't communicating that action and get too far out of sync.

    Tuesday, January 21, 2014 10:22 PM
  • Well, if the issue happens every 30 days I'd say that the passwords are out of alignment and you should try that to see if it fixes it. I have two domain controllers which were installed within days of each other, and one server did it one day and the other did it the next day; today they are fine because they have a password in common. But I bet in 30 days it does it again; if that happens I'm going to try that resync command.
    Wednesday, January 22, 2014 1:45 PM
  • Too soon to tell on that, as I migrated from 2003 just over 30 days ago and these servers were built at that time.

    As I've disabled the machine account password changes I suspect I won't see any additional problems.  Only time will tell.

    Thursday, January 23, 2014 5:23 PM
  • Hi,

    I just want to confirm what is the current situation.

    Please feel free to let us know if you need further assistance.

    Regards.


    Vivian Wang

    Tuesday, January 28, 2014 6:48 AM
    Moderator
  • Waiting to see if the problem recurs.
    Tuesday, January 28, 2014 4:13 PM
  • Did you ever get this resolved?

    I have had a similar sounding problem with Windows 2008, and have had a support case open with Microsoft Support for 2 years and still no resolution. I can no longer use netdom resetpwd for some reason. Have you tried that for a fix to your solution?

    However, if you have this resolved with some other method, please post the solution so I can try that.

    We've had to forcibly demote several DCs and rebuild them from base image. We even disabled the password reset altogether but they still manage to break.

    Sunday, March 30, 2014 9:16 PM
  • Disabling the machine account password changes appears to have fixed the problem for us.  The problem hasn't recurred since.
    Monday, March 31, 2014 3:11 PM
  • This has happened at 3 of my customer sites now like clockwork. There definitely has to be a bug in 2012 R2. Disabling machine password changes is not standard practice when deploying domain controllers. Any word from this on Microsoft?
    Tuesday, April 22, 2014 6:07 PM
  • More info - These have all been Active Directory 2003 environments migrating to 2012 R2.
    Tuesday, April 22, 2014 6:27 PM
  • Hi, at first I want to apologize for my bad English skills.

    Does anybody have a new solution for this problem? I have the same problem: I get a call every day that somebody can't log in to the computer. I get the same error in the event log, "Security-Kerberos ERROR ID 4". After a reboot it always works fine.

    We moved from Windows Server 2003 R2 (2003 domain structure) to Windows Server 2012 R2 (2008 domain structure)

    Any official solution from Microsoft?

    Tuesday, April 29, 2014 5:48 AM
  • Look at one of the posts with a check as its icon.
    Tuesday, April 29, 2014 2:51 PM
  • That's not a resolution. It's a work around. I too am looking for a real resolution. 
    Tuesday, April 29, 2014 2:54 PM
  • Migrated from 2003 to 2012 R2 (Domain/forest functional level).

    And same problem: must restart or sometimes hard reset (when I can't log on to the physical DC).

    regards,

    Ludovic

    Monday, May 5, 2014 9:16 AM
  • We've started to see this problem occur now as well. Same situation.

    During some testing last night we were able to remotely shut off the KDC service to log on to the domain controllers and then safely reboot them. Still waiting on a patch from MS on this.

    ~Caleb

    Tuesday, June 3, 2014 4:20 PM
  • We have had a case open with Microsoft for 2 months now. They are no closer to figuring this out and tell us that they haven't had any other reported cases. Impossible.

    It's starting to get really frustrating. We have obviously stopped deploying 2012 R2 until they get a handle on this. 

    Tuesday, June 3, 2014 4:32 PM
  • Did you follow the normal method of upgrading DCs? I.e. provision a new DC at a higher OS level, add it, then roll through the process of upgrading the other domain controllers?

    We've tracked down a lot of our issues to the involvement of the third DC that was added. Running some tests now with the third DC demoted/removed. We noticed that when the issue was present this third domain controller was being used by the boxes showing the issue.

    My thinking is that for some reason this third DC is causing the auth problems for the machine accounts.

    I'll keep you updated on whether we see this issue; should have a few boxes' machine accounts roll over in the next couple of days.

    Tuesday, June 3, 2014 6:33 PM
  • In our case what I did was add a virtual 2012 R2 DC to the domain.  

    Then ensured all roles were off one of the 2003 DCs and did a wipe and loaded 2012 R2 onto it.  Made it a DC and moved all roles to it.  

    Wiped the 2nd and last 2003 DC and rebuilt it as a 2012 R2 server then DC.

    Demoted the virtual 2012 DC and removed it from the domain, then deleted it.



    Then about 30 days later the problem happened.  The disabling of machine account passwords seems to have resolved the problem for us.  Yes, it is not a fix, but it does eliminate the effects.
    • Proposed as answer by ITAccess Thursday, July 31, 2014 1:44 PM
    Wednesday, June 4, 2014 3:32 PM
  • Do you remember what functional level you were at before/after the upgrade?

    We actually did it step by step, 2k3 -> 2k8 -> 2k12.

    Functional level still 2k8 after the upgrade due to a one-way trust deal we're still working on.

    Wednesday, June 4, 2014 4:46 PM
  • I don't recall exactly; started at 2003 native and stepped through whatever was offered to get to 2012 native.  We don't have any trusts to worry about.  
    Wednesday, June 4, 2014 5:02 PM
  • Hello all,

    Just so you know... you are not alone!

    We are experiencing this exact same issue. Domain in mixed mode with 2003 R2 DC and 2012 R2 DC.

    We have a case with MS.

    It seems the issue occurs on Windows 2008 R2 only (in fact it happened to a Windows 8.1 also)

    It occurs after computer account reset password and the only way to fix is a reboot.

    We are working with MS at the time and they tell us they have other cases in progress with the same issue. But it is really difficult to reproduce. In fact, in our environment, we are not able to reproduce it. It happens here and there without warning.

    So if any of you have a step-by-step recipe we can follow to reproduce it each and every time.... please share! It could help MS engineers a lot.

    I'll try to keep you posted.

    David

    Thursday, June 19, 2014 1:24 PM
  • Hello all,

    Same environment here. 2003 AD upgraded to 2012 R2. We are still running in 2003 mode but only with 2012 R2 DCs. The issue occurs sporadically with some machines after they change their machine account password; the only way to solve it is to reboot the server. The big problem is when it happens on the DC itself, because until we reboot it, no one attached to that DC can log on...

    We disabled machine password changes on a specific OU and had no issues on the servers within that OU. We are now going to disable machine password changes globally...

    Any news from MS @DavidJobs?

    Regards,


    Nuno Carvalho


    Monday, June 30, 2014 10:37 AM
  • DavidJobs - Any update on your open case with Microsoft?
    Thursday, July 3, 2014 8:02 PM
  • Add me to the list of "Me too" seeing this.  In our case it was the customer's PDC FSMO role holder and everything was behaving oddly prior to the hard reset, same sequence of events in logs. I refuse to set the GPO to disable password changes on my DCs.

    Bump


    Sr Exchange Engineer

    Wednesday, July 23, 2014 6:01 PM
  • Hello All 

    Take a look at this post http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx

    Regards,

    Nuno Carvalho

    • Proposed as answer by HarryNew Wednesday, August 6, 2014 2:41 PM
    Monday, July 28, 2014 8:49 AM
  • Looks like the fix is in the works.  :)
    Monday, July 28, 2014 3:20 PM
  • Hello Everyone,

    I would like to chime in.

    We seem to suffer from the same problem. We have a mixture of 2003, 2008 R2 and 2012 R2 DCs in our domain. Every once in a while a 2008 R2 or 2012 R2 member server will stop applying its computer policies after changing its password on the domain. Additionally, Kerberos event 4 will be logged in the system log and domain user accounts will not be able to log in. Local user accounts can log in without a problem, and user policy updates for already logged-in users also work after the password change.

    After rebooting the member server everything will be ok again. It does not seem to hit the same servers every time.

    Thanks for the info here and the link to the AD blog. Does anyone know when the fix will be available? We do not want to disable password changes and changing the encryption types sounds like asking for trouble.

    Regards

    HarryNew

    Wednesday, August 6, 2014 2:41 PM
  • Same thing happened to us today (Monday, August 12, 2014) I could not even log into the domain controller to restart it. I had to Power it off through my vSphere Client. Once I rebooted, everything returned to normal. But I received all the errors just like everyone else has here: Right after the NETLOGON 5823 event at 12:29AM I received many Security-Kerberos EventID 4 errors over the next 9 hours until I rebooted. When people attempted to access network drives on that domain controller they could not get access. And as I stated, I could not log into the domain controller. I also received the GroupPolicy 1006 error. Here are examples of each event I'm getting:

    NETLOGON EventID 5823:

    "The system successfully changed its password on the domain controller .  This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password."

    Security-Kerberos EventID 4:

    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server domaincontroller$. The target name used was LDAP/domaincontroller.domain.com/DOMAIN. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

    GroupPolicy EventID 1006:

    "The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description."

    Just like everyone else we migrated from a Server 2003 domain to a Server 2012 R2. All we have now are 2012 R2 domain controllers (all VMs) and the domain functional level is Windows Server 2012 R2.

    dcdiag comes back with PASSes

    I'm going to make the same changes others have recommended to prevent the machine account password from changing.

    I'm sure Microsoft will be seeing more of this error from its larger customers since support for Server 2003 ends in July 2015 and many people will be transitioning to Server 2012 R2 over the next year.



    • Edited by coldchill Tuesday, August 12, 2014 2:10 PM
    Tuesday, August 12, 2014 2:10 PM
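The post above gives the three events in the order every reporter sees them: NETLOGON 5823, then Security-Kerberos 4 (KRB_AP_ERR_MODIFIED), then GroupPolicy 1006. The PowerShell below, added here as an example and not part of the thread, turns that sequence into a check a monitoring job can run so a host in this state is flagged before users call. The provider names Microsoft-Windows-Security-Kerberos and Microsoft-Windows-GroupPolicy are assumed to be the ones the System log uses for these IDs; the sample timeline is constructed.

```powershell
# Added example (not from the thread): correlate the sequence the posts describe,
# NETLOGON 5823 (machine account password changed) followed by Security-Kerberos 4
# (KRB_AP_ERR_MODIFIED) and GroupPolicy 1006/1097, so a monitoring job can flag a
# host in the "domain logons fail" state. Provider names are assumed to be those
# the System log uses for these events; confirm with Get-WinEvent -ListProvider.

function Find-StaleMachinePasswordState {
    param(
        # Any objects exposing Id, ProviderName and TimeCreated (live or constructed)
        [Parameter(Mandatory)][object[]]$Events,
        # Kerberos failures this long after the 5823 are treated as caused by it
        # (the original post saw the first one about 2.5 hours later)
        [int]$WindowMinutes = 180,
        # Require several event 4s: a single one can be an unrelated SPN problem
        [int]$Threshold = 3
    )
    $change = $Events |
        Where-Object { $_.ProviderName -eq 'NETLOGON' -and $_.Id -eq 5823 } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1

    if (-not $change) {
        return [pscustomobject]@{
            Suspect = $false; Reason = 'no NETLOGON 5823 found'; PasswordChanged = $null
            KerberosErrors = 0; GpoFailures = 0; FirstError = $null
        }
    }

    $until = $change.TimeCreated.AddMinutes($WindowMinutes)
    $after = @($Events | Where-Object { $_.TimeCreated -gt $change.TimeCreated -and $_.TimeCreated -le $until })
    $krb = @($after | Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Security-Kerberos' -and $_.Id -eq 4 })
    $gpo = @($after | Where-Object { $_.ProviderName -eq 'Microsoft-Windows-GroupPolicy' -and ($_.Id -eq 1006 -or $_.Id -eq 1097) })

    $suspect = $krb.Count -ge $Threshold
    $reason = 'no Kerberos failures following the password change'
    if ($suspect) { $reason = "$($krb.Count) KRB_AP_ERR_MODIFIED errors within $WindowMinutes min of the change" }
    $first = $null
    if ($krb.Count -gt 0) { $first = ($krb | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated }

    [pscustomobject]@{
        Suspect         = $suspect
        Reason          = $reason
        PasswordChanged = $change.TimeCreated
        KerberosErrors  = $krb.Count
        GpoFailures     = $gpo.Count
        FirstError      = $first
    }
}

function Get-RecentSystemEvents {
    # Pull only the four relevant IDs; 45 days covers the default 30-day change interval
    param([int]$Days = 45)
    $filter = @{ LogName = 'System'; StartTime = (Get-Date).AddDays(-$Days); Id = 5823, 4, 1006, 1097 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object Id, ProviderName, TimeCreated
}

# Constructed sample timeline modelled on the first post: 5823 just after 5 PM,
# then Kerberos 4 / GroupPolicy 1006 starting about 2.5 hours later.
$t0 = Get-Date '2014-01-13 17:05'
$sample = @(
    [pscustomobject]@{ Id = 5823; ProviderName = 'NETLOGON';                            TimeCreated = $t0 }
    [pscustomobject]@{ Id = 4;    ProviderName = 'Microsoft-Windows-Security-Kerberos'; TimeCreated = $t0.AddMinutes(150) }
    [pscustomobject]@{ Id = 1006; ProviderName = 'Microsoft-Windows-GroupPolicy';       TimeCreated = $t0.AddMinutes(151) }
    [pscustomobject]@{ Id = 4;    ProviderName = 'Microsoft-Windows-Security-Kerberos'; TimeCreated = $t0.AddMinutes(153) }
    [pscustomobject]@{ Id = 4;    ProviderName = 'Microsoft-Windows-Security-Kerberos'; TimeCreated = $t0.AddMinutes(156) }
)
Find-StaleMachinePasswordState -Events $sample | Format-List

# Live check on a host (elevated prompt), same logic over the real System log:
# Find-StaleMachinePasswordState -Events (Get-RecentSystemEvents) | Format-List
```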
  • Ours happened this morning - See also http://social.technet.microsoft.com/Forums/windowsserver/en-US/4d8a4018-5969-4c6c-99b1-b446711e1dd4/krbaperrmodified-4-random-on-member-server-in-upgraded-domain-2003-to-2012-r2?forum=winserverDS

    Out of curiosity coldchill - what is your forest level set to? Ours was 2003 but the domain was 2012r2.

    We're setting the password change to 120 days and hope that MS have the fix out by then.

    Unfortunately the comments for the Microsoft blog post site are disabled.


    http://absoblogginlutely.net

    Wednesday, August 13, 2014 2:09 PM
  • We also encountered this problem a few days ago. Our forest level is set to 2003 and the DC deployed this time is Windows Server 2012. Administrator logon by RDP and locally has failed every time, and event ID 1006 and ID 4 were logged intermittently. The problem seems to be gone after restarting the server, but we hope to get a complete solution, as the same problems can happen in the future in an uncertain situation. Please advise us if Microsoft succeeds in reproducing this problem and solving it.

    Monday, September 1, 2014 1:20 AM
  • Microsoft have released a patch - http://support.microsoft.com/kb/2989971

    I've not run this myself yet but it sounds like this is the solution.


    http://absoblogginlutely.net

    Tuesday, September 2, 2014 2:28 AM
  • We've had the same issues as well -- I just got off the phone w/ MS and there's a newer version of this patch - http://support.microsoft.com/kb/2984006 

    However, with all DCs patched we're still running into this problem.  

    Tuesday, September 23, 2014 2:51 PM
  • I'd like to chip in as well.

    We have quite a few servers in our environment, and in the past 3-4 months we added new 2012 servers to take over for some older 2003 domain controllers. Our forest level is still 2003.

    We're experiencing this "unable to login with domain credentials" problem on a few 2012 and 2008 servers we have.

    Symptoms seem to match what everyone else is seeing, Kerberos error in event log about the server failing to salt a token with itself, and following that a group policy failure error.

    Forest level: 2003

    New DCs: 2012 R2 (we have 1 primary and 1 backup, all systems have been redirected to look to these as the new DCs)

    Old DCs: 2003 (1 primary and 1 backup, still operational but all responsibilities have been shifted onto new servers, exist only to make sure everything is working as roles have been slowly shifted onto the new units)

    Problem occurring randomly on: 2008 and 2012 servers.

    Restarts seem to temporarily fix it, but these are servers, and their restart times are very long and it's a process we need to remove from our daily work.

    We haven't applied the patches yet, but only because the problem/environment they seem to fix is slightly different than ours.



    • Edited by matt9999 Monday, October 13, 2014 8:46 PM
    Monday, October 13, 2014 8:32 PM
  • Hi together,

    this topic is old but seems to be still unsolved, isn't it?

    Are there any news?


    Greetings/Grüße Gernot

    Tuesday, December 29, 2015 9:06 AM
  • Yes, the issue is still ongoing with fully updated Windows 2012 R2 servers.

    Nick Dorak

    Wednesday, January 6, 2016 2:21 PM
  • I just experienced this issue, with the following key differences from most people's problem:

    1. The DC and member server are both running 2012 R2 and the whole domain was created from scratch at the 2012 R2 functional level; never migrated from older versions.
    2. REBOOTING DOES NOT HELP!  I cannot log in to the DC or the member server, even after rebooting both.
    3. I have no other accounts I can log in with.  This is a closed, local domain used for config and testing purposes by me only, so there was never any point in creating additional user accounts.

    I can't view any event ids or install patches if I can't log in!

    • Proposed as answer by Roy McKenzie Thursday, June 22, 2017 2:27 PM
    • Unproposed as answer by Roy McKenzie Thursday, June 22, 2017 2:28 PM
    Thursday, July 21, 2016 5:45 PM
  • Upgraded a forest and domain from 2003 functional levels to 2016 after adding a couple of Windows Server 2016 domain controllers and demoting the old 2003 boxes.  Everything went beautifully, until I encountered the same errors (NETLOGON - account password change, followed by event 4 and 1097) on one of my member servers.  No one had access to shares on that server and I couldn't login to any administrative account.  Since it was a Hyper-V virtual guest, I issued a shutdown, then started it up and I could login with no issues.

    Apparently, this is still a problem in Windows Server 2016 when upgrading directly from Windows Server 2003.  Can't believe they didn't build in a fix, especially since they still allow you to run the upgrade (which I appreciate).  I've just set the two GPO settings mentioned later in your post in the hope that I can prevent other servers and domain members from changing their passwords until a fix is located and applied.  Thanks for your posts!


    Roy G. McKenzie

    Thursday, June 22, 2017 2:36 PM
  • FWIW we haven't experienced any issues with the work around I posted. 

    I suspect this will never be fixed properly.  2003 is no longer supported and as time goes by there are fewer and fewer 2003 domains active.

    Thursday, June 22, 2017 3:18 PM
  • We are experiencing the exact same thing: domain upgraded from 2003 to 2016 after which we started having these issues; every once in a while we were unable to login to the domain controllers and member servers even though the username and password were correct. Only way to fix it was to reboot the server. In the event viewer we had the "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server " errors (Event ID 4). Does anyone have an open ticket about this for Microsoft (Server 2016)?

    And just to be clear we don't have any 2003 Domain Controllers in our environment anymore, all our DCs are Server 2016.

    • Edited by Timo_ Friday, July 21, 2017 7:07 AM additional information
    Friday, July 21, 2017 7:06 AM
  • still no solutions for this trouble? 
    Friday, July 21, 2017 7:11 AM
  • Has anyone managed to get a hold of the patch mentioned in this link to see if it's compatible with server 2016?

    I also have the same problem.  Sites with just 2003 or 2008 or 2012 are fine, but the site with a mix of 2003, 2008 and 2016 is seeing KRB_AP_ERR_MODIFIED event ID 4s in the logs and the only fix known right now is a reboot.  

    What Timo_ said above is worrying because replacing the old DCs isn't going to fix the problem and may potentially accelerate the rate at which we see issues on machines.

    Has anyone seen this affecting workstations?  So far I just see talk about servers.

    Wednesday, July 26, 2017 9:24 AM
  • Hi MarkDa,

    I have had this on Win7 workstations and now a print server (2016). We have one 2003 DC left and the rest are 2016 (still at functional level 2003, of course). So yes, it does occur on workstations!

    I am looking at applying the GPO for Domain Members, but wonder if I should also apply this to Domain Controllers. Has anyone done this!?

    Rgds,

    Rob

    Wednesday, November 8, 2017 10:29 AM
  • Same scenario. No fix, and running 2008 R2 DC and 2016 DC, 2 of each. No resolution except to disable machine password changes. No word from MS and no testing of the hotfix on 2016.
    Wednesday, November 8, 2017 1:14 PM
  • I applied this (Disable machine account password changes) to all machines on our AD, including DC's.
    Monday, November 13, 2017 6:12 AM
  • We have the exact issue, exact scenario, but we didn't restart the DC; instead we restarted the device/member server which was unable to log in, and then it works. No 2003 DCs in our environment after upgrading.
    Tuesday, April 17, 2018 7:17 AM
  • The problem at least we had is that you will need to restart the device/member servers every time they change their machine account password, which by default is 60 days. That is unless you disable the password changes.

    • Edited by Timo_ Wednesday, May 16, 2018 6:41 AM
    Wednesday, May 16, 2018 5:47 AM
  • Hi there,

    I have the same problem after an Active Directory DS 2003 to 2016 migration.

    Is there a patch for 2016 or something?

    Monday, January 21, 2019 9:08 AM
  • I have a similar problem. In December 2018 I migrated from 2003 to 2012 R2. I transferred all roles to the 2012 R2 DC and demoted the 2003 DC.  After that I installed an additional 2016 server as "Backup" DC.

    Now with the change of the machine account password (30 days) the problem occurs on the member servers.

    Any suggestions?

    Thursday, February 7, 2019 4:09 PM
  • So it's been 5 years since this thread was started, and there is still no solution to this? Is anyone able to create a ticket about this to Microsoft?
    Friday, August 23, 2019 5:40 AM
  • After removing old domain controllers and having the logon impossible 2 times, it's gone now.
    Friday, August 23, 2019 7:37 AM