cannot logon after dcpromo

  • Thread starter Thread starter peter
  • Start date Start date
P

peter

I installed win2k server on a new machine, ran dcpromo a
made the computer an additional domain controller.
there were no errors during that process

the errors came later:
i could not log on to the domain, the system
gave me the message claiming that there are some
time related problems (scrrenshot available here:
http://www.wszim-sochaczew.edu.pl/piotrm/error.jpg)

when i turned off that machine (so i had my old dc
only) everything was ok
when i restarted that machine everything was ok (for 2
days. after that the situation occured again)

i ensured that i have got synchronized time in my domain i
checked the clients and they also have correct time

i had a critical situation and i had to make
"the crippled controller" the only controller
in my domain. when i did so the situation now is as
follows : everything is ok for about 48 hours after that
no one can log on to a domain, when i restart dc the
situation improves for 48 hours then the errors appear
again.

any ideas?
 
the time is synchronized properly,
i tried a lot of methods (NET TIME /SETSNTP: etc.)
i tried to synchronoze server with external source
i tried to not synchronize server with external source
doesn't help

it is the real problem, i cannot logon to any machine in
my domain including the domain controller
i recieve the same error

i use the program called "poweroff" to restart my dc and
then everything come to "ok state" but it is only a matter
of time for it to get bad
 
Peter

Hi sorry for the later reply.
Okay Can we just review the situation here.

You had 1 domain with 1 domain controller as you have had some hardware
issues with it, so you recently added another and since then every 2 days
your getting a domain wide problem, that every client on the domain cannot
login. and they all report the same time error. is this correct ?

Now to clear the error you restart the newly promoted Domain Controller is
this correct, or are you restarting all of the domain controllers or the old
DC.

You say that you have now made the crippled DC the only dc in the domain and
the problem still exists is this also correct?
How did you achieve this did your demote the old domain controller or switch
it off ?

Did you have the problem before you added the new DC ?

I think that you now need to review the event logs on the Domain controller
/controllers and the clients and see what errors are reporting in the event
logs look in all of them to begin on both the DC's and at least 2 of the
affected clients they are bound to give you some clues.

You have a pattern forming so you just need to review the logs around the
time the problem occurs, if you look back you may find some information that
will help trace the cause of the problem.

Increase the size of all the logs if you don't have enough space to collect
at least 4 days worth of logs minimum to see if you can identify a pattern
(we keep at least 6 months work to review for trend analysis)

I would also think you will need to perform some tests such as running
DCDiag on the domain controllers, also check the dc promo log for any errors
from the promoting / demoting of the new DC. Also use Repmon to check your
AD replication, check to ensure all your FSMO roles are available and check
you have a working Global Catalog.
Ensure you have the support tools installed on the DC's also the Win2k
Server resource kit if you have it as these tools are a must.
If you need a help to identify any errors that are reported then just post
them back to the group for assistance.



rgds
Steve
 
Hi Peter,

Thanks for your posting here.

As you mentioned that the problem occur on all the DCs and clients in your
network. When the problem occur is your old DC online? Did you have DNS
service installed on the new DC?

If so, I recommend that you point all the DCs to itself in the DNS settings
and point all the clients to the old DC as the DNS server. Please do not
point any server to the public DNS server.

Now refer to the following document to set the time service on DCs and
clients.

How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216734

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I am very glad to hear that the problem has been resolved.

If you have any further questions or concerns, please feel free to post
here. It is our pleasure to be of assistance.

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "peter" <[email protected]>
Subject: Re: cannot logon after dcpromo
Date: Thu, 19 Aug 2004 08:20:00 -0700
Newsgroups: microsoft.public.win2000.advanced_server

the problem has probably been solved,
i will post again if it hasnt

thanks for your help
 
I figured out that turning off settings
for Kerberos policy fixed the situation

adm tools -> domain security -> kerberos policy

i turned off everything and the issue
is under control by now


thanks for your help guys
 
Hi Peter,

Do you mean the "Enforce User Logon Restrictions" setting in Kerberos
policy? By default, the policy is enabled and should only be disabled in
rare circumstances.

Here is the information on the Kerberos policy settings themselves:

http://www.microsoft.com/technet/Security/topics/issues/w2kccadm/Win2kpol/w2
kadm09.mspx

Please make sure that you have those policies correctly configured in the
"Default Domain Policy"

In addition, Kerberos security depends on time, if the times are over 5
minutes apart then kerberos fails.

To configure an authoritative time server in Windows, please refer to the
following articles.

How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/?id=216734

The Windows Time Service
http://www.microsoft.com/windows2000/docs/wintimeserv.doc

Wish it helps.

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "peter" <[email protected]>
Subject: SOLUTION Re: cannot logon after dcpromo
Date: Fri, 27 Aug 2004 02:14:33 -0700
Newsgroups: microsoft.public.win2000.advanced_server

I figured out that turning off settings
for Kerberos policy fixed the situation

adm tools -> domain security -> kerberos policy

i turned off everything and the issue
is under control by now


thanks for your help guys
 
Back
Top