Unable to logon to DC in a site

Guest

I promoted 2 DCs in a site last Friday, and I configured one of them as a GC. When
I left the office everything seemed to be working just fine, but this Monday when I
returned to the office I wasn't able to log on to them with any account with
administrative privileges. As part of my site DC deployment checklist I
add a key to the registry in CurrentControlSet\Control\LSA named
IgnoreGCFailures in order to avoid the failures caused by port restrictions
in my WAN deployment. This key is added correctly but I still can't log on to the
DCs. Clients in that site do not have problems logging on.

Any help would be greatly appreciated
Oswaldo.
 
Oswaldo. said:
I promoted 2 DCs in a site last Friday, and I configured one of them as a GC.

Did they replicate? -- or finish DCPromo?

When
I left the office everything seemed to be working just fine, but this Monday when I
returned to the office I wasn't able to log on to them with any account with
administrative privileges.

Are you absolutely certain you ADDED both of them
to the existing domain, rather than accidentally creating
a new domain?

As part of my site DC deployment checklist I
add a key to the registry in CurrentControlSet\Control\LSA named
IgnoreGCFailures in order to avoid the failures caused by port restrictions
in my WAN deployment.

The admin accounts can bypass GC problems anyway.

This key is added correctly but I still can't log on to the
DCs. Clients in that site do not have problems logging on.

Sounds like you never replicated fully.

Most such problems are really DNS issues, UNLESS you
have restrictive firewalls as you seem to do.

Generally it is a good idea to stay LOGGED on until
such finished.

Worst case you can return these to servers (use the
Directory Services Restore mode if you must) and
re-promote them.
 
Herb Martin said:
The admin accounts can bypass GC problems anyway.

Only the built-in AD admin accounts though.
Use UPN such as (e-mail address removed) to login.
 
Yes it finished replication, and created sysvol.

Herb Martin said:
Did they replicate? -- or finish DCPromo?

Are you absolutely certain you ADDED both of them
to the existing domain, rather than accidentally creating
a new domain?

The admin accounts can bypass GC problems anyway.

Sounds like you never replicated fully.

Most such problems are really DNS issues, UNLESS you
have restrictive firewalls as you seem to do.

Generally it is a good idea to stay LOGGED on until
such finished.

Worst case you can return these to servers (use the
Directory Services Restore mode if you must) and
re-promote them.
 
Oswaldo. said:
Yes it finished replication, and created sysvol.

Well, if that happened then you can logon with the
domain Admin account.

My suspicion (if the above is true), is that you created
a new domain.
 
Oswaldo. said:
Yes it finished replication, and created sysvol.

So did you get to login successfully to the *correct* domain (on any of the
new DCs itself) using the built-in domain administrator account?

Note that clients may still be authenticated by an existing DC in the AD
site (where you added the 2 new DCs). Check the LOGONSERVER environment
variable and ensure at least that the network login script actually ran off
from the correct DC.
 