Unable to logon to DC in a site

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I promoted 2 DCs in a site last Friday; I configured one of them as GC. When
I left the office everything seemed to be working just fine, but this Monday when I
returned to the office I wasn't able to log on to them with any account with
administrative privileges. As a part of my site DC deployment checklist I
add a key to the registry in CurrentControlSet\Control\LSA named
IgnoreGCFailures in order to avoid the failures caused by port restrictions
in my WAN deployment. This key is added correctly but I still can't log on to
the DCs. Clients in that site do not have problems logging on.

Any help would be greatly appreciated
Oswaldo.
 

"Oswaldo." <Oswaldo@discussions.microsoft.com> wrote in message
news:928F7769-834D-4AF4-A665-1A33A912E22D@microsoft.com...
>
> I promoted 2 DCs in a site last Friday; I configured one of them as GC.

Did they replicate? -- or finish DCPromo?


> When
> I left the office everything seemed to be working just fine, but this Monday when I
> returned to the office I wasn't able to log on to them with any account with
> administrative privileges.

Are you absolutely certain you ADDED both of them
to the existing domain, rather than accidentally creating
a new domain?

> As a part of my site DC deployment checklist I
> add a key to the registry in CurrentControlSet\Control\LSA named
> IgnoreGCFailures in order to avoid the failures caused by port restrictions
> in my WAN deployment.

The admin accounts can bypass GC problems anyway.

> This key is added correctly but I still can't log on to
> the DCs. Clients in that site do not have problems logging on.

Sounds like you never replicated fully.

Most such problems are really DNS issues, UNLESS you
have restrictive firewalls as you seem to do.

Generally it is a good idea to stay LOGGED on until
such finished.

Worst case you can return these to servers (use the
Directory Services Restore mode if you must) and
re-promote them.


--
Herb Martin


>
> Any help would be greatly appreciated
> Oswaldo.
>
 

"Herb Martin" wrote:

> The admin accounts can bypass GC problems anyway.

Only the built-in AD admin accounts though.
Use UPN such as admin@domainname.com to login.
 

Yes it finished replication, and created sysvol.


"Oswaldo." <Oswaldo@discussions.microsoft.com> wrote in message
news:716D1E5E-4716-436C-BF88-9F915F3C0524@microsoft.com...
> Yes it finished replication, and created sysvol.

Well, if that happened then you can logon with the
domain Admin account.

My suspicion (if the above is true), is that you created
a new domain.

--
Herb Martin


"Oswaldo." wrote:

> Yes it finished replication, and created sysvol.
>

So did you get to login successfully to the *correct* domain (on any of the
new DCs itself) using the built-in domain administrator account?

Note that clients may still be authenticated by an existing DC in the AD
site (where you added the 2 new DCs). Check the LOGONSERVER environment
variable and ensure at least that the network login script actually ran off
from the correct DC.
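
Added example, not part of the original thread: a read-only PowerShell check, run on one of the new DCs, that gathers the facts the replies ask about (which domain the machine actually belongs to, whether it is a DC, which server LOGONSERVER names, whether the IgnoreGCFailures key exists, and whether a GC can be located). The domain name `corp.example.com` is a hypothetical placeholder, and the `SYSTEM` hive prefix on the registry path is assumed.

```powershell
# Added example: read-only checks; nothing here changes the DC's configuration.
param(
    # Hypothetical placeholder: DNS name of the domain the DCs should have joined.
    [string]$ExpectedDomain = 'corp.example.com'
)

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$isDc = $cs.DomainRole -in 4, 5

# A server promoted into a brand-new domain reports that new domain's name here,
# which is the situation suspected in the thread.
$domainMatches = $cs.Domain -ieq $ExpectedDomain

# LOGONSERVER names the DC that authenticated the current session, e.g. \\DC01.
$logonServer = $env:LOGONSERVER
$authenticatedLocally = $logonServer -and
    ($logonServer.TrimStart('\') -ieq $env:COMPUTERNAME)

# The original poster adds IgnoreGCFailures as a key under Control\Lsa.
$ignoreGcKey = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures'

# Ask the DC locator for a global catalog reachable from this machine.
$gcLookup = & nltest.exe "/dsgetdc:$ExpectedDomain" /gc 2>&1
$gcFound  = ($LASTEXITCODE -eq 0)

[pscustomobject]@{
    ComputerName                 = $env:COMPUTERNAME
    IsDomainController           = $isDc
    Domain                       = $cs.Domain
    DomainMatchesExpected        = $domainMatches
    LogonServer                  = $logonServer
    SessionAuthenticatedByThisDC = [bool]$authenticatedLocally
    IgnoreGCFailuresKeyPresent   = $ignoreGcKey
    GlobalCatalogLocated         = $gcFound
    LocatorOutput                = ($gcLookup | Out-String).Trim()
}
```

A `DomainMatchesExpected` of `False` on a machine where `IsDomainController` is `True` points at the "new domain" case; a `LogonServer` that names a different DC means the session was authenticated elsewhere in the site.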