cannot logon after dcpromo

Archived from groups: microsoft.public.win2000.advanced_server

I installed win2k server on a new machine, ran dcpromo and
made the computer an additional domain controller.
there were no errors during that process

the errors came later:
i could not log on to the domain, the system
gave me the message claiming that there are some
time related problems (screenshot available here:
http://www.wszim-sochaczew.edu.pl/piotrm/error.jpg)

when i turned off that machine (so i had my old dc
only) everything was ok
when i restarted that machine everything was ok (for 2
days. after that the situation occurred again)

i ensured that i have got synchronized time in my domain i
checked the clients and they also have correct time

i had a critical situation and i had to make
"the crippled controller" the only controller
in my domain. when i did so the situation now is as
follows : everything is ok for about 48 hours after that
no one can log on to a domain, when i restart dc the
situation improves for 48 hours then the errors appear
again.

any ideas?
  1.

    Peter
    http://support.microsoft.com/?kbid=232386
    is the error and KB article

    http://labmice.techtarget.com/windows2000/timesynch.htm

    resources on time sync
    rgds
    Steve

    "peter" <majcher@news.postalias> wrote in message
    news:127b01c47bb1$2f6320f0$a301280a@phx.gbl...
    > I installed win2k server on a new machine, ran dcpromo and
    > made the computer an additional domain controller.
    > there were no errors during that process
    >
    > the errors came later:
    > i could not log on to the domain, the system
    > gave me the message claiming that there are some
    > time related problems (screenshot available here:
    > http://www.wszim-sochaczew.edu.pl/piotrm/error.jpg)
    >
    > when i turned off that machine (so i had my old dc
    > only) everything was ok
    > when i restarted that machine everything was ok (for 2
    > days. after that the situation occurred again)
    >
    > i ensured that i have got synchronized time in my domain i
    > checked the clients and they also have correct time
    >
    > i had a critical situation and i had to make
    > "the crippled controller" the only controller
    > in my domain. when i did so the situation now is as
    > follows : everything is ok for about 48 hours after that
    > no one can log on to a domain, when i restart dc the
    > situation improves for 48 hours then the errors appear
    > again.
    >
    > any ideas?
  2.

    the time is synchronized properly,
    i tried a lot of methods (NET TIME /SETSNTP: etc.)
    i tried to synchronize server with external source
    i tried to not synchronize server with external source
    doesn't help

    it is the real problem, i cannot logon to any machine in
    my domain including the domain controller
    i receive the same error

    i use the program called "poweroff" to restart my dc and
    then everything comes to "ok state" but it is only a matter
    of time for it to get bad


  3.

    Peter

    Hi, sorry for the late reply.
    Okay, can we just review the situation here?

    You had 1 domain with 1 domain controller, and as you have had some hardware
    issues with it, you recently added another, and since then every 2 days
    you're getting a domain-wide problem: every client on the domain cannot
    log in, and they all report the same time error. Is this correct?

    Now, to clear the error you restart the newly promoted domain controller, is
    this correct? Or are you restarting all of the domain controllers, or the old
    DC?

    You say that you have now made the crippled DC the only DC in the domain and
    the problem still exists, is this also correct?
    How did you achieve this: did you demote the old domain controller or switch
    it off?

    Did you have the problem before you added the new DC?

    I think that you now need to review the event logs on the domain
    controller/controllers and the clients and see what errors are being reported
    in the event logs. Look in all of them to begin with, on both the DCs and at
    least 2 of the affected clients; they are bound to give you some clues.

    You have a pattern forming, so you just need to review the logs around the
    time the problem occurs. If you look back you may find some information that
    will help trace the cause of the problem.

    Increase the size of all the logs if you don't have enough space to collect
    at least 4 days' worth of logs minimum, to see if you can identify a pattern
    (we keep at least 6 months' worth to review for trend analysis).

    I would also think you will need to perform some tests such as running
    DCDiag on the domain controllers. Also check the dcpromo log for any errors
    from the promoting / demoting of the new DC. Also use Repmon to check your
    AD replication, check to ensure all your FSMO roles are available and check
    you have a working Global Catalog.
    Ensure you have the support tools installed on the DCs, and also the Win2k
    Server resource kit if you have it, as these tools are a must.
    If you need help to identify any errors that are reported, then just post
    them back to the group for assistance.


    rgds
    Steve


  4.

    Hi Peter,

    Thanks for your posting here.

    As you mentioned, the problem occurs on all the DCs and clients in your
    network. When the problem occurs, is your old DC online? Did you have the DNS
    service installed on the new DC?

    If so, I recommend that you point all the DCs to themselves in the DNS settings
    and point all the clients to the old DC as the DNS server. Please do not
    point any server to the public DNS server.

    Now refer to the following document to set the time service on DCs and
    clients.

    How to Configure an Authoritative Time Server in Windows 2000
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;216734

    Have a nice day!

    Regards,
    Bob Qin
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  5.

    the problem has probably been solved,
    i will post again if it hasn't

    thanks for your help


  6.

    I am very glad to hear that the problem has been resolved.

    If you have any further questions or concerns, please feel free to post
    here. It is our pleasure to be of assistance.

    Have a nice day!

    Regards,
    Bob Qin
    Microsoft Online Partner Support


    --------------------
    From: "peter" <anonymous@discussions.microsoft.com>
    Subject: Re: cannot logon after dcpromo
    Date: Thu, 19 Aug 2004 08:20:00 -0700
    Newsgroups: microsoft.public.win2000.advanced_server

    the problem has probably been solved,
    i will post again if it hasn't

    thanks for your help


  7.

    I figured out that turning off settings
    for Kerberos policy fixed the situation

    adm tools -> domain security -> kerberos policy

    i turned off everything and the issue
    is under control by now


    thanks for your help guys


  8.

    Hi Peter,

    Do you mean the "Enforce User Logon Restrictions" setting in Kerberos
    policy? By default, the policy is enabled and should only be disabled in
    rare circumstances.

    Here is the information on the Kerberos policy settings themselves:

    http://www.microsoft.com/technet/Security/topics/issues/w2kccadm/Win2kpol/w2kadm09.mspx

    Please make sure that you have those policies correctly configured in the
    "Default Domain Policy"

    In addition, Kerberos security depends on time; if the times are over 5
    minutes apart then Kerberos fails.

    To configure an authoritative time server in Windows, please refer to the
    following articles.

    How to Configure an Authoritative Time Server in Windows 2000
    http://support.microsoft.com/?id=216734

    The Windows Time Service
    http://www.microsoft.com/windows2000/docs/wintimeserv.doc

    Wish it helps.

    Regards,
    Bob Qin
    Microsoft Online Partner Support


    --------------------
    From: "peter" <anonymous@discussions.microsoft.com>
    Subject: SOLUTION Re: cannot logon after dcpromo
    Date: Fri, 27 Aug 2004 02:14:33 -0700
    Newsgroups: microsoft.public.win2000.advanced_server

    I figured out that turning off settings
    for Kerberos policy fixed the situation

    adm tools -> domain security -> kerberos policy

    i turned off everything and the issue
    is under control by now


    thanks for your help guys



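The 5-minute Kerberos tolerance mentioned in the last reply can be checked from a single SNTP exchange between a client and its time source. The following is an added example, not part of the original thread: it builds an SNTP request, validates a reply and computes the clock offset with the standard SNTP formula. The reply packets and timestamps are constructed inline rather than captured, and all function names are illustrative.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300.0     # the 5-minute tolerance quoted in the thread, in seconds

def to_ntp(unix_time):
    """Encode Unix seconds as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    ntp = unix_time + NTP_UNIX_DELTA
    sec = int(ntp)
    return struct.pack("!II", sec, int((ntp - sec) * 2**32))

def from_ntp(raw):
    """Decode a 64-bit NTP timestamp back to Unix seconds."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3, transmit timestamp = t1."""
    return bytes([0x1B]) + bytes(39) + to_ntp(t1)

def make_reply(request, t2, t3, stratum=2):
    """Constructed server reply (stands in for a captured packet)."""
    header = bytes([0x1C, stratum]) + bytes(22)      # LI=0, VN=3, Mode=4
    return header + request[40:48] + to_ntp(t2) + to_ntp(t3)

def check_skew(request, reply, t4, max_skew=KERBEROS_MAX_SKEW):
    """Return (offset_seconds, within_tolerance) for one request/reply pair.

    t4 is the client's clock reading when the reply arrived.
    """
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports it is not synchronized")
    if reply[24:32] != request[40:48]:
        # The originate timestamp must echo our transmit timestamp; otherwise
        # the reply is stale or belongs to a different request.
        raise ValueError("reply does not match request")
    t1 = from_ntp(reply[24:32])   # client transmit time (client clock)
    t2 = from_ntp(reply[32:40])   # server receive time (server clock)
    t3 = from_ntp(reply[40:48])   # server transmit time (server clock)
    offset = ((t2 - t1) + (t3 - t4)) / 2    # positive: server is ahead of client
    return offset, abs(offset) <= max_skew

if __name__ == "__main__":
    t1 = 1093000000.0                       # constructed client send time
    req = build_request(t1)
    for server_lead in (2.0, 400.0):        # constructed: server ahead by 2 s and by 400 s
        reply = make_reply(req, t1 + server_lead + 0.25, t1 + server_lead + 0.25)
        offset, ok = check_skew(req, reply, t1 + 0.5)
        print(f"offset {offset:+.2f} s -> {'within' if ok else 'outside'} Kerberos tolerance")
```

Run against each DC and a few clients, a check like this separates a genuine clock problem from a time-related logon error that has another cause.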