cannot logon after dcpromo

peter

Archived from groups: microsoft.public.win2000.advanced_server

I installed win2k server on a new machine, ran dcpromo and
made the computer an additional domain controller.
there were no errors during that process

the errors came later:
i could not log on to the domain, the system
gave me the message claiming that there are some
time related problems (screenshot available here:
http://www.wszim-sochaczew.edu.pl/piotrm/error.jpg)

when i turned off that machine (so i had my old dc
only) everything was ok
when i restarted that machine everything was ok (for 2
days. after that the situation occurred again)

i ensured that i have got synchronized time in my domain i
checked the clients and they also have correct time

i had a critical situation and i had to make
"the crippled controller" the only controller
in my domain. when i did so the situation now is as
follows : everything is ok for about 48 hours after that
no one can log on to a domain, when i restart dc the
situation improves for 48 hours then the errors appear
again.

any ideas?
 

steve


Peter
http://support.microsoft.com/?kbid=232386
is the error and KB article

http://labmice.techtarget.com/windows2000/timesynch.htm

resources on time sync
rgds
Steve

 
Guest

the time is synchronized properly,
i tried a lot of methods (NET TIME /SETSNTP: etc.)
i tried to synchronize server with external source
i tried to not synchronize server with external source
doesn't help

it is the real problem, i cannot logon to any machine in
my domain including the domain controller
i receive the same error

i use the program called "poweroff" to restart my dc and
then everything comes to "ok state" but it is only a matter
of time for it to get bad




 

steve


Peter

Hi, sorry for the late reply.
Okay, can we just review the situation here?

You had 1 domain with 1 domain controller, and as you have had some hardware
issues with it, you recently added another, and since then every 2 days
you're getting a domain-wide problem, that every client on the domain cannot
log in, and they all report the same time error. Is this correct?

Now, to clear the error you restart the newly promoted domain controller, is
this correct, or are you restarting all of the domain controllers or the old
DC?

You say that you have now made the crippled DC the only DC in the domain and
the problem still exists, is this also correct?
How did you achieve this, did you demote the old domain controller or switch
it off?

Did you have the problem before you added the new DC?

I think that you now need to review the event logs on the domain controller
/controllers and the clients and see what errors are being reported in the event
logs. Look in all of them to begin with, on both the DCs and at least 2 of the
affected clients; they are bound to give you some clues.

You have a pattern forming, so you just need to review the logs around the
time the problem occurs. If you look back you may find some information that
will help trace the cause of the problem.

Increase the size of all the logs if you don't have enough space to collect
at least 4 days' worth of logs minimum, to see if you can identify a pattern
(we keep at least 6 months' worth to review for trend analysis).

I would also think you will need to perform some tests such as running
DCDiag on the domain controllers. Also check the dcpromo log for any errors
from the promoting / demoting of the new DC. Also use Repmon to check your
AD replication, check to ensure all your FSMO roles are available and check
you have a working Global Catalog.
Ensure you have the support tools installed on the DCs, also the Win2k
Server resource kit if you have it, as these tools are a must.
If you need help to identify any errors that are reported then just post
them back to the group for assistance.



rgds
Steve





 
Guest

Hi Peter,

Thanks for your posting here.

As you mentioned, the problem occurs on all the DCs and clients in your
network. When the problem occurs, is your old DC online? Did you have DNS
service installed on the new DC?

If so, I recommend that you point all the DCs to themselves in the DNS settings
and point all the clients to the old DC as the DNS server. Please do not
point any server to the public DNS server.

Now refer to the following document to set the time service on DCs and
clients.

How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216734

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 

peter


the problem has probably been solved,
i will post again if it hasn't

thanks for your help


 
Guest

I am very glad to hear that the problem has been resolved.

If you have any further questions or concerns, please feel free to post
here. It is our pleasure to be of assistance.

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

peter


I figured out that turning off settings
for Kerberos policy fixed the situation

adm tools -> domain security -> kerberos policy

i turned off everything and the issue
is under control by now


thanks for your help guys



 
Guest

Hi Peter,

Do you mean the "Enforce User Logon Restrictions" setting in Kerberos
policy? By default, the policy is enabled and should only be disabled in
rare circumstances.

Here is the information on the Kerberos policy settings themselves:

http://www.microsoft.com/technet/Security/topics/issues/w2kccadm/Win2kpol/w2kadm09.mspx

Please make sure that you have those policies correctly configured in the
"Default Domain Policy"

In addition, Kerberos security depends on time; if the times are over 5
minutes apart then Kerberos fails.

To configure an authoritative time server in Windows, please refer to the
following articles.

How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/?id=216734

The Windows Time Service
http://www.microsoft.com/windows2000/docs/wintimeserv.doc

Wish it helps.

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
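
The 5-minute Kerberos clock tolerance mentioned in the post above can be checked from captured SNTP replies. The following is an added example, not part of the thread or of any Microsoft tool; the host names, function names, the half-tolerance warning margin and the sample packets are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
KERBEROS_MAX_SKEW = 300.0      # the 5-minute tolerance quoted in the post above

def ntp_to_unix(raw8):
    """Decode an 8-byte NTP timestamp (32.32 fixed point) to Unix seconds."""
    seconds, fraction = struct.unpack("!II", raw8)
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32

def unix_to_ntp(ts):
    """Encode Unix seconds as an NTP timestamp (only used to build sample data)."""
    whole = int(ts)
    return struct.pack("!II", whole + NTP_EPOCH_DELTA, int((ts - whole) * 2**32))

def clock_offset(reply, t1, t4):
    """Server clock minus local clock, from one SNTP exchange."""
    # t1/t4: local clock when the request left / when the reply arrived.
    # t2/t3: server receive/transmit timestamps at bytes 32-39 and 40-47.
    if len(reply) < 48:
        raise ValueError("truncated SNTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports an unsynchronised clock")
    t2, t3 = ntp_to_unix(reply[32:40]), ntp_to_unix(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2

def skew_status(offset, max_skew=KERBEROS_MAX_SKEW):
    """'fail' beyond the tolerance, 'warn' past half of it (assumed margin)."""
    if abs(offset) > max_skew:
        return "fail"
    return "warn" if abs(offset) > max_skew / 2 else "ok"

def audit(samples):
    """Map host -> (offset or None, status) for captured (reply, t1, t4) tuples."""
    report = {}
    for host, (reply, t1, t4) in samples.items():
        try:
            offset = clock_offset(reply, t1, t4)
            report[host] = (round(offset, 3), skew_status(offset))
        except ValueError:
            report[host] = (None, "unsynced")
    return report

def make_reply(t1, t2, t3, leap=0, stratum=2):
    """Build a constructed 48-byte SNTP v3 server reply for the demo."""
    header = bytes([(leap << 6) | (3 << 3) | 4, stratum, 0, 0]) + bytes(12)
    return header + unix_to_ntp(t2) + unix_to_ntp(t1) + unix_to_ntp(t2) + unix_to_ntp(t3)

# Constructed samples: hypothetical host names, local send time T in August 2004.
T = 1093000000.0
SAMPLES = {
    "dc-old":  (make_reply(T, T + 0.510, T + 0.511), T, T + 0.021),
    "dc-new":  (make_reply(T, T + 400.010, T + 400.011), T, T + 0.021),
    "client1": (make_reply(T, T - 179.990, T - 179.989), T, T + 0.021),
    "client2": (make_reply(T, T, T, leap=3, stratum=0), T, T + 0.021),
}
```

Calling `audit(SAMPLES)` flags `dc-new` as `fail` (about 400 s ahead), `client1` as `warn` (about 180 s behind) and `client2` as `unsynced`, which is the kind of per-host view that separates a real clock problem from a policy problem.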
