Oct 25 2020 09:02 PM
Hi,
I have two DCs, with W2K12 and W2K16. Recently, I promoted a new W2K19 server as a domain controller.
The whole process completed successfully, but after the first reboot I can't do an interactive login.
I get the message "The user name or password is incorrect. Try again"
If I stop the KDC service, I'm able to log in to the VM.
And when I try to change a user password while connected to this new DC, I get this message:
"Windows cannot complete the password change for <user> because: The security database has not been started"
I've checked DNS with DCDIAG and replication with the AD Replication Status Tool... everything seems to be OK.
Could someone help me, please?
Oct 26 2020 03:05 AM - edited Oct 26 2020 03:06 AM
Please run:
- Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
- repadmin /showrepl >C:\repl.txt
- ipconfig /all > C:\dc1.txt
- ipconfig /all > C:\dc2.txt
- ipconfig /all > C:\dc3.txt
then put **unzipped** text files up on OneDrive and share a link.
Oct 26 2020 06:17 PM
Hi @Dave Patrick . I really appreciate any help.
Log files are on: https://1drv.ms/u/s!Am8pbgsXRHYGiNxIIAqLPaNB7l64Zw?e=bgZEy1
SRVASA-DC01 - Old DC W2K19
SRVASA-DC03 - Old DC W2K16
SRVASA-DC04 - New DC W2K19 with problems
SRVASA-DC05 - it was another try, unsuccessful too. I already demoted it.
I found these error messages in DCDIAG on DC04:
SRVASA-DC03.isGlobalCatalogReady = 1
Got error while checking if the DC is using FRS or DFSR. Error:
The operation being requested was not performed because the user has not been authenticated.
The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
Testing server: Matriz\SRVASA-DC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Failure Analysis: SRVASA-DC01 ... OK.
* Active Directory RPC Services Check
[SRVASA-DC01] DsBindWithSpnEx() failed with error 5,
Access is denied..
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... SRVASA-DC01 failed test Connectivity
Testing server: Filial\SRVASA-DC03
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Failure Analysis: SRVASA-DC03 ... OK.
* Active Directory RPC Services Check
[SRVASA-DC03] DsBindWithSpnEx() failed with error 5,
Access is denied..
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... SRVASA-DC03 failed test Connectivity
There is no firewall enabled on either server.
Oct 26 2020 06:25 PM
Please do not zip the files.
Oct 27 2020 12:27 PM
Oct 27 2020 12:34 PM
SRVASA-DC01 has the RRAS role installed.
SRVASA-DC03 has the RRAS role installed.
Multi-homing a domain controller will always cause no end of grief for Active Directory domain DNS. Remove the RRAS role and, if it's still needed, stand up dedicated member servers for this role. I did not look at other files since these are show-stoppers. After correcting these problems, if issues persist then put up a new set of files to look at.
(please don't forget to mark helpful replies)
Nov 01 2020 05:12 PM
I've disabled the RRAS role on both DCs and it didn't work.
After that, I demoted SRVASA-DC04, created a new VM called SRVASA-DC02 and promoted it to a DC, but that didn't work either.
Please find the logs below
https://1drv.ms/u/s!Am8pbgsXRHYGiNxGCTpBO7GmtSzzAw?e=PuMcRk
Thanks for helping.
Nov 01 2020 05:15 PM
Link is broken. This item might have been deleted, expired, or you might not have permission to view it. Contact the owner of this item for more information.
Nov 02 2020 06:00 AM
Nov 02 2020 06:15 AM
- SRVASA-DC01 has multiple IP addresses, which will cause no end of confusion
- SRVASA-DC02 should also have its own static IP address (192.168.1.250) listed for DNS
- SRVASA-DC03 should also have its own static IP address (192.168.2.250) listed for DNS
- Also check that the route between 192.168.1.254 <-> 192.168.2.254 exists and doesn't block required ports
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains...
- SRVASA-DC02 has many KDC errors, so I'd check the event logs for more details and correct the problems
Nov 02 2020 01:23 PM
Nov 02 2020 01:36 PM
>>> I had 127.0.0.1 listed for DNS. Now I have replaced it with their own IPs according to your suggestion. But no success.
Each domain controller should have its own static IP address listed for DNS, plus loopback (127.0.0.1).
>>> Next step: Fix 2 IPs in DC01 and try again
This will always cause no end of grief for Active Directory Domain Services. What purpose does this serve?
>>>security database has not been started
Seems you caused it by stopping the KDC service.
Nov 03 2020 07:18 PM
Nov 04 2020 12:37 PM - edited Nov 04 2020 02:50 PM
>>> but it doesn't make sense setting it to its own static IP and loopback
Regardless, it is correct.
>>> security database has not been started
Seems you may have brought this on yourself by killing the KDC service.
>>> Link with new logs:
SRVASA-DC01, SRVASA-DC02 and SRVASA-DC03 should also add their own static IP address to the DNS list in the connection properties.
There are still many event log errors to work through. I did not bother trying to translate them; the source and event IDs are unknown without looking in the event logs.
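The checks Dave Patrick keeps asking for in this thread (one IP per DC, the DC's own static address plus 127.0.0.1 in its DNS client list, no RRAS role, KDC running, KDC errors in the event log) can be collected in one pass. The script below is an added example and is not code from the thread or from Microsoft; it assumes it is run in an elevated PowerShell session on each domain controller, with the NetTCPIP, DnsClient and ServerManager modules that ship with Windows Server, and it assumes the KDC event provider name `Microsoft-Windows-Kerberos-Key-Distribution-Center` (the usual provider for the System-log KDC events).

```powershell
# Added example, not from the thread: per-DC self-check for the configuration points raised above.
# Run elevated on each DC. The event provider name below is an assumption (see lead-in).

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. Multi-homing: a DC should carry exactly one routable IPv4 address (loopback and APIPA excluded).
$ips = @(Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.IPAddress -notlike '169.254.*' })
$report['IPv4Addresses'] = ($ips | ForEach-Object { "$($_.InterfaceAlias)=$($_.IPAddress)" }) -join ', '
$report['MultiHomed']    = ($ips.Count -gt 1)

# 2. DNS client list: the DC's own static address AND 127.0.0.1 must both be present on each adapter.
$dnsOk = $true
foreach ($ip in $ips) {
    $servers = @((Get-DnsClientServerAddress -InterfaceIndex $ip.InterfaceIndex -AddressFamily IPv4).ServerAddresses)
    $hasSelf     = $servers -contains $ip.IPAddress
    $hasLoopback = $servers -contains '127.0.0.1'
    if (-not ($hasSelf -and $hasLoopback)) { $dnsOk = $false }
    $report["DnsServers($($ip.InterfaceAlias))"] = ($servers -join ', ')
}
$report['DnsClientConfigOk'] = $dnsOk

# 3. RRAS on a DC is called a show-stopper in the thread; RemoteAccess is the role's feature name.
$report['RRASInstalled'] = (Get-WindowsFeature -Name RemoteAccess).Installed

# 4. KDC must be running: stopping it yields "The security database has not been started".
$report['KdcService'] = (Get-Service -Name kdc).Status.ToString()

# 5. Count KDC error events from the last 24 hours so they can be read before reposting logs.
$kdcErrors = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'   # assumed provider name
        Level        = 2                                                       # Error
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue)
$report['KdcErrorsLast24h'] = $kdcErrors.Count
$report['KdcErrorIds']      = (($kdcErrors | Select-Object -ExpandProperty Id -Unique) -join ', ')

[pscustomobject]$report | Format-List
```

A DC that prints `MultiHomed : True`, `DnsClientConfigOk : False`, `RRASInstalled : True` or `KdcService : Stopped` has at least one of the problems identified in this thread and should be corrected before new dcdiag/repadmin output is collected.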
Dec 08 2020 08:32 PM
@fernandomichels Hi Fernando.
We have the same problem on a customer's domain. We went through weeks of support with MS to no avail. Did you sort it out?
Sep 21 2021 04:00 PM
@adriansheedy did you ever figure this out? I'm facing the same issue now...
Sep 21 2021 04:09 PM
@MichaelMcClintock Sorry no I have no useful direction for you. MS Support was similarly unable to fix the issue. Their final recommendation was to rebuild from scratch. Grrrrr...
Nov 28 2021 05:51 PM
@adriansheedy That's a shame. I've got a server with the same issues and I've been banging my head against a wall for 4 days now trying to sort it.
Dec 05 2021 06:34 AM
Oct 01 2023 02:47 PM
I legit just made an account to thank you. This has been the bane of my existence all weekend. I raised the functional level of our domain/forest from 2003 to 2012 and the "Password Settings Container" object did not get created - which was preventing me from logging into a new DC I am deploying. All other computers/servers would accept login requests except for this new DC. Adding this object solved my problem.
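The last post pins the symptom on a missing "Password Settings Container" object under the domain's System container after a functional-level raise. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module, Domain Admin rights, and the documented object class `msDS-PasswordSettingsContainer` for that container. It reports the current functional levels, checks whether the container exists, and only creates it after an interactive confirmation.

```powershell
# Added example, not from the thread: verify (and optionally create) the Password Settings Container.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$forest   = Get-ADForest
$systemDn = "CN=System,$($domain.DistinguishedName)"
$pscDn    = "CN=Password Settings Container,$systemDn"

# The container is only expected once the domain is at Windows Server 2008 level or higher.
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"

# Get-ADObject -Identity writes a non-terminating error when the DN does not exist; silence it and test for $null.
$psc = Get-ADObject -Identity $pscDn -Properties objectClass -ErrorAction SilentlyContinue

if ($psc) {
    "Password Settings Container present: $($psc.DistinguishedName) (objectClass=$($psc.ObjectClass))"
} else {
    "Password Settings Container MISSING under $systemDn"
    # Create it with the documented object class; -Confirm prompts before writing to the directory.
    New-ADObject -Name 'Password Settings Container' `
                 -Type 'msDS-PasswordSettingsContainer' `
                 -Path $systemDn `
                 -Confirm
    # Re-read to confirm the object replicated locally.
    Get-ADObject -Identity $pscDn -ErrorAction SilentlyContinue | Select-Object DistinguishedName, ObjectClass
}
```

Run it on any writable DC (or an RSAT host bound to one); after creating the object, allow replication to complete before retrying the interactive logon on the new DC.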