Microsoft Tech Community

"The security database has not been started" after promote new DC

Hi,

I have two DC with W2K12 and W2K16. Recently, I've promoted a new server W2K19 as a domain controller.

All the process was successfully executed and after the first reboot, I can't do an interactive login.

I get the message "The user name or password is incorrect. Try again"

 

If I stop KDC service, I'm able to login to VM.


And when I try to change a user password, connected in this new DC, I get this message:

"Windows cannot complete the password change for <user> because: The security database has not been started"

 

I've checked DNS with DCDIAG and replication with the AD Replication Status Tool; everything seems to be OK.

 

Could someone help me, please?

20 Replies

Please run;

- Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
- repadmin /showrepl >C:\repl.txt
- ipconfig /all > C:\dc1.txt
- ipconfig /all > C:\dc2.txt
- ipconfig /all > C:\dc3.txt



then put **unzipped** text files up on OneDrive and share a link.


Hi @Dave Patrick . I really appreciate any help.

 

Log files are on: https://1drv.ms/u/s!Am8pbgsXRHYGiNxIIAqLPaNB7l64Zw?e=bgZEy1

 

SRVASA-DC01 - Old DC W2K19

SRVASA-DC03 - Old DC W2K16

SRVASA-DC04 - New DC WK19 with problems

SRVASA-DC05 - it was another try, unsuccessful too. I already demoted it.

 

I found these error messages in DCDIAG on DC04:

SRVASA-DC03.isGlobalCatalogReady = 1 
Got error while checking if the DC is using FRS or DFSR. Error:
The operation being requested was not performed because the user has not been authenticated.
The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.

 

   Testing server: Matriz\SRVASA-DC01

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         Failure Analysis: SRVASA-DC01 ... OK.
         * Active Directory RPC Services Check
         [SRVASA-DC01] DsBindWithSpnEx() failed with error 5,

         Access is denied..
         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... SRVASA-DC01 failed test Connectivity

Testing server: Filial\SRVASA-DC03

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         Failure Analysis: SRVASA-DC03 ... OK.
         * Active Directory RPC Services Check
         [SRVASA-DC03] DsBindWithSpnEx() failed with error 5,

         Access is denied..
         Got error while checking LDAP and RPC connectivity. Please check your

         firewall settings.

         ......................... SRVASA-DC03 failed test Connectivity

There is no firewall enabled on either server.

Please do not zip the files.

SRVASA-DC01 has the RRAS role installed.
SRVASA-DC03 has the RRAS role installed.
Multi-homing a domain controller will always cause no end of grief for Active Directory domain DNS. Remove the RRAS role and, if it's still needed, stand up dedicated member servers for this role. I did not look at the other files since these are show stoppers. After correcting these problems, if issues persist, put up a new set of files to look at.

 

 (please don't forget to mark helpful replies)

Hi @Dave Patrick 

I've disabled the RRAS role on both DCs and it didn't work.

Afterwards, I demoted SRVASA-DC04, created a new VM called SRVASA-DC02 and promoted it to a DC, but that didn't work either.

Please find the logs below

https://1drv.ms/u/s!Am8pbgsXRHYGiNxGCTpBO7GmtSzzAw?e=PuMcRk

 

Thanks for helping.

Link is broken. This item might have been deleted, expired, or you might not have permission to view it. Contact the owner of this item for more information.

- SRVASA-DC01 has multiple IP addresses, which will cause no end of confusion
- SRVASA-DC02 should also have its own static (192.168.1.250) IP address listed for DNS
- SRVASA-DC03 should also have its own static (192.168.2.250) IP address listed for DNS
- Also check that the route between 192.168.1.254 <-> 192.168.2.254 exists and doesn't block required ports
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains...

- SRVASA-DC02 has many KDC errors so I'd check the event logs for more details and correct problems

I don't think the problem is multiple IPs on DC01, but I will fix it.

I had the 127.0.0.1 IP listed for DNS. Now I have replaced it with their own IPs according to your suggestion, but with no success.

Communications between two sites are OK.
KDC Errors are because security database is not ready and can't login.

Next step: Fix 2 IPs in DC01 and try again, but I'm running out of hope :(
Could you suggest something new?

>>> I had the 127.0.0.1 IP listed for DNS. Now I have replaced it with their own IPs according to your suggestion, but with no success.

Each domain controller should have its own static IP address listed for DNS plus loopback (127.0.0.1).

>>> Next step: Fix 2 IPs in DC01 and try again

This will always cause no end of grief for Active Directory Domain Services. What purpose does this serve?

>>> security database has not been started

Seems you caused it by stopping the KDC service.

Hi Dave,

Step 1: I changed DNS, but in my opinion the correct recommendation is: each DC should have another static IP address plus loopback (127.0.0.1).
Sorry, but it doesn't make sense to set it to its own static IP and loopback, right?

Step 2: I've removed the second IP on DC01. There was no reason to have 2 IPs.

Step 3: I've promoted DC02 again as a Domain Controller and I'm getting the same error message:
I can't log in over RDP, and if I choose this new Domain Controller in the ADUC console I receive "The security database has not been started" when creating or changing a user password.
I'm only able to log in over RDP if I stop the KDC service; otherwise I receive the message that the user name or password is incorrect.

Link with new logs:
https://1drv.ms/u/s!Am8pbgsXRHYGiNxGJfi3_djRITXsZg?e=SMXjZP

>>> but doesn't make sense setting to its own static IP and loopback

Regardless, it is correct.

 

>>> security database has not been started

Seems you may have brought this on yourself by killing the KDC service.

 

>>> Link with new logs:

SRVASA-DC01, SRVASA-DC02 and SRVASA-DC03 should also have their own static IP address listed for DNS in the connection properties.


Still many event log errors to work through. I did not bother trying to translate them; the source and event IDs are unknown without looking in the event logs.

@fernandomichels Hi Fernando.

We have the same problem on a customer's domain. We went through weeks of support with MS to no avail. Did you sort it out?

@adriansheedy did you ever figure this out? I'm facing the same issue now...

@MichaelMcClintock Sorry no I have no useful direction for you. MS Support was similarly unable to fix the issue. Their final recommendation was to rebuild from scratch. Grrrrr...

@adriansheedy That's a shame. I've got a server with the same issues and I've been banging my head against a wall for 4 days now trying to sort it.

Finally got this sorted. It turns out that during the domain functional level raise operation, the "Password Settings Container" object did not get created.

I used ADSIEdit to create this manually (object type is msDs-PasswordsettingsContainer and the DN for the object is: CN=Password Settings Container,CN=System,DC=MYDOMAIN,DC=local).

Hope this helps someone in the future.
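As an added example (not from the thread or from Microsoft), the check and fix above in PowerShell: it looks for the Password Settings Container under CN=System on every DC, and can create it on a healthy DC so it replicates. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that the domain functional level is already 2008 or higher; the function names are my own.

```powershell
# Added example, not from the thread: verify the "Password Settings Container"
# (schema class msDS-PasswordSettingsContainer) exists under CN=System on each
# DC and, if missing, create it on a healthy DC. Assumes RSAT ActiveDirectory
# module and Domain Admin rights. Function names are this example's own.
Import-Module ActiveDirectory

function Test-PasswordSettingsContainer {
    [CmdletBinding()]
    param([string]$Server = $env:COMPUTERNAME)

    $domain = Get-ADDomain -Server $Server
    $pscDn  = "CN=Password Settings Container,CN=System,$($domain.DistinguishedName)"
    # The container is only expected at Windows Server 2008 functional level or later.
    Write-Verbose "Domain functional level seen from ${Server}: $($domain.DomainMode)"
    try {
        $obj = Get-ADObject -Identity $pscDn -Server $Server -Properties objectClass -ErrorAction Stop
        return [pscustomobject]@{ Server = $Server; Exists = $true;  ObjectClass = $obj.objectClass; DN = $pscDn }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return [pscustomobject]@{ Server = $Server; Exists = $false; ObjectClass = $null; DN = $pscDn }
    }
}

function Repair-PasswordSettingsContainer {
    # Create the container on a working DC (not the broken one, which refuses binds).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Server)

    $state = Test-PasswordSettingsContainer -Server $Server
    if ($state.Exists) { return $state }

    $systemDn = ($state.DN -split ',', 2)[1]          # "CN=System,DC=..."
    if ($PSCmdlet.ShouldProcess($state.DN, 'Create msDS-PasswordSettingsContainer')) {
        New-ADObject -Name 'Password Settings Container' -Type 'msDS-PasswordSettingsContainer' `
                     -Path $systemDn -Server $Server -ErrorAction Stop
    }
    return Test-PasswordSettingsContainer -Server $Server
}

# Report which DCs hold the object; the affected DC may fail the bind (error 5), so
# catch that separately instead of treating it as "missing".
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    try   { Test-PasswordSettingsContainer -Server $dc.HostName }
    catch { [pscustomobject]@{ Server = $dc.HostName; Exists = 'bind failed'; ObjectClass = $null; DN = $_.Exception.Message } }
} | Format-Table Server, Exists, ObjectClass -AutoSize
```

Run `Repair-PasswordSettingsContainer -Server <healthy DC> -WhatIf` first to see the DN it would create, then re-run the report after replication to confirm the new DC has it.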

@themoblin 
I legit just made an account to thank you. This has been the bane of my existence all weekend. I raised the functional level of our domain/forest from 2003 to 2012 and the "Password Settings Container" object did not get created - which was preventing me from logging into a new DC I am deploying. All other computers/servers would accept login requests except for this new DC. Adding this object solved my problem.