  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 750

Domain controller unable to log into Windows error

Dear Experts,

First of all let me explain that for the purpose of this post I shall be talking about the PDC (primary domain controller). I know this doesn't exist in the Win 2003 world, but for ease of explaining this post it kind of makes sense to me; I hope it does to you.

On Saturday I had to do some maintenance that involved turning ALL servers OFF.
This is because the KVM switch needed replacing.
I gracefully closed all servers down, with the Primary DC being last.

I have my Active Directory spread over 3 DCs with the FSMO roles on ONE PDC. I have not yet spread the FSMO roles across DCs; the 3 DCs replicate between themselves. I have done this by running DCPROMO on a member server x2 and followed the instructions.

I have DNS running on 2 servers, and the 3 DCs are Global Catalogues as well (as it is not a particularly huge domain).

OK, I plugged the PDC into the new KVM switch and turned it on.
Because I was having trouble with the KVM switch displaying on the monitor, I was only able to log onto the PDC using Remote Desktop.
This was OK until... message = "Domain Unavailable please contact your administrator"
Please note that I was logging onto the PDC with a Domain admin login... and so effectively the PDC couldn't log onto its own self?

So I panicked and things started going in slow motion... I thought I had lost the domain, and I felt sick.

Please can someone explain why it is that the PDC took 25 mins to allow me to finally log in to it and bring the domain back up?

Also, IF the unthinkable had happened and the PDC was dead (thank goodness it decided to play ball), what would be the procedure for bringing 1 of the other 2 DCs into the role of PDC? If I was unable to log in to the domain on the PDC, what hope would I have had finding the domain on the other DCs?

My nerves are shredded I can tell you.

Thanks
Miff
Asked by: Miffanwee

3 Solutions

cohenphil commented:
Hi Miff,

Glad to hear that you're not posting out of desperation but just the thirst for knowledge.

Your "PDC" may have stalled for a variety of reasons; did you check the event logs for clues? Primarily slow boots are related to network resources being unavailable. Most likely cause is a DNS misconfiguration -- do you have your "PDC" pointing to itself or another DC?
Additionally, system services may have been relying on a file that was unavailable; if it's hosting Exchange the store might have had some issues loading.

Now in regards to recovery in the event of a disaster -- since you're pretty well set up with multiple DCs and Global Catalogs you wouldn't have too many things to worry about besides a bit of downtime.
What you would need to do is bring up your other DCs; they will continue to function, being that they are holding replicas of the domain. However you would have to transfer the operations master role and a few others... (technically it's seize really, since your 'PDC' is offline).

In short this is done using the command NTDSUTIL on a backup DC... once the roles have been transferred to the BDC it will actually be the PDC. Then you can go about rebuilding it and rejoining it as a member server, dcpromo and transfer the roles back.

Rather than re-write what's already out there, I'll give you a link or two to explain the process in detail.

http://geekswithblogs.net/mhamilton/archive/2007/04/15/111674.aspx
http://technet.microsoft.com/en-us/library/cc535164.aspx

Btw, why did you shut down all your servers to replace a KVM? Monitor, KB, mouse... not essential to operations; I would have changed it on the fly.

Anyway, hope this helps; let me know if you need some clarification. It's late and I should have been asleep long ago.

Cheers,
Philco
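An added example, not from cohenphil's post or the linked articles, of the seizure step he describes, scripted in PowerShell on the surviving DC (Windows Server 2003 or later). The DC name DC2 is an assumption; on 2003, netdom comes from the Support Tools rather than the base install.

```powershell
# Added example (not from the original thread): seize the five FSMO roles onto
# a surviving DC when the role holder is permanently dead. Run elevated on the
# surviving DC. "DC2" is an assumed name; replace it with your own DC.
# Only do this if the old holder will never come back: once a role is seized,
# booting the old machine again would give the directory two owners of it.
$SurvivingDc = "DC2"   # assumption: the DC that will take the roles

# Who holds the roles now? This reads the surviving DC's own replica of the
# directory, so it works while the dead DC is unreachable.
netdom query fsmo

# ntdsutil accepts its interactive commands as quoted arguments, so the whole
# sequence can be scripted instead of typed at the ntdsutil: prompt.
# Each "seize" first attempts a graceful transfer and only then seizes;
# each one also pops a Yes/No confirmation dialog that must be answered.
$cmds = @(
    "roles",
    "connections",
    "connect to server $SurvivingDc",
    "quit",
    "seize schema master",
    "seize domain naming master",
    "seize RID master",
    "seize PDC",
    "seize infrastructure master",
    "quit",
    "quit"
)
& ntdsutil.exe $cmds

# Confirm all five roles now point at the surviving DC.
netdom query fsmo

# Next step (not shown): clean the dead DC's metadata out of the directory
# (ntdsutil "metadata cleanup") before rebuilding it and running dcpromo.
```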
leegclystvale commented:
You would need to seize the FSMO roles of the dead DC on another DC.
This article is a step by step guide: http://www.petri.co.il/seizing_fsmo_roles.htm
You would also need to set up your DNS again, and I would use AD Integrated zones to do this. Also DHCP will be a slight problem, although not insurmountable. I personally would look at having DNS and DHCP on different servers, but that's just me.
DHCP cannot be restored from a backup, so you have to recreate it, losing all your reservations, which is a PAIN! You can however move it gracefully, but you need to pre-empt a server crash :o)
I can't say why it takes so long to log in, but I know that when I have shut all my servers down, it can take ages for everything to come back up again, and that includes logging onto the DC. Not sure about 25 mins though, but certainly long enough to sometimes worry about :o) You also need to consider that when the servers are shut off, the traffic from clients is potentially vast, and when they are booted up again, also pretty large, as everything will start to see everything else and mentalness may occur.
Hope that helps a bit. Cheers
SweetJ21 commented:
First off, check the Event Viewer for errors or warnings related to your attempted logins earlier. Usually a good Google will tell you exactly what happened, and if not, the Experts here are pretty good with error codes.

As for seizing the FSMO roles from another machine, check these KB articles:
http://support.microsoft.com/kb/324801
http://support.microsoft.com/kb/255504/en-us
Miffanwee (Author) commented:
Thanks for quick responses from All.

@cohenphil - Sorry to keep you awake; goodness knows what country you are in...
In answer to your DNS question, it is pointing to itself as primary DNS, and the secondary is the other DC that was turned off at the time.
Miff
Miffanwee (Author) commented:
@cohenphil, again....the Exchange Server was turned off at the time.

Also, I turned everything off as I was following the instructions for the Belkin Pro3 8-port KVM switch, which stated that the servers must be brought up one by one.
You mention "bring up your other DCs"; my question still stands... How, if I cannot log onto the domain with the PDC?
Would I have to log onto the other DC using the system recovery login?

@SweetJ21... I checked the event logs for the login error and here is the result:

Event Type:      Error
Event Source:      Winlogon
Event Category:      None
Event ID:      1219
Date:            15/11/2008
Time:            10:18:03
User:            N/A
Computer:      servername
Description:
Logon rejected for DOMAINNAME\admin. Unable to obtain Terminal Server User Configuration. Error: The specified domain either does not exist or could not be contacted.
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 4b 05 00 00               K...    

Event Type:      Error
Event Source:      Userenv
Event Category:      None
Event ID:      1053
Date:            15/11/2008
Time:            10:23:21
User:            NT AUTHORITY\SYSTEM
Computer:      servername
Description:
Windows cannot determine the user or computer name. (The system detected a possible attempt to compromise security.  Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And in the DNS Log --
Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            15/11/2008
Time:            10:03:27
User:            N/A
Computer:      servername
Description:
The DNS server was unable to complete directory service enumeration of zone domainname.local.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    

@leegclystvale ---- This was all done on Saturday; no clients were using the network, and remote users were told not to log on for the duration. So network traffic would have been nothing to talk about, I think, as ALL servers were switched off.
Thanks
Miff
leegclystvale commented:
All your machines will be authenticating and renewing DHCP etc., the DC may try replicating etc. when brought back up; there can be a fair amount of traffic when servers go missing and a network of machines is turned on.
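The three events Miff pasted tell a story when put in time order: the DNS server could not load its AD-integrated zone at 10:03 (DNS 4004), and domain logons were being rejected at 10:18 (Winlogon 1219) on a DC whose only reachable DNS server was itself. The PowerShell check below is an added example, not from anyone in the thread; it pulls those same event IDs from a DC's own logs (Get-EventLog reads the classic logs a 2003/2008 DC writes) and tests for that self-only DNS configuration.

```powershell
# Added example (not from the original thread): on a DC that runs its own DNS,
# look for the boot-order trap seen in Miff's logs. The DNS service starts
# before the directory is ready and cannot load the AD-integrated zone (4004);
# a DC that resolves only via itself then cannot locate its own domain, so
# Winlogon rejects domain logons (1219) and Group Policy aborts (Userenv 1053)
# until the zone load retries succeed. Run on the DC; window is the last 24h.
$since = (Get-Date).AddHours(-24)

# 1. Where does this DC send its own DNS queries?
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$selfIps    = $nic | ForEach-Object { $_.IPAddress }
$dnsServers = $nic | ForEach-Object { $_.DNSServerSearchOrder }
$otherDns   = @($dnsServers | Where-Object { $selfIps -notcontains $_ })
$pointsToSelfOnly = ($otherDns.Count -eq 0)
"DNS client list: $($dnsServers -join ', ')  (self only: $pointsToSelfOnly)"

# 2. Collect the three event types from the thread, oldest first.
#    4004 lives in the "DNS Server" log, 1219 in System, 1053 in Application.
$events = @(
    Get-EventLog -LogName 'DNS Server' -After $since -EntryType Error |
        Where-Object { $_.EventID -eq 4004 }
    Get-EventLog -LogName System -After $since -Source Winlogon |
        Where-Object { $_.EventID -eq 1219 }
    Get-EventLog -LogName Application -After $since -Source Userenv |
        Where-Object { $_.EventID -eq 1053 }
) | Sort-Object TimeGenerated

$events | Format-Table TimeGenerated, Source, EventID -AutoSize

# 3. Interpretation: a zone-load failure that precedes the first rejected
#    logon, on a DC with only its own address in the DNS list, is the
#    dependency loop, not a lost domain. The fix is to list another DC's
#    address as well (or bring that DC up first) so the zone can load.
$firstDns   = $events | Where-Object { $_.EventID -eq 4004 } | Select-Object -First 1
$firstLogon = $events | Where-Object { $_.EventID -eq 1219 } | Select-Object -First 1
if ($firstDns -and $firstLogon -and
    ($firstDns.TimeGenerated -lt $firstLogon.TimeGenerated) -and $pointsToSelfOnly) {
    "AD-integrated zone failed to load before logons were rejected, and this DC"
    "resolves only via itself: add a second DC to the DNS client list."
}
```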
Miffanwee (Author) commented:
Understood; however this was the PDC only, unable to log into itself or recognise its own domain, and no other server or client was turned on.

Miff
Miffanwee (Author) commented:
Thank you all very much for your prompt help and advice.
Kind Regards
Miff