?
Solved

SBS2003 User Cannot Access companyweb or Network Shares After Password Change with Server Offline

Posted on 2013-06-25
7
Medium Priority
?
998 Views
Last Modified: 2016-11-23
We had this company's Dell PowerEdge 840 in for repair (PERC Card failed). While the server was offline, a user got a prompt to change his password (domain password policy), which he did. We put the server back in today and everything worked as expected with the other users. They were able to access shares, companyweb, etc. But this one user that changed his password while the server was offline, we cannot get him to connect to anything on the server. Tried changing the password from the server, from the client, nothing works. He can log into the domain with whatever the password is set to, BUT when he attempts to access a share or companyweb, he gets a login prompt and NOTHING we use there will get him access. Client OS is either XP or Win 7. Attempting to verify that now.

Additional config info: DHCP is being handled by the router, not SBS2003. DHCP delivers the server IP address as primary DNS and Google's public DNS server as secondary. This is so, with the server down, the IP phones and Internet browsing from the clients still works.
0
Comment
Question by:tcianflone
7 Comments
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39277517
DHCP is being handled by the router, not SBS2003. DHCP delivers the server IP address as primary DNS and Google's public DNS server as secondary.

I sense that you may know this, but this is not a supported configuration.  DHCP on SBS (so it knows where the computers are and can update DNS appropriately) and only the SBS svr configured as DNS svr is the supported config.
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 39277639
Agreeing that DHCP should be on the SBS.  adding that all the nics in all the systems should point to the SBS for DNS and in the DNS app on the SBS you use the ISP DNS servers, (or other known good DNS servers) as forwarders.  The CEICW wizard fixes all that for you after you turn off DHCP on the router.

It the SBS is off line then you can turn on the DHCP server on the router, turning it off again when the SBS comes back on line.

As for your current condition, sounds like the user is out of sync in AD.  There are probably solutions to all of this but I would most like export his OST to pst, verify that as the admin I could move his redirected documents to a safe place, then remove the user, create a new one, import the mail and put the documents back in his My Documents folder.  They will redirect if that policy is in place.  Should be less complicated than messing with the AD.

You can read more about tombstoned objects here:

http://windowsitpro.com/windows-server-2003/ad-tombstone-objects
0
 
LVL 27

Accepted Solution

by:
Steve earned 1500 total points
ID: 39278254
password resets are updated on the DC (PDC) but as the DC was not available at the time it's all gone wrong. I'm surprised it let them change the password without the DC in the first place!

try logging into webmail as the user to establish if the user account is screwed or not, and also to confirm exactly which password is currently active on the DC.

You probably best to remove the PC from the domain via a PC local administrator account, and then re add it.

This may reset accounts and force it to refresh the AD uses that can log on.
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 1

Author Comment

by:tcianflone
ID: 39280076
Yes, I know about the recommended SBS configuration regarding DHCP services. I inherited this site and all the while it has been running fine with the non-recommended config, i.e., the router running DHCP. I checked the DNS records for the PC's today, including the problem PC. The DNS records are up to date, meaning they have the correct IP addresses. The client can ping the SBS by short name and fqdn, and vice versa. The login from the problem PC works fine as well, the password change is being registered by the DC.

I tried creating another account for this user, logged into it, and then I could access the SBS shares no problem. BUT, I still could NOT access the companyweb site!!! Got the login prompt for that and could not connect no matter what I tried from that prompt. Why would the DC authenticate me for login, shares, but NOT the companyweb???
0
 
LVL 27

Expert Comment

by:Steve
ID: 39280592
as advised above, just remove the PC from the domain. chuck in a reboot and re add it. this should reset its security cache etc.
0
 
LVL 1

Author Comment

by:tcianflone
ID: 39296314
The plan is to rebuild the client machine from scratch because there are a lot of other issues with it. Once I do that then rejoin it to the domain, I will report back with results and close the question. Thanks.
0
 
LVL 27

Expert Comment

by:Steve
ID: 39300182
If the PC has issues anyway then rebuilding certainly isnt a bad idea.
rebuilding it will also work as the security cache will be created from scratch anyway.
0

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Organisation is organized in a pattern to flow the day to day business, every application and system is interdepended on each other and when very important “Exchange Server downtime” happened.
In this video I will demonstrate how to set up Nine, which I now consider the best alternative email app to Touchdown.
If you are looking for an automated solution for backup single or multiple Office 365 user mailboxes to Outlook data file, then you can use Kernel Office 365 Backup & Restore tool. Go through the video to check out the steps to backup single or mult…
Suggested Courses
Course of the Month6 days, 20 hours left to enroll

594 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question