EnricoZocca-2446 asked ·

Unable to log on to Domain Controller after reboot

Hello, in a large AD environment we have the same issues reported on the page below:

https://social.technet.microsoft.com/Forums/en-US/912d062b-3168-4782-a128-604223fd0636/unable-to-log-into-domain-controller-after-reboot?forum=ws2016

Often when I reboot a domain controller at a branch office I'm not able to log on, with the same issue:

System is restarted using the restart option in Windows. Server appears to start normally. Press CTRL-ALT-DEL to get a login prompt. User is administrator (or any other domain admin account), enter password and hit enter or click the arrow. The cursor is moved back to the beginning of the password field and the previously entered password remains.

This issue seems to have started after we raised the domain functionality level from 2003 to 2008 R2. Note: PDC is still on 2008 R2.
After that there is no way to log on to the DCs; only after many, many reboots does the server accept credentials. Same issue if I try to isolate the domain controller from the network.
New domain controllers are also affected by this problem; immediately after promotion we are still not able to connect.

The same errors reported on the thread appear in the event viewer.

We have been working around this issue for many days; time is correct on every DC.

Thanks in advance for the help to resolve this issue.
Enrico Z.


windows-active-directory windows-server-security windows-server-2012

Can you run "dcdiag /e /c /v /f:c:\temp\dcdiag.txt" and post the output?

0 Votes 0 · ·

Hello Fabian-7704, thank you for the reply.
Attached is the log generated on a DC with the issue.
Let me know if you need any other kind of information.

Enrico

28318-dcdiag.txt


0 Votes 0 · ·
dcdiag.txt (1.1 MiB)
Fabian-7704 EnricoZocca-2446 ·

As a community user I can only advise you to search the dcdiag log for "failed test" and work through the errors one by one. You can start with the simple test (dcdiag /e /c without /v). Due to the number of domain controllers your environment does not seem to be very small, so I suggest opening a ticket at Microsoft.

0 Votes 0 · ·
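The log search suggested in the comment above, as an added PowerShell example that is not part of the original thread: it extracts the pass/fail verdict lines from a dcdiag log and groups the failures by test, so a failure shared by several DCs stands out in a 1 MiB log. It assumes English-language dcdiag output; `Get-DcdiagResult` is a hypothetical helper name and the sample log is constructed.

```powershell
# Added example: pull the pass/fail verdict lines out of a dcdiag log.
# Assumes English-language dcdiag output; Get-DcdiagResult is a hypothetical name.
function Get-DcdiagResult {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]   # logs contain blank lines
        [string]$Line
    )
    process {
        # Verdict lines look like: "......................... DC01 failed test Advertising"
        if ($Line -match '^\s*\.{5,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)\s*$') {
            [pscustomobject]@{
                Target = $Matches['Target']
                Test   = $Matches['Test']
                Passed = ($Matches['Result'] -eq 'passed')
            }
        }
    }
}

# Constructed sample in the layout dcdiag writes; site and server names are made up.
$sample = @'
   Testing server: Branch-Site\DC-BRANCH01
      Starting test: Advertising
         ......................... DC-BRANCH01 failed test Advertising
      Starting test: Services

         ......................... DC-BRANCH01 failed test Services
   Testing server: Branch-Site\DC-BRANCH02
      Starting test: Advertising
         ......................... DC-BRANCH02 failed test Advertising
   Testing server: HQ-Site\DC-HQ01
      Starting test: Advertising
         ......................... DC-HQ01 passed test Advertising
'@ -split "`r?`n"

# For a real log: Get-Content C:\temp\dcdiag.txt | Get-DcdiagResult
$results = $sample | Get-DcdiagResult

# Group failures by test name so a failure shared by several DCs stands out.
$results | Where-Object { -not $_.Passed } |
    Group-Object -Property Test |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Test    = $_.Name
            Count   = $_.Count
            Targets = ($_.Group.Target | Sort-Object -Unique) -join ', '
        }
    }
```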
DaisyZhou-MSFT answered ·

Hello @EnricoZocca-2446,

Thank you for posting here.

1. Based on "Often when I reboot a domain controller at a branch office I'm not able to log on, with the same issue", do you mean that when you reboot any one DC in the forest, this DC will have such an issue?

2. Or only when you reboot this specific DC will this DC have such an issue?

3. Based on "New domain controllers are also affected by this problem; immediately after promotion we are still not able to connect", do you mean the issue is replicated between all the DCs in the forest?

Meanwhile, check the information below:

  1. Check if the AD environment is healthy. Check whether all DCs in this domain are working fine by running Dcdiag /v on each DC.

  2. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on each DC.

  3. Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.

  4. Check that we can run gpupdate /force on each DC successfully.


Best Regards,
Daisy Zhou

EnricoZocca-2446 answered ·

Hello @DaisyZhou-MSFT,

Thank you for the reply.

1. Based on "Often when I reboot a domain controller at a branch office I'm not able to log on, with the same issue", do you mean that when you reboot any one DC in the forest, this DC will have such an issue? No, all 2012 R2 DCs are affected. 2008 R2 seems OK.

2. Or only when you reboot this specific DC will this DC have such an issue? No, all 2012 R2 DCs have this issue.

3. Based on "New domain controllers are also affected by this problem; immediately after promotion we are still not able to connect", do you mean the issue is replicated between all the DCs in the forest? Yes. For testing purposes we promoted a fresh new 2012 R2 server to DC; after the first reboot, logon "hangs", whereas a fresh new 2008 R2 DC works without any issue.

We notice that AD replicates correctly on all DCs, even when the DCs are in this strange "stall mode".
Keep in mind that this issue was observed immediately after we demoted all 2003 DCs and raised the forest/domain functional level to 2008 R2.
The condition the domain controllers are in after the reboot is strange: some services do not start (for example MSDTC). If you type the password at the logon screen and press Enter, it does not work; even if you press the arrow next to the password field, it does not work.
If you reboot the DC 10-20 or 30 times it may be that the services start and accept the credentials. The only condition in which you can log on is safe mode. When the DC starts correctly and you restart "Active Directory Domain Services", the services do not restart; you have to restart the DC and start again.
When the DC is in "stalled mode" you can remotely manage the event viewer but not the services or the registry.

Check if the AD environment is healthy. Check whether all DCs in this domain are working fine by running Dcdiag /v on each DC. We are checking the log as suggested by @Fabian-7704. File is attached: 28290-dcdiag-full.txt

Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on each DC. Replication works fine.

Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC. Up and running on all DCs.

Check that we can run gpupdate /force on each DC successfully. Update is successful.

Regards.

Enrico



dcdiag-full.txt (1.1 MiB)

Hello @EnricoZocca-2446,

Thank you for your update.

1. Do you install any third-party apps or programs on all the 2012 R2 DCs?

2. Or do you run any third-party services on all the 2012 R2 DCs?

3. Do you install all the updates on all the 2012 R2 DCs?

4. Do you install the same image for these 2012 R2 DCs?

5. Are all these 2012 R2 DCs running the same operating system (run winver to check)?



Best Regards,
Daisy Zhou

0 Votes 0 · ·
EnricoZocca-2446 answered ·

Hello @DaisyZhou-MSFT

1. Do you install any third-party apps or programs on all the 2012 R2 DCs? No, AV was removed for test purposes.

2. Or do you run any third-party services on all the 2012 R2 DCs? No.

3. Do you install all the updates on all the 2012 R2 DCs? Yes, because production DCs are up to date; and no, we also tested with a fresh installation without patches.

4. Do you install the same image for these 2012 R2 DCs? Fresh install with 2 different ISOs.

5. Are all these 2012 R2 DCs running the same operating system (run winver to check)? Yes.

Thank you
Enrico




Hello @EnricoZocca-2446,

We can try to add a 2016 DC in the existing domain, then check if the issue persists on new 2016 DC.


Best Regards,
Daisy Zhou


0 Votes 0 · ·
EnricoZocca-2446 answered ·

No, we don't want to add a 2016 DC because it requires a schema extension and, at this moment, we wouldn't like to create a new point of failure. Has anyone had this kind of issue? Could you please give us some help to open a case?

Regards
Enrico Zocca


Hello @EnricoZocca-2446,

Thank you for your update.

We can open a case based on the following links.

https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

Thank you for your understanding and support.


Best Regards,
Daisy Zhou

0 Votes 0 · ·