0 Votes
WillySmyth-3505 asked, DSPatrick answered

Cannot log into member server when DC is off

My customer has a small office network with a Hyper-V 2019 host running 2 VMs: 1 DC and 1 app server.
The Hyper-V host has been joined to the domain. The problem is that when the DC is switched off we cannot log into the host server
as a domain user (local accounts still work). It reports that there is no authentication server.

We have this configuration on several sites and there is never an issue logging into the host when the DC is off.
In fact this customer has just migrated from a 2012 R2 host that was running the same 2 VMs, and domain users could always
log into the host regardless of whether the DC was on or off.

Tags: windows-server, windows-server-2019

0 Votes
DSPatrick answered, DSPatrick edited

A couple of things to check here.

Number of previous > 1
Allow storage of passwords = Disabled

--please don't forget to Accept as answer if the reply is helpful--

[attached screenshot: image.png]

0 Votes
WillySmyth-3505 answered

I have checked the group policy for the domain and it is set as per your screenshot.
If you are referring to the local policy, I will need to investigate how to access it on the 2019 Core OS.


0 Votes
DSPatrick answered, DSPatrick edited

Yes, also check the local policy. Definitely not out-of-the-box behavior. Might stand up a new one for a quick test.


--please don't forget to Accept as answer if the reply is helpful--


0 Votes
WillySmyth-3505 answered

I agree, it is very definitely not normal behaviour. It is normal practice to be able to log into a domain-joined Windows PC (any flavour) when the DC is off, so long as the user profile exists. I have checked further and domain-joined Windows 10 clients are also failing to log in if the DC is off. I have never seen this before! It is a catch-22 situation, as if I shut down the DC I cannot get access to the host. The only way into the system is to reboot the host, as I have the DC VM set to auto start. I am able to reboot the host by accessing it via RMC or a local non-domain profile.


0 Votes
DSPatrick answered

What happens exactly when you try?


0 Votes
FanFan-MSFT answered

Hi,
Which GPO did you try to check for the following settings?
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Network access: Do not allow storage of passwords and credentials for network authentication

We need to confirm the settings on the server by:
Running CMD as administrator and typing the command: gpresult /h report.html
Then check the output of the command to make sure there are no settings that prevent the caching of credentials.
Please note that domain users need to log on to the server while it is connected to a DC in order to cache their credentials. If it is the first time a domain user logs on when the DC is off, the authentication will fail.

Best Regards,
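An added example, not part of this thread, for reading the local values behind the two security options named above and collecting the gpresult report from PowerShell on a Server 2019 Core host with no gpedit UI. The registry value names are the documented backing values of those two policy settings; the report path is an assumption.

```powershell
# Added example (not from the thread). Reads the two settings discussed above directly
# from the registry, so they can be checked on a Server Core host without gpedit.msc.
function Get-CachedLogonSettings {
    [CmdletBinding()]
    param()

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # "Interactive logon: Number of previous logons to cache (in case domain controller
    # is not available)" is stored as CachedLogonsCount (REG_SZ, default "10").
    # A value of "0" disables cached domain logons, so the only DC being off means
    # no domain user can sign in interactively.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedIsDefault = $null -eq $cached
    if ($cachedIsDefault) { $cached = '10' }   # value absent -> built-in default applies

    # "Network access: Do not allow storage of passwords and credentials for network
    # authentication" is stored as DisableDomainCreds (REG_DWORD; 1 = policy Enabled).
    $noStore = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds `
                -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($null -eq $noStore) { $noStore = 0 }   # value absent -> policy Disabled

    [pscustomobject]@{
        CachedLogonsCount        = $cached
        CachedLogonsCountDefault = $cachedIsDefault
        CachedLogonsEnabled      = ($cached -ne '0')
        DisableDomainCreds       = $noStore
    }
}

# Produce the Resultant Set of Policy report requested above (/f overwrites an existing
# file), then show the effective values. Report path is an assumption for this example.
$report = Join-Path $env:TEMP 'report.html'
gpresult /h $report /f | Out-Null
Get-CachedLogonSettings | Format-List
Write-Output "RSoP report written to $report"
```

Even with CachedLogonsCount above 0, a domain user only has a cached verifier on this host after at least one successful interactive logon while a DC was reachable, as the reply above notes.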


0 Votes
WillySmyth-3505 answered

gpresult does not show any errors and when the policy is checked on a domain member it appears correct.

A bit more background. Until last weekend the host was 2012 R2 and logon was possible whether the DC was on or off - the normally expected behaviour.

A new 2019 Hyper-V host was joined to the network. The app server was migrated using the Hyper-V move options. The DC was backed up and restored using Altaro, as the move option was failing. There were no changes made to the VMs.

As the network is in production I will need to check tonight (GMT time) to verify the exact error when trying to login when the DC is powered off. Thanks for the offers of help to date.


0 Votes
DSPatrick answered

"The DC was backed up and restored"

This is never a good move. The cleaner and much safer method is to stand up a new one for replacement at destination.

--please don't forget to Accept as answer if the reply is helpful--


0 Votes
WillySmyth-3505 answered

I accept that the documented way is to stand up a new DC. The client has office files stored on the existing DC with comprehensive folder permissions which would have needed to be reconfigured. Surely with a single DC, backing up and restoring with Altaro should not be an issue - it is a supported and documented procedure within the Altaro software.
If this has caused the problem and there is no other solution I can deploy another VM and promote to DC.
I will get the exact logon error message later this evening.


0 Votes
DSPatrick answered

"If this has caused the problem"

Hard to say really, just a bad practice. In a virtual world there's really no reason to complicate things by storing office files and such on a domain controller.

"I will get the exact logon error message later this evening."

Sounds good.