RE: SOLUTION Re: cannot logon after dcpromo

From: Bob Qin [MSFT] (bobqin_at_online.microsoft.com)
Date: 08/30/04

Next message: Bob Qin [MSFT]: "RE: [Q] How to list files in an installed software package"

Previous message: Jerold Schulman: "Re: [Q] How to list files in an installed software package"
In reply to: peter: "SOLUTION Re: cannot logon after dcpromo"
Messages sorted by: [ date ] [ thread ]

Date: Mon, 30 Aug 2004 03:03:40 GMT

Hi Peter,

Do you mean the "Enforce User Logon Restrictions" setting in Kerberos
policy? By default, the policy is enabled and should only be disabled in
rare circumstances.

Here is the information on the Kerberos policy settings themselves:

http://www.microsoft.com/technet/Security/topics/issues/w2kccadm/Win2kpol/w2
kadm09.mspx

Please make sure that you have those policies correctly configured in the
"Default Domain Policy"

In addition, Kerberos security depends on time, if the times are over 5
minutes apart then kerberos fails.

To configure an authoritative time server in Windows, please refer to the
following articles.

How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/?id=216734

The Windows Time Service
http://www.microsoft.com/windows2000/docs/wintimeserv.doc

Wish it helps.

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
      From: "peter" <anonymous@discussions.microsoft.com>
      Subject: SOLUTION Re: cannot logon after dcpromo
      Date: Fri, 27 Aug 2004 02:14:33 -0700
      Newsgroups: microsoft.public.win2000.advanced_server

      I figured out that turning off settings
      for Kerberos policy fixed the situation

      adm tools -> domain security -> kerberos policy

      i turned off everything and the issue
      is under control by now


      thanks for your help guys



>-----Original Message-----
>I am very glad to hear that the problem has been resolved.
>
>If you have any further questions or concerns, please
      feel free to post
>here. It is our pleasure to be of assistance.
>
>Have a nice day!
>
>Regards,
>Bob Qin
>Microsoft Online Partner Support
>
>Get Secure! - www.microsoft.com/security
>
>====================================================
>When responding to posts, please "Reply to Group" via
      your newsreader so
>that others may learn and benefit from your issue.
>====================================================
>This posting is provided "AS IS" with no warranties, and
      confers no rights.
>
>--------------------
> From: "peter" <anonymous@discussions.microsoft.com>
> Subject: Re: cannot logon after dcpromo
> Date: Thu, 19 Aug 2004 08:20:00 -0700
> Newsgroups: microsoft.public.win2000.advanced_server
>
> the problem has probably been solved,
> i will post again if it hasnt
>
> thanks for your help
>
>
> >-----Original Message-----
> >Hi Peter,
> >
> >Thanks for your posting here.
> >
> >As you mentioned that the problem occur on all the
      DCs
> and clients in your
> >network. When the problem occur is your old DC
      online?
> Did you have DNS
> >service installed on the new DC?
> >
> >If so, I recommend that you point all the DCs to
      itself
> in the DNS settings
> >and point all the clients to the old DC as the DNS
> server. Please do not
> >point any server to the public DNS server.
> >
> >Now refer to the following document to set the
      time
> service on DCs and
> >clients.
> >
> >How to Configure an Authoritative Time Server in
      Windows
> 2000
> >http://support.microsoft.com/default.aspx?
      scid=kb;EN-
> US;216734
> >
> >Have a nice day!
> >
> >Regards,
> >Bob Qin
> >Microsoft Online Partner Support
> >
> >Get Secure! - www.microsoft.com/security
> >
>
>====================================================
> >When responding to posts, please "Reply to Group"
      via
> your newsreader so
> >that others may learn and benefit from your issue.
>
>====================================================
> >This posting is provided "AS IS" with no
      warranties, and
> confers no rights.
> >
> >.
> >
>
>
>.
>

Next message: Bob Qin [MSFT]: "RE: [Q] How to list files in an installed software package"

Previous message: Jerold Schulman: "Re: [Q] How to list files in an installed software package"
In reply to: peter: "SOLUTION Re: cannot logon after dcpromo"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: scripted logon
... Why can't you launch all the scripts from a Group Policy based Logon script. ... Here's the policy settings (I sure hope word wrap doesn't mess it up too ... Windows Components/Windows Installer ...
(microsoft.public.windows.terminal_services)
Re: GPO Update Problem (SYSVOL access via UNC)
... Server Security and Auditing Policy ... This list only includes links in the domain of the GPO. ... The settings in this GPO can only apply to the following groups, users, ...
(microsoft.public.win2000.group_policy)
Re: GPO Update Problem (SYSVOL access via UNC)
... > Server Security and Auditing Policy ... > This list only includes links in the domain of the GPO. ... > The settings in this GPO can only apply to the following groups, users, ...
(microsoft.public.win2000.group_policy)
Re: GPO Update Problem (SYSVOL access via UNC)
... >> Server Security and Auditing Policy ... >> The settings in this GPO can only apply to the following groups, users, ... >> Windows Firewall: Allow file and printer sharing exception Enabled ...
(microsoft.public.win2000.group_policy)
Re: GP settings questions?
... I made a domain policy and all settings took ... Administering Group Policy by Using the Group Policy ... This newsgroup only focuses on SBS technical issues. ... you may want to contact Microsoft CSS directly. ...
(microsoft.public.windows.server.sbs)