Re: unable to logon to server 2003
- From: Taz1972 <Taz1972@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 11 Jun 2009 05:06:01 -0700
OK – I did an rsop and checked what policies were being applied to the problem
DC, and there are none. This is obviously a replication issue because the
domain policies have not replicated to the DC. I did the same rsop check on
another DC and the domain policies define that admins, rdesktop users are
allowed to logon to the DCs, but since no policies are being applied to the DC
then it won’t work – that includes no local logon.
And when I try to force replication I get errors – now this could be because
either there's a problem with the DC itself or the RPC errors we are getting
worldwide at the moment. This is something we are looking into at the moment
to see what traffic is being allowed through the gateways.
This server is behaving very strangely - dns and other stuff will not
install correctly either.
What we've decided to do is demote the DC via dcpromo /forceremoval (because
it wouldn't remove gracefully), remove the metadata, reformat the machine (it
did have a lot of rubbish on it before it became a DC) and do the AD
promotion again.
Thanks,
Taz
"Paul Bergson [MVP-DS]" wrote:
I would be curious to see an ipconfig /all on a good dc and the failing
dc, plus the following:
DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
Post dcdiag.log
You can change the first couple of octets and the domain name before
posting, just keep things consistent, so it is readable.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
"Taz1972" <Taz1972@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C2FBF6A8-13E1-4E5D-8733-A8AE14E2965D@xxxxxxxxxxxxxxxx
Hi,
We recently installed a new 2003 server to act as a DC in one of our sites.
But once dcpromo was done and a reboot was required, we now cannot logon and
get the following error:
'unable to logon because of an account restriction'
This is strange because we don't get this problem when logging onto any
other of our DCs via remote desktop, or any other server for that matter.
Our default domain policy and DC policy is set to 'allow users to logon
through terminal services' for domain admins and remote desktop groups, and
the deny option is blank.
Furthermore, the "Allow users to remotely connect to this computer" Remote
Desktop option is grayed out - why is this?? The registry key on the affected
server is set to
HKLM\System\CurrentControlSet\Control\Terminal Server\FDenyTSConnections
Set DWord to 0
I am only able to logon to the server using the enterprise admin password,
but if we try to logon as domain admin etc we just cannot - it gives the above
'account restriction' error.
Please can someone shed some light on this, because I have searched the web
without success, and I am pulling my hair out about this issue.
Thanks,
Taz