Unable logon to Domain Controller after reboot

Enrico Zocca 11 Reputation points
2020-09-24T11:00:17.843+00:00

Hello, in a large AD environment we have same issues reported on the page below:

https://social.technet.microsoft.com/Forums/en-US/912d062b-3168-4782-a128-604223fd0636/unable-to-log-into-domain-controller-after-reboot?forum=ws2016

Often when I reboot domain controller on branch office I'm not be able to logon, with the same issue:

System is restarted using the restart option in Windows. Server appears to start normally. Press CTRL-ALT-DEL to get a login prompt. User is administrator (or any other domain admin account), enter password and hit enter or click the arrow. The cursor is moved back to the beginning of the password field and the previously entered password remains.

This issue seems start happens after we raise the domain functionality level from 2003 to 2008 R2. Note: PDC is still on 2008 R2
After that no way to logon on DC's, only after many and many reboot server accepts credentials. Same issue if I try to isolate domain controller from network.
New domain controllers are also affects by this problem, immediatly after promotion still not be able to connect

Same errors in the event viewer reported on the thread.

We are working around this issue from many days, time is correct on every DC's.

Thanks in advance for the help to resolve this issue.
Enrico Z.

28023-screenshot-at-sep-24-12-53-27.png28082-screenshot-at-sep-24-12-53-11.png

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,599 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,644 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,852 questions
{count} votes

8 answers

Sort by: Most helpful
  1. Alireza Marjanmehr 6 Reputation points
    2021-02-23T08:59:10.23+00:00

    Hi Enrico,

    did you find a solution?
    I have a similar problem with DC with OS 2016.
    I think, something is wrong with our previous domain controllers (2008 or 2003).

    1 person found this answer helpful.

  2. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2020-09-25T09:30:51.167+00:00

    Hello @Enrico Zocca ,

    Thank you for posting here.

    1.Based on "Often when I reboot domain controller on branch office I'm not be able to logon, with the same issue", do you mean when reboot any one DC in the forest, this DC will have such issue?

    2.Or only reboot this specific DC, this DC will have such issue?

    3.Based on "New domain controllers are also affects by this problem, immediatly after promotion still not be able to connect", do you mean the issue is replicated between all the DCs in the forest?

    Meanwhile, check the information below:

    1. Check if AD environment is healthy. Check whether all DCs in this domain is working fine by running Dcdiag /v on each DC.
    2. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on each DC.
    3. Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.
    4. Check we can update gpupdate /force on each DC successfully.

    Best Regards,
    Daisy Zhou

    0 comments No comments

  3. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2020-09-25T09:32:23.12+00:00

    Hello @Enrico Zocca ,

    Thank you for posting here.

    1.Based on "Often when I reboot domain controller on branch office I'm not be able to logon, with the same issue", do you mean when reboot any one DC in the forest, this DC will have such issue?

    2.Or only reboot this specific DC, this DC will have such issue?

    3.Based on "New domain controllers are also affects by this problem, immediatly after promotion still not be able to connect", do you mean the issue is replicated between all the DCs in the forest?

    Meanwhile, check the information below:

    1. Check if AD environment is healthy. Check whether all DCs in this domain is working fine by running Dcdiag /v on each DC.
    2. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on each DC.
    3. Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.
    4. Check we can update gpupdate /force on each DC successfully.

    Best Regards,
    Daisy Zhou

    0 comments No comments

  4. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2020-09-25T09:34:48.163+00:00

    Hello @Enrico Zocca ,

    Thank you for posting here.

    1.Based on "Often when I reboot domain controller on branch office I'm not be able to logon, with the same issue", do you mean when reboot any one DC in the forest, this DC will have such issue?

    2.Or only reboot this specific DC, this DC will have such issue?

    3.Based on "New domain controllers are also affects by this problem, immediatly after promotion still not be able to connect", do you mean the issue is replicated between all the DCs in the forest?

    Meanwhile, check the information below:

    1. Check if AD environment is healthy. Check whether all DCs in this domain is working fine by running Dcdiag /v on each DC.
    2. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on each DC.
    3. Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC.
    4. Check we can update gpupdate /force on each DC successfully.

    Best Regards,
    Daisy Zhou

    0 comments No comments

  5. Enrico Zocca 11 Reputation points
    2020-09-25T10:31:21.487+00:00

    Hello @Daisy Zhou ,

    Thank you for reply

    1.Based on "Often when I reboot domain controller on branch office I'm not be able to logon, with the same issue", do you mean when reboot any one DC in the forest, this DC will have such issue? No, all 2012 R2 DC's are affects. 2008 R2 seems ok.

    2.Or only reboot this specific DC, this DC will have such issue? No, all DC's 2012 R2 have this issue

    3.Based on "New domain controllers are also affects by this problem, immediatly after promotion still not be able to connect", do you mean the issue is replicated between all the DCs in the forest? ****Yes.** For testing purpose we promoted a fresh new 2012 R2 server to DC, after first reboot logon is "hang", instead a fresh new DC 2008 R2 works without any issue **

    We notice that AD replicate correctly on all DC's, also when DC's are in this strange "stall mode".
    Keep in mind that this issue is observed immediatly time after we demote all 2003 DC's and raise forest/domain functional level to 2008 R2
    The condition in which the domain controllers are after the reboot is strange, some services do not start (for example MSDTC) if you type the password, at logon screen, and press enter it does not work, even if you press the arrow next to the password field it does not work.
    If you reboot the DC 10-20 or 30 times it may be that the services start and accept the credentials. the only condition in which you can logon is safe mode. When the DC starts correctly and you restart "Active Directory Domain Services" the services do not restart, you have to restart the DC and start again.
    When the DC is in "stalled mode" you can remotely manage the event viewer but not the services or the registry

    Check if AD environment is healthy. Check whether all DCs in this domain is working fine by running Dcdiag /v on each DC. We checking log as suggest by @Fabian . file is attached28290-dcdiag-full.txt

    Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum on each DC. Replication works fine

    Check both SYSVOL folder and Netlogon folder are shared by running net share on each DC. Up and running on all DC's

    Check we can update gpupdate /force on each DC successfully. Update is successfully

    Regards.

    Enrico


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.