This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 28.000000000000004%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
We currently have a single domain with 2 domain controllers. One DC is running Server 2012R2 and the other is running Server 2016. I am in the process of upgrading all of our servers to Server 2019. The DCs are some of the last servers to be done. I built up a new server in VMware and loaded Server 2019 Datacenter. I have it on the network and fully patched. I joined it to the domain. I went to Server Manager -> Add Roles and Features -> and selected Active Directory Domain Services and clicked next. The Roles and Feature installer added DNS and proceeded to install everything and rebooted. After reboot, Server Manager said I need to Promote to a Domain Controller so I clicked the button and went through the steps and entered a DSRM password. Server rebooted when everything was complete.
When I go to the virtual machine console, I cannot log into the server. It says "Incorrect password". I know the password is correct because I can log onto other servers using the same credentials. If I try to use any domain account, I get the same message. If I try to use RDP to log in, I get the same message. I can connect to the server using Server Manager or Powershell and manage it that way so I know authentication is working. I have built two different servers and had the same issue both times. Using Server Manager I removed the Active Directory Domain Services role and after the server rebooted, I was able to log in again. I added the role again and had the same result.
I am at a loss on this. Searching the Internet hasn't produced any useful answers.
Hi
When you promote are your DNS record set correctly into the server ? and from another DC can you run repadmin /replsummary to make sure the replication is ok ?
I would add, can you check to make sure the keyboard layout is ok for the "new account", or check to see the password after you typed it ? I ask as for the domain profile I know if your domain admin password contain special entry, an error in the keyboard layout can hurt your login.
Thanks
Philippe
Yes, server records are showing up correctly in DNS. Repadmin /replsummary is OK. No errors
I created a temp admin account with a simple password and entered it. I clicked the "eye" button to view the password and it is correct.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
After reboot, Server Manager said I need to Promote to a Domain Controller so I clicked the button and went through the steps and entered a DSRM password
This sounds problematic, if it were me I'd clean install it, patch fully and try it again. Perform the cleanup here if necessary before stand up the new oe again.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564
--please don't forget to upvote and Accept as answer if the reply is helpful--
Already did that... several times. Does the same thing every time.
Please run;
Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\dc3.txt
then put unzipped text files up on OneDrive and share a link.