DC: Applying computer settings

[chicagotech]

We are running windows 2008 Domain. One of windows 2003 server can’t login with Applying Computer settings message forever. Here are what I tested.

1.I can login safe mode.
2.Verify the network and DNS settings are correct.
3.I have changed the TCP/IP settings from static IP to DHCP.
4.I have tried to clean boot.

[chicagotech]

Before moving on, please let us clarify that is the Windows 2003 server a DC in your domain? Based on my experience, if the server stop at “Applying computer settings”, the problem is possible related to the apply the GPO or startup script failed during the startup. In this case, I recommend you can do the following steps to troubleshooting: 1. Power off the server, unplug the network cable, and then power on the server and check if the server can be login successfully. 2. If the Windows 2003 server is not a DC, you can move the server to a OU which without any GPO, and then try to check if the server can be login successfully.

[chicagotech]

If no network connection, it boots fine too. One of our consultants tried to fix it, but he made it even worst.

[chicagotech]

Since the server can login successfully when we unplug the network cable, the problem is possible like there is any errors about the apply GPO or startup script failed, so it is always "time out".

[chicagotech]

Update - We found the problem. The DC is running as VM with two NICs and one of them was disabled. For some reasons, it is enabled so that it gets an IP address from DHCP. That IP also conflict with one of our Mac computer. For some reasons, the DC computer account password was changed. We have to re-built the DC to fix the problem. Note: when demoting a DC and re-promoting it, it is better to change the DC hostname because the Active Directory may not clear all demoted DC information.

[chicagotech]

We have two windows 2008 Domaon controllers. One of them has this problems:

1. Some users can`t login their computer with username or password incorrect message.

2. Some of servers receive fail to access the 2088dc2~ message.

3. We can`t logon the DC from the console.

4. We can ping the dc.

5. We have rebooted the dc for mny times.

6. Some computers can`t map network drive.

7. We can loginanother dc, 2008dc1.

Another working dc, 2008dc1 also receive this message\;


Log Name: System

Source: Microsoft-Windows-Security-Kerberos

Date: 3/20/2012 4:33:52 PM

Event ID: 4

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: 2008DC1.

Description:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server 2008dc2$. The target name used was ldap/2008dc2.chicagobotanic.org. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (CHICAGO) is different from the client domain (CHICAGO), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

How can we fix it?


--------------------------------------------------------------------------------

[chicagotech]

If you want to add a Windows 2008 R2 to Windows 2008 based on Domain, we need to run some commands to upgrade the schema version, since the schema version on both 2008 and 2008 R2 are difference:

2008 based schema version is 44 ; but the 2008 R2 based schema version is 47

Forest schema version 47: Windows Server 2008 R2 Adprep /forestprep

http://blogs.technet.com/b/activedirect ... tprep.aspx

For you reference, you need to run the following command to on your DC to update Schema version.

adprep /forestprep on the schema operations master

adprep /domainprep on the infrastructure operations master

adprep /domainprep /gpprep on the infrastructure operations master

For more information about Adprep on Windows Server 2008 R2, please refer to:

http://technet.microsoft.com/en-us/libr ... 4018(WS.10).aspx



First of all, just based on the Event 4, we know that the Kerberos authentication run into trouble between 2008dc1 and 2008dc2.

Then, to start with troubleshooting, we should reset the security channel between two DCs:

1.Stop the Kerberos Key Distribution Center service and set its startup type to Manual on problematic DC 2008dc2
2.Remove the Kerberos ticket cache on the domain controller where you receive the errors. You can do this by restarting the computer or by using the KLIST, Kerbtest, or KerbTray tools. KLIST is included in Windows Server 2008 R2 and in Windows Server 2008. For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools. To obtain the tools, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/deta ... 4ae7-96ee- b18c4790cffd&displaylang=en

3. run command: Netdom resetpwd /server:2008dc1 /userd:ms\admin /passwordd:*

4. Restart this problematic DC 2008dc2, the set the KDC service to automatically

You can refer to the following article to get more info:

How to use Netdom.exe to reset machine account passwords of a Windows Server domain controller

http://support.microsoft.com/kb/325850/en-us