unable to logon to server 2003 [message #155833] Fri, 05 June 2009 08:58
Taz1972
Hi,

We recently installed a new 2003 server to act as a DC in one of our sites.
But once dcpromo was done and a reboot was required, we now cannot logon and
get the following error:

'unable to logon because of an account restriction'

This is strange because we don't get this problem when logging on to any
other of our DCs via remote desktop, or any other server for that matter.
Our default domain policy and DC policy are set to 'allow users to logon
through terminal services' for domain admins and remote desktop groups, and
the deny option is blank.

Furthermore, the "Allow users to remotely connect to this computer" Remote
Desktop option is grayed out - why is this? The registry key on the affected
server is set to

HKLM\System\CurrentControlSet\Control\Terminal Server\FDenyTSConnections
Set DWord to 0

I am only able to logon to the server using the enterprise admin password,
but if we try to logon as domain admin etc we just cannot - it gives the above
'account restriction' error.

Please can someone shed some light on this, because I have searched the web
without success, and I am pulling my hair out about this issue.

Thanks,
Taz
Re: unable to logon to server 2003 [message #155853 is a reply to message #155833] Fri, 05 June 2009 11:28
aceman
Have you also set it to allow Logon Interactively rights?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
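
Added example, not part of the original thread: one way to check the logon rights this reply asks about is to export the user rights actually in effect on the server with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and evaluate them against the SIDs in an account's token. The domain SID, the sample export and the function names below are constructed for illustration.

```python
# Evaluate local and Remote Desktop logon rights from the [Privilege Rights]
# section of a secedit export. Entries are compared as SIDs; account names
# that secedit could not resolve to a SID are not handled here.
# A real export file is UTF-16: open("rights.inf", encoding="utf-16").read()

LOGON_RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote_desktop": ("SeRemoteInteractiveLogonRight",
                       "SeDenyRemoteInteractiveLogonRight"),
}

# Constructed sample export (not taken from the thread).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
"""

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"    # constructed domain SID
ADMIN_TOKEN = [DOMAIN + "-512", "S-1-5-32-544"]  # Domain Admins + BUILTIN\Administrators
RDU_TOKEN = [DOMAIN + "-513", "S-1-5-32-555"]    # Domain Users + Remote Desktop Users

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*").upper()
                                    for v in value.split(",") if v.strip()}
    return rights

def evaluate_logon(rights, token_sids):
    """A deny right on any token SID wins; otherwise one allow match is enough."""
    token = {s.upper() for s in token_sids}
    result = {}
    for kind, (allow, deny) in LOGON_RIGHTS.items():
        if rights.get(deny, set()) & token:
            result[kind] = "denied"
        elif rights.get(allow, set()) & token:
            result[kind] = "allowed"
        else:
            result[kind] = "not granted"
    return result
```

An account that comes back "not granted" for both kinds holds neither logon right on that machine, whatever the domain-level GPOs say.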
Re: unable to logon to server 2003 [message #155931 is a reply to message #155833] Mon, 08 June 2009 08:16
pbbergs
I would be curious to see an ipconfig /all on a good dc and the failing
dc plus the following:

DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log

Post dcdiag.log

You can change the first couple of octets and the domain name before
posting, just keep things consistent, so it is readable.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
Re: unable to logon to server 2003 [message #156155 is a reply to message #155931] Thu, 11 June 2009 08:06
Taz1972
OK – I did an rsop and checked what policies were being applied to the problem DC,
and there are none. This is obviously a replication issue because the domain
policies have not replicated to the DC. I did the same rsop check on another
DC and the domain policies define that admins, rdesktop users are allowed to
logon to the DCs but since no policies are being applied to the DC then it
won’t work – that includes no local logon.

And when I try to force replication I get errors – now this could be because
either there's a problem with the DC itself or the RPC errors we are getting
worldwide at the moment. This is something we are looking into at the moment
to see what traffic is being allowed through the gateways.

This server is behaving very strangely - dns and other stuff will not
install correctly either.

What we've decided to do is demote the DC via dcpromo /forceremoval (because
it wouldn't remove gracefully), remove the metadata, reformat the machine (it
did have a lot of rubbish on it before it became a DC) and do the AD
promotion again.

Thanks,
Taz
Re: unable to logon to server 2003 [message #156158 is a reply to message #156155] Thu, 11 June 2009 09:02
pbbergs
That will definitely clean up the current issue but hopefully it won't
pick up where it left off and start over. You want to try and figure out why
this happened.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.