[SOLVED] Can't logon to DC - Server 2016 Standard

seedubya

New customer, first onsite visit today.

They are tiny - 3 PCs and a server running 2016 Standard and serving AD\DHCP\DNS, their accounting software and a single fileshare. This morning they found they were unable to access the fileshares or run their accounting software. Trying to log onto the server via RDP or locally gives the error "there are currently no logon servers available to service the logon request". Current tech support has been AWOL for weeks and the ONLY thing I have is the Domain Administrator credentials - no DSRM, backups are not running etc. etc. Couldn't be much worse really.

Also, how the hell do you start DSRM on a Proliant 150 running Server 2016 Standard when you can't log in to access msconfig?
EDIT: Ok, figured this out and got in

All ideas welcome...
 
Seems like you sorted this out? But just in case... You need to log in on the DC itself, and fix its DNS and DHCP to properly support the domain and reboot all the end points.

There are BUCKETS of AD installs out there that were done flat wrong, so this sort of thing is really common.
 
Yeah, I got logged in but figuring out what the hell is going on and why AD is not loading hasn't happened yet. I'll try to figure it out over the weekend. If you have any pointers on how to get AD running on a DC with no state backups, I'd be grateful!
 
Hard to say from far away, without looking at many things and gathering intel.

We can assume AD was installed...as, workstations appear to be logging into a domain, right? Not local logins at the workstations? Username is DOMAINNAME\USERNAME?

Event viewer....pore through there.

Check TCP/IP properties v4, make sure that Primary DNS is either 127.0.0.1....or...the actual IP of the server. Not the ISP's DNS, not the router's LAN IP, not some other public DNS. Just...the IP of the server itself (or the loopback address of 127.0.0.1 which is just a way of holding a mirror up to the server and telling it to use its own LAN IP).

If that's correct, I'd see what a reboot brings.
I bet it just had a big uptime, and...it's a low spec server, probably SATA disks (it's a 100 series server which means glorified desktop computer)....not well configured, so...services start to halt.
 
Windows may have decided the domain controller is located in a café and set your firewall profile to public. I hate that this is a real thing. Bump the "network location awareness" service if this is the case. Should kick it back over to a domain profile.

Also check what the workstations are picking up for DNS servers. If it's anything but the DC there is your issue. Might find someone with "enough knowledge to be dangerous" swapped them over to 8.8.8.8 thinking it would make the internet work better. Or they threw in a router/ap with DHCP enabled sending out the wrong DNS settings. Both examples have happened to us before... on multiple occasions :(
 
So I fixed this once I paid attention to what was actually happening. The server was continuously booting into Safe\DSR Mode because, somehow, the /safeboot switch was stuck in the "on" position and changing it in MSCONFIG made no difference. One command, bcdedit /deletevalue safeboot, and we're back in business. This issue may be related to Veeam backups failing - Veeam, when backing up a DC, temporarily sets this value and, if the backup fails (which they are on this server) then apparently the switch doesn't get removed.

Might help someone else some other time.
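
The checks raised across this thread (stuck safeboot value, DC not using itself for DNS, firewall profile not on the domain network, AD services not running), gathered into one read-only triage script. This is an added example, not something posted by anyone in the thread; it assumes an elevated PowerShell session on the DC and changes nothing, only printing the fix each poster suggested.

```powershell
# Added example: read-only triage for "no logon servers available" on a DC.
# Assumes an elevated PowerShell session on the domain controller itself.

# 1. Stuck safeboot value. bcdedit lists a "safeboot" element for the current
#    boot entry only when it is set (for DSRM the value is DsRepair).
$safeboot = bcdedit /enum '{current}' |
    Select-String -Pattern '^\s*safeboot\s+(\S+)' |
    Select-Object -First 1
if ($safeboot) {
    $mode = $safeboot.Matches[0].Groups[1].Value
    Write-Warning "safeboot is set to '$mode'; every boot will land in Safe/DSR mode."
    Write-Host    "  Fix from the thread: bcdedit /deletevalue safeboot, then reboot."
} else {
    Write-Host "safeboot: not set"
}

# 2. DNS client settings. Every DNS server configured on the DC should be the
#    DC's own address or the loopback, not the ISP, router or a public resolver.
$ownIPs = @('127.0.0.1') + (Get-NetIPAddress -AddressFamily IPv4).IPAddress
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $foreign = $_.ServerAddresses | Where-Object { $_ -notin $ownIPs }
        if ($foreign) {
            Write-Warning "$($_.InterfaceAlias): DNS points away from this server: $($foreign -join ', ')"
        } else {
            Write-Host "$($_.InterfaceAlias): DNS points at this server"
        }
    }

# 3. Network location. A DC whose NIC is classified Public or Private gets the
#    wrong firewall profile; restarting Network Location Awareness re-detects it.
Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -ne 'DomainAuthenticated') {
        Write-Warning "$($_.InterfaceAlias): profile is $($_.NetworkCategory), expected DomainAuthenticated."
        Write-Host    "  Fix from the thread: Restart-Service NlaSvc -Force"
    } else {
        Write-Host "$($_.InterfaceAlias): DomainAuthenticated"
    }
}

# 4. Core AD services. NTDS is stopped while the server is in DSRM, so a
#    stopped NTDS together with a safeboot value in step 1 confirms the cause.
Get-Service -Name NTDS, DNS, Netlogon |
    Format-Table -AutoSize Name, Status, StartType
```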
 
Good to know. We use Veeam and I've never seen this behaviour before although I've never gone looking for it either. Guess you would never notice until it causes an issue.
 