No desktop after running DC Promo on 2008 R2 Domain Controller

Had the pleasure of install our first 2008 R2 Domain Controller today. All went splendidly, after following through the various MS documents on how to do it and what to check beforehand. Adprep had been run over a year ago as the project was sidelined several times due to other things getting in the way.


Only glitch was that after running DCPromo on the new DC it restarted and whilst I could logon I couldn't get a desktop just a normal blue wallpaper. Only option was Ctrl+Alt+Del and to log off, even task manager wouldn’t run.  A reboot to safe mode with networking and all was well. 
So I had a look in the event logs and spotted the following error


The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\system32\userinit.exe



Lots of Googling lead me to a MS kb article (http://support.microsoft.com/kb/970879) which explains that if the Interactive and Authenticated users were not in the Local Users group this is what happens. Now as any admin will know when you make a server a DC all the local users or groups are removed (Some AV programs use local user accounts to run processes so this may be why Sophos threw some errors on the server as well and will probably need to be reinstalled to function properly). Which makes things a bit difficult to add the required users in to the group.

What to do then? Well DCs use the AD groups and users rather than local, if you add IIS to a DC you will get a IWAM_DCNAME user added into the User OU in AD. So I had a look in the Builtin OU in AD and there is a User group in there so I added Interactive and Authenticated users in to that, and I was then able to get a desktop up when I logged on to the DC. 

As the other DCs were fine all along I can only surmise this is an issue with UAC and the twin token security for Admins that Vista introduced to the (much annoyed) world.

I have no idea how or why the users were removed from this group or if they were ever there at all, I don't have a way to look back, though this problem didn't occur in our test domain and there seems to be little documentation covering it, so I guess it is likely they should have been there or should have been put there by the upgrade but were either removed by some kindly sole at some stage or that bit failed for some reason.

If anyone knows the answers let me know via the comments as it may prove useful to someone.

Comments

  1. Anonymous10 August 2011 at 20:43

    I ran into the same issue. Your post was a great help. I ended up joining the domain with the server. Then adding the admin account to the local admin group before adding the AD role.

    ReplyDelete
  2. Anonymous11 August 2011 at 14:08

    I am a user of a program called spiceworks. I have added your info here to spiceworks so that others may find it like I did. I also added a link to your blog at the beginning to give you credit for the answer and maybe send more traffic to your blog. I hope that is ok.

    ReplyDelete
  3. Lorribot12 August 2011 at 02:00

    Always glad to help someone. it's even better when they let you know.

    ReplyDelete
  4. helpplease11 November 2011 at 14:09

    I having exact problem right now. But, when I followed your instruction to add interactive and authenticated users I get account error msg specified account ready exist. I can't find this accounts any either. Any ideas and did you ever see anything like this.

    ReplyDelete
  5. Lorribot11 November 2011 at 20:17

    I take it this is on a domain controller.

    The accounts should be in AD already, you just need to add them in to the AD group Users which should also exist.

    If they are already in the group, then I don't know.

    If it is on a ordinary server then you need to add the local accounts in to the local users group.

    Sorry I can't help further.

    ReplyDelete
  6. Anonymous25 December 2011 at 23:56

    I've checked another domain running 2008 R2 and found that there are Interactive and Authenticated Users included by default in Built-in\Users. Thanks a lot for the solution.

    ReplyDelete
  7. JayInJersey11 April 2012 at 20:15

    Hey all. Realize I'm coming late to this party, but here are the official MS support responces to correct the issue.

    Either using remote command line or on the machine its (I was able to log in remotely using the built in domain Administrator account) run these two commands on your DC

    Net localgroup Users Interactive /add
    Net localgroup Users "Authenticated Users" /add


    That will add the needed groups to the machine and you will be good to go.

    -JayInJersey

    ReplyDelete

Post a Comment

Popular posts from this blog

Scripting DNS entries

For reasons to do with DR we needed to change our IP addressing scheme, either for our servers or for our PCs and printers and what not. Obviously changing PCs and printers was a whole lot easier due to the possible issues of inept developers’ hard coding IP addresses causing no end of problems with re-addressing the servers. This has entailed changing all the DNS entries for our printers, (whatever happened to the paperless office?) That in itself is no real challenge, they all have web interfaces so a quick connect and amend the setting then next printer. Updating the DNS entries was going to be a bit tiresome so I did a quick Google on how to do this with a script and up popped DNSCMD. You can run this from a CMD box on your PC, the main options you need to know are /recorddelete and /recordadd. To delete a record you simple need to type dnscmd <ServerName> /recorddelete <ZoneName> <NodeName> <RRType> <RRData>[/f] What does all that mean? Well i
Read more

Enterprise Vault - Failed Exchange Task

Here's another weird one. Enterprise Vault, we use this for e-mail archiving. It does a reasonable job. Probably no better or worse than any similar product. A couple of days ago I noticed that there was warning that it hadn't archived anything from one of our mailbox servers for a couple of days, not big issue as there is just a couple mailboxes on there as it used for testing at the moment. I had a look at the associated task and it was stopped. Started it and it failed. Error in the event log looked something like below The Task 'Exchange Mailbox Archiving Task for EXCH' failed to log on to Exchange server 'EXCH' using mailbox 'SMTP:EnterpriseVault@symantec.local'. Please ensure the mailbox has not been hidden, that the server is running and that the Vault account has sufficient permissions on the server. I went through every conceivable setting in AD, EV and Exchange trying to work out what had happened and why it wasn't working on thi
Read more

Windows Phone to iPhone - a painful transition

Windows Phone died a death due to a whole heap of incompetence from Microsoft.  My phone was an old Nokia 925, about 4 1/2 years old and bought and paid by my company. There were always low requirements for company phones, if it rung and you answered it, all was good. Then Hangouts reared its head (Google want to destroy MS, so WP support) but third-party support gave a stay of execution. The final nail was a requirement for out of hours support software that had no app for Windows Phone. I had to be “downgraded” to an iPhone 6s (yes, it is a low spec 2 version old iPhone, better hardware than my 925 but not really up there as a current version, how my company loves their staff, buy expensive crap rather than cheap crap). Stuff that just worked on my old phone, now needs 'me' to be re-engineered to work the Apple way.  This is only slightly less bad than the Google eat all your life and sell it back to you way, but it is like stepping back in to the 1990s Microsoft way
Read more