As of the 25th I have been unable to login to my two DC's. There were OK and now when loging in to them I get access denied. Can login OK to all other servers.

The DC's are vm's running server 2008 r2. The services are all still running and working fine can still access things like AD users and computers from mmc's no problem just unable to actually login to them. Can access them in safe mode with the same network account OK.

It's a bit of a head scratcher this one. Checked all group membership and policies all as they should be as far as I can see. Removed the last batch of windows updates just in case but this had no affect.

Any ideas would be most helpful.

Hi,

Can you provide us complete error message or screenshot? Meantime, please have a look into the below link which may help you.

http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx

-Umesh.S.K

• Proposed as answer by Umesh S K Thursday, August 06, 2015 8:46 AM

Hi the error/message is quite simple Access Denied with a red cross. We could access these two domain controllers a couple of days before no problem. Then with nothing changed (as far as I know) we get the access denied when trying to login to them either via rdp or via the console connection on vShere.

Look at the Default Domain Controllers GPO and make sure nothing has changed with Security Settings as far as who can log on (Remote Logon, Interactive Logon, etc.).  Can you log on with other Domain accounts?  What about the Administrator account?

Make sure your account is still in the proper groups to access Domain Controllers; Domain Admins, Administrators, or any group you may have added.

Update:

Sorry, my comments reflect what Umesh said.  Did not read his post closely enough. 

• Edited by vaadadmin2010 Friday, July 31, 2015 2:18 PM

Hi,

Any update on the issue?

-Umesh.S.K

Hello,

"them I get access denied"

This isn't an error message when trying to login with Remote Desktop or locally on the console. Which one exactly is shown?

Have you assured that the VMWare hosts using the correct time settings. During boot from VMs by default the configured time will be used on the machine until the PDCEmulator updates the other DCs?

Are you sure that there was none DC reverted to a taken snapshot from earlier times? Of course snapshots are not recommended type from DCs, but still people use this option.

Well we managed to demote the DC remotely and guess what it's still the same. Even the new local admin account created during the demotion will not let us login to this server. Can still get in using safe mode.

Any more ideas as dont want to go down the route of forcibly cleaning out a DC if I can avoid it.

Thanks