Cached Domain Credentials Function Not Working
I am a systems administrator of a Windows 2000 Server AD with multiple W2k and W2k3 Terminal Server member servers, and of a Windows Server 2003 AD with multiple W2k3 Terminal Server member servers only. The domain controller and member servers of the W2k3 AD are all Windows Server 2003 R2 with SP2. I am having the same challenge in both domains: users are unable to remotely log on to the terminal servers when the domain controllers are turned off. As an extra bit of information, the domain controllers in both domains also function as the DNS servers.

I have already confirmed that the Default Domain GPO for both domains, as well as the Local Computer Policy for the member servers, has the "Number of previous logons to cache (in case domain controller is not available)" policy set to the default of 10. As of yet, I have found no articles or forum posts on any web site detailing what to check when all settings appear correct yet the resulting function is incorrect.

If the domain controllers in both domains are shut down and a user attempts to log on, the user receives an error stating they could not log on because a domain controller could not be contacted to authenticate them. A new event (Event ID 1219) is then generated in the Application event log of the target Terminal Server, stating: "Logon rejected for "domain name"\"user name". Unable to obtain Terminal Server User Configuration. Error: The specified domain either does not exist or could not be contacted."

Thank you in advance for any assistance that may be provided.
j
September 27th, 2010 9:29pm

Hi Roy,

For some reason I received an e-mail alert with your reply in it, which I have copied below. I am not sure why your reply did not show up in this forum as a formal reply. The Replies counter in the Statistics chart still showed zero prior to my posting this, which I presume will increment the Replies counter by 1. In either case, you stated in the reply that I received via e-mail alert:

"Reply: I think cached credentials only allow for local resources when no DC is available. Why are you turning off the domain controllers? The Microsoft Developer Network"

You are correct that cached credentials are designed to only allow you to log on to the domain member server and access local resources, as shared network resource access may not be authenticated without the DC. I understand that. The problem I am having specifically is that without a DC, neither I as a domain admin nor a local admin may log on to the domain member server with cached domain admin credentials when the DC is offline.

To answer your question as to why I would turn off the DC: at the moment, in the developing state of the domain I am building, I was only provided enough resources to build one VM host with, among other mission-critical VM guests, one VM guest DC. A few nights ago, the VM host crashed, taking the guest DC down with it. While I was in the process of getting the VM host back up along with the VM guest DC, users were unable to log on to member application servers using cached credentials. As I stated in the initial question post, I have ensured that all GPO and local policy settings have the "Number of previous logons to cache..." setting set to 10, yet the cached credentials logon function still does not work.

Thank you for your reply, Roy.
j
September 29th, 2010 3:02pm

Hi,

As far as I know, in order to utilize cached logons on the Terminal Server, users will have to log on directly at the console, not via RDP. RDP connections are network access, thus cached logons will not work properly. You can try logging on to the server via the console and check whether the cached credentials work.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 30th, 2010 3:46am
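The following PowerShell script is an added example, not code posted by anyone in this thread. It collects, on a domain-member Terminal Server, the facts the original question and the accepted answer turn on: the effective `CachedLogonsCount` registry value that the "Number of previous logons to cache" policy writes under the Winlogon key, whether a domain controller is currently reachable, whether the `NL$n` cached-logon slots under `HKLM\SECURITY\Cache` are actually populated, and any recent Event ID 1219 entries in the Application log. It assumes it is run in an elevated session on the member server; the `HKLM\SECURITY\Cache` key is only readable as SYSTEM (for example under `psexec -s`), so that check reports "not readable" when run as an ordinary administrator. The source-name filter for the 1219 events is deliberately left off, since the thread does not state the event source.

```powershell
# Added example (not from the thread): inspect the state behind the
# "Number of previous logons to cache (in case domain controller is not
# available)" policy on a domain member and report why a logon attempted
# while no DC is reachable might still fail.
# Assumption: run elevated; the NL$ slots under HKLM\SECURITY\Cache are
# only readable as SYSTEM (e.g. psexec -s powershell.exe).

# 1. Effective cache size. Group Policy writes this REG_SZ value, so the
#    registry reflects the applied setting, not just the GPO definition.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
if ($count -eq $null) { $count = '(value absent; default is 10)' }
Write-Host "CachedLogonsCount (effective): $count"

# 2. Is a domain controller reachable right now? GetComputerDomain()
#    throws when the machine's domain cannot be contacted.
try {
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    Write-Host "Domain: $($dom.Name); DC reachable: $($dom.FindDomainController().Name)"
} catch {
    Write-Host "No domain controller reachable: $($_.Exception.Message)"
}

# 3. Are any cached-logon slots populated? Unused NL$n slots hold an
#    all-zero blob; a populated slot holds a larger, non-zero blob.
$cacheKey = 'HKLM:\SECURITY\Cache'
try {
    $key   = Get-Item -Path $cacheKey -ErrorAction Stop
    $slots = $key.GetValueNames() | Where-Object { $_ -match '^NL\$\d+$' }
    $used  = 0
    foreach ($slot in $slots) {
        $blob = $key.GetValue($slot)
        if ($blob -ne $null -and ($blob | Where-Object { $_ -ne 0 })) { $used++ }
    }
    Write-Host "Cached logon slots: $($slots.Count); populated: $used"
} catch {
    Write-Host "HKLM\SECURITY\Cache not readable as this account (needs SYSTEM): $($_.Exception.Message)"
}

# 4. Recent Terminal Server logon rejections (the event quoted in the
#    question). Source is not filtered because the thread does not name it.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.EventID -eq 1219 } |
    Select-Object TimeGenerated, Source, Message |
    Format-Table -AutoSize -Wrap
```

Reading the output against the thread: a `CachedLogonsCount` of 10 with populated `NL$` slots and no reachable DC is exactly the state in which a console logon is expected to succeed from cache, while an RDP logon to the same server can still be rejected with Event ID 1219, as the accepted answer describes. If the slots are all empty, the user in question has never logged on interactively to that specific server while a DC was available, and there is nothing cached for either logon path to use.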

Hi Joson,

Thank you for the solution. While researching the challenge, I had read multiple times that network resources were unavailable while the DC is unavailable, due to the lack of authentication, and as such only local resources were available. I suppose I did not take that so literally as to mean that Microsoft would count the ability to remotely log on as a network resource function, though now it certainly makes sense.

Thank you,
j
September 30th, 2010 6:48pm
