# How to Enable Windows Server 2k8 Domain Authentication



## royhq (Jul 24, 2012)

Hi all,
I do have some experience in the field, but it's been quite some time since I built a network on my own. I'm hoping someone could help me out. The project that I am currently working on contains 3 servers on a fairly simple network. All servers have Windows Server 2k8 Standard R2, fully patched.

Server A - SQL Server, AD/DC, DNS
Server B - Application Server and File Share Server
Server C - TS Web and TS Gateway (Yet to deploy, just running the Windows OS)

I have successfully installed AD/DC and DNS server. I have created some user accounts which are located on their proper OUs and I have enforced minimal policies in GPOs. However, at the moment the other two Servers (B/C) won't use domain authentication when a user logs in. I have successfully added both servers to the domain, but I can't get Server B and C to use domain authentication. I have read that I needed Local Authentication to be enabled on the GPOs, but that also doesn't seem to work. 
In addition, I have changed the admin pwd in Active Directory and since the other two servers won't use domain authentication I'm forced to use the local Windows passwords that I used during installation.

If someone could point me in the right direction that would be greatly appreciated.

Thanks,
R


----------



## peterh40 (Apr 15, 2007)

For domain login to be successful the member servers must be:
a) Joined to the domain
b) Has the TCP/IP v4 properties configured so that the primary DNS is pointing to the DNS server, so they can resolve DC, GC and Kerberos SRV and Host (A) records properly.
c) When logging into a member server, to either select the Domain you are logging into or type the domain in the username field e.g. MyDOMAIN\User or use the other format [email protected] or whatever.


----------



## royhq (Jul 24, 2012)

Hi Peterh40
Thank you so much for your reply!!

I have added both servers to the domain. Both computers are listed under the Computer Group in AD
IPv4 is a static IP with the primary DNS pointing to the DC. No secondary DNS
IPv6 Disabled at this time.
I have checked DNS by pinging by name and IP and both return the correct value.
I have done an nslookup and the output is the correct server ServerA.Domain.local

I have also checked the following and I find it quite strange.
When I looked at the Local Users and Groups on both Server B and C I notice that the Admin Group and the user Group do not have the Domain Admin and the Domain User groups that should automatically be added when the computer joins the domain. I tried adding both groups manually but I get an error saying that both Domain accounts are already part of the Local Admin and Local Users group, and yet they are not visible.

I also tried adding an actual Domain user to the Local Admin group (Both Server B and C) and that user failed to authenticate to the Servers. However, when I looked back at the Local Admin group on Server B and C I noticed that the domain user that I just added was not showing its name but it was showing its SID. So all I can think at this time is that both servers are failing to retrieve information from the DC and therefore showing the SID instead of the actual Domain user name.

Any other thoughts? 

Thanks
R


----------



## peterh40 (Apr 15, 2007)

Some other things to check:
1. Make sure that firewalls are turned off.
2. Make sure that the regional info, date and time are all synced up and not more than a couple of minutes out between the servers.
3. Check event logs and if there are errors about bad trust between clients and the server then you will need to remove and re-add the servers to the domain.
4. Check that computer accounts have been created in the domain and are usually shown in the 'Computer' container.

If possible download a Best Practise Analyzer tool from Microsoft to discover any other issues in your domain.
Also you can try dcdiag.exe on your domain controller to look for errors.


----------
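
The checks from peterh40's two lists above (domain membership, DNS SRV resolution, reachability, time sync, machine-account trust), collected into one script as an added example that is not part of the original thread. It assumes an elevated PowerShell 2.0+ session on a member server and uses the built-in `nslookup`, `nltest` and `w32tm` tools plus `Test-ComputerSecureChannel`; the port list is an assumption based on the standard DNS, Kerberos, RPC, LDAP and SMB ports.

```powershell
# Added example: run elevated on a member server (Server B or C in the thread), PowerShell 2.0+.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { Write-Warning "Not joined to a domain (workgroup: $($cs.Workgroup))"; return }
$domain = $cs.Domain
"Joined to domain: $domain"

# DNS: the DC locator SRV records must resolve through the configured primary DNS server.
foreach ($srv in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.$domain") {
    $out = nslookup -type=SRV $srv 2>&1 | Out-String
    if ($out -match 'svr hostname') { "SRV OK:  $srv" } else { Write-Warning "SRV lookup failed: $srv" }
}

# DC locator: ask Netlogon which domain controller this member would use.
$loc = nltest "/dsgetdc:$domain" 2>&1 | Out-String
if ($loc -notmatch 'DC:\s+\\\\(\S+)') { Write-Warning "No domain controller located for $domain"; return }
$dc = $Matches[1]
"Located DC: $dc"

# Reachability: test the ports domain logon needs instead of judging by firewall state alone.
# Port 53 assumes the DC also hosts DNS, as Server A does in the thread.
foreach ($port in 53, 88, 135, 389, 445) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ar = $tcp.BeginConnect($dc, $port, $null, $null)
    $ok = $ar.AsyncWaitHandle.WaitOne(2000, $false) -and $tcp.Connected
    $tcp.Close()
    if ($ok) { "TCP OK:  ${dc}:$port" } else { Write-Warning "TCP not reachable: ${dc}:$port" }
}

# Time: Kerberos rejects tickets when clocks differ by more than 5 minutes (the default tolerance).
$tm = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1 | Out-String
if ($tm -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt 300) { Write-Warning "Clock skew ${skew}s exceeds 300s" } else { "Time OK: skew ${skew}s" }
} else {
    Write-Warning "Could not read the time offset from $dc"
}

# Secure channel: a broken machine-account trust is the case that needs a remove and re-join.
if (Test-ComputerSecureChannel) {
    "Secure channel to $domain is healthy"
} else {
    Write-Warning "Secure channel to $domain is broken: domain logons will fail"
}
```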



## royhq (Jul 24, 2012)

Windows firewalls are disabled.
The regional date and time are all within +/- 5 seconds
I don't see any errors in Event Viewer nor any errors when I ran dcdiag
Both Servers B and C computer accounts are automatically created once they joined the domain and they are visible in AD.

I could try using the "tool analyzer" and advise on what happened. At this point I have a feeling that the SYSVOL might have got corrupted during installation so I was thinking of re-installing the domain.

I will advise if the tool analyzer found anything or if the re-install solved the problem

Thanks !


----------



## Squashman (Apr 4, 2003)

I don't want to sound like I don't trust you but could you post a screenshot of the system properties of the member servers showing that they are indeed joined to the domain?

I guess basically what I am saying is did you follow these instructions for joining the Servers to the domain?
http://technet.microsoft.com/en-us/library/cc770919(v=ws.10).aspx#bkmk_NetFndtn_Pln_JoinDom08


----------



## royhq (Jul 24, 2012)

Hi Squashman

I'm not an expert but I do know a few things here and there.
Yes, I did follow the same steps that are posted on your link so I did join the computers to the domain correctly.

I just finished re-installing the domain and now I'm able to authenticate to all servers using domain accounts. At this point I have no idea what went wrong or if it was something that I caused during installation. It is quite annoying on that end but the good news is that it is now working.

By the way Peterh40 I ran the Best Practise Analyzer tool that comes with the OS and found nothing besides some warnings. 

Thanks for all the input and help.

Cheers,
R


----------

