Authentication Oddities after a Windows Server 2008 Upgrade

Here’s an “interesting” feature I ran into after upgrading one of a client’s domain controllers to Windows Server 2008.  (All DCs were on Windows Server 2003, and all except this one remain on Windows Server 2003 for the time being.)

I got a call the next day stating that three things were broken:  Backup Exec would error out in the middle of a backup job, you could not use RDP to log in to the Windows Server 2008 DC, and the client’s Websense Admin Console would not let the domain administrator log in.  (We’ll save the Backup Exec issue for another time.)

When investigating the login issues, I noticed that when you tried to use the domain administrator account to log into the server from the server console, it worked fine.  When you attempted to use RDP to log in, it failed.  When looking at the security event log, it reported that the domain administrator account was disabled.

Even though I knew the domain admin account was NOT disabled, I took a look at its properties anyway, and discovered that the Pre-Windows 2000 Login Name (SAMAccountName for those of you who script or program) was populated, but for some reason, the Login Name field and UPN Suffix were not.  Simply filling out those two fields made the login work, and fixed the Websense Admin Console login problem as well.

Hope this helps someone else.

James
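
The condition described above (SAMAccountName populated, no UPN) can be checked across the whole domain rather than one account at a time. The following is an added example, not part of the original post: it assumes a domain-joined machine with PowerShell, and the function name `Get-UserWithoutUpn` and its `SearchRoot` parameter are made up for this illustration.

```powershell
# Added example: list user accounts that have a sAMAccountName but no
# userPrincipalName, using ADSI so no ActiveDirectory module is required.
function Get-UserWithoutUpn {
    param(
        # Optional LDAP path of an OU to limit the search (hypothetical parameter).
        # When omitted, the current domain's default naming context is searched.
        [string]$SearchRoot
    )

    # Users (not computers or contacts) where userPrincipalName is absent
    $filter   = '(&(objectCategory=person)(objectClass=user)(!(userPrincipalName=*)))'
    $searcher = [adsisearcher]$filter
    if ($SearchRoot) { $searcher.SearchRoot = [adsi]$SearchRoot }
    $searcher.PageSize = 500   # page results so large domains are not truncated

    foreach ($attr in 'samaccountname', 'distinguishedname', 'useraccountcontrol') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $uac = [int]$r.Properties['useraccountcontrol'][0]
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                # Bit 0x2 of userAccountControl is ACCOUNTDISABLE: shows whether
                # the account is really disabled, regardless of what a failed
                # logon event reports
                Disabled          = [bool]($uac -band 0x2)
            }
        }
    }
    finally {
        $results.Dispose()   # release the unmanaged search result handle
    }
}

Get-UserWithoutUpn |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Disabled, DistinguishedName -AutoSize
```

Expect built-in accounts such as Guest and krbtgt in the list, since they are normally created without a UPN; the entries to review are enabled accounts that people or services actually log in with.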
