Last known good bug

Background:  This is an issue seen in Windows Server 2008 R2 and Windows 7.  It is probably also seen in Windows Server 2012, 2012 R2, Windows 8 and now Windows 8.1.  While we've seen it most often in Small Business Server (Amy Babinchak just hit it the other day and inspired this blog post), it can also happen on workstations.  A past forum post shows this issue is not new:  http://social.technet.microsoft.com/Forums/windowsserver/en-US/8210cfc3-f424-4550-86a9-b0a70a1569b3/last-known-good-changed-the-computer-name  
Normally Last Known Good will work as it should and allow you to boot with the configuration from your last successful boot, as noted in http://blogs.technet.com/b/askcore/archive/2011/08/05/last-known-good.aspx  But in a fact pattern I'll call the "Last Known Good" bug, there's a sequence of events that will cause a major problem with the booting of the domain controller.  This will impact anyone outside of the Pacific time zone, that is, anywhere from UTC-7 to UTC+11:30.
Symptoms:  The computer name is correct when viewed in the properties of Computer. However, the DNS server shows a computer name of Win-XXXXXXX, Active Directory is unable to start and the NetLogon service does not start.  Your event log is filled with errors such as:
Log Name:      System
Source:        NETLOGON
Date:          9/20/2013 11:13:43 PM
Event ID:      5602
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server.domain.local
Description:
An internal error occurred while accessing the computer’s local or network security database.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          9/20/2013 10:54:22 PM
Event ID:      1110
Task Category: None
Level:         Error
Keywords:     
User:          DOMAIN\Administrator
Computer:      Server.domain.local
Description:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

Log Name:      System
Source:        Microsoft-Windows-DfsSvc
Date:          9/20/2013 10:50:16 PM
Event ID:      14548
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server.domain.local
Description:
The DFS Namespace service could not initialize the trusted domain information on this domain controller, but it will periodically retry the operation. The return code is in the record data.



The symptom you will see is that nothing works as expected.  When you log in, if you try to switch to the local machine, you will see the wrong computer name.  If you are in this situation you will need to fix the registry keys, and will have to dig through the current control set for the values that are wrong.  If you are fixing the registry offline, you will need to find the hive that is the current one and fix that.

Remedy:
Before starting a server installation, go into the machine BIOS (if on physical hardware) and set the time as if it were in PST (UTC-8). So if it is, say, 5 p.m. in the Central time zone where you are, set the clock on the server to 3 p.m. Pacific time before you start installing the machine from the first DVD.
If you are using a virtualized server, leave the sync time option running in the hypervisor in Server 2008 R2 and higher.  If this is not possible, set the host to PST during the setup.



To detect and prevent the issue:
24 hours after the initial deployment of an SBS installation, if you ever plan to use the Last Known Good boot option, check and compare the control set values:
Click Start, then Run, type regedit and run it as admin.
•    Compare the values of Current and LastKnownGood in the following key:
•    HKEY_LOCAL_MACHINE\SYSTEM\Select
•    In this example, Current has a value of 1 and LastKnownGood has a value of 2.
•    Now expand the trees for the Current and LastKnownGood control sets and compare the values in:
•    HKEY_LOCAL_MACHINE\SYSTEM\ControlSetnnn\Control\ComputerName\ComputerName
•    If they don't match, then you are exposed to this issue. If you ever use the Last Known Good Configuration, you will boot your server and find that its name has reverted to its original deployment name.
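The same comparison can be scripted. The following PowerShell is an added example, not part of the original post; it only reads the registry, and the function names Get-ControlSetComputerName and Test-LastKnownGoodName are hypothetical helpers defined in the block.

```powershell
# Added example: read-only comparison of the Current and LastKnownGood control sets.
# Run from an elevated prompt; written to also work on PowerShell 2.0 (Server 2008 R2).

function Get-ControlSetComputerName {   # hypothetical helper name
    param([Parameter(Mandatory=$true)][int]$Index)
    # Select stores the set number; the key name is zero-padded (1 -> ControlSet001).
    $setName = 'ControlSet{0:D3}' -f $Index
    $path = "HKLM:\SYSTEM\$setName\Control\ComputerName\ComputerName"
    $name = $null
    if (Test-Path -LiteralPath $path) {
        $name = (Get-ItemProperty -LiteralPath $path).ComputerName
    }
    New-Object PSObject -Property @{ ControlSet = $setName; ComputerName = $name }
}

function Test-LastKnownGoodName {       # hypothetical helper name
    $select  = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Select'
    $current = Get-ControlSetComputerName -Index $select.Current
    $lkg     = Get-ControlSetComputerName -Index $select.LastKnownGood

    if ($select.Current -eq $select.LastKnownGood) {
        # Both entries point at the same set, so there is no separate copy to compare.
        $status = 'SameControlSet'
    } elseif (-not $lkg.ComputerName) {
        $status = 'LastKnownGoodNameMissing'
    } elseif ($current.ComputerName -ne $lkg.ComputerName) {
        # -ne on strings is case-insensitive, which suits computer names.
        $status = 'Mismatch'
    } else {
        $status = 'Match'
    }

    New-Object PSObject -Property @{
        CurrentSet        = $current.ControlSet
        CurrentName       = $current.ComputerName
        LastKnownGoodSet  = $lkg.ControlSet
        LastKnownGoodName = $lkg.ComputerName
        Status            = $status
    }
}

$result = Test-LastKnownGoodName
$result | Format-List
if ($result.Status -eq 'Mismatch') {
    Write-Warning 'LastKnownGood holds a different computer name; booting it would revert the name.'
}
```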
To correct this issue:
1.    You will need to refresh the current control set by opening the following path:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName.  Select it, then select File->Export and save it locally just in case.
2.    In that same ComputerName key, create a NEW string value (right click, then click on New > String Value). Take the default name and leave the value blank.
3.    Delete the newly created string value. So at the end of steps 2 and 3 you are left with everything looking just like it did back in step 1.
4.    Close regedit and reboot.
5.    After reboot, check the last known good set values as per the first set of steps.

One Thought on “Last known good bug”

  1. Joe Raby on September 25, 2013 at 3:00 pm said:

    “Last known good bug”

    :)
