|
issue accessing an AD server
Hi
I have an issue accessing an AD server; due to hardware failure I needed to restore the server from tape. Veritas BE was unable to restore the sysvol share point, but it did restore the files and folders. I created the share and right; however, as an end user I cannot log on to the server. When I browse the network places to the server I cannot access the server. I receive the error Logon failure: the target account name is incorrect. This happens as the admin as well.
I feel it could be a permission issue. Can anyone tell me how to reset the security permission on an AD server? I want to set them to the same level as it would be after you promote the server to an AD. I know it's doable; I just went brain dead on the syntax.
I posted this in the
Thanks
Scott
|
You can reset local security settings to default defined levels as described in the link below. However on a domain controller, Domain Controller Security Policy will override user rights assignments. The second link shows how to restore Domain Controller Security Policy user rights to default or otherwise modify it.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222 http://support.microsoft.com/?kbid=267553
Having said that, I think your problem is not with security policy, but probably due to the fact that your computer accounts may have been corrupted or the computer passwords on the backup have expired. I would first install the support tools on your domain controller and a domain member from the install disk under support/tools where you will need to run setup or the .msi package there. Then run first netdiag and then dcdiag on your domain controller looking for failed tests/fatal errors particularly in regards to dns, domain membership, dclist, and trust relationship. If all looks well for the dc, run netdiag on a domain member that is experiencing problems looking for the same. You may simply need to rejoin the computers to the domain or otherwise try to reset their accounts using netdom which may be easier but does not always work. If you find a lot of problems with the dc, look in Event Viewer for event ID error numbers and search the Knowledge Base or http://eventid.net for what you find. --- Steve
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216393
|
Thank you
All the other servers are reachable by the users. The only server that is having the issue is the restored one.
Not knowing what this means, the following items failed during the netdiag and DCdiag.
What would be the next steps?
Global results:
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'RCAL' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for SPEAKER$.
------------------------------------------------
DC Diagnosis
Performing initial setup:
[speaker] LDAP bind failed with error 31,
A device attached to the system is not functioning..
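Added example, not part of either poster's messages: a small parser that does the netdiag triage suggested in the thread, pulling out failed tests, their [WARNING]/[FATAL] detail lines and any ERROR_ code. The failed-test lines are copied from the post above; the passing DNS line, the function names and the priority substrings are assumptions made for this sketch.

```python
import re
from dataclasses import dataclass, field

# netdiag summary line: "<test name> . . . . : Passed|Failed|Skipped"
TEST_RE = re.compile(r"^\s*(?P<name>.+?)\s*(?:\.\s*)+:\s*(?P<result>Passed|Failed|Skipped)\s*$")
# Detail line printed under a test: "[WARNING] ..." or "[FATAL] ..."
MSG_RE = re.compile(r"^\s*\[(?P<sev>WARNING|FATAL)\]\s*(?P<text>.*)$")
CODE_RE = re.compile(r"\[(ERROR_[A-Z0-9_]+)\]")
# Areas the reply singles out for a DC (substrings are an assumption).
PRIORITY = ("dns", "domain membership", "dc list", "dclist", "trust relationship")

# Failed tests as pasted in the thread; the DNS line is constructed.
SAMPLE = """\
Global results:
DNS test . . . . . . . . . . . . . : Passed
Domain membership test . . . . . . : Failed
[WARNING] Ths system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'RCAL' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for SPEAKER$.
"""

@dataclass
class NetdiagTest:
    name: str
    result: str
    messages: list = field(default_factory=list)  # (severity, text) pairs
    codes: list = field(default_factory=list)     # e.g. ERROR_NO_TRUST_SAM_ACCOUNT

def parse_netdiag(text):
    """Group each detail line under the test summary line that precedes it."""
    tests, current = [], None
    for line in text.splitlines():
        m = TEST_RE.match(line)
        if m:
            current = NetdiagTest(m["name"].strip(), m["result"])
            tests.append(current)
            continue
        m = MSG_RE.match(line)
        if m and current is not None:
            current.messages.append((m["sev"], m["text"]))
            current.codes += CODE_RE.findall(m["text"])
    return tests

def triage(tests):
    """Failed tests only: FATAL before WARNING, then priority areas first."""
    def key(t):
        fatal = any(sev == "FATAL" for sev, _ in t.messages)
        prio = any(p in t.name.lower() for p in PRIORITY)
        return (not fatal, not prio)
    return sorted((t for t in tests if t.result == "Failed"), key=key)

if __name__ == "__main__":
    for t in triage(parse_netdiag(SAMPLE)):
        print(t.name, t.result, t.codes, [sev for sev, _ in t.messages])
```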
|
Well you have a couple of options.
If you have a recent System State backup of that domain controller you could boot into Directory Services Restore Mode [similar to safe mode] where you would have to log on as the local administrator account that was configured when the computer was first dcpromo and then use ntbackup to restore the System State and after reboot your domain controller will replicate with the others to get updates.
If you do not have a System State backup for that domain controller, you will have to reinstall W2K including service packs and then dcpromo it to a domain controller where it will replicate with other domain controllers. Note that you will have to clean up entries in AD Sites and Services and do a metadata cleanup of Active Directory using ntdsutil FIRST if you go that route. See the link below for more info on Active Directory restore procedures. If the failed dc held any fsmo roles or was global catalog server, you will need to seize those roles on another domain controller and create another global catalog server.
You may also want to post in the win2000.Active_directory newsgroup to see if they have any further advice with a post along the line of "domain controller failure". --- Steve
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx#XSLTsection128121120120 http://tinyurl.com/28476 -- same link as above, shorter.
|
ouch
Thanks I will get to it.