issue accessing an AD server


ScottS

Hi

I have an issue accessing an AD server; due to hardware failure I needed to
restore the server from tape. Veritas BE was unable to restore the sysvol
share point, but it did restore the files and folders. I created the share
and rights; however, as an end user I cannot log on to the server. When I browse
the network places to the server I cannot access the server. I receive the
error Logon failure: the target account name is incorrect. This happens as
the admin as well.

I feel it could be a permission issue. Can anyone tell me how to reset the
security permission on an AD server? I want to set them to the same level as
it would be after you promote the server to an AD. I know it's doable; I just
went brain dead on the syntax.



I posted this in the



Thanks

Scott
 
You can reset local security settings to default defined levels as described
in the link below. However on a domain controller, Domain Controller
Security Policy will override user rights assignments. The second link shows
how to restore Domain Controller Security Policy user rights to default or
otherwise modify it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
http://support.microsoft.com/?kbid=267553

Having said that, I think your problem is not with security policy, but
probably due to the fact that your computer accounts may have been corrupted
or the computer passwords on the backup have expired. I would first install
the support tools on your domain controller and a domain member from the
install disk under support/tools where you will need to run setup or the
.msi package there. Then first run netdiag and then dcdiag on your domain
controller looking for failed tests/fatal errors particularly in regards to
dns, domain membership, dclist, and trust relationship. If all looks well
for the dc, run netdiag on a domain member that is experiencing problems
looking for the same. You may simply need to rejoin the computers to the
domain or otherwise try to reset their accounts using netdom which may be
easier but does not always work. If you find a lot of problems with the dc,
look in Event Viewer for event ID error numbers and search the Knowledge
Base or http://eventid.net for what you find. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;216393
 
Thank you

All the other servers are reachable by the users. The only server that is
having the issue is the restored one.



Not knowing what this means, the following items failed during the netdiag
and DCdiag.

What would be the next steps?



Global results:

Domain membership test . . . . . . : Failed

[WARNING] The system volume has not been completely replicated to the
local machine. This machine is not working properly as a DC.

Trust relationship test. . . . . . : Failed

[FATAL] Secure channel to domain 'RCAL' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]

Kerberos test. . . . . . . . . . . : Failed

[FATAL] Kerberos does not have a ticket for SPEAKER$.

------------------------------------------------

DC Diagnosis

Performing initial setup:

[speaker] LDAP bind failed with error 31,
A device attached to the system is not functioning..
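
The triage suggested earlier in the thread (look for failed tests and fatal errors, with dns, domain membership, dclist and trust relationship first) applied to netdiag text like the excerpt above, as an added example that is not part of the original posts. The sample is constructed from the posted output (the passing DNS line is made up), and `parse_netdiag`, `triage` and `PRIORITY` are hypothetical names.

```python
import re

# Constructed sample modelled on the posted netdiag excerpt; the DNS line is made up.
SAMPLE = """\
Global results:
Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the
    local machine. This machine is not working properly as a DC.
DNS test . . . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain 'RCAL' is broken.
    [ERROR_NO_TRUST_SAM_ACCOUNT]
Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for SPEAKER$.
"""

RESULT_RE = re.compile(r"^(?P<name>\S.*?)\s*(?:\. ?){3,}\s*:\s*(?P<status>\w+)$")
TAG_RE = re.compile(r"^\[(?P<tag>[A-Z_]+)\]\s*(?P<text>.*)$")
SEVERITIES = {"FATAL", "WARNING"}
# Checks the reply singles out, compared with spaces removed (hypothetical keys).
PRIORITY = ("dns", "domainmembership", "dclist", "trustrelationship")

def parse_netdiag(text):
    """Map test name -> {"status", "messages": [[severity, text]], "codes"}."""
    results, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = RESULT_RE.match(line)
        if m:
            current = results[m["name"]] = {"status": m["status"], "messages": [], "codes": []}
        elif not line or current is None:
            continue  # blank line, or preamble such as "Global results:"
        elif (t := TAG_RE.match(line)):
            if t["tag"] in SEVERITIES:
                current["messages"].append([t["tag"], t["text"]])
            else:
                current["codes"].append(t["tag"])  # bare bracketed error constant
        elif current["messages"]:
            current["messages"][-1][1] += " " + line  # wrapped message text
    return results

def triage(results):
    """Failed tests only: priority checks first, then those with a FATAL line."""
    failed = []
    for name, r in results.items():
        if r["status"].lower() == "failed":
            key = name.lower().replace(" ", "")
            failed.append({"test": name, "codes": r["codes"],
                           "priority": any(p in key for p in PRIORITY),
                           "fatal": any(sev == "FATAL" for sev, _ in r["messages"])})
    return sorted(failed, key=lambda f: (not f["priority"], not f["fatal"]))
```

On the sample, `triage(parse_netdiag(SAMPLE))` lists the trust relationship failure first, because it is both a priority check and carries a FATAL line.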
 
Well you have a couple of options.

If you have a recent System State backup of that domain controller you could boot
into Directory Services Restore Mode [similar to safe mode] where you would have to
log on as the local administrator account that was configured when the computer was
first dcpromo'd and then use ntbackup to restore the System State, and after reboot your
domain controller will replicate with the others to get updates.

If you do not have a System State backup for that domain controller, you will have to
reinstall W2K including service packs and then dcpromo it to a domain controller
where it will replicate with other domain controllers. Note that you will have to
clean up entries in AD Sites and Services and do a metadata cleanup of Active
Directory using ntdsutil FIRST if you go that route. See the link below for more info
on Active Directory restore procedures. If the failed dc held any fsmo roles or was a
global catalog server, you will need to seize those roles on another domain
controller and create another global catalog server.

You may also want to post in the win2000.Active_directory newsgroup to see if they
have any further advice with a post along the line of "domain controller
failure". --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx#XSLTsection128121120120
http://tinyurl.com/28476 -- same link as above, shorter.

 
ouch

Thanks I will get to it.

