Operation Master ERROR

Tony

We managed to get a corrupted ntds.dit file, we also managed to have a
decent backup.

I have used 'esentutl' to repair the file which appears to be successful.

However when I use the 'Active Directory Users and Computers' snap-in, I get
error messages regarding 'target principal name incorrect' etc. when I open
it.
When I disable the KDC service it then comes up as usual and I can see all
the users etc.


We have another DC on the system, can I use this to sort the main one?

Sorry to be vague but I am out of my depth on this.

Tony
 
If you have a good replica DC, I would dcpromo this bad one down, verify
the metadata for the DC is removed from the good DC, and repromote. That
way you know everything is ok. I avoid using esentutl unless there is no
other way.

Steve Dodson [MSFT]
Directory Services

--------------------
From: "Tony" <[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
Subject: Operation Master ERROR
Date: Thu, 30 Oct 2003 04:27:47 -0000

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Tony,

It sounds like your recovered DC has lost its secure channel. If it is not
the PDC emulator, then do the following:

1. Stop the Kerberos Key Distribution Service and set it to disabled.

2. Open a command prompt and run the following command:
"netdom resetpwd /server:<server_name> /userd:<domain_name>\administrator /passwordd:<administrator_password>"
(without the quotation marks)

Where <server_name> is the name of the server that is the PDC Emulator
operations master role holder.

After you reset the secure channel, restart the domain controller. Even if
you attempt to reset the secure channel using the Netdom utility, and the
command does not complete successfully, proceed with the restart process.

If only the PDC Emulator operations master role holder is running, the KDC
forces the other domain controllers to resynchronize with this computer,
instead of issuing themselves a new Kerberos ticket.

After the computers have finished restarting, start the Services program,
restart the KDC service, and then attempt replication again. You do not
want to leave the KDC service stopped on a DC.

I hope this helps.

Ray Lava
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights
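
The steps from Ray Lava's reply as a two-phase script, added here as an example and not part of the thread. The -Phase, -PdcEmulator and -Domain parameters are assumptions of this example, and `/passwordd:*` is used so netdom prompts for the password instead of taking it on the command line.

```powershell
# Added example, not code from the thread. Run elevated on the recovered DC.
param(
    [Parameter(Mandatory)] [ValidateSet('Reset', 'Resume')] [string] $Phase,
    [string] $PdcEmulator,   # assumption: name of the PDC emulator role holder
    [string] $Domain         # assumption: domain name used for the admin account
)

$ErrorActionPreference = 'Stop'

if ($Phase -eq 'Reset') {
    if (-not $PdcEmulator -or -not $Domain) {
        throw 'Reset needs -PdcEmulator and -Domain.'
    }
    # The thread's steps apply only when this DC is not the PDC emulator.
    if ($PdcEmulator.Split('.')[0] -ieq $env:COMPUTERNAME) {
        throw 'This DC is the PDC emulator; the procedure does not apply.'
    }

    # Step 1: stop the KDC and keep it from starting on the next boot.
    Stop-Service -Name kdc -Force
    Set-Service  -Name kdc -StartupType Disabled

    # Step 2: reset the secure channel against the PDC emulator.
    # '*' makes netdom prompt, so the password stays out of history and logs.
    & netdom resetpwd "/server:$PdcEmulator" "/userd:$Domain\administrator" '/passwordd:*'
    if ($LASTEXITCODE -ne 0) {
        # Per the reply, restart even when netdom does not complete successfully.
        Write-Warning "netdom exited with $LASTEXITCODE; restarting anyway."
    }
    Restart-Computer -Force
}
else {
    # After the restart: the KDC must not stay stopped on a DC.
    Set-Service   -Name kdc -StartupType Automatic
    Start-Service -Name kdc

    # Attempt replication again.
    & repadmin /syncall
    if ($LASTEXITCODE -ne 0) { throw "repadmin exited with $LASTEXITCODE" }
}
```

Run it with `-Phase Reset` first, then with `-Phase Resume` once the domain controller has restarted.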
 