Problems after Restore System State

[Guest]

current environment: 2 x Windows 2000 Domain Controllers with CA services
running.

This morning, I have performed the non-authoritative system state restore on
DC2 because no users can request new certificate. The system state restore
solved the CA problem but introduced other new non-trusted errors & DNS
errors . DC1 complaint "The session setup from the computer DC02 failed to
authenticate. The name of the account referenced in the security database is
SSRADCERT02$. The following error occurred: Access is denied." I can ping the
DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
ssradcert02 encounters errors “access deniedâ€. I have to run "net time
\\DC02IPaddress /set /y.

Any clues why? I have coldfeet really. Thanks !

 

[Guest]

Oh yes, I got this error on DC02 server, "Failed to authenticate with
\\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller for
domain "XYZ". I am so scared to make more changes because that may break
certificate service cant do new certificate. I am very desperate to hear
anyone that knew why. Thanks muchly.

 

[Ace Fekay [MVP]]

In

Oh yes, I got this error on DC02 server, "Failed to authenticate with
\\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
for domain "XYZ". I am so scared to make more changes because that
may break certificate service cant do new certificate. I am very
desperate to hear anyone that knew why. Thanks muchly.

:

How old was the system state that you restored?

What errors are in the event logs of both DCs?

Does DC01.ssict.org.au exist as a record and do the SRV records reference
this as a DC hosting services under the zone?

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

 

[Guest]

Hi Ace,
Thanks for your email. The system state that I restored was from 1Aug05 tape.

DC01 errors are: (1) ID5722 from NETLOGON "The session setup from the
computer DC02 failed to authenticate. The name of the account referenced in
the security database is DC02$. The following error occurred: Access is
denied." (2) ID3034 from MRxSMB "The redirector was unable to initialize
security context or query context attributes". (3) ID13508 from NfFrs "File
Replication Service is having trouble enabling replication from DC02 to DC01
for c:\winnt\sysvol\domain using the DNS name DC02.ssict.org.au. FRS will
keep retrying.

DC02 errors are: (1) ID1000 from Userenv "Windows cannot determine the user
or computer name. Return value (-2146893022)" (2) ID3034 from MRxSMB "The
redirector was unable to initialize security context or query context
attributes". (3) ID16650 from SAM "The account-identifier allocator failed to
initialize properly. The record data contains the NT error code that caused
the failure. Windows 2000 will retry the initialization until it succeeds;
until that time, account creation will be denied on this Domain Controller.
Please look for other SAM event logs that may indicate the exact reason for
the failure"

I am not sure if this is DNS related issue because my nslookup works fine.
Is this to do with the security channel need resetting? What is the right
command & run from where? Thanks a bunch really :-/

Seeker01

 

[Jorge_de_Almeida_Pinto]

Oh yes, I got this error on DC02 server, "Failed to
authenticate with
\DC01.ssict.org.au, a Windows NT or Windows 2000 domain
controller for
domain "XYZ". I am so scared to make more changes because
that may break
certificate service cant do new certificate. I am very
desperate to hear
anyone that knew why. Thanks muchly.


\DC02computername /set /y from

what does DCDIAG /V say?

 

[Guest]

Hi Jorge,
Thanks for your email. I was afraid of running anything but I think should
be safe to run "DCDIAG /V" from DC02. I will inform you the status later on.

Regards,
Seeker01

 

[Guest]

Hi Jorge, below is the Dcdiag /v results from DC01 & DC02. Thanks for your
help.

[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
The replication generated an error (1908):
Win32 Error 1908
The failure occurred at 2005-09-21 14:50.17.
The last success occurred at 2005-09-20 09:56.03.
Kerberos Error.
A KDC was not found to authenticate the call.
[DC02] DsBind() failed with error -2146893022,
Win32 Error -2146893022.
Warning: DC01 is not advertising as a time server.
w32time Service is stopped on [DC01]
Starting test: frssysvol
* The File Replication Service Event log test
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/20/2005 17:07:48
enabling replication from DC02 to DC01 for c:\winnt\sysvol\domain using the
DNS name DC02.ssict.org.au. FRS will keep retrying.
[1] FRS can not correctly resolve the DNS name DC02.ssict.org.au from this
computer.
[2] FRS is not running on DC02.ssict.org.au.
[3] The topology information in the Active Directory for this replica has
not yet replicated to all the Domain Controllers.
Starting test: FsmoCheck
GC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
PDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
KDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd......... ssict.org.au failed test FsmoCheck
=========================
[Replications Check,DC02] A recent replication attempt failed:
From DC01 to DC02
The replication generated an error (1326):
Logon failure: unknown user name or bad password.
The failure occurred at 2005-09-21 14:46.52.
The last success occurred at 2005-08-01 16:59.20.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
[DC01] DsBind() failed with error -2146893022,
The target principal name is incorrect..
Warning: DsGetDcName returned information for \\DC01.ssict.org.au, when we
were trying to reach DC02.
Server is not responding or is not considered suitable.
Warning: DC02 is not advertising as a time server.
Warning: DC01 is the Schema Owner, but is not responding to DS RPC Bind.
[DC01] LDAP bind failed with error 31,
A device attached to the system is not functioning..
DC01 is the Schema Owner, but is not responding to LDAP Bind.
DC01 is the Domain Owner, but is not responding to DS RPC & LDAP Bind.
DC01 is the PDC Owner, but is not responding to DS RPC & LDAP Bind.
DC01 is the Rid Owner, but is not responding to DS RPC & LDAP Bind
DC01 is the Infrastructure Update Owner, but is not responding to DS RPC &
LDAP Bind.
Starting test: RidManager
[DC02] DsBindWithCred() failed with error -2146893022. The target principal
name is incorrect.
* The File Replication Service Event log test
Error: No record of File Replication System, SYSVOL started.
An Warning Event occured. EventID: 0x800034FD
Time Generated: 09/20/2005 16:50:11
An Warning Event occured. EventID: 0x800034D0
Time Generated: 09/20/2005 16:50:11
Event String: The File Replication Service moved the preexisting files in
c:\winnt\sysvol\domain to
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
The File Replication Service may delete the files in
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog
at any time. Files can be saved from deletion by copying them out of
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
Copying the files into c:\winnt\sysvol\domain may lead to name conflicts if
the files already exist on some other replicating partner.
In some cases, the File Replication Service may copy a file from
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog into
c:\winnt\sysvol\domain instead of replicating the file from some other
replicating partner.
Space can be recovered at any time by deleting the files in
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/20/2005 16:51:52
Event String: The File Replication Service is having trouble
enabling replication from DC01 to DC02 for c:\winnt\sysvol\domain using the
DNS name DC01.ssict.org.au. FRS will keep retrying.
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x0000410A
Time Generated: 09/21/2005 14:38:20
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000C8A
Time Generated: 09/21/2005 14:52:45
Event String: Failed to authenticate with \\DC01.ssict.org.au, a Windows NT
or Windows 2000 domain controller for domain SSICT.
An Error Event occured. EventID: 0xC0000021
Starting test: FsmoCheck
Warning: Couldn't verify this server as a GC in this servers AD.
GC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
PDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
KDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd ........ ssict.org.au failed test FsmoCheck

 

[Guest]

Hi Jorge,

When I try to open active directory users and computers on DC02, I receive
the following error: "Naming information cannot be located because: The
specified directory service attribute or value does not exist. Contact your
system administrator to verify that your domain is properly configured and is
currently online." When I run net share, there is no "NETLOGON" & "SYSVOL"
share. Is this DNS related? How to determine if DNS because I can run
nslookup fine. Also the Policy & Scripts folder are actually found under the
folder of c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog. Is this
causing the problem why & should I just remove this folder? Thanks.

 

[Guest]

Hi Ace,
Both DC01 & DC02 already running with SP4 before 1Aug05. After the system
state restore on DC02, am I supposed to re-apply the SP4 because I didnt. Is
this the reason why? There were no more changes made on both DNS servers
since the built more than a year ago. Can it be the DNS problem? Or perhaps
the problem will go away if I run nltest to reset the security channel on
DC02 since I have error "access denied" & "logon failure: unknown username or
bad password"? Thanks heaps.

 

[Ace Fekay [MVP]]

In

Hi Ace,
Both DC01 & DC02 already running with SP4 before 1Aug05. After the
system state restore on DC02, am I supposed to re-apply the SP4
because I didnt. Is this the reason why? There were no more changes
made on both DNS servers since the built more than a year ago. Can it
be the DNS problem? Or perhaps the problem will go away if I run
nltest to reset the security channel on DC02 since I have error
"access denied" & "logon failure: unknown username or bad password"?
Thanks heaps.

August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
the date? After 60 days, the backup is useless. Also, the dcdiag you posted
upon Jorge's request, shows numerous issues related to out-of-date data. You
can try the nltest command, which should reset the channel:

nltest /sc_verify:[YourDomainName]

if that doesn't work, try:
nltest /sc_reset:[YourDomainName]

More info on it here:

About nltest:
http://www.microsoft.com/technet/pr...Ref/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx

nltest syntax:
http://www.microsoft.com/technet/pr...Ref/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx

Ace

 

[Guest]

Hi Ace,
Thanks for your email, I will try it though afraid to modify on this
production domain. Because it is still within the 60 days limit, why do I
receive these messages? What is the normal days for machine password to stay
valid, is it 30 days? I suspect this could be the issue. Do u think so ?

In

Hi Ace,
Both DC01 & DC02 already running with SP4 before 1Aug05. After the
system state restore on DC02, am I supposed to re-apply the SP4
because I didnt. Is this the reason why? There were no more changes
made on both DNS servers since the built more than a year ago. Can it
be the DNS problem? Or perhaps the problem will go away if I run
nltest to reset the security channel on DC02 since I have error
"access denied" & "logon failure: unknown username or bad password"?
Thanks heaps.

August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
the date? After 60 days, the backup is useless. Also, the dcdiag you posted
upon Jorge's request, shows numerous issues related to out-of-date data. You
can try the nltest command, which should reset the channel:

nltest /sc_verify:[YourDomainName]

if that doesn't work, try:
nltest /sc_reset:[YourDomainName]

More info on it here:

About nltest:
http://www.microsoft.com/technet/pr...Ref/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx

nltest syntax:
http://www.microsoft.com/technet/pr...Ref/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx

Ace

 

[Guest]

Hi Ace,
I have ID4001 error "The DNS server was unable to open zone ssict.org.au in
the Active Directory. This DNS Server is configured to obtain and use
information from the directory for this zone and is unable to load the zone
without it. Check that the Active Directory is functioning properly and
reload the zone. The event data is the error code" But do you think my
problems is DNS related or aging related issue?

In

Hi Ace,
Both DC01 & DC02 already running with SP4 before 1Aug05. After the
system state restore on DC02, am I supposed to re-apply the SP4
because I didnt. Is this the reason why? There were no more changes
made on both DNS servers since the built more than a year ago. Can it
be the DNS problem? Or perhaps the problem will go away if I run
nltest to reset the security channel on DC02 since I have error
"access denied" & "logon failure: unknown username or bad password"?
Thanks heaps.

August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
the date? After 60 days, the backup is useless. Also, the dcdiag you posted
upon Jorge's request, shows numerous issues related to out-of-date data. You
can try the nltest command, which should reset the channel:

nltest /sc_verify:[YourDomainName]

if that doesn't work, try:
nltest /sc_reset:[YourDomainName]

More info on it here:

About nltest:
http://www.microsoft.com/technet/pr...Ref/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx

nltest syntax:
http://www.microsoft.com/technet/pr...Ref/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx

Ace

 

[Guest]

Ace,
I got the following results. Is it still safe to run nltest
/sc_reset:[domain name] from DC02? Thanks.

The results when I run “nltest†from DC02
nltest /server:ssradcert02 /sc_query:ssict
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully

The results when run from DC01
C:\>nltest /sc_query:ssict
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

In

Hi Ace,
Both DC01 & DC02 already running with SP4 before 1Aug05. After the
system state restore on DC02, am I supposed to re-apply the SP4
because I didnt. Is this the reason why? There were no more changes
made on both DNS servers since the built more than a year ago. Can it
be the DNS problem? Or perhaps the problem will go away if I run
nltest to reset the security channel on DC02 since I have error
"access denied" & "logon failure: unknown username or bad password"?
Thanks heaps.

August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
the date? After 60 days, the backup is useless. Also, the dcdiag you posted
upon Jorge's request, shows numerous issues related to out-of-date data. You
can try the nltest command, which should reset the channel:

nltest /sc_verify:[YourDomainName]

if that doesn't work, try:
nltest /sc_reset:[YourDomainName]

More info on it here:

About nltest:
http://www.microsoft.com/technet/pr...Ref/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx

nltest syntax:
http://www.microsoft.com/technet/pr...Ref/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx

Ace

 

[Ace Fekay [MVP]]

In

Ace,
I got the following results. Is it still safe to run nltest
/sc_reset:[domain name] from DC02? Thanks.

The results when I run "nltest" from DC02
nltest /server:ssradcert02 /sc_query:ssict
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully

The results when run from DC01
C:\>nltest /sc_query:ssict
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Yes, run it. DC02 is not functioning and the 60 Tombstone Lifetime is
approaching.

As for the session password, it renews every 7 days, which is configurable
in the default domain policy, under Comp\Windows\Security\Kerberos.

Ace

 

[Guest]

Hi Ace,
I have no intention to ignore your advice but I am still blur because of my
ignorance. What exactly is this 60days limit may I know? I thought I am now
still within the 60days but why I face so many errors. Or perhaps I should
learn that "nltest" is always the command to run whenever we restore system
state? Because I am on leave next week so my boss shows great concern I can
cause further damage. Also he argued that we are not any worst because the
backup tape from 60days limit is already causing the errors, there is no
difference to even restore it from yesterday's tape now. Does it make sense?

In

Ace,
I got the following results. Is it still safe to run nltest
/sc_reset:[domain name] from DC02? Thanks.

The results when I run "nltest" from DC02
nltest /server:ssradcert02 /sc_query:ssict
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully

The results when run from DC01
C:\>nltest /sc_query:ssict
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Yes, run it. DC02 is not functioning and the 60 Tombstone Lifetime is
approaching.

As for the session password, it renews every 7 days, which is configurable
in the default domain policy, under Comp\Windows\Security\Kerberos.

Ace

 

[Ace Fekay [MVP]]

In

Hi Ace,
I have no intention to ignore your advice but I am still blur because
of my ignorance. What exactly is this 60days limit may I know? I
thought I am now still within the 60days but why I face so many
errors. Or perhaps I should learn that "nltest" is always the command
to run whenever we restore system state? Because I am on leave next
week so my boss shows great concern I can cause further damage. Also
he argued that we are not any worst because the backup tape from
60days limit is already causing the errors, there is no difference to
even restore it from yesterday's tape now. Does it make sense?

Maybe in all honesty, if you are not trusting what you are hearing, whether
from me or anyone else in this group, I would HIGHLY suggest you call
Microsoft PSS and let them guide you. I believe there will be a charge,
unless you have an MSP agreement. It's your call.


What are you waiting for? Your vacation? You are running Certificate
services. It even complicates it. I would suggest to ACT QUICKLY and forget
your vacation next week and concentrate on this important matter. It seems
like you and your boss are gambling that the tombstone issue doesn't mean
anything to you. I'm just giving you an option before you have no more
options once the 60 Tombstone Lifetime comes up. Your issue is a secure
channel password.

You are not comprehending the seriousness of the 60 day tombstone. Once it
comes up, you will have NO OTHER CHOICE but to trash the server, seize the
FSMO roles over to the existing server, run a metadata cleanup using
ntdsutil, clean up any remaining lingering objects from the old server in
Sites and Services and using ADSI Edit, then re-format the old server and
reinstall it from scratch.

Good luck.

Below taken from:
http://www.microsoft.com/technet/ar...irectory/deploy/adguide/addeploy/addch10.mspx
It is not possible to restore a backup image into a replicated enterprise
that is older than the tombstone lifetime value for the enterprise. When an
Active Directory object is deleted, it is not fully and immediately removed
from Active Directory. Instead the majority of the attributes are stripped
out and the object is moved to the deleted items container. This remaining
object is called a tombstone. This tombstone object is replicated to all
domain controllers in that respective domain so that they can learn of the
object deletion. In this manner, the original object is no longer available
to anyone searching Active Directory for it, but it is tombstoned.

The tombstone lifetime value represents the number of days that the deleted
object (or tombstone) must be retained before it can be permanently removed
from the directory. This value can be set by using the Active Directory
Service Interfaces (ADSI) edit at the directory service path below:

Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration,
dc=<<Domain_Name>>,dc=<<Domain_prefix>>

The default tombstone lifetime value is 60 days. Active Directory will not
allow data to be restored to the directory from a backup image that is older
than the tombstone lifetime. If this were to happen, the restored object
would have an Update Sequence Number (USN) too old to trigger Active
Directory replication. In this scenario, the object would never be
replicated out to other domain controllers, and the restored domain
controller would never replicate in to the necessary information to delete
the object. Active Directory on the local server would thus become
inconsistent.



Ace

 

[kj]

Need a second opinion (seeker01)?

I recently had a client with this very problem ( without the added
complexity of the CA ).

RUN, DON'T WALK, to the phone and call Microsoft PSS !!! Your BOSS has valid
concerns and you should too.

Your problem is solvable, but time is crucial at this point and it's time to
call in the pros!

By my calculation, your 60 days is up in less than a week. If you choose to
go on holiday without completely resolving this issue, then I'd suggest not
coming back.

 

[Guest]

Hi All,
I really appreciate your experienced advice. I have offered numerous times
to work on it next week but my boss see no risk to deal with it after I am
back from leaves. He is even prepared for me to rebuild the DC02 as a clean
OS if "nltest" wont fix the problem after the 60days lifetime. DC01 is the
FSMO holders, not DC01. Once again, thanks guys.

 

[Ace Fekay [MVP]]

In

Hi All,
I really appreciate your experienced advice. I have offered numerous
times to work on it next week but my boss see no risk to deal with it
after I am back from leaves. He is even prepared for me to rebuild
the DC02 as a clean OS if "nltest" wont fix the problem after the
60days lifetime. DC01 is the FSMO holders, not DC01. Once again,
thanks guys.

Good luck.

Ace

 

[kj]

DC01 is the FSMO holders, not DC01

Too bad it's not the (root?) CA.

Before you go, consider printing the following for a little "put you to
sleep reading".

http://www.microsoft.com/technet/pr...elp/9216103d-91c6-40da-a370-f95ccf4beaca.mspx

http://www.microsoft.com/technet/pr...elp/9216103d-91c6-40da-a370-f95ccf4beaca.mspx

Particularly the second, which of course, you will have problems completing
beacuse replication is broken.

Viva la holiday!

;-)