Sign in with
Sign up | Sign in
Your question

Problems after Restore System State

Last response: in Windows 2000/NT
Share
Anonymous
September 20, 2005 11:26:06 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

current environment: 2 x Windows 2000 Domain Controllers with CA services
running.

This morning, I have performed the non-authoritative system state restore on
DC2 because no users can request new certificate. The system state restore
solved the CA problem but introduced other new non-trusted errors & DNS
errors . DC1 complaint "The session setup from the computer DC02 failed to
authenticate. The name of the account referenced in the security database is
SSRADCERT02$. The following error occurred: Access is denied." I can ping the
DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
ssradcert02 encounters errors “access denied”. I have to run "net time
\\DC02IPaddress /set /y.

Any clues why? I have coldfeet really. Thanks !
Anonymous
September 20, 2005 11:33:06 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Oh yes, I got this error on DC02 server, "Failed to authenticate with
\\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller for
domain "XYZ". I am so scared to make more changes because that may break
certificate service cant do new certificate. I am very desperate to hear
anyone that knew why. Thanks muchly.

"seeker01" wrote:

> current environment: 2 x Windows 2000 Domain Controllers with CA services
> running.
>
> This morning, I have performed the non-authoritative system state restore on
> DC2 because no users can request new certificate. The system state restore
> solved the CA problem but introduced other new non-trusted errors & DNS
> errors . DC1 complaint "The session setup from the computer DC02 failed to
> authenticate. The name of the account referenced in the security database is
> SSRADCERT02$. The following error occurred: Access is denied." I can ping the
> DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
> ssradcert02 encounters errors “access denied”. I have to run "net time
> \\DC02IPaddress /set /y.
>
> Any clues why? I have coldfeet really. Thanks !
>
Anonymous
September 21, 2005 2:54:31 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8@microsoft.com,
seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
commented about below:
> Oh yes, I got this error on DC02 server, "Failed to authenticate with
> \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
> for domain "XYZ". I am so scared to make more changes because that
> may break certificate service cant do new certificate. I am very
> desperate to hear anyone that knew why. Thanks muchly.
>
> "seeker01" wrote:
>

How old was the system state that you restored?

What errors are in the event logs of both DCs?

Does DC01.ssict.org.au exist as a record and do the SRV records reference
this as a DC hosting services under the zone?

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
Related resources
Anonymous
September 21, 2005 2:54:32 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Ace,
Thanks for your email. The system state that I restored was from 1Aug05 tape.

DC01 errors are: (1) ID5722 from NETLOGON "The session setup from the
computer DC02 failed to authenticate. The name of the account referenced in
the security database is DC02$. The following error occurred: Access is
denied." (2) ID3034 from MRxSMB "The redirector was unable to initialize
security context or query context attributes". (3) ID13508 from NfFrs "File
Replication Service is having trouble enabling replication from DC02 to DC01
for c:\winnt\sysvol\domain using the DNS name DC02.ssict.org.au. FRS will
keep retrying.

DC02 errors are: (1) ID1000 from Userenv "Windows cannot determine the user
or computer name. Return value (-2146893022)" (2) ID3034 from MRxSMB "The
redirector was unable to initialize security context or query context
attributes". (3) ID16650 from SAM "The account-identifier allocator failed to
initialize properly. The record data contains the NT error code that caused
the failure. Windows 2000 will retry the initialization until it succeeds;
until that time, account creation will be denied on this Domain Controller.
Please look for other SAM event logs that may indicate the exact reason for
the failure"

I am not sure if this is DNS related issue because my nslookup works fine.
Is this to do with the security channel need resetting? What is the right
command & run from where? Thanks a bunch really :-/

Seeker01

"Ace Fekay [MVP]" wrote:

> In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8@microsoft.com,
> seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Oh yes, I got this error on DC02 server, "Failed to authenticate with
> > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
> > for domain "XYZ". I am so scared to make more changes because that
> > may break certificate service cant do new certificate. I am very
> > desperate to hear anyone that knew why. Thanks muchly.
> >
> > "seeker01" wrote:
> >
>
> How old was the system state that you restored?
>
> What errors are in the event logs of both DCs?
>
> Does DC01.ssict.org.au exist as a record and do the SRV records reference
> this as a DC hosting services under the zone?
>
> --
> Regards,
> Ace
>
> If this post is viewed at a non-Microsoft community website, and you were to
> respond to it through that community's website, I may not see your reply.
> Therefore, please direct all replies ONLY to the Microsoft public newsgroup
> this thread originated in so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
>
>
>
Anonymous
September 21, 2005 3:35:58 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"" wrote:
> Oh yes, I got this error on DC02 server, "Failed to
> authenticate with
> \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
> controller for
> domain "XYZ". I am so scared to make more changes because
> that may break
> certificate service cant do new certificate. I am very
> desperate to hear
> anyone that knew why. Thanks muchly.
>
> "seeker01" wrote:
>
> > current environment: 2 x Windows 2000 Domain Controllers
> with CA services
> > running.
> >
> > This morning, I have performed the non-authoritative system
> state restore on
> > DC2 because no users can request new certificate. The system
> state restore
> > solved the CA problem but introduced other new non-trusted
> errors & DNS
> > errors . DC1 complaint "The session setup from the computer
> DC02 failed to
> > authenticate. The name of the account referenced in the
> security database is
> > SSRADCERT02$. The following error occurred: Access is
> denied." I can ping the
> > DC by host & fqdn but why cant I do net time
> \DC02computername /set /y from
> > ssradcert02 encounters errors “access denied”. I have to
> run "net time
> > \DC02IPaddress /set /y.
> >
> > Any clues why? I have coldfeet really. Thanks !
> >

what does DCDIAG /V say?

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
Anonymous
September 21, 2005 3:35:59 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Jorge,
Thanks for your email. I was afraid of running anything but I think should
be safe to run "DCDIAG /V" from DC02. I will inform you the status later on.

Regards,
Seeker01

"Jorge_de_Almeida_Pinto" wrote:

> "" wrote:
> > Oh yes, I got this error on DC02 server, "Failed to
> > authenticate with
> > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
> > controller for
> > domain "XYZ". I am so scared to make more changes because
> > that may break
> > certificate service cant do new certificate. I am very
> > desperate to hear
> > anyone that knew why. Thanks muchly.
> >
> > "seeker01" wrote:
> >
> > > current environment: 2 x Windows 2000 Domain Controllers
> > with CA services
> > > running.
> > >
> > > This morning, I have performed the non-authoritative system
> > state restore on
> > > DC2 because no users can request new certificate. The system
> > state restore
> > > solved the CA problem but introduced other new non-trusted
> > errors & DNS
> > > errors . DC1 complaint "The session setup from the computer
> > DC02 failed to
> > > authenticate. The name of the account referenced in the
> > security database is
> > > SSRADCERT02$. The following error occurred: Access is
> > denied." I can ping the
> > > DC by host & fqdn but why cant I do net time
> > \DC02computername /set /y from
> > > ssradcert02 encounters errors “access denied”. I have to
> > run "net time
> > > \DC02IPaddress /set /y.
> > >
> > > Any clues why? I have coldfeet really. Thanks !
> > >
>
> what does DCDIAG /V say?
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's request
> Articles individually checked for conformance to usenet standards
> Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-...
> Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
>
Anonymous
September 21, 2005 3:35:59 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Jorge, below is the Dcdiag /v results from DC01 & DC02. Thanks for your
help.

[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
The replication generated an error (1908):
Win32 Error 1908
The failure occurred at 2005-09-21 14:50.17.
The last success occurred at 2005-09-20 09:56.03.
Kerberos Error.
A KDC was not found to authenticate the call.
[DC02] DsBind() failed with error -2146893022,
Win32 Error -2146893022.
Warning: DC01 is not advertising as a time server.
w32time Service is stopped on [DC01]
Starting test: frssysvol
* The File Replication Service Event log test
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/20/2005 17:07:48
enabling replication from DC02 to DC01 for c:\winnt\sysvol\domain using the
DNS name DC02.ssict.org.au. FRS will keep retrying.
[1] FRS can not correctly resolve the DNS name DC02.ssict.org.au from this
computer.
[2] FRS is not running on DC02.ssict.org.au.
[3] The topology information in the Active Directory for this replica has
not yet replicated to all the Domain Controllers.
Starting test: FsmoCheck
GC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
PDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
KDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd......... ssict.org.au failed test FsmoCheck
=========================
[Replications Check,DC02] A recent replication attempt failed:
From DC01 to DC02
The replication generated an error (1326):
Logon failure: unknown user name or bad password.
The failure occurred at 2005-09-21 14:46.52.
The last success occurred at 2005-08-01 16:59.20.
Kerberos Error.
The machine account is not present, or does not match on the.
destination, source or KDC servers.
[DC01] DsBind() failed with error -2146893022,
The target principal name is incorrect..
Warning: DsGetDcName returned information for \\DC01.ssict.org.au, when we
were trying to reach DC02.
Server is not responding or is not considered suitable.
Warning: DC02 is not advertising as a time server.
Warning: DC01 is the Schema Owner, but is not responding to DS RPC Bind.
[DC01] LDAP bind failed with error 31,
A device attached to the system is not functioning..
DC01 is the Schema Owner, but is not responding to LDAP Bind.
DC01 is the Domain Owner, but is not responding to DS RPC & LDAP Bind.
DC01 is the PDC Owner, but is not responding to DS RPC & LDAP Bind.
DC01 is the Rid Owner, but is not responding to DS RPC & LDAP Bind
DC01 is the Infrastructure Update Owner, but is not responding to DS RPC &
LDAP Bind.
Starting test: RidManager
[DC02] DsBindWithCred() failed with error -2146893022. The target principal
name is incorrect.
* The File Replication Service Event log test
Error: No record of File Replication System, SYSVOL started.
An Warning Event occured. EventID: 0x800034FD
Time Generated: 09/20/2005 16:50:11
An Warning Event occured. EventID: 0x800034D0
Time Generated: 09/20/2005 16:50:11
Event String: The File Replication Service moved the preexisting files in
c:\winnt\sysvol\domain to
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
The File Replication Service may delete the files in
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog
at any time. Files can be saved from deletion by copying them out of
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
Copying the files into c:\winnt\sysvol\domain may lead to name conflicts if
the files already exist on some other replicating partner.
In some cases, the File Replication Service may copy a file from
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog into
c:\winnt\sysvol\domain instead of replicating the file from some other
replicating partner.
Space can be recovered at any time by deleting the files in
c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 09/20/2005 16:51:52
Event String: The File Replication Service is having trouble
enabling replication from DC01 to DC02 for c:\winnt\sysvol\domain using the
DNS name DC01.ssict.org.au. FRS will keep retrying.
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x0000410A
Time Generated: 09/21/2005 14:38:20
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000C8A
Time Generated: 09/21/2005 14:52:45
Event String: Failed to authenticate with \\DC01.ssict.org.au, a Windows NT
or Windows 2000 domain controller for domain SSICT.
An Error Event occured. EventID: 0xC0000021
Starting test: FsmoCheck
Warning: Couldn't verify this server as a GC in this servers AD.
GC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
PDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd
DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
KDC Name: \\DC01.ssict.org.au
Locator Flags: 0xe00001bd ........ ssict.org.au failed test FsmoCheck

"Jorge_de_Almeida_Pinto" wrote:

> "" wrote:
> > Oh yes, I got this error on DC02 server, "Failed to
> > authenticate with
> > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
> > controller for
> > domain "XYZ". I am so scared to make more changes because
> > that may break
> > certificate service cant do new certificate. I am very
> > desperate to hear
> > anyone that knew why. Thanks muchly.
> >
> > "seeker01" wrote:
> >
> > > current environment: 2 x Windows 2000 Domain Controllers
> > with CA services
> > > running.
> > >
> > > This morning, I have performed the non-authoritative system
> > state restore on
> > > DC2 because no users can request new certificate. The system
> > state restore
> > > solved the CA problem but introduced other new non-trusted
> > errors & DNS
> > > errors . DC1 complaint "The session setup from the computer
> > DC02 failed to
> > > authenticate. The name of the account referenced in the
> > security database is
> > > SSRADCERT02$. The following error occurred: Access is
> > denied." I can ping the
> > > DC by host & fqdn but why cant I do net time
> > \DC02computername /set /y from
> > > ssradcert02 encounters errors “access denied”. I have to
> > run "net time
> > > \DC02IPaddress /set /y.
> > >
> > > Any clues why? I have coldfeet really. Thanks !
> > >
>
> what does DCDIAG /V say?
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's request
> Articles individually checked for conformance to usenet standards
> Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-...
> Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
>
Anonymous
September 21, 2005 4:58:02 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Jorge,

When I try to open active directory users and computers on DC02, I receive
the following error: "Naming information cannot be located because: The
specified directory service attribute or value does not exist. Contact your
system administrator to verify that your domain is properly configured and is
currently online." When I run net share, there is no "NETLOGON" & "SYSVOL"
share. Is this DNS related? How to determine if DNS because I can run
nslookup fine. Also the Policy & Scripts folder are actually found under the
folder of c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog. Is this
causing the problem why & should I just remove this folder? Thanks.

"Jorge_de_Almeida_Pinto" wrote:

> "" wrote:
> > Oh yes, I got this error on DC02 server, "Failed to
> > authenticate with
> > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
> > controller for
> > domain "XYZ". I am so scared to make more changes because
> > that may break
> > certificate service cant do new certificate. I am very
> > desperate to hear
> > anyone that knew why. Thanks muchly.
> >
> > "seeker01" wrote:
> >
> > > current environment: 2 x Windows 2000 Domain Controllers
> > with CA services
> > > running.
> > >
> > > This morning, I have performed the non-authoritative system
> > state restore on
> > > DC2 because no users can request new certificate. The system
> > state restore
> > > solved the CA problem but introduced other new non-trusted
> > errors & DNS
> > > errors . DC1 complaint "The session setup from the computer
> > DC02 failed to
> > > authenticate. The name of the account referenced in the
> > security database is
> > > SSRADCERT02$. The following error occurred: Access is
> > denied." I can ping the
> > > DC by host & fqdn but why cant I do net time
> > \DC02computername /set /y from
> > > ssradcert02 encounters errors “access denied”. I have to
> > run "net time
> > > \DC02IPaddress /set /y.
> > >
> > > Any clues why? I have coldfeet really. Thanks !
> > >
>
> what does DCDIAG /V say?
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's request
> Articles individually checked for conformance to usenet standards
> Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-...
> Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
>
Anonymous
September 21, 2005 5:12:03 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Ace,
Both DC01 & DC02 already running with SP4 before 1Aug05. After the system
state restore on DC02, am I supposed to re-apply the SP4 because I didnt. Is
this the reason why? There were no more changes made on both DNS servers
since the built more than a year ago. Can it be the DNS problem? Or perhaps
the problem will go away if I run nltest to reset the security channel on
DC02 since I have error "access denied" & "logon failure: unknown username or
bad password"? Thanks heaps.

"Ace Fekay [MVP]" wrote:

> In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8@microsoft.com,
> seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Oh yes, I got this error on DC02 server, "Failed to authenticate with
> > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
> > for domain "XYZ". I am so scared to make more changes because that
> > may break certificate service cant do new certificate. I am very
> > desperate to hear anyone that knew why. Thanks muchly.
> >
> > "seeker01" wrote:
> >
>
> How old was the system state that you restored?
>
> What errors are in the event logs of both DCs?
>
> Does DC01.ssict.org.au exist as a record and do the SRV records reference
> this as a DC hosting services under the zone?
>
> --
> Regards,
> Ace
>
> If this post is viewed at a non-Microsoft community website, and you were to
> respond to it through that community's website, I may not see your reply.
> Therefore, please direct all replies ONLY to the Microsoft public newsgroup
> this thread originated in so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
>
>
>
Anonymous
September 21, 2005 3:38:08 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi Ace,
> Both DC01 & DC02 already running with SP4 before 1Aug05. After the
> system state restore on DC02, am I supposed to re-apply the SP4
> because I didnt. Is this the reason why? There were no more changes
> made on both DNS servers since the built more than a year ago. Can it
> be the DNS problem? Or perhaps the problem will go away if I run
> nltest to reset the security channel on DC02 since I have error
> "access denied" & "logon failure: unknown username or bad password"?
> Thanks heaps.

August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
the date? After 60 days, the backup is useless. Also, the dcdiag you posted
upon Jorge's request, shows numerous issues related to out-of-date data. You
can try the nltest command, which should reset the channel:

nltest /sc_verify:[YourDomainName]

if that doesn't work, try:
nltest /sc_reset:[YourDomainName]

More info on it here:

About nltest:
http://www.microsoft.com/technet/prodtechnol/windowsser...

nltest syntax:
http://www.microsoft.com/technet/prodtechnol/windowsser...

Ace
Anonymous
September 21, 2005 8:16:02 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Ace,
Thanks for your email, I will try it though afraid to modify on this
production domain. Because it is still within the 60 days limit, why do I
receive these messages? What is the normal days for machine password to stay
valid, is it 30 days? I suspect this could be the issue. Do u think so ?

"Ace Fekay [MVP]" wrote:

> In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
> seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi Ace,
> > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
> > system state restore on DC02, am I supposed to re-apply the SP4
> > because I didnt. Is this the reason why? There were no more changes
> > made on both DNS servers since the built more than a year ago. Can it
> > be the DNS problem? Or perhaps the problem will go away if I run
> > nltest to reset the security channel on DC02 since I have error
> > "access denied" & "logon failure: unknown username or bad password"?
> > Thanks heaps.
>
> August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
> the date? After 60 days, the backup is useless. Also, the dcdiag you posted
> upon Jorge's request, shows numerous issues related to out-of-date data. You
> can try the nltest command, which should reset the channel:
>
> nltest /sc_verify:[YourDomainName]
>
> if that doesn't work, try:
> nltest /sc_reset:[YourDomainName]
>
> More info on it here:
>
> About nltest:
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> nltest syntax:
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> Ace
>
>
>
Anonymous
September 21, 2005 8:43:02 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Ace,
I have ID4001 error "The DNS server was unable to open zone ssict.org.au in
the Active Directory. This DNS Server is configured to obtain and use
information from the directory for this zone and is unable to load the zone
without it. Check that the Active Directory is functioning properly and
reload the zone. The event data is the error code" But do you think my
problems is DNS related or aging related issue?


"Ace Fekay [MVP]" wrote:

> In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
> seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi Ace,
> > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
> > system state restore on DC02, am I supposed to re-apply the SP4
> > because I didnt. Is this the reason why? There were no more changes
> > made on both DNS servers since the built more than a year ago. Can it
> > be the DNS problem? Or perhaps the problem will go away if I run
> > nltest to reset the security channel on DC02 since I have error
> > "access denied" & "logon failure: unknown username or bad password"?
> > Thanks heaps.
>
> August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
> the date? After 60 days, the backup is useless. Also, the dcdiag you posted
> upon Jorge's request, shows numerous issues related to out-of-date data. You
> can try the nltest command, which should reset the channel:
>
> nltest /sc_verify:[YourDomainName]
>
> if that doesn't work, try:
> nltest /sc_reset:[YourDomainName]
>
> More info on it here:
>
> About nltest:
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> nltest syntax:
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> Ace
>
>
>
Anonymous
September 21, 2005 10:54:03 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Ace,
I got the following results. Is it still safe to run nltest
/sc_reset:[domain name] from DC02? Thanks.

The results when I run “nltest” from DC02
nltest /server:ssradcert02 /sc_query:ssict
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully

The results when run from DC01
C:\>nltest /sc_query:ssict
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


"Ace Fekay [MVP]" wrote:

> In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
> seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi Ace,
> > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
> > system state restore on DC02, am I supposed to re-apply the SP4
> > because I didnt. Is this the reason why? There were no more changes
> > made on both DNS servers since the built more than a year ago. Can it
> > be the DNS problem? Or perhaps the problem will go away if I run
> > nltest to reset the security channel on DC02 since I have error
> > "access denied" & "logon failure: unknown username or bad password"?
> > Thanks heaps.
>
> August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
> the date? After 60 days, the backup is useless. Also, the dcdiag you posted
> upon Jorge's request, shows numerous issues related to out-of-date data. You
> can try the nltest command, which should reset the channel:
>
> nltest /sc_verify:[YourDomainName]
>
> if that doesn't work, try:
> nltest /sc_reset:[YourDomainName]
>
> More info on it here:
>
> About nltest:
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> nltest syntax:
> http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> Ace
>
>
>
Anonymous
September 22, 2005 2:41:00 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:815F60A4-8783-4F4D-ADB1-94BD32D3F359@microsoft.com,
seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
commented about below:
> Ace,
> I got the following results. Is it still safe to run nltest
> /sc_reset:[domain name] from DC02? Thanks.
>
> The results when I run "nltest" from DC02
> nltest /server:ssradcert02 /sc_query:ssict
> Flags: 0
> Trusted DC Name
> Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
> The command completed successfully
>
> The results when run from DC01
> C:\>nltest /sc_query:ssict
> I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Yes, run it. DC02 is not functioning and the 60 Tombstone Lifetime is
approaching.

As for the session password, it renews every 7 days, which is configurable
in the default domain policy, under Comp\Windows\Security\Kerberos.

Ace
Anonymous
September 22, 2005 4:29:04 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Ace,
I have no intention to ignore your advice but I am still blur because of my
ignorance. What exactly is this 60days limit may I know? I thought I am now
still within the 60days but why I face so many errors. Or perhaps I should
learn that "nltest" is always the command to run whenever we restore system
state? Because I am on leave next week so my boss shows great concern I can
cause further damage. Also he argued that we are not any worst because the
backup tape from 60days limit is already causing the errors, there is no
difference to even restore it from yesterday's tape now. Does it make sense?

"Ace Fekay [MVP]" wrote:

> In news:815F60A4-8783-4F4D-ADB1-94BD32D3F359@microsoft.com,
> seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
> commented about below:
> > Ace,
> > I got the following results. Is it still safe to run nltest
> > /sc_reset:[domain name] from DC02? Thanks.
> >
> > The results when I run "nltest" from DC02
> > nltest /server:ssradcert02 /sc_query:ssict
> > Flags: 0
> > Trusted DC Name
> > Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
> > The command completed successfully
> >
> > The results when run from DC01
> > C:\>nltest /sc_query:ssict
> > I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
>
> Yes, run it. DC02 is not functioning and the 60 Tombstone Lifetime is
> approaching.
>
> As for the session password, it renews every 7 days, which is configurable
> in the default domain policy, under Comp\Windows\Security\Kerberos.
>
> Ace
>
>
>
Anonymous
September 22, 2005 1:28:10 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:39FD1F53-40AF-457E-ABFA-7566A461E99B@microsoft.com,
seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi Ace,
> I have no intention to ignore your advice but I am still blur because
> of my ignorance. What exactly is this 60days limit may I know? I
> thought I am now still within the 60days but why I face so many
> errors. Or perhaps I should learn that "nltest" is always the command
> to run whenever we restore system state? Because I am on leave next
> week so my boss shows great concern I can cause further damage. Also
> he argued that we are not any worst because the backup tape from
> 60days limit is already causing the errors, there is no difference to
> even restore it from yesterday's tape now. Does it make sense?

Maybe in all honesty, if you are not trusting what you are hearing, whether
from me or anyone else in this group, I would HIGHLY suggest you call
Microsoft PSS and let them guide you. I believe there will be a charge,
unless you have an MSP agreement. It's your call.


What are you waiting for? Your vacation? You are running Certificate
services. It even complicates it. I would suggest to ACT QUICKLY and forget
your vacation next week and concentrate on this important matter. It seems
like you and your boss are gambling that the tombstone issue doesn't mean
anything to you. I'm just giving you an option before you have no more
options once the 60 Tombstone Lifetime comes up. Your issue is a secure
channel password.

You are not comprehending the seriousness of the 60 day tombstone. Once it
comes up, you will have NO OTHER CHOICE but to trash the server, seize the
FSMO roles over to the existing server, run a metadata cleanup using
ntdsutil, clean up any remaining lingering objects from the old server in
Sites and Services and using ADSI Edit, then re-format the old server and
reinstall it from scratch.

Good luck.

Below taken from:
http://www.microsoft.com/technet/archive/windows2000ser...
It is not possible to restore a backup image into a replicated enterprise
that is older than the tombstone lifetime value for the enterprise. When an
Active Directory object is deleted, it is not fully and immediately removed
from Active Directory. Instead the majority of the attributes are stripped
out and the object is moved to the deleted items container. This remaining
object is called a tombstone. This tombstone object is replicated to all
domain controllers in that respective domain so that they can learn of the
object deletion. In this manner, the original object is no longer available
to anyone searching Active Directory for it, but it is tombstoned.

The tombstone lifetime value represents the number of days that the deleted
object (or tombstone) must be retained before it can be permanently removed
from the directory. This value can be set by using the Active Directory
Service Interfaces (ADSI) edit at the directory service path below:

Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration,
dc=<<Domain_Name>>,dc=<<Domain_prefix>>

The default tombstone lifetime value is 60 days. Active Directory will not
allow data to be restored to the directory from a backup image that is older
than the tombstone lifetime. If this were to happen, the restored object
would have an Update Sequence Number (USN) too old to trigger Active
Directory replication. In this scenario, the object would never be
replicated out to other domain controllers, and the restored domain
controller would never replicate in to the necessary information to delete
the object. Active Directory on the local server would thus become
inconsistent.



Ace
September 22, 2005 2:59:53 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Need a second opinion (seeker01)?

I recently had a client with this very problem ( without the added
complexity of the CA ).

RUN, DON'T WALK, to the phone and call Microsoft PSS !!! Your BOSS has valid
concerns and you should too.

Your problem is solvable, but time is crucial at this point and it's time to
call in the pros!

By my calculation, your 60 days is up in less than a week. If you choose to
go on holiday without completely resolving this issue, then I'd suggest not
coming back.

--
/kj
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:efXBAm3vFHA.2924@TK2MSFTNGP15.phx.gbl...
> In news:39FD1F53-40AF-457E-ABFA-7566A461E99B@microsoft.com,
> seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
> commented about below:
>> Hi Ace,
>> I have no intention to ignore your advice but I am still blur because
>> of my ignorance. What exactly is this 60days limit may I know? I
>> thought I am now still within the 60days but why I face so many
>> errors. Or perhaps I should learn that "nltest" is always the command
>> to run whenever we restore system state? Because I am on leave next
>> week so my boss shows great concern I can cause further damage. Also
>> he argued that we are not any worst because the backup tape from
>> 60days limit is already causing the errors, there is no difference to
>> even restore it from yesterday's tape now. Does it make sense?
>
> Maybe in all honesty, if you are not trusting what you are hearing,
> whether from me or anyone else in this group, I would HIGHLY suggest you
> call Microsoft PSS and let them guide you. I believe there will be a
> charge, unless you have an MSP agreement. It's your call.
>
>
> What are you waiting for? Your vacation? You are running Certificate
> services. It even complicates it. I would suggest to ACT QUICKLY and
> forget your vacation next week and concentrate on this important matter.
> It seems like you and your boss are gambling that the tombstone issue
> doesn't mean anything to you. I'm just giving you an option before you
> have no more options once the 60 Tombstone Lifetime comes up. Your issue
> is a secure channel password.
>
> You are not comprehending the seriousness of the 60 day tombstone. Once it
> comes up, you will have NO OTHER CHOICE but to trash the server, seize the
> FSMO roles over to the existing server, run a metadata cleanup using
> ntdsutil, clean up any remaining lingering objects from the old server in
> Sites and Services and using ADSI Edit, then re-format the old server and
> reinstall it from scratch.
>
> Good luck.
>
> Below taken from:
> http://www.microsoft.com/technet/archive/windows2000ser...
> It is not possible to restore a backup image into a replicated enterprise
> that is older than the tombstone lifetime value for the enterprise. When
> an Active Directory object is deleted, it is not fully and immediately
> removed from Active Directory. Instead the majority of the attributes are
> stripped out and the object is moved to the deleted items container. This
> remaining object is called a tombstone. This tombstone object is
> replicated to all domain controllers in that respective domain so that
> they can learn of the object deletion. In this manner, the original object
> is no longer available to anyone searching Active Directory for it, but it
> is tombstoned.
>
> The tombstone lifetime value represents the number of days that the
> deleted object (or tombstone) must be retained before it can be
> permanently removed from the directory. This value can be set by using the
> Active Directory Service Interfaces (ADSI) edit at the directory service
> path below:
>
> Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration,
> dc=<<Domain_Name>>,dc=<<Domain_prefix>>
>
> The default tombstone lifetime value is 60 days. Active Directory will not
> allow data to be restored to the directory from a backup image that is
> older than the tombstone lifetime. If this were to happen, the restored
> object would have an Update Sequence Number (USN) too old to trigger
> Active Directory replication. In this scenario, the object would never be
> replicated out to other domain controllers, and the restored domain
> controller would never replicate in to the necessary information to delete
> the object. Active Directory on the local server would thus become
> inconsistent.
>
>
>
> Ace
>
>
>
>
!