Problems after Restore System State

Archived from groups: microsoft.public.win2000.active_directory (More info?)

current environment: 2 x Windows 2000 Domain Controllers with CA services
running.

This morning I performed a non-authoritative system state restore on DC2
because no users could request new certificates. The system state restore
solved the CA problem but introduced new trust errors & DNS errors. DC1
complains: "The session setup from the computer DC02 failed to authenticate.
The name of the account referenced in the security database is SSRADCERT02$.
The following error occurred: Access is denied." I can ping the DC by host &
FQDN, but why can't I run net time \\DC02computername /set /y from ssradcert02
without getting "access denied"? I have to run "net time \\DC02IPaddress /set /y".

Any clues why? I have cold feet really. Thanks!
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Oh yes, I get this error on the DC02 server: "Failed to authenticate with
    \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller for
    domain "XYZ"." I am scared to make more changes because that may break the
    certificate service so it can't issue new certificates. I am very desperate
    to hear from anyone who knows why. Thanks muchly.

    "seeker01" wrote:

    > current environment: 2 x Windows 2000 Domain Controllers with CA services
    > running.
    >
    > This morning, I have performed the non-authoritative system state restore on
    > DC2 because no users can request new certificate. The system state restore
    > solved the CA problem but introduced other new non-trusted errors & DNS
    > errors . DC1 complaint "The session setup from the computer DC02 failed to
    > authenticate. The name of the account referenced in the security database is
    > SSRADCERT02$. The following error occurred: Access is denied." I can ping the
    > DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
    > ssradcert02 encounters errors “access denied”. I have to run "net time
    > \\DC02IPaddress /set /y.
    >
    > Any clues why? I have coldfeet really. Thanks !
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8@microsoft.com,
    seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    commented about below:
    > Oh yes, I got this error on DC02 server, "Failed to authenticate with
    > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
    > for domain "XYZ". I am so scared to make more changes because that
    > may break certificate service cant do new certificate. I am very
    > desperate to hear anyone that knew why. Thanks muchly.
    >
    > "seeker01" wrote:
    >

    How old was the system state that you restored?

    What errors are in the event logs of both DCs?

    Does DC01.ssict.org.au exist as a record and do the SRV records reference
    this as a DC hosting services under the zone?

    --
    Regards,
    Ace

    If this post is viewed at a non-Microsoft community website, and you were to
    respond to it through that community's website, I may not see your reply.
    Therefore, please direct all replies ONLY to the Microsoft public newsgroup
    this thread originated in so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Ace,
    Thanks for your email. The system state that I restored was from the 1Aug05 tape.

    DC01 errors are: (1) ID5722 from NETLOGON "The session setup from the
    computer DC02 failed to authenticate. The name of the account referenced in
    the security database is DC02$. The following error occurred: Access is
    denied." (2) ID3034 from MRxSMB "The redirector was unable to initialize
    security context or query context attributes". (3) ID13508 from NtFrs "File
    Replication Service is having trouble enabling replication from DC02 to DC01
    for c:\winnt\sysvol\domain using the DNS name DC02.ssict.org.au. FRS will
    keep retrying."

    DC02 errors are: (1) ID1000 from Userenv "Windows cannot determine the user
    or computer name. Return value (-2146893022)" (2) ID3034 from MRxSMB "The
    redirector was unable to initialize security context or query context
    attributes". (3) ID16650 from SAM "The account-identifier allocator failed to
    initialize properly. The record data contains the NT error code that caused
    the failure. Windows 2000 will retry the initialization until it succeeds;
    until that time, account creation will be denied on this Domain Controller.
    Please look for other SAM event logs that may indicate the exact reason for
    the failure"

    I am not sure if this is a DNS-related issue because my nslookup works fine.
    Does the secure channel need resetting? What is the right command, and from
    where should I run it? Thanks a bunch really :-/

    Seeker01

    "Ace Fekay [MVP]" wrote:

    > In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8@microsoft.com,
    > seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    > commented about below:
    > > Oh yes, I got this error on DC02 server, "Failed to authenticate with
    > > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
    > > for domain "XYZ". I am so scared to make more changes because that
    > > may break certificate service cant do new certificate. I am very
    > > desperate to hear anyone that knew why. Thanks muchly.
    > >
    > > "seeker01" wrote:
    > >
    >
    > How old was the system state that you restored?
    >
    > What errors are in the event logs of both DCs?
    >
    > Does DC01.ssict.org.au exist as a record and do the SRV records reference
    > this as a DC hosting services under the zone?
    >
    > --
    > Regards,
    > Ace
    >
    > If this post is viewed at a non-Microsoft community website, and you were to
    > respond to it through that community's website, I may not see your reply.
    > Therefore, please direct all replies ONLY to the Microsoft public newsgroup
    > this thread originated in so all can benefit.
    >
    > This posting is provided "AS-IS" with no warranties or guarantees and
    > confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    > Microsoft Windows MVP - Windows Server - Directory Services
    > Infinite Diversities in Infinite Combinations.
    > =================================
    >
    >
    >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "" wrote:
    > Oh yes, I got this error on DC02 server, "Failed to
    > authenticate with
    > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
    > controller for
    > domain "XYZ". I am so scared to make more changes because
    > that may break
    > certificate service cant do new certificate. I am very
    > desperate to hear
    > anyone that knew why. Thanks muchly.
    >
    > "seeker01" wrote:
    >
    > > current environment: 2 x Windows 2000 Domain Controllers
    > with CA services
    > > running.
    > >
    > > This morning, I have performed the non-authoritative system
    > state restore on
    > > DC2 because no users can request new certificate. The system
    > state restore
    > > solved the CA problem but introduced other new non-trusted
    > errors & DNS
    > > errors . DC1 complaint "The session setup from the computer
    > DC02 failed to
    > > authenticate. The name of the account referenced in the
    > security database is
    > > SSRADCERT02$. The following error occurred: Access is
    > denied." I can ping the
    > > DC by host & fqdn but why cant I do net time
    > \DC02computername /set /y from
    > > ssradcert02 encounters errors “access denied”. I have to
    > run "net time
    > > \DC02IPaddress /set /y.
    > >
    > > Any clues why? I have coldfeet really. Thanks !
    > >

    what does DCDIAG /V say?

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-Restore-System-State-ftopict423569.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Jorge,
    Thanks for your email. I was afraid of running anything, but I think it should
    be safe to run "DCDIAG /V" from DC02. I will inform you of the status later on.

    Regards,
    Seeker01

    "Jorge_de_Almeida_Pinto" wrote:

    > "" wrote:
    > > Oh yes, I got this error on DC02 server, "Failed to
    > > authenticate with
    > > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
    > > controller for
    > > domain "XYZ". I am so scared to make more changes because
    > > that may break
    > > certificate service cant do new certificate. I am very
    > > desperate to hear
    > > anyone that knew why. Thanks muchly.
    > >
    > > "seeker01" wrote:
    > >
    > > > current environment: 2 x Windows 2000 Domain Controllers
    > > with CA services
    > > > running.
    > > >
    > > > This morning, I have performed the non-authoritative system
    > > state restore on
    > > > DC2 because no users can request new certificate. The system
    > > state restore
    > > > solved the CA problem but introduced other new non-trusted
    > > errors & DNS
    > > > errors . DC1 complaint "The session setup from the computer
    > > DC02 failed to
    > > > authenticate. The name of the account referenced in the
    > > security database is
    > > > SSRADCERT02$. The following error occurred: Access is
    > > denied." I can ping the
    > > > DC by host & fqdn but why cant I do net time
    > > \DC02computername /set /y from
    > > > ssradcert02 encounters errors “access denied”. I have to
    > > run "net time
    > > > \DC02IPaddress /set /y.
    > > >
    > > > Any clues why? I have coldfeet really. Thanks !
    > > >
    >
    > what does DCDIAG /V say?
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's request
    > Articles individually checked for conformance to usenet standards
    > Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-Restore-System-State-ftopict423569.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
    >
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Jorge, below is the Dcdiag /v results from DC01 & DC02. Thanks for your
    help.

    [Replications Check,DC01] A recent replication attempt failed:
    From DC02 to DC01
    The replication generated an error (1908):
    Win32 Error 1908
    The failure occurred at 2005-09-21 14:50.17.
    The last success occurred at 2005-09-20 09:56.03.
    Kerberos Error.
    A KDC was not found to authenticate the call.
    [DC02] DsBind() failed with error -2146893022,
    Win32 Error -2146893022.
    Warning: DC01 is not advertising as a time server.
    w32time Service is stopped on [DC01]
    Starting test: frssysvol
    * The File Replication Service Event log test
    An Warning Event occured. EventID: 0x800034C4
    Time Generated: 09/20/2005 17:07:48
    enabling replication from DC02 to DC01 for c:\winnt\sysvol\domain using the
    DNS name DC02.ssict.org.au. FRS will keep retrying.
    [1] FRS can not correctly resolve the DNS name DC02.ssict.org.au from this
    computer.
    [2] FRS is not running on DC02.ssict.org.au.
    [3] The topology information in the Active Directory for this replica has
    not yet replicated to all the Domain Controllers.
    Starting test: FsmoCheck
    GC Name: \\DC01.ssict.org.au
    Locator Flags: 0xe00001bd
    PDC Name: \\DC01.ssict.org.au
    Locator Flags: 0xe00001bd
    Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
    A Time Server could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
    A Good Time Server could not be located.
    KDC Name: \\DC01.ssict.org.au
    Locator Flags: 0xe00001bd......... ssict.org.au failed test FsmoCheck
    =========================
    [Replications Check,DC02] A recent replication attempt failed:
    From DC01 to DC02
    The replication generated an error (1326):
    Logon failure: unknown user name or bad password.
    The failure occurred at 2005-09-21 14:46.52.
    The last success occurred at 2005-08-01 16:59.20.
    Kerberos Error.
    The machine account is not present, or does not match on the.
    destination, source or KDC servers.
    [DC01] DsBind() failed with error -2146893022,
    The target principal name is incorrect..
    Warning: DsGetDcName returned information for \\DC01.ssict.org.au, when we
    were trying to reach DC02.
    Server is not responding or is not considered suitable.
    Warning: DC02 is not advertising as a time server.
    Warning: DC01 is the Schema Owner, but is not responding to DS RPC Bind.
    [DC01] LDAP bind failed with error 31,
    A device attached to the system is not functioning..
    DC01 is the Schema Owner, but is not responding to LDAP Bind.
    DC01 is the Domain Owner, but is not responding to DS RPC & LDAP Bind.
    DC01 is the PDC Owner, but is not responding to DS RPC & LDAP Bind.
    DC01 is the Rid Owner, but is not responding to DS RPC & LDAP Bind
    DC01 is the Infrastructure Update Owner, but is not responding to DS RPC &
    LDAP Bind.
    Starting test: RidManager
    [DC02] DsBindWithCred() failed with error -2146893022. The target principal
    name is incorrect.
    * The File Replication Service Event log test
    Error: No record of File Replication System, SYSVOL started.
    An Warning Event occured. EventID: 0x800034FD
    Time Generated: 09/20/2005 16:50:11
    An Warning Event occured. EventID: 0x800034D0
    Time Generated: 09/20/2005 16:50:11
    Event String: The File Replication Service moved the preexisting files in
    c:\winnt\sysvol\domain to
    c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
    The File Replication Service may delete the files in
    c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog
    at any time. Files can be saved from deletion by copying them out of
    c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
    Copying the files into c:\winnt\sysvol\domain may lead to name conflicts if
    the files already exist on some other replicating partner.
    In some cases, the File Replication Service may copy a file from
    c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog into
    c:\winnt\sysvol\domain instead of replicating the file from some other
    replicating partner.
    Space can be recovered at any time by deleting the files in
    c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog.
    An Warning Event occured. EventID: 0x800034C4
    Time Generated: 09/20/2005 16:51:52
    Event String: The File Replication Service is having trouble
    enabling replication from DC01 to DC02 for c:\winnt\sysvol\domain using the
    DNS name DC01.ssict.org.au. FRS will keep retrying.
    Starting test: systemlog
    * The System Event log test
    An Error Event occured. EventID: 0x0000410A
    Time Generated: 09/21/2005 14:38:20
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0x00000C8A
    Time Generated: 09/21/2005 14:52:45
    Event String: Failed to authenticate with \\DC01.ssict.org.au, a Windows NT
    or Windows 2000 domain controller for domain SSICT.
    An Error Event occured. EventID: 0xC0000021
    Starting test: FsmoCheck
    Warning: Couldn't verify this server as a GC in this servers AD.
    GC Name: \\DC01.ssict.org.au
    Locator Flags: 0xe00001bd
    PDC Name: \\DC01.ssict.org.au
    Locator Flags: 0xe00001bd
    DcGetDcName(TIME_SERVER) call failed, error 1355
    A Time Server could not be located.
    The server holding the PDC role is down.
    DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
    A Good Time Server could not be located.
    KDC Name: \\DC01.ssict.org.au
    Locator Flags: 0xe00001bd ........ ssict.org.au failed test FsmoCheck

    "Jorge_de_Almeida_Pinto" wrote:

    > "" wrote:
    > > Oh yes, I got this error on DC02 server, "Failed to
    > > authenticate with
    > > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
    > > controller for
    > > domain "XYZ". I am so scared to make more changes because
    > > that may break
    > > certificate service cant do new certificate. I am very
    > > desperate to hear
    > > anyone that knew why. Thanks muchly.
    > >
    > > "seeker01" wrote:
    > >
    > > > current environment: 2 x Windows 2000 Domain Controllers
    > > with CA services
    > > > running.
    > > >
    > > > This morning, I have performed the non-authoritative system
    > > state restore on
    > > > DC2 because no users can request new certificate. The system
    > > state restore
    > > > solved the CA problem but introduced other new non-trusted
    > > errors & DNS
    > > > errors . DC1 complaint "The session setup from the computer
    > > DC02 failed to
    > > > authenticate. The name of the account referenced in the
    > > security database is
    > > > SSRADCERT02$. The following error occurred: Access is
    > > denied." I can ping the
    > > > DC by host & fqdn but why cant I do net time
    > > \DC02computername /set /y from
    > > > ssradcert02 encounters errors “access denied”. I have to
    > > run "net time
    > > > \DC02IPaddress /set /y.
    > > >
    > > > Any clues why? I have coldfeet really. Thanks !
    > > >
    >
    > what does DCDIAG /V say?
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's request
    > Articles individually checked for conformance to usenet standards
    > Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-Restore-System-State-ftopict423569.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
    >
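The dcdiag /v transcript above is easier to read once the replication blocks are turned into records with the gap between last success and last failure computed. The following is an added example, not part of the thread and not dcdiag's own tooling: the sample text is copied from the output posted above, while the function, its field names and the date handling are my own assumptions about the transcript format.

```powershell
# Added example; not part of the thread or of dcdiag itself. Parses the
# "[Replications Check,...]" blocks of a dcdiag /v transcript into objects so
# the gap between last success and last failure is visible as a number.
# The sample text is copied from the dcdiag output posted in the thread.

$sampleDcdiag = @'
[Replications Check,DC01] A recent replication attempt failed:
From DC02 to DC01
The replication generated an error (1908):
Win32 Error 1908
The failure occurred at 2005-09-21 14:50.17.
The last success occurred at 2005-09-20 09:56.03.
Kerberos Error.
A KDC was not found to authenticate the call.
=========================
[Replications Check,DC02] A recent replication attempt failed:
From DC01 to DC02
The replication generated an error (1326):
Logon failure: unknown user name or bad password.
The failure occurred at 2005-09-21 14:46.52.
The last success occurred at 2005-08-01 16:59.20.
Kerberos Error.
'@

function ConvertFrom-DcdiagReplication {
    param([Parameter(Mandatory)][string]$Text)

    $culture  = [Globalization.CultureInfo]::InvariantCulture
    $blocks   = New-Object System.Collections.Generic.List[object]
    $current  = $null
    $wantText = $false   # true on the line after "generated an error (...)"

    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()

        if ($line -match '^\[Replications Check,(?<dc>[^\]]+)\]') {
            $current = [pscustomobject]@{
                ReportingDC = $Matches.dc; Source = $null; Destination = $null
                ErrorCode   = $null;       ErrorText = $null
                LastFailure = $null;       LastSuccess = $null; StaleDays = $null
            }
            $blocks.Add($current)
            continue
        }
        if ($null -eq $current) { continue }

        if ($wantText) { $current.ErrorText = $line; $wantText = $false; continue }

        if ($line -match '^From (?<src>\S+) to (?<dst>\S+)$') {
            $current.Source = $Matches.src; $current.Destination = $Matches.dst
        }
        elseif ($line -match '^The replication generated an error \((?<code>\d+)\)') {
            $current.ErrorCode = [int]$Matches.code; $wantText = $true
        }
        elseif ($line -match '^The (?<kind>failure|last success) occurred at (?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}\.\d{2})') {
            # dcdiag writes HH:MM.SS; normalise the seconds separator before parsing
            $stamp = [datetime]::ParseExact($Matches.ts.Replace('.', ':'), 'yyyy-MM-dd HH:mm:ss', $culture)
            if ($Matches.kind -eq 'failure') { $current.LastFailure = $stamp } else { $current.LastSuccess = $stamp }
        }
    }

    # Days between the last good replication and the most recent failure.
    foreach ($b in $blocks) {
        if ($b.LastFailure -and $b.LastSuccess) {
            $b.StaleDays = [math]::Round(($b.LastFailure - $b.LastSuccess).TotalDays, 1)
        }
    }
    return $blocks
}

ConvertFrom-DcdiagReplication -Text $sampleDcdiag |
    Format-Table ReportingDC, Source, Destination, ErrorCode, ErrorText, LastSuccess, StaleDays -AutoSize
```

On the posted sample the DC01 row shows inbound replication from DC02 broken for about 1.2 days (since 20 Sep), while the DC02 row shows its last successful inbound replication from DC01 on 1 Aug 2005, about 50.9 days earlier. That date is the date of the restored tape, which is the clearest single indicator that the restore rolled DC02's directory back by seven weeks.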
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Jorge,

    When I try to open Active Directory Users and Computers on DC02, I receive
    the following error: "Naming information cannot be located because: The
    specified directory service attribute or value does not exist. Contact your
    system administrator to verify that your domain is properly configured and is
    currently online." When I run net share, there are no "NETLOGON" & "SYSVOL"
    shares. Is this DNS related? How do I determine whether it is DNS, given that
    I can run nslookup fine? Also, the Policy & Scripts folders are actually found
    under c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog. Is this
    causing the problem, and should I just remove this folder? Thanks.

    "Jorge_de_Almeida_Pinto" wrote:

    > "" wrote:
    > > Oh yes, I got this error on DC02 server, "Failed to
    > > authenticate with
    > > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
    > > controller for
    > > domain "XYZ". I am so scared to make more changes because
    > > that may break
    > > certificate service cant do new certificate. I am very
    > > desperate to hear
    > > anyone that knew why. Thanks muchly.
    > >
    > > "seeker01" wrote:
    > >
    > > > current environment: 2 x Windows 2000 Domain Controllers
    > > with CA services
    > > > running.
    > > >
    > > > This morning, I have performed the non-authoritative system
    > > state restore on
    > > > DC2 because no users can request new certificate. The system
    > > state restore
    > > > solved the CA problem but introduced other new non-trusted
    > > errors & DNS
    > > > errors . DC1 complaint "The session setup from the computer
    > > DC02 failed to
    > > > authenticate. The name of the account referenced in the
    > > security database is
    > > > SSRADCERT02$. The following error occurred: Access is
    > > denied." I can ping the
    > > > DC by host & fqdn but why cant I do net time
    > > \DC02computername /set /y from
    > > > ssradcert02 encounters errors “access denied”. I have to
    > > run "net time
    > > > \DC02IPaddress /set /y.
    > > >
    > > > Any clues why? I have coldfeet really. Thanks !
    > > >
    >
    > what does DCDIAG /V say?
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's request
    > Articles individually checked for conformance to usenet standards
    > Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-Restore-System-State-ftopict423569.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532
    >
  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Ace,
    Both DC01 & DC02 were already running SP4 before 1Aug05. After the system
    state restore on DC02, am I supposed to re-apply SP4? I didn't. Is this the
    reason? There have been no more changes made on either DNS server since they
    were built more than a year ago. Can it be a DNS problem? Or perhaps the
    problem will go away if I run nltest to reset the secure channel on DC02,
    since I have the errors "access denied" & "logon failure: unknown username or
    bad password"? Thanks heaps.

    "Ace Fekay [MVP]" wrote:

    > In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8@microsoft.com,
    > seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    > commented about below:
    > > Oh yes, I got this error on DC02 server, "Failed to authenticate with
    > > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
    > > for domain "XYZ". I am so scared to make more changes because that
    > > may break certificate service cant do new certificate. I am very
    > > desperate to hear anyone that knew why. Thanks muchly.
    > >
    > > "seeker01" wrote:
    > >
    >
    > How old was the system state that you restored?
    >
    > What errors are in the event logs of both DCs?
    >
    > Does DC01.ssict.org.au exist as a record and do the SRV records reference
    > this as a DC hosting services under the zone?
    >
    > --
    > Regards,
    > Ace
    >
    > If this post is viewed at a non-Microsoft community website, and you were to
    > respond to it through that community's website, I may not see your reply.
    > Therefore, please direct all replies ONLY to the Microsoft public newsgroup
    > this thread originated in so all can benefit.
    >
    > This posting is provided "AS-IS" with no warranties or guarantees and
    > confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    > Microsoft Windows MVP - Windows Server - Directory Services
    > Infinite Diversities in Infinite Combinations.
    > =================================
    >
    >
    >
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
    seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    commented about below:
    > Hi Ace,
    > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
    > system state restore on DC02, am I supposed to re-apply the SP4
    > because I didnt. Is this the reason why? There were no more changes
    > made on both DNS servers since the built more than a year ago. Can it
    > be the DNS problem? Or perhaps the problem will go away if I run
    > nltest to reset the security channel on DC02 since I have error
    > "access denied" & "logon failure: unknown username or bad password"?
    > Thanks heaps.

    August 1, 2005? Wow. That is approaching the 60-day limit. Are you sure about
    the date? After 60 days, the backup is useless. Also, the dcdiag you posted
    at Jorge's request shows numerous issues related to out-of-date data. You
    can try the nltest command, which should reset the channel:

    nltest /sc_verify:[YourDomainName]

    if that doesn't work, try:
    nltest /sc_reset:[YourDomainName]

    More info on it here:

    About nltest:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx

    nltest syntax:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx

    Ace
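The two nltest commands above are meant to be run in that order: verify first, and reset only if verification fails. The script below is an added example, not Ace's or Microsoft's code, that wraps them so the order is enforced and every line nltest prints is logged before and after the change. It assumes nltest.exe on the path and PowerShell 3 or later; on the Windows 2000 DCs in this thread the same nltest lines are typed at a cmd.exe prompt instead. The log path and the NetBIOS domain name default are assumptions (the name is the one used in the thread).

```powershell
# Added example, not Ace's or Microsoft's code: runs /sc_verify before
# /sc_reset and logs all nltest output. Assumes nltest.exe on the path.
param(
    [string]$Domain  = 'ssict',                                  # NetBIOS domain name from the thread
    [string]$LogPath = (Join-Path $env:TEMP 'secure-channel.log')
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Invoke-Nltest {
    # Runs one nltest switch, logs its output and returns $true only when the
    # status token is NERR_Success (the same "Status = ..." line format shown
    # in the thread, where the failing DC printed ERROR_ACCESS_DENIED).
    param([Parameter(Mandatory)][string]$Switch)
    Write-Log "> nltest $Switch"
    $output = @(& nltest.exe $Switch 2>&1 | ForEach-Object { [string]$_ })
    foreach ($o in $output) { Write-Log "    $o" }
    return [bool]($output -match 'NERR_Success')
}

# 1. Read-only snapshot of the current channel state.
$null = Invoke-Nltest "/sc_query:$Domain"

# 2. Verify; a healthy channel ends here and nothing is changed.
if (Invoke-Nltest "/sc_verify:$Domain") {
    Write-Log "Secure channel to $Domain verified; no reset performed."
    return
}

# 3. Reset only after verify failed, then query again to confirm the outcome.
Write-Log "Verify failed; resetting the secure channel to $Domain."
$reset = Invoke-Nltest "/sc_reset:$Domain"
$null  = Invoke-Nltest "/sc_query:$Domain"
if ($reset) {
    Write-Log "Reset succeeded; re-run dcdiag /v and check that the replication errors clear."
} else {
    Write-Log "Reset failed; log is at $LogPath. Check DNS SRV records and time sync first, then retry."
}
```

Keeping the pre-change /sc_query output in the log matters on a production domain like the one in this thread: if the reset does not help, the log shows exactly what state the channel was in before anything was touched.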
  10. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Ace,
    Thanks for your email. I will try it, though I am afraid to modify this
    production domain. Since it is still within the 60-day limit, why do I
    receive these messages? What is the normal number of days for the machine
    password to stay valid; is it 30 days? I suspect this could be the issue. Do
    you think so?

    "Ace Fekay [MVP]" wrote:

    > In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
    > seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    > commented about below:
    > > Hi Ace,
    > > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
    > > system state restore on DC02, am I supposed to re-apply the SP4
    > > because I didnt. Is this the reason why? There were no more changes
    > > made on both DNS servers since the built more than a year ago. Can it
    > > be the DNS problem? Or perhaps the problem will go away if I run
    > > nltest to reset the security channel on DC02 since I have error
    > > "access denied" & "logon failure: unknown username or bad password"?
    > > Thanks heaps.
    >
    > August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
    > the date? After 60 days, the backup is useless. Also, the dcdiag you posted
    > upon Jorge's request, shows numerous issues related to out-of-date data. You
    > can try the nltest command, which should reset the channel:
    >
    > nltest /sc_verify:[YourDomainName]
    >
    > if that doesn't work, try:
    > nltest /sc_reset:[YourDomainName]
    >
    > More info on it here:
    >
    > About nltest:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx
    >
    > nltest syntax:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx
    >
    > Ace
    >
    >
    >
  11. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi Ace,
    I have an ID4001 error: "The DNS server was unable to open zone ssict.org.au in
    the Active Directory. This DNS Server is configured to obtain and use
    information from the directory for this zone and is unable to load the zone
    without it. Check that the Active Directory is functioning properly and
    reload the zone. The event data is the error code." But do you think my
    problem is DNS related or an aging-related issue?


    "Ace Fekay [MVP]" wrote:

    > In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
    > seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    > commented about below:
    > > Hi Ace,
    > > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
    > > system state restore on DC02, am I supposed to re-apply the SP4
    > > because I didnt. Is this the reason why? There were no more changes
    > > made on both DNS servers since the built more than a year ago. Can it
    > > be the DNS problem? Or perhaps the problem will go away if I run
    > > nltest to reset the security channel on DC02 since I have error
    > > "access denied" & "logon failure: unknown username or bad password"?
    > > Thanks heaps.
    >
    > August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
    > the date? After 60 days, the backup is useless. Also, the dcdiag you posted
    > upon Jorge's request, shows numerous issues related to out-of-date data. You
    > can try the nltest command, which should reset the channel:
    >
    > nltest /sc_verify:[YourDomainName]
    >
    > if that doesn't work, try:
    > nltest /sc_reset:[YourDomainName]
    >
    > More info on it here:
    >
    > About nltest:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx
    >
    > nltest syntax:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx
    >
    > Ace
    >
    >
    >
  12. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Ace,
    I got the following results. Is it still safe to run nltest
    /sc_reset:[domain name] from DC02? Thanks.

    The results when I run “nltest” from DC02
    nltest /server:ssradcert02 /sc_query:ssict
    Flags: 0
    Trusted DC Name
    Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
    The command completed successfully

    The results when run from DC01
    C:\>nltest /sc_query:ssict
    I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


    "Ace Fekay [MVP]" wrote:

    > In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04@microsoft.com,
    > seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    > commented about below:
    > > Hi Ace,
    > > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
    > > system state restore on DC02, am I supposed to re-apply the SP4
    > > because I didnt. Is this the reason why? There were no more changes
    > > made on both DNS servers since the built more than a year ago. Can it
    > > be the DNS problem? Or perhaps the problem will go away if I run
    > > nltest to reset the security channel on DC02 since I have error
    > > "access denied" & "logon failure: unknown username or bad password"?
    > > Thanks heaps.
    >
    > August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about
    > the date? After 60 days, the backup is useless. Also, the dcdiag you posted
    > upon Jorge's request, shows numerous issues related to out-of-date data. You
    > can try the nltest command, which should reset the channel:
    >
    > nltest /sc_verify:[YourDomainName]
    >
    > if that doesn't work, try:
    > nltest /sc_reset:[YourDomainName]
    >
    > More info on it here:
    >
    > About nltest:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx
    >
    > nltest syntax:
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx
    >
    > Ace
    >
    >
    >
  13. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    In news:815F60A4-8783-4F4D-ADB1-94BD32D3F359@microsoft.com,
    seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    commented about below:
    > Ace,
    > I got the following results. Is it still safe to run nltest
    > /sc_reset:[domain name] from DC02? Thanks.
    >
    > The results when I run "nltest" from DC02
    > nltest /server:ssradcert02 /sc_query:ssict
    > Flags: 0
    > Trusted DC Name
    > Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
    > The command completed successfully
    >
    > The results when run from DC01
    > C:\>nltest /sc_query:ssict
    > I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    Yes, run it. DC02 is not functioning and the 60-day tombstone lifetime is
    approaching.

    As for the session password, it renews every 7 days, which is configurable
    in the default domain policy, under Comp\Windows\Security\Kerberos.

    Ace
  14. Archived from groups: microsoft.public.win2000.active_directory

    Hi Ace,
    I have no intention to ignore your advice, but I am still unclear because of my
    ignorance. What exactly is this 60-day limit, may I know? I thought I am now
    still within the 60 days, but why do I face so many errors? Or perhaps I should
    learn that "nltest" is always the command to run whenever we restore system
    state? Because I am on leave next week, my boss shows great concern that I can
    cause further damage. Also he argued that we are not any worse off, because if the
    backup tape within the 60-day limit is already causing the errors, there is no
    difference even if we restore from yesterday's tape now. Does it make sense?

    "Ace Fekay [MVP]" wrote:

    > In news:815F60A4-8783-4F4D-ADB1-94BD32D3F359@microsoft.com,
    > seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    > commented about below:
    > > Ace,
    > > I got the following results. Is it still safe to run nltest
    > > /sc_reset:[domain name] from DC02? Thanks.
    > >
    > > The results when I run "nltest" from DC02
    > > nltest /server:ssradcert02 /sc_query:ssict
    > > Flags: 0
    > > Trusted DC Name
    > > Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
    > > The command completed successfully
    > >
    > > The results when run from DC01
    > > C:\>nltest /sc_query:ssict
    > > I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
    >
    > Yes, run it. DC02 is not functioning and the 60-day tombstone lifetime is
    > approaching.
    >
    > As for the session password, it renews every 7 days, which is configurable
    > in the default domain policy, under Comp\Windows\Security\Kerberos.
    >
    > Ace
    >
    >
    >
  15. Archived from groups: microsoft.public.win2000.active_directory

    In news:39FD1F53-40AF-457E-ABFA-7566A461E99B@microsoft.com,
    seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    commented about below:
    > Hi Ace,
    > I have no intention to ignore your advice, but I am still unclear because
    > of my ignorance. What exactly is this 60-day limit, may I know? I
    > thought I am now still within the 60 days, but why do I face so many
    > errors? Or perhaps I should learn that "nltest" is always the command
    > to run whenever we restore system state? Because I am on leave next
    > week, my boss shows great concern that I can cause further damage. Also
    > he argued that we are not any worse off, because if the backup tape within
    > the 60-day limit is already causing the errors, there is no difference
    > even if we restore from yesterday's tape now. Does it make sense?

    Maybe in all honesty, if you are not trusting what you are hearing, whether
    from me or anyone else in this group, I would HIGHLY suggest you call
    Microsoft PSS and let them guide you. I believe there will be a charge,
    unless you have an MSP agreement. It's your call.


    What are you waiting for? Your vacation? You are running Certificate
    Services. That complicates it even more. I would suggest you ACT QUICKLY, forget
    your vacation next week and concentrate on this important matter. It seems
    like you and your boss are gambling that the tombstone issue doesn't mean
    anything to you. I'm just giving you an option before you have no more
    options once the 60-day tombstone lifetime comes up. Your issue is a secure
    channel password.

    You are not comprehending the seriousness of the 60 day tombstone. Once it
    comes up, you will have NO OTHER CHOICE but to trash the server, seize the
    FSMO roles over to the existing server, run a metadata cleanup using
    ntdsutil, clean up any remaining lingering objects from the old server in
    Sites and Services and using ADSI Edit, then re-format the old server and
    reinstall it from scratch.

    Good luck.

    Below taken from:
    http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch10.mspx
    It is not possible to restore a backup image into a replicated enterprise
    that is older than the tombstone lifetime value for the enterprise. When an
    Active Directory object is deleted, it is not fully and immediately removed
    from Active Directory. Instead the majority of the attributes are stripped
    out and the object is moved to the deleted items container. This remaining
    object is called a tombstone. This tombstone object is replicated to all
    domain controllers in that respective domain so that they can learn of the
    object deletion. In this manner, the original object is no longer available
    to anyone searching Active Directory for it, but it is tombstoned.

    The tombstone lifetime value represents the number of days that the deleted
    object (or tombstone) must be retained before it can be permanently removed
    from the directory. This value can be set by using the Active Directory
    Service Interfaces (ADSI) edit at the directory service path below:

    Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration,
    dc=<<Domain_Name>>,dc=<<Domain_prefix>>

    The default tombstone lifetime value is 60 days. Active Directory will not
    allow data to be restored to the directory from a backup image that is older
    than the tombstone lifetime. If this were to happen, the restored object
    would have an Update Sequence Number (USN) too old to trigger Active
    Directory replication. In this scenario, the object would never be
    replicated out to other domain controllers, and the restored domain
    controller would never replicate in to the necessary information to delete
    the object. Active Directory on the local server would thus become
    inconsistent.


    Ace
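    The two checks discussed in this thread, the secure channel query from
    post 13 and the backup-age versus tombstone-lifetime comparison from Ace's
    explanation above, can be scripted. The following is an added example, not
    code from the thread or from Microsoft. It assumes a Windows host with
    PowerShell and the nltest tool available (nltest shipped in the Support
    Tools on Windows 2000 and is built in on later versions), that the
    tombstoneLifetime attribute lives on CN=Directory Service,CN=Windows
    NT,CN=Services in the Configuration partition (an unset value means the
    60-day default), and that the caller supplies the date the restored backup
    was taken in $BackupDate. It only queries the secure channel; it never
    resets it.

    ```powershell
    # Added example (not from the thread): how many days remain before a
    # system state backup crosses the forest's tombstone lifetime, plus a
    # read-only secure channel query. $BackupDate and $Domain are caller
    # assumptions; nothing here changes the directory or the secure channel.
    param(
        [Parameter(Mandatory = $true)][datetime]$BackupDate,
        [string]$Domain = $env:USERDOMAIN
    )

    # 1. Read tombstoneLifetime from the Directory Service object in the
    #    Configuration partition. In many Windows 2000 forests the attribute
    #    is not set at all; an absent value means the 60-day default.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl      = $dsObject.Properties["tombstoneLifetime"].Value
    if ($null -eq $tsl) { $tsl = 60 }   # default when the attribute is absent
    $tsl = [int]$tsl

    $ageDays   = (New-TimeSpan -Start $BackupDate -End (Get-Date)).Days
    $remaining = $tsl - $ageDays

    Write-Host "Tombstone lifetime : $tsl days"
    Write-Host "Backup age         : $ageDays days"
    if ($remaining -le 0) {
        Write-Host "Backup is OLDER than the tombstone lifetime; it must not be restored." -ForegroundColor Red
    } else {
        Write-Host "Days left before this backup becomes unusable: $remaining" -ForegroundColor Yellow
    }

    # 2. Read-only secure channel check against the domain (no /sc_reset here).
    #    The status strings matched below are the ones nltest printed in the
    #    thread (ERROR_ACCESS_DENIED, ERROR_NO_SUCH_DOMAIN) plus NERR_Success.
    $scQuery = nltest /sc_query:$Domain 2>&1
    $scQuery | ForEach-Object { Write-Host $_ }
    if ($scQuery -match 'ERROR_ACCESS_DENIED|ERROR_NO_SUCH_DOMAIN|ERROR_NO_LOGON_SERVERS') {
        Write-Host "Secure channel is broken: verify with nltest /sc_verify, then reset with nltest /sc_reset as Ace advised." -ForegroundColor Red
    } elseif ($scQuery -match 'NERR_Success') {
        Write-Host "Secure channel OK." -ForegroundColor Green
    }
    ```

    Run it as `.\Check-RestoreAge.ps1 -BackupDate '2005-08-01'` (a constructed
    date matching the one in this thread). The tombstone lifetime is read
    rather than hard-coded because a forest where an administrator raised it
    above 60 days would otherwise be reported as expired too early; the secure
    channel query is left read-only so the script is safe to run repeatedly
    while deciding whether a reset is warranted.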
  16. Archived from groups: microsoft.public.win2000.active_directory

    Need a second opinion (seeker01)?

    I recently had a client with this very problem ( without the added
    complexity of the CA ).

    RUN, DON'T WALK, to the phone and call Microsoft PSS !!! Your BOSS has valid
    concerns and you should too.

    Your problem is solvable, but time is crucial at this point and it's time to
    call in the pros!

    By my calculation, your 60 days is up in less than a week. If you choose to
    go on holiday without completely resolving this issue, then I'd suggest not
    coming back.

    --
    /kj
    "Ace Fekay [MVP]"
    <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
    message news:efXBAm3vFHA.2924@TK2MSFTNGP15.phx.gbl...
    > In news:39FD1F53-40AF-457E-ABFA-7566A461E99B@microsoft.com,
    > seeker01 <seeker01@discussions.microsoft.com> made this post, which I then
    > commented about below:
    >> Hi Ace,
    >> I have no intention to ignore your advice, but I am still unclear because
    >> of my ignorance. What exactly is this 60-day limit, may I know? I
    >> thought I am now still within the 60 days, but why do I face so many
    >> errors? Or perhaps I should learn that "nltest" is always the command
    >> to run whenever we restore system state? Because I am on leave next
    >> week, my boss shows great concern that I can cause further damage. Also
    >> he argued that we are not any worse off, because if the backup tape within
    >> the 60-day limit is already causing the errors, there is no difference
    >> even if we restore from yesterday's tape now. Does it make sense?
    >
    > Maybe in all honesty, if you are not trusting what you are hearing,
    > whether from me or anyone else in this group, I would HIGHLY suggest you
    > call Microsoft PSS and let them guide you. I believe there will be a
    > charge, unless you have an MSP agreement. It's your call.
    >
    >
    > What are you waiting for? Your vacation? You are running Certificate
    > Services. That complicates it even more. I would suggest you ACT QUICKLY,
    > forget your vacation next week and concentrate on this important matter.
    > It seems like you and your boss are gambling that the tombstone issue
    > doesn't mean anything to you. I'm just giving you an option before you
    > have no more options once the 60-day tombstone lifetime comes up. Your issue
    > is a secure channel password.
    >
    > You are not comprehending the seriousness of the 60 day tombstone. Once it
    > comes up, you will have NO OTHER CHOICE but to trash the server, seize the
    > FSMO roles over to the existing server, run a metadata cleanup using
    > ntdsutil, clean up any remaining lingering objects from the old server in
    > Sites and Services and using ADSI Edit, then re-format the old server and
    > reinstall it from scratch.
    >
    > Good luck.
    >
    > Below taken from:
    > http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch10.mspx
    > It is not possible to restore a backup image into a replicated enterprise
    > that is older than the tombstone lifetime value for the enterprise. When
    > an Active Directory object is deleted, it is not fully and immediately
    > removed from Active Directory. Instead the majority of the attributes are
    > stripped out and the object is moved to the deleted items container. This
    > remaining object is called a tombstone. This tombstone object is
    > replicated to all domain controllers in that respective domain so that
    > they can learn of the object deletion. In this manner, the original object
    > is no longer available to anyone searching Active Directory for it, but it
    > is tombstoned.
    >
    > The tombstone lifetime value represents the number of days that the
    > deleted object (or tombstone) must be retained before it can be
    > permanently removed from the directory. This value can be set by using the
    > Active Directory Service Interfaces (ADSI) edit at the directory service
    > path below:
    >
    > Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration,
    > dc=<<Domain_Name>>,dc=<<Domain_prefix>>
    >
    > The default tombstone lifetime value is 60 days. Active Directory will not
    > allow data to be restored to the directory from a backup image that is
    > older than the tombstone lifetime. If this were to happen, the restored
    > object would have an Update Sequence Number (USN) too old to trigger
    > Active Directory replication. In this scenario, the object would never be
    > replicated out to other domain controllers, and the restored domain
    > controller would never replicate in to the necessary information to delete
    > the object. Active Directory on the local server would thus become
    > inconsistent.
    >
    >
    >
    > Ace
    >
    >
    >
    >