issue accessing an AD server

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

I have an issue accessing an AD server; do to hardware failure I needed to
restore the server from tape. Veritas BE was unable to restore the sysvol
share point, but it did restore the files and folders. I created the share
and right however as an end user I cannot logon to the server. When I browse
the network places to the server I cannot access the server. I receive the
error Logon failure: the target account name is incorrect. This happens as
the admin as well.


I feel it could be a permission issue. Can anyone tell me how to reset the
security permission on an AD server? I want to set them to the same level as
it would be after you promote the server to an AD I know its doable I jus
went brain dead on the syntax.


I posted this in the


Thanks

Scott
4 answers Last reply
More about issue accessing server
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    You can reset local security settings to default defined levels as described
    in the link below. However on a domain controller, Domain Controller
    Security Policy will override user rights assignments. The second link shows
    how to restore Domain Controller Security Policy user rights to default or
    otherwise modify it.

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
    http://support.microsoft.com/?kbid=267553

    Having said that, I think your problem is not with security policy, but
    probably due to the fact that your computer accounts may have been corrupted
    or the comuter passwords on the backup have expired. I would first install
    the support tools on your domain controller and a domain member from the
    install disk under support/tools where you will need to run setup or the
    ..msi package there. The run first netdiag and then dcdiag on your domain
    controller looking for failed tests/fatal errors particularly in regards to
    dns, domain membership, dclist, and trust relationship. If all looks well
    for the dc, run netdiag on a domain member that is experiencing problems
    looking for the same. You may simply need to rejoing the computers to the
    domain or otherwise try to reset their accounts using netdom which may be
    easier but does not always work. If you find a lot of problems with the dc,
    look in Event Viewer for event ID error numbers and search the Knowledge
    Base or http://eventid.net for what you find. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216393

    "ScottS" <SSalvatore@lbmca.com> wrote in message
    news:#P2PBNwUEHA.712@TK2MSFTNGP11.phx.gbl...
    > Hi
    >
    > I have an issue accessing an AD server; do to hardware failure I needed to
    > restore the server from tape. Veritas BE was unable to restore the sysvol
    > share point, but it did restore the files and folders. I created the share
    > and right however as an end user I cannot logon to the server. When I
    browse
    > the network places to the server I cannot access the server. I receive the
    > error Logon failure: the target account name is incorrect. This happens as
    > the admin as well.
    >
    >
    >
    > I feel it could be a permission issue. Can anyone tell me how to reset the
    > security permission on an AD server? I want to set them to the same level
    as
    > it would be after you promote the server to an AD I know its doable I jus
    > went brain dead on the syntax.
    >
    >
    >
    > I posted this in the
    >
    >
    >
    > Thanks
    >
    > Scott
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Thank you

    All the other servers are reachable by the users. The only server that is
    having the issue is the restored one.


    Not knowing what this means, the following items failed during the netdiag
    and DCdiag.

    What would be the next steps?


    Global results:


    Domain membership test . . . . . . : Failed

    [WARNING] Ths system volume has not been completely replicated to the
    local machine. This machine is not working properly as a DC.


    Trust relationship test. . . . . . : Failed

    [FATAL] Secure channel to domain 'RCAL' is broken.
    [ERROR_NO_TRUST_SAM_ACCOUNT]


    Kerberos test. . . . . . . . . . . : Failed

    [FATAL] Kerberos does not have a ticket for SPEAKER$.


    ------------------------------------------------


    DC Diagnosis


    Performing initial setup:

    [speaker] LDAP bind failed with error 31,

    A device attached to the system is not functioning..


    "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
    news:OeIzc.59193$Sw.2529@attbi_s51...
    > You can reset local security settings to default defined levels as
    described
    > in the link below. However on a domain controller, Domain Controller
    > Security Policy will override user rights assignments. The second link
    shows
    > how to restore Domain Controller Security Policy user rights to default or
    > otherwise modify it.
    >
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
    > http://support.microsoft.com/?kbid=267553
    >
    > Having said that, I think your problem is not with security policy, but
    > probably due to the fact that your computer accounts may have been
    corrupted
    > or the comuter passwords on the backup have expired. I would first install
    > the support tools on your domain controller and a domain member from the
    > install disk under support/tools where you will need to run setup or the
    > .msi package there. The run first netdiag and then dcdiag on your domain
    > controller looking for failed tests/fatal errors particularly in regards
    to
    > dns, domain membership, dclist, and trust relationship. If all looks well
    > for the dc, run netdiag on a domain member that is experiencing problems
    > looking for the same. You may simply need to rejoing the computers to the
    > domain or otherwise try to reset their accounts using netdom which may be
    > easier but does not always work. If you find a lot of problems with the
    dc,
    > look in Event Viewer for event ID error numbers and search the Knowledge
    > Base or http://eventid.net for what you find. --- Steve
    >
    > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216393
    >
    > "ScottS" <SSalvatore@lbmca.com> wrote in message
    > news:#P2PBNwUEHA.712@TK2MSFTNGP11.phx.gbl...
    > > Hi
    > >
    > > I have an issue accessing an AD server; do to hardware failure I needed
    to
    > > restore the server from tape. Veritas BE was unable to restore the
    sysvol
    > > share point, but it did restore the files and folders. I created the
    share
    > > and right however as an end user I cannot logon to the server. When I
    > browse
    > > the network places to the server I cannot access the server. I receive
    the
    > > error Logon failure: the target account name is incorrect. This happens
    as
    > > the admin as well.
    > >
    > >
    > >
    > > I feel it could be a permission issue. Can anyone tell me how to reset
    the
    > > security permission on an AD server? I want to set them to the same
    level
    > as
    > > it would be after you promote the server to an AD I know its doable I
    jus
    > > went brain dead on the syntax.
    > >
    > >
    > >
    > > I posted this in the
    > >
    > >
    > >
    > > Thanks
    > >
    > > Scott
    > >
    > >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Well you have a couple of options.

    If you have a recent System State backup of that domain controller you could boot
    into Directory Services Restore Mode [similar to safe mode] where you would have to
    logon as the local administrator account that was configured when to computer was
    first dcpromo and then use ntbackup to restore the System State and after reboot your
    domain controller will replicate with the others do get updates.

    If you do not have a System State backup for that domain controller. You will have to
    reinstall W2K including service packs and then dcpromo it to a domain controller
    where it will replicate with other domain controllers. Note that you will have to
    clean up entries in AD Sites and Services and do a matadata cleanup of Active
    Directory using ntdsutil FIRST if you go that route. See the link below for more info
    on Active Directory restore procedures. If the failed dc held any fsmo roles or was
    global catalog server, you will need to seize those roles on another domain
    controller and create another global catalog server.

    You may also want to post in the win2000.Active_directory newsgroup to see if they
    have any further advice with a post along the line of "domain controller
    ilure". --- Steve

    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx#XSLTsection128121120120
    http://tinyurl.com/28476 -- same link as above, shorter.

    "ScottS" <SSalvatore@lbmca.com> wrote in message
    news:eskAWHyUEHA.2908@TK2MSFTNGP10.phx.gbl...
    > Thank you
    >
    > All the other servers are reachable by the users. The only server that is
    > having the issue is the restored one.
    >
    >
    >
    > Not knowing what this means, the following items failed during the netdiag
    > and DCdiag.
    >
    > What would be the next steps?
    >
    >
    >
    > Global results:
    >
    >
    >
    > Domain membership test . . . . . . : Failed
    >
    > [WARNING] Ths system volume has not been completely replicated to the
    > local machine. This machine is not working properly as a DC.
    >
    >
    >
    >
    >
    > Trust relationship test. . . . . . : Failed
    >
    > [FATAL] Secure channel to domain 'RCAL' is broken.
    > [ERROR_NO_TRUST_SAM_ACCOUNT]
    >
    >
    >
    > Kerberos test. . . . . . . . . . . : Failed
    >
    > [FATAL] Kerberos does not have a ticket for SPEAKER$.
    >
    >
    >
    > ------------------------------------------------
    >
    >
    >
    > DC Diagnosis
    >
    >
    >
    > Performing initial setup:
    >
    > [speaker] LDAP bind failed with error 31,
    >
    > A device attached to the system is not functioning..
    >
    >
    >
    >
    >
    > "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
    > news:OeIzc.59193$Sw.2529@attbi_s51...
    > > You can reset local security settings to default defined levels as
    > described
    > > in the link below. However on a domain controller, Domain Controller
    > > Security Policy will override user rights assignments. The second link
    > shows
    > > how to restore Domain Controller Security Policy user rights to default or
    > > otherwise modify it.
    > >
    > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
    > > http://support.microsoft.com/?kbid=267553
    > >
    > > Having said that, I think your problem is not with security policy, but
    > > probably due to the fact that your computer accounts may have been
    > corrupted
    > > or the comuter passwords on the backup have expired. I would first install
    > > the support tools on your domain controller and a domain member from the
    > > install disk under support/tools where you will need to run setup or the
    > > .msi package there. The run first netdiag and then dcdiag on your domain
    > > controller looking for failed tests/fatal errors particularly in regards
    > to
    > > dns, domain membership, dclist, and trust relationship. If all looks well
    > > for the dc, run netdiag on a domain member that is experiencing problems
    > > looking for the same. You may simply need to rejoing the computers to the
    > > domain or otherwise try to reset their accounts using netdom which may be
    > > easier but does not always work. If you find a lot of problems with the
    > dc,
    > > look in Event Viewer for event ID error numbers and search the Knowledge
    > > Base or http://eventid.net for what you find. --- Steve
    > >
    > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216393
    > >
    > > "ScottS" <SSalvatore@lbmca.com> wrote in message
    > > news:#P2PBNwUEHA.712@TK2MSFTNGP11.phx.gbl...
    > > > Hi
    > > >
    > > > I have an issue accessing an AD server; do to hardware failure I needed
    > to
    > > > restore the server from tape. Veritas BE was unable to restore the
    > sysvol
    > > > share point, but it did restore the files and folders. I created the
    > share
    > > > and right however as an end user I cannot logon to the server. When I
    > > browse
    > > > the network places to the server I cannot access the server. I receive
    > the
    > > > error Logon failure: the target account name is incorrect. This happens
    > as
    > > > the admin as well.
    > > >
    > > >
    > > >
    > > > I feel it could be a permission issue. Can anyone tell me how to reset
    > the
    > > > security permission on an AD server? I want to set them to the same
    > level
    > > as
    > > > it would be after you promote the server to an AD I know its doable I
    > jus
    > > > went brain dead on the syntax.
    > > >
    > > >
    > > >
    > > > I posted this in the
    > > >
    > > >
    > > >
    > > > Thanks
    > > >
    > > > Scott
    > > >
    > > >
    > >
    > >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    ouch

    Thanks I will get to it.


    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:YSKzc.55554$HG.12231@attbi_s53...
    > Well you have a couple of options.
    >
    > If you have a recent System State backup of that domain controller you
    could boot
    > into Directory Services Restore Mode [similar to safe mode] where you
    would have to
    > logon as the local administrator account that was configured when to
    computer was
    > first dcpromo and then use ntbackup to restore the System State and after
    reboot your
    > domain controller will replicate with the others do get updates.
    >
    > If you do not have a System State backup for that domain controller. You
    will have to
    > reinstall W2K including service packs and then dcpromo it to a domain
    controller
    > where it will replicate with other domain controllers. Note that you will
    have to
    > clean up entries in AD Sites and Services and do a matadata cleanup of
    Active
    > Directory using ntdsutil FIRST if you go that route. See the link below
    for more info
    > on Active Directory restore procedures. If the failed dc held any fsmo
    roles or was
    > global catalog server, you will need to seize those roles on another
    domain
    > controller and create another global catalog server.
    >
    > You may also want to post in the win2000.Active_directory newsgroup to see
    if they
    > have any further advice with a post along the line of "domain controller
    > ilure". --- Steve
    >
    >
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/ac
    tivedirectory/maintain/opsguide/part1/adogd03.mspx#XSLTsection128121120120
    > http://tinyurl.com/28476 -- same link as above, shorter.
    >
    > "ScottS" <SSalvatore@lbmca.com> wrote in message
    > news:eskAWHyUEHA.2908@TK2MSFTNGP10.phx.gbl...
    > > Thank you
    > >
    > > All the other servers are reachable by the users. The only server that
    is
    > > having the issue is the restored one.
    > >
    > >
    > >
    > > Not knowing what this means, the following items failed during the
    netdiag
    > > and DCdiag.
    > >
    > > What would be the next steps?
    > >
    > >
    > >
    > > Global results:
    > >
    > >
    > >
    > > Domain membership test . . . . . . : Failed
    > >
    > > [WARNING] Ths system volume has not been completely replicated to
    the
    > > local machine. This machine is not working properly as a DC.
    > >
    > >
    > >
    > >
    > >
    > > Trust relationship test. . . . . . : Failed
    > >
    > > [FATAL] Secure channel to domain 'RCAL' is broken.
    > > [ERROR_NO_TRUST_SAM_ACCOUNT]
    > >
    > >
    > >
    > > Kerberos test. . . . . . . . . . . : Failed
    > >
    > > [FATAL] Kerberos does not have a ticket for SPEAKER$.
    > >
    > >
    > >
    > > ------------------------------------------------
    > >
    > >
    > >
    > > DC Diagnosis
    > >
    > >
    > >
    > > Performing initial setup:
    > >
    > > [speaker] LDAP bind failed with error 31,
    > >
    > > A device attached to the system is not functioning..
    > >
    > >
    > >
    > >
    > >
    > > "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
    > > news:OeIzc.59193$Sw.2529@attbi_s51...
    > > > You can reset local security settings to default defined levels as
    > > described
    > > > in the link below. However on a domain controller, Domain Controller
    > > > Security Policy will override user rights assignments. The second link
    > > shows
    > > > how to restore Domain Controller Security Policy user rights to
    default or
    > > > otherwise modify it.
    > > >
    > > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
    > > > http://support.microsoft.com/?kbid=267553
    > > >
    > > > Having said that, I think your problem is not with security policy,
    but
    > > > probably due to the fact that your computer accounts may have been
    > > corrupted
    > > > or the comuter passwords on the backup have expired. I would first
    install
    > > > the support tools on your domain controller and a domain member from
    the
    > > > install disk under support/tools where you will need to run setup or
    the
    > > > .msi package there. The run first netdiag and then dcdiag on your
    domain
    > > > controller looking for failed tests/fatal errors particularly in
    regards
    > > to
    > > > dns, domain membership, dclist, and trust relationship. If all looks
    well
    > > > for the dc, run netdiag on a domain member that is experiencing
    problems
    > > > looking for the same. You may simply need to rejoing the computers to
    the
    > > > domain or otherwise try to reset their accounts using netdom which may
    be
    > > > easier but does not always work. If you find a lot of problems with
    the
    > > dc,
    > > > look in Event Viewer for event ID error numbers and search the
    Knowledge
    > > > Base or http://eventid.net for what you find. --- Steve
    > > >
    > > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216393
    > > >
    > > > "ScottS" <SSalvatore@lbmca.com> wrote in message
    > > > news:#P2PBNwUEHA.712@TK2MSFTNGP11.phx.gbl...
    > > > > Hi
    > > > >
    > > > > I have an issue accessing an AD server; do to hardware failure I
    needed
    > > to
    > > > > restore the server from tape. Veritas BE was unable to restore the
    > > sysvol
    > > > > share point, but it did restore the files and folders. I created the
    > > share
    > > > > and right however as an end user I cannot logon to the server. When
    I
    > > > browse
    > > > > the network places to the server I cannot access the server. I
    receive
    > > the
    > > > > error Logon failure: the target account name is incorrect. This
    happens
    > > as
    > > > > the admin as well.
    > > > >
    > > > >
    > > > >
    > > > > I feel it could be a permission issue. Can anyone tell me how to
    reset
    > > the
    > > > > security permission on an AD server? I want to set them to the same
    > > level
    > > > as
    > > > > it would be after you promote the server to an AD I know its doable
    I
    > > jus
    > > > > went brain dead on the syntax.
    > > > >
    > > > >
    > > > >
    > > > > I posted this in the
    > > > >
    > > > >
    > > > >
    > > > > Thanks
    > > > >
    > > > > Scott
    > > > >
    > > > >
    > > >
    > > >
    > >
    > >
    >
    >
Ask a new question

Read More

Security Microsoft Servers Windows