issue accessing an AD server

scotts

May 10, 2004
Archived from groups: microsoft.public.win2000.security

Hi

I have an issue accessing an AD server; due to hardware failure I needed to
restore the server from tape. Veritas BE was unable to restore the sysvol
share point, but it did restore the files and folders. I created the share
and rights; however, as an end user I cannot log on to the server. When I browse
the network places to the server I cannot access the server. I receive the
error "Logon failure: the target account name is incorrect." This happens as
the admin as well.

I feel it could be a permission issue. Can anyone tell me how to reset the
security permission on an AD server? I want to set them to the same level as
it would be after you promote the server to an AD. I know it's doable; I just
went brain dead on the syntax.



I posted this in the



Thanks

Scott
 
Guest

You can reset local security settings to default defined levels as described
in the link below. However on a domain controller, Domain Controller
Security Policy will override user rights assignments. The second link shows
how to restore Domain Controller Security Policy user rights to default or
otherwise modify it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
http://support.microsoft.com/?kbid=267553

Having said that, I think your problem is not with security policy, but
probably due to the fact that your computer accounts may have been corrupted
or the computer passwords on the backup have expired. I would first install
the support tools on your domain controller and a domain member from the
install disk under support/tools where you will need to run setup or the
.msi package there. Then run first netdiag and then dcdiag on your domain
controller looking for failed tests/fatal errors particularly in regards to
dns, domain membership, dclist, and trust relationship. If all looks well
for the dc, run netdiag on a domain member that is experiencing problems
looking for the same. You may simply need to rejoin the computers to the
domain or otherwise try to reset their accounts using netdom which may be
easier but does not always work. If you find a lot of problems with the dc,
look in Event Viewer for event ID error numbers and search the Knowledge
Base or http://eventid.net for what you find. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216393

 

scotts


Thank you

All the other servers are reachable by the users. The only server that is
having the issue is the restored one.



Not knowing what this means, the following items failed during the netdiag
and DCdiag.

What would be the next steps?



Global results:



Domain membership test . . . . . . : Failed

[WARNING] Ths system volume has not been completely replicated to the
local machine. This machine is not working properly as a DC.





Trust relationship test. . . . . . : Failed

[FATAL] Secure channel to domain 'RCAL' is broken.
[ERROR_NO_TRUST_SAM_ACCOUNT]



Kerberos test. . . . . . . . . . . : Failed

[FATAL] Kerberos does not have a ticket for SPEAKER$.



------------------------------------------------



DC Diagnosis



Performing initial setup:

[speaker] LDAP bind failed with error 31,

A device attached to the system is not functioning..





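The netdiag results in the post above can be triaged mechanically for the failed tests and fatal errors Steve suggests looking for. This is an added example, not part of the original thread; the sample text is constructed from the result lines quoted above plus one constructed passing line, and the function name `failed_tests` is illustrative.

```python
import re

# Constructed sample in netdiag's summary layout: the failing results quoted
# in the post above, plus one constructed passing test for contrast.
SAMPLE = """\
    DNS test . . . . . . . . . . . . . : Passed
    Domain membership test . . . . . . : Failed
        [WARNING] Ths system volume has not been completely replicated to the
        local machine. This machine is not working properly as a DC.
    Trust relationship test. . . . . . : Failed
        [FATAL] Secure channel to domain 'RCAL' is broken.
        [ERROR_NO_TRUST_SAM_ACCOUNT]
    Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for SPEAKER$.
"""

TEST_LINE = re.compile(r"^\s*(?P<name>.+?)[\s.]*:\s*(?P<status>Passed|Failed|Skipped)\s*$")
DETAIL = re.compile(r"^\s*\[(?P<sev>WARNING|FATAL)\]\s*(?P<msg>.*)$")
RANK = {"FATAL": 0, "WARNING": 1, None: 2}

def failed_tests(report):
    """Return failed tests as dicts, FATAL ones first, with their detail text."""
    results, current = [], None
    for line in report.splitlines():
        if not line.strip():
            continue
        m = TEST_LINE.match(line)
        if m:
            # A new test header closes the previous one; only failures are kept.
            current = None
            if m["status"] == "Failed":
                current = {"test": m["name"], "severity": None, "details": []}
                results.append(current)
            continue
        if current is None:
            continue
        d = DETAIL.match(line)
        if d:
            # Keep the worst severity seen for this test.
            if RANK[d["sev"]] < RANK[current["severity"]]:
                current["severity"] = d["sev"]
            current["details"].append(d["msg"])
        elif current["details"]:
            # Wrapped text or a bare error code continues the previous message.
            current["details"][-1] += " " + line.strip()
    return sorted(results, key=lambda r: RANK[r["severity"]])

if __name__ == "__main__":
    for r in failed_tests(SAMPLE):
        print(f"{r['severity'] or 'UNSPECIFIED'}: {r['test']}")
        for msg in r["details"]:
            print("   ", msg)
```

Run it against saved output (for example `netdiag > netdiag.txt`) from the domain controller and from an affected member to compare which tests fail on each.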
 
Guest

Well you have a couple of options.

If you have a recent System State backup of that domain controller you could boot
into Directory Services Restore Mode [similar to safe mode] where you would have to
logon as the local administrator account that was configured when the computer was
first dcpromo'd and then use ntbackup to restore the System State and after reboot your
domain controller will replicate with the others to get updates.

If you do not have a System State backup for that domain controller, you will have to
reinstall W2K including service packs and then dcpromo it to a domain controller
where it will replicate with other domain controllers. Note that you will have to
clean up entries in AD Sites and Services and do a metadata cleanup of Active
Directory using ntdsutil FIRST if you go that route. See the link below for more info
on Active Directory restore procedures. If the failed dc held any fsmo roles or was
global catalog server, you will need to seize those roles on another domain
controller and create another global catalog server.

You may also want to post in the win2000.Active_directory newsgroup to see if they
have any further advice with a post along the line of "domain controller
failure". --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx#XSLTsection128121120120
http://tinyurl.com/28476 -- same link as above, shorter.

 
Guest

ouch

Thanks I will get to it.

