Problems after Restore System State
in [Active Directory]
|
Prev: How to change the SID on a Windows XP, Windows 2000, or Windows NT computer...
Next: Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
From: seeker01 on 20 Sep 2005 23:54 Hi Jorge, Thanks for your email. I was afraid of running anything but I think should be safe to run "DCDIAG /V" from DC02. I will inform you the status later on. Regards, Seeker01 "Jorge_de_Almeida_Pinto" wrote: > "" wrote: > > Oh yes, I got this error on DC02 server, "Failed to > > authenticate with > > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain > > controller for > > domain "XYZ". I am so scared to make more changes because > > that may break > > certificate service cant do new certificate. I am very > > desperate to hear > > anyone that knew why. Thanks muchly. > > > > "seeker01" wrote: > > > > > current environment: 2 x Windows 2000 Domain Controllers > > with CA services > > > running. > > > > > > This morning, I have performed the non-authoritative system > > state restore on > > > DC2 because no users can request new certificate. The system > > state restore > > > solved the CA problem but introduced other new non-trusted > > errors & DNS > > > errors . DC1 complaint "The session setup from the computer > > DC02 failed to > > > authenticate. The name of the account referenced in the > > security database is > > > SSRADCERT02$. The following error occurred: Access is > > denied." I can ping the > > > DC by host & fqdn but why cant I do net time > > \DC02computername /set /y from > > > ssradcert02 encounters errors â??access deniedâ?. I have to > > run "net time > > > \DC02IPaddress /set /y. > > > > > > Any clues why? I have coldfeet really. Thanks ! > > > > > what does DCDIAG /V say? > > -- > Posted using the http://www.windowsforumz.com interface, at author's request > Articles individually checked for conformance to usenet standards > Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-Restore-System-State-ftopict423569.html > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532 >
From: seeker01 on 21 Sep 2005 03:58 Hi Jorge, When I try to open active directory users and computers on DC02, I receive the following error: "Naming information cannot be located because: The specified directory service attribute or value does not exist. Contact your system administrator to verify that your domain is properly configured and is currently online." When I run net share, there is no "NETLOGON" & "SYSVOL" share. Is this DNS related? How to determine if DNS because I can run nslookup fine. Also the Policy & Scripts folder are actually found under the folder of c:\winnt\sysvol\domain\NtFrs_PreExisting___See_EventLog. Is this causing the problem why & should I just remove this folder? Thanks. "Jorge_de_Almeida_Pinto" wrote: > "" wrote: > > Oh yes, I got this error on DC02 server, "Failed to > > authenticate with > > \DC01.ssict.org.au, a Windows NT or Windows 2000 domain > > controller for > > domain "XYZ". I am so scared to make more changes because > > that may break > > certificate service cant do new certificate. I am very > > desperate to hear > > anyone that knew why. Thanks muchly. > > > > "seeker01" wrote: > > > > > current environment: 2 x Windows 2000 Domain Controllers > > with CA services > > > running. > > > > > > This morning, I have performed the non-authoritative system > > state restore on > > > DC2 because no users can request new certificate. The system > > state restore > > > solved the CA problem but introduced other new non-trusted > > errors & DNS > > > errors . DC1 complaint "The session setup from the computer > > DC02 failed to > > > authenticate. The name of the account referenced in the > > security database is > > > SSRADCERT02$. The following error occurred: Access is > > denied." I can ping the > > > DC by host & fqdn but why cant I do net time > > \DC02computername /set /y from > > > ssradcert02 encounters errors â??access deniedâ?. I have to > > run "net time > > > \DC02IPaddress /set /y. > > > > > > Any clues why? I have coldfeet really. Thanks ! > > > > > what does DCDIAG /V say? > > -- > Posted using the http://www.windowsforumz.com interface, at author's request > Articles individually checked for conformance to usenet standards > Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-Restore-System-State-ftopict423569.html > Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532 >
From: seeker01 on 21 Sep 2005 04:12 Hi Ace, Both DC01 & DC02 already running with SP4 before 1Aug05. After the system state restore on DC02, am I supposed to re-apply the SP4 because I didnt. Is this the reason why? There were no more changes made on both DNS servers since the built more than a year ago. Can it be the DNS problem? Or perhaps the problem will go away if I run nltest to reset the security channel on DC02 since I have error "access denied" & "logon failure: unknown username or bad password"? Thanks heaps. "Ace Fekay [MVP]" wrote: > In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8(a)microsoft.com, > seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then > commented about below: > > Oh yes, I got this error on DC02 server, "Failed to authenticate with > > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller > > for domain "XYZ". I am so scared to make more changes because that > > may break certificate service cant do new certificate. I am very > > desperate to hear anyone that knew why. Thanks muchly. > > > > "seeker01" wrote: > > > > How old was the system state that you restored? > > What errors are in the event logs of both DCs? > > Does DC01.ssict.org.au exist as a record and do the SRV records reference > this as a DC hosting services under the zone? > > -- > Regards, > Ace > > If this post is viewed at a non-Microsoft community website, and you were to > respond to it through that community's website, I may not see your reply. > Therefore, please direct all replies ONLY to the Microsoft public newsgroup > this thread originated in so all can benefit. > > This posting is provided "AS-IS" with no warranties or guarantees and > confers no rights. > > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP > Microsoft Windows MVP - Windows Server - Directory Services > Infinite Diversities in Infinite Combinations. > ================================= > > >
From: Ace Fekay [MVP] on 21 Sep 2005 11:38 In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04(a)microsoft.com, seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then commented about below: > Hi Ace, > Both DC01 & DC02 already running with SP4 before 1Aug05. After the > system state restore on DC02, am I supposed to re-apply the SP4 > because I didnt. Is this the reason why? There were no more changes > made on both DNS servers since the built more than a year ago. Can it > be the DNS problem? Or perhaps the problem will go away if I run > nltest to reset the security channel on DC02 since I have error > "access denied" & "logon failure: unknown username or bad password"? > Thanks heaps. August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about the date? After 60 days, the backup is useless. Also, the dcdiag you posted upon Jorge's request, shows numerous issues related to out-of-date data. You can try the nltest command, which should reset the channel: nltest /sc_verify:[YourDomainName] if that doesn't work, try: nltest /sc_reset:[YourDomainName] More info on it here: About nltest: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx nltest syntax: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx Ace
From: seeker01 on 21 Sep 2005 19:16
Hi Ace, Thanks for your email, I will try it though afraid to modify on this production domain. Because it is still within the 60 days limit, why do I receive these messages? What is the normal days for machine password to stay valid, is it 30 days? I suspect this could be the issue. Do u think so ? "Ace Fekay [MVP]" wrote: > In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04(a)microsoft.com, > seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then > commented about below: > > Hi Ace, > > Both DC01 & DC02 already running with SP4 before 1Aug05. After the > > system state restore on DC02, am I supposed to re-apply the SP4 > > because I didnt. Is this the reason why? There were no more changes > > made on both DNS servers since the built more than a year ago. Can it > > be the DNS problem? Or perhaps the problem will go away if I run > > nltest to reset the security channel on DC02 since I have error > > "access denied" & "logon failure: unknown username or bad password"? > > Thanks heaps. > > August 1, 2005? Wow. That is approaching the 60day limit. Are you sure about > the date? After 60 days, the backup is useless. Also, the dcdiag you posted > upon Jorge's request, shows numerous issues related to out-of-date data. You > can try the nltest command, which should reset the channel: > > nltest /sc_verify:[YourDomainName] > > if that doesn't work, try: > nltest /sc_reset:[YourDomainName] > > More info on it here: > > About nltest: > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx > > nltest syntax: > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx > > Ace > > > |