From: seeker01 on
current environment: 2 x Windows 2000 Domain Controllers with CA services
running.

This morning, I have performed the non-authoritative system state restore on
DC2 because no users can request new certificate. The system state restore
solved the CA problem but introduced other new non-trusted errors & DNS
errors . DC1 complaint "The session setup from the computer DC02 failed to
authenticate. The name of the account referenced in the security database is
SSRADCERT02$. The following error occurred: Access is denied." I can ping the
DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
ssradcert02 encounters errors ?access denied?. I have to run "net time
\\DC02IPaddress /set /y.

Any clues why? I have coldfeet really. Thanks !

From: seeker01 on
Oh yes, I got this error on DC02 server, "Failed to authenticate with
\\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller for
domain "XYZ". I am so scared to make more changes because that may break
certificate service cant do new certificate. I am very desperate to hear
anyone that knew why. Thanks muchly.

"seeker01" wrote:

> current environment: 2 x Windows 2000 Domain Controllers with CA services
> running.
>
> This morning, I have performed the non-authoritative system state restore on
> DC2 because no users can request new certificate. The system state restore
> solved the CA problem but introduced other new non-trusted errors & DNS
> errors . DC1 complaint "The session setup from the computer DC02 failed to
> authenticate. The name of the account referenced in the security database is
> SSRADCERT02$. The following error occurred: Access is denied." I can ping the
> DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
> ssradcert02 encounters errors ?access denied?. I have to run "net time
> \\DC02IPaddress /set /y.
>
> Any clues why? I have coldfeet really. Thanks !
>
From: Ace Fekay [MVP] on
In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8(a)microsoft.com,
seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
commented about below:
> Oh yes, I got this error on DC02 server, "Failed to authenticate with
> \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
> for domain "XYZ". I am so scared to make more changes because that
> may break certificate service cant do new certificate. I am very
> desperate to hear anyone that knew why. Thanks muchly.
>
> "seeker01" wrote:
>

How old was the system state that you restored?

What errors are in the event logs of both DCs?

Does DC01.ssict.org.au exist as a record and do the SRV records reference
this as a DC hosting services under the zone?

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================


From: seeker01 on
Hi Ace,
Thanks for your email. The system state that I restored was from 1Aug05 tape.

DC01 errors are: (1) ID5722 from NETLOGON "The session setup from the
computer DC02 failed to authenticate. The name of the account referenced in
the security database is DC02$. The following error occurred: Access is
denied." (2) ID3034 from MRxSMB "The redirector was unable to initialize
security context or query context attributes". (3) ID13508 from NfFrs "File
Replication Service is having trouble enabling replication from DC02 to DC01
for c:\winnt\sysvol\domain using the DNS name DC02.ssict.org.au. FRS will
keep retrying.

DC02 errors are: (1) ID1000 from Userenv "Windows cannot determine the user
or computer name. Return value (-2146893022)" (2) ID3034 from MRxSMB "The
redirector was unable to initialize security context or query context
attributes". (3) ID16650 from SAM "The account-identifier allocator failed to
initialize properly. The record data contains the NT error code that caused
the failure. Windows 2000 will retry the initialization until it succeeds;
until that time, account creation will be denied on this Domain Controller.
Please look for other SAM event logs that may indicate the exact reason for
the failure"

I am not sure if this is DNS related issue because my nslookup works fine.
Is this to do with the security channel need resetting? What is the right
command & run from where? Thanks a bunch really :-/

Seeker01

"Ace Fekay [MVP]" wrote:

> In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8(a)microsoft.com,
> seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
> commented about below:
> > Oh yes, I got this error on DC02 server, "Failed to authenticate with
> > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
> > for domain "XYZ". I am so scared to make more changes because that
> > may break certificate service cant do new certificate. I am very
> > desperate to hear anyone that knew why. Thanks muchly.
> >
> > "seeker01" wrote:
> >
>
> How old was the system state that you restored?
>
> What errors are in the event logs of both DCs?
>
> Does DC01.ssict.org.au exist as a record and do the SRV records reference
> this as a DC hosting services under the zone?
>
> --
> Regards,
> Ace
>
> If this post is viewed at a non-Microsoft community website, and you were to
> respond to it through that community's website, I may not see your reply.
> Therefore, please direct all replies ONLY to the Microsoft public newsgroup
> this thread originated in so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
>
>
>
From: Jorge_de_Almeida_Pinto on
"" wrote:
> Oh yes, I got this error on DC02 server, "Failed to
> authenticate with
> \DC01.ssict.org.au, a Windows NT or Windows 2000 domain
> controller for
> domain "XYZ". I am so scared to make more changes because
> that may break
> certificate service cant do new certificate. I am very
> desperate to hear
> anyone that knew why. Thanks muchly.
>
> "seeker01" wrote:
>
> > current environment: 2 x Windows 2000 Domain Controllers
> with CA services
> > running.
> >
> > This morning, I have performed the non-authoritative system
> state restore on
> > DC2 because no users can request new certificate. The system
> state restore
> > solved the CA problem but introduced other new non-trusted
> errors & DNS
> > errors . DC1 complaint "The session setup from the computer
> DC02 failed to
> > authenticate. The name of the account referenced in the
> security database is
> > SSRADCERT02$. The following error occurred: Access is
> denied." I can ping the
> > DC by host & fqdn but why cant I do net time
> \DC02computername /set /y from
> > ssradcert02 encounters errors ?access denied?. I have to
> run "net time
> > \DC02IPaddress /set /y.
> >
> > Any clues why? I have coldfeet really. Thanks !
> >

what does DCDIAG /V say?

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Active-Directory-Problems-Restore-System-State-ftopict423569.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1417532