qubiac
Domain Controller error
Windows 2000 and SP2.
I get the following error.
I have looked on the Microsoft Support site and I have tried to run these tests but something is missing.
Anyone?
Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 16650
Date: 2002-03-05
Time: 12:51:30
User: N/A
Computer: VGMA03
Description:
The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.
Data:
0000: a7 02 00 c0 §..À
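Added example, not part of the original thread: the event's record data holds the NT error code as a little-endian DWORD, so the bytes a7 02 00 c0 read as 0xC00002A7. The Python below parses the "Data:" dump and splits the status into its fields; the function names are hypothetical, and the name table is a small subset of ntstatus.h chosen for this event.

```python
import re
import struct

# One "Data:" line from the event: hex offset, byte values, then an ASCII column.
DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]{4}):((?:\s+[0-9a-fA-F]{2}(?=\s|$))+)")

SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}

# RID-related directory-service statuses from ntstatus.h (subset only).
KNOWN = {
    0xC00002A7: "STATUS_DS_NO_RIDS_ALLOCATED",
    0xC00002A8: "STATUS_DS_NO_MORE_RIDS",
    0xC00002A9: "STATUS_DS_INCORRECT_ROLE_OWNER",
    0xC00002AA: "STATUS_DS_RIDMGR_INIT_ERROR",
}

# Record data exactly as posted in the question above.
SAMPLE = "Data:\n0000: a7 02 00 c0 §..À\n"


def parse_record_data(text):
    """Collect bytes from every hex-dump line and check the offsets are contiguous."""
    data = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # "Data:" header or unrelated event text
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"dump gap: expected offset {len(data):04x}, got {offset:04x}")
        data += bytes.fromhex(m.group(2))
    return bytes(data)


def decode_ntstatus(raw):
    """Read the first DWORD little-endian and split it into the NTSTATUS fields."""
    if len(raw) < 4:
        raise ValueError("record data shorter than one DWORD")
    (value,) = struct.unpack_from("<I", raw, 0)
    return {
        "value": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],        # bits 31-30
        "customer": bool(value & 0x20000000),     # bit 29, set for non-Microsoft codes
        "facility": (value >> 16) & 0x0FFF,       # bits 27-16
        "code": value & 0xFFFF,                   # bits 15-0
        "name": KNOWN.get(value, "unknown (look up in ntstatus.h)"),
    }


if __name__ == "__main__":
    print(decode_ntstatus(parse_record_data(SAMPLE)))
```

The decoded status names the RID pool, which matches the "account-identifier allocator" wording in the event description.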
What are your symptoms if any? Are you experiencing any problems?
Do you have other DCs or any legacy NT 4.0 PDCs on the net?
ASKER
The problem is that I could register one more AD server and I could replicate it to my new AD server.
But for some reason that doesn't work anymore and I get the error that you see above.
We had old servers in our network before, but not anymore so I changed that AD mode to Native.
In your User rights permissions, grant the Enterprise Admins group the user right
"Access this computer from the network", if Enterprise Admins does not have this permission.
Then refresh your Security Policy using the following command:
SECEDIT.EXE /refreshpolicy MACHINE_POLICY /ENFORCE
Try this out and let me know if it resolves your problem.
If it doesn't then try the steps mentioned in Technet Article Q248410
Regards,
Steven
ASKER
I have tried a lot of different things with this problem.
I installed netdiag.exe which analyses the network for errors from the selected server. Look below for the error that it reported, what can I do to fix that?
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] The default SPN registration for 'HOST/server1.domain.com' is
missing on DC 'server2.domain.com'.
[WARNING] The default SPN registration for 'HOST/SERVER1' is missing on DC 'server2.vallagruppen.com' .
and I also got this one
Trust relationship test. . . . . . : Passed
Secure channel for domain 'DOMAIN' is to '\\SERVER2'.
Cannot test secure channel to PDC emulator since you are not an administrator.
Any ideas?
Do you have another DC? If so, use ntdsutil to delete the bad references to this server.
ASKER
Yes, I think about doing that. But it seems somewhat difficult to delete the references?
Do you have advice for me how to do it?
Regards,
Roberto
ASKER
Thanks, I found it and I'm currently removing the info from my primary DC.
ASKER
Ok, I think that I got everything removed now from the DC. Now I want to re-add my other DC to the primary DC, how can I do that?
Try running DCpromo
ASKER
It seems as if my secondary DC is in a "between-state"; in other words, my primary DC does not have any secondary DC and my secondary DC still believes that it is a DC.
Running dcpromo makes my secondary DC try to remove the AD on itself, but I get "The specified domain either does not exist or could not be contacted", so it seems that it is a DNS error, or what do you think?
ASKER
I still get errors... I fixed the DNS, I think.
And running dcpromo gives me the following error
The operation failed because:
The Directory Service failed to replicate off changes made locally.
"The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation). "
How many DCs do you have? Who holds the schema masters?
ASKER
I have 2 DCs. My primary DC holds it.
Remove AD from the secondary, let the normal replication period pass, 15 minutes, then run DCPROMO to put a replica back on it.
ASKER
How can I remove the AD on the secondary DC?
When I run dcpromo to remove AD on the secondary DC it wants to connect to the primary DC first and that's where it fails currently.
Are there other ways to remove AD on a server?
ASKER
What do you think about this approach?
If the demotion failed, you can try the brute force approach:
1. Use Regedt32 to navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
2. Edit the ProductType value name and change the data value from LanmanNT to ServerNT, using the exact case.
3. Shut down and restart the server.
4. Delete the NTDS folder.
ASKER
Problem solved with ADSIEdit and DCPROMO and some restarts.
Deleted the information about the secondary DC on the first DC, then I ran ADSIEdit and removed all info about the secondary DC. Hacked the registry on the secondary DC to make it an ordinary server instead of a DC server.
Used DCPROMO to rejoin the domain.
Worked like a charm.
Congrats.