Solved

Domain Controller error

Posted on 2002-03-05
Last Modified: 2010-10-26
Windows 2000 and SP2.

I get the following error.
I have looked in the Microsoft Support site and I have tried to run these tests but something is missing.
Anyone?


Event Type:     Error
Event Source:     SAM
Event Category:     None
Event ID:     16650
Date:          2002-03-05
Time:          12:51:30
User:          N/A
Computer:     VGMA03
Description:
The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.
Data:
0000: a7 02 00 c0               §..À    
Question by:qubiac
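
The event text says the record data holds the NT error code. As an added example (not part of the original post), this decodes the `Data:` hex dump into an NTSTATUS value and splits it into its fields; the name table is a small subset of `ntstatus.h` covering the directory-service codes next to this one, and the function names are made up for the example.

```python
import re
import struct

# Names and values from ntstatus.h for the directory-service codes
# adjacent to the one in this event (a subset, not the full header).
DS_STATUS_NAMES = {
    0xC00002A5: "STATUS_DS_BUSY",
    0xC00002A6: "STATUS_DS_UNAVAILABLE",
    0xC00002A7: "STATUS_DS_NO_RIDS_ALLOCATED",
    0xC00002A8: "STATUS_DS_NO_MORE_RIDS",
    0xC00002A9: "STATUS_DS_INCORRECT_ROLE_OWNER",
    0xC00002AA: "STATUS_DS_RIDMGR_INIT_ERROR",
}
SEVERITY = ("success", "informational", "warning", "error")
DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{2}(?:\s|$))+)")

def parse_event_data(dump: str) -> bytes:
    """Rebuild the raw record bytes from Event Viewer's 'Data:' hex dump."""
    raw = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # not a dump line (e.g. the 'Data:' label)
        if int(m.group(1), 16) != len(raw):
            raise ValueError("offset gap in dump at " + m.group(1))
        raw += bytes.fromhex(m.group(2))  # the ASCII column is not captured
    return bytes(raw)

def decode_ntstatus(raw: bytes) -> dict:
    """Interpret the first DWORD (little-endian) as an NTSTATUS value."""
    if len(raw) < 4:
        raise ValueError("record data shorter than one DWORD")
    (status,) = struct.unpack_from("<I", raw)
    return {
        "value": f"0x{status:08X}",
        "severity": SEVERITY[status >> 30],           # bits 31-30
        "customer_defined": bool(status & 0x20000000),  # bit 29
        "facility": (status >> 16) & 0x0FFF,          # bits 27-16
        "code": status & 0xFFFF,                      # bits 15-0
        "name": DS_STATUS_NAMES.get(status, "not in this table"),
    }

# Data line copied from the event in the question.
SAMPLE = "0000: a7 02 00 c0               §..À    "

if __name__ == "__main__":
    print(decode_ntstatus(parse_event_data(SAMPLE)))
```

The bytes are stored little-endian, so `a7 02 00 c0` reads as 0xC00002A7: the domain controller has no RID allocation to create accounts from.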

Expert Comment

by:mikecr
ID: 6841338
What are your symptoms if any? Are you experiencing any problems?

Expert Comment

by:geoffryn
ID: 6841807
Do you have other DCs or any legacy NT 4.0 PDCs on the net?

Author Comment

by:qubiac
ID: 6842346
The problem is that I could register one more AD server and I could replicate it to my new AD server.
But for some reason that doesn't work anymore and I get the error that you see above.
We had old servers in our network before, but not anymore so I changed that AD mode to Native.

Expert Comment

by:steven_jd
ID: 6843638
In your User rights permissions, grant the Enterprise Admins group the user right
"Access this computer from the network", if Enterprise Admins does not have this permission.

Then refresh your Security Policy using the following command:

SECEDIT.EXE /refreshpolicy MACHINE_POLICY /ENFORCE

Try this out and let me know if it resolves your problem.

If it doesn't then try the steps mentioned in Technet Article Q248410

Regards,

Steven

Author Comment

by:qubiac
ID: 6844530
I have tried a lot of different things with this problem.
I installed netdiag.exe which analyses the network for errors from the selected server. Look below for the error that it reported, what can I do to fix that?


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/server1.domain.com' is missing on DC 'server2.domain.com'.
    [WARNING] The default SPN registration for 'HOST/SERVER1' is missing on DC 'server2.vallagruppen.com'.

and I also got this one

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'DOMAIN' is to '\\SERVER2'.
    Cannot test secure channel to PDC emulator since you are not an administrator.


Any ideas?

Expert Comment

by:geoffryn
ID: 6845187
Do you have another DC?  If so, use ntdsutil to delete the bad references to this server.

Author Comment

by:qubiac
ID: 6845387

Yes, I think about doing that. But it seems somewhat difficult to delete the references?
Do you have advice for me how to do it?

Regards,
Roberto

Expert Comment

by:geoffryn
ID: 6845469

Author Comment

by:qubiac
ID: 6845488
Thanks, I found it and I'm currently removing the info from my primary DC.

Author Comment

by:qubiac
ID: 6845610
Ok, I think that I got everything removed now from the DC. Now I want to re-add my other DC to the primary DC, how can I do that?

Expert Comment

by:geoffryn
ID: 6845634
Try running DCpromo

Author Comment

by:qubiac
ID: 6845668
It seems as if my secondary DC is in a "between-state"; in other words, my primary DC does not have any secondary DC and my secondary DC still believes that it is a DC.
Running dcpromo makes my secondary DC try to remove the AD on itself, but I get "The specified domain either does not exist or could not be contacted" so it seems that it is a DNS error, or what do you think?

Author Comment

by:qubiac
ID: 6845694
I still get errors.... I fixed the DNS, I think.
And running dcpromo gives me the following error

The operation failed because:

The Directory Service failed to replicate off changes made locally.

"The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation). "

Expert Comment

by:geoffryn
ID: 6845706
How many DCs do you have?  Who holds the schema masters?

Author Comment

by:qubiac
ID: 6845716
I have 2 DCs. My primary DC holds it.

Expert Comment

by:geoffryn
ID: 6845736
Remove AD from the secondary, let the normal replication period pass, 15 minutes, then run DCPROMO to put a replica back on it.

Author Comment

by:qubiac
ID: 6845756
How can I remove the AD on the secondary DC?
When I run dcpromo to remove AD on the secondary DC it wants to connect to the primary DC first and that's where it fails currently.
Are there other ways to remove AD on a server?

Author Comment

by:qubiac
ID: 6845776
What do you think about this approach?

If the demotion failed, you can try the brute force approach:
1. Use Regedt32 to navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

2. Edit the ProductType value name and change the data value from LanmanNT to ServerNT, using the exact case.

3. Shutdown and restart the server.

4. Delete the NTDS folder.

Accepted Solution

by:
geoffryn earned 200 total points
ID: 6845907
You also have to make sure that you know the local admin account password.  When the system comes back up, remove it from the domain.  Delete the computer account from AD.  Then rejoin the domain.  At that point you should be able to run DCPROMO successfully.

Author Comment

by:qubiac
ID: 6848177

Problem solved with ADSIEdit and DCPROMO and some restarts.
Deleted the information about the secondary DC on the first DC, then I ran ADSIEdit and removed all info about the secondary DC. Hacked the registry on the secondary DC to make it an ordinary server instead of a DC server.
Used DCPROMO to rejoin the domain.

Worked like a charm.

Expert Comment

by:geoffryn
ID: 6848189
Congrats.