Solved

Domain Controller error

Posted on 2002-03-05
3,874 Views
Last Modified: 2010-10-26
Windows 2000 and SP2.

I get the following error.
I have looked in the Microsoft Support site and I have tried to run these tests but something is missing.
Anyone?


Event Type:     Error
Event Source:     SAM
Event Category:     None
Event ID:     16650
Date:          2002-03-05
Time:          12:51:30
User:          N/A
Computer:     VGMA03
Description:
The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.
Data:
0000: a7 02 00 c0               §..À    
Question by:qubiac
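The description in the event says the record data carries the NT error code that caused the failure, so decoding those four bytes is the first triage step, before hunting for other SAM events. The Python below is an added example; it is not part of this thread and not a Microsoft tool. It assumes the Event Viewer hex-dump layout shown in the question (a hex offset, up to eight hex bytes per line, then an ASCII column), reads the first DWORD little-endian as Windows stores it, and splits the resulting NTSTATUS into its severity, facility and code fields. The one symbolic name in its table is taken from ntstatus.h; the two-line sample is constructed to show that multi-line records are joined in offset order.

```python
"""Decode the 'Data:' bytes of a SAM event-log record into an NTSTATUS.

Added example, not code from the original thread. Windows writes the status
as a little-endian DWORD, so the poster's "a7 02 00 c0" is 0xC00002A7.
"""
import re

# Constructed sample: the 'Data:' line as the original poster's Event Viewer
# showed it (hex offset, hex bytes, then an ASCII rendering of the bytes).
SAMPLE_DATA_LINE = "0000: a7 02 00 c0               §..À"

# Constructed two-line dump, to show that multi-line records are joined in order.
SAMPLE_TWO_LINES = """0000: 05 00 00 c0 00 00 00 00   ....
0008: 01 00 00 00               ...."""

# Symbolic name for the status this thread is about, from ntstatus.h.
# Any status not listed here is reported by number only.
KNOWN_STATUS = {
    0xC00002A7: "STATUS_DS_NO_RIDS_ALLOCATED",
}

# One Event Viewer hex-dump line: a 4-digit hex offset, a colon, then one to
# eight hex byte pairs. The ASCII column that follows is deliberately not
# captured; the 8-pair cap stops it from being read as data if it happens to
# contain hex-looking characters.
_DUMP_LINE = re.compile(
    r"^\s*[0-9A-Fa-f]{4}:\s*((?:[0-9A-Fa-f]{2}\s+){0,7}[0-9A-Fa-f]{2})"
)


def parse_event_data(dump: str) -> bytes:
    """Collect the bytes of an Event Viewer 'Data:' hex dump, in offset order."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out.extend(int(pair, 16) for pair in m.group(1).split())
    return bytes(out)


def nt_status_from_data(data: bytes) -> int:
    """The first DWORD of the record data is the NTSTATUS, stored little-endian."""
    if len(data) < 4:
        raise ValueError("record data is shorter than one DWORD")
    return int.from_bytes(data[:4], "little")


def describe_nt_status(status: int) -> dict:
    """Split an NTSTATUS into its fields: Sev(2) | C(1) | N(1) | Facility(12) | Code(16)."""
    severity = (status >> 30) & 0x3
    return {
        "status": f"0x{status:08X}",
        "severity": ("success", "informational", "warning", "error")[severity],
        "customer_defined": bool((status >> 29) & 0x1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": KNOWN_STATUS.get(status, "not in this example's table; see ntstatus.h"),
    }


def triage_sam_16650(dump: str) -> dict:
    """End to end: Event Viewer 'Data:' lines -> decoded NTSTATUS fields."""
    return describe_nt_status(nt_status_from_data(parse_event_data(dump)))


if __name__ == "__main__":
    for field, value in triage_sam_16650(SAMPLE_DATA_LINE).items():
        print(f"{field:>16}: {value}")
```

Run on the poster's bytes this yields 0xC00002A7, STATUS_DS_NO_RIDS_ALLOCATED: the DC has no RID pool, so it cannot create security principals until it obtains one from the RID master over replication. That matches the replication trouble described later in the thread and is worth checking before touching user rights or policy.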
22 Comments
 
LVL 17

Expert Comment

by:mikecr
What are your symptoms if any? Are you experiencing any problems?
 
LVL 11

Expert Comment

by:geoffryn
Do you have other DCs or any legacy NT 4.0 PDCs on the net?
 

Author Comment

by:qubiac
The problem is that I could register one more AD server and I could replicate it to my new AD server.
But for some reason that doesn't work anymore and I get the error that you see above.
We had old servers in our network before, but not anymore, so I changed that AD mode to Native.
 

Expert Comment

by:steven_jd
In your User Rights permissions, grant the Enterprise Admins group the user right
"Access this computer from the network", if Enterprise Admins does not have this permission.

Then refresh your Security Policy using the following command:

SECEDIT.EXE /refreshpolicy MACHINE_POLICY /ENFORCE

Try this out and let me know if it resolves your problem.

If it doesn't, then try the steps mentioned in TechNet article Q248410.

Regards,

Steven
 

Author Comment

by:qubiac
I have tried a lot of different things with this problem.
I installed netdiag.exe, which analyses the network for errors from the selected server. Look below for the error that it reported; what can I do to fix that?


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/server1.domain.com' is
 missing on DC 'server2.domain.com'.
    [WARNING] The default SPN registration for 'HOST/SERVER1' is missing on DC 'server2.vallagruppen.com'.

and I also got this one

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'DOMAIN' is to '\\SERVER2'.
    Cannot test secure channel to PDC emulator since you are not an administrator.


Any ideas?
 
LVL 11

Expert Comment

by:geoffryn
Do you have another DC?  If so, use ntdsutil to delete the bad references to this server.
 

Author Comment

by:qubiac
Yes, I am thinking about doing that. But it seems somewhat difficult to delete the references?
Do you have any advice for me on how to do it?

Regards,
Roberto
 
LVL 11

Expert Comment

by:geoffryn
 

Author Comment

by:qubiac
Thanks, I found it and I'm currently removing the info from my primary DC.
 

Author Comment

by:qubiac
OK, I think that I got everything removed from the DC now. Now I want to re-add my other DC to the primary DC; how can I do that?
 
LVL 11

Expert Comment

by:geoffryn
Try running DCpromo
 

Author Comment

by:qubiac
It seems like my secondary DC is in a "between-state"; in other words, my primary DC does not have any secondary DC and my secondary DC still believes that it is a DC.
Running dcpromo makes my secondary DC try to remove the AD on itself, but I get "The specified domain either does not exist or could not be contacted", so it seems that it is a DNS error, or what do you think?
 

Author Comment

by:qubiac
I still get errors... I fixed the DNS, I think.
And running dcpromo gives me the following error:

The operation failed because:

The Directory Service failed to replicate off changes made locally.

"The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation). "
 
LVL 11

Expert Comment

by:geoffryn
How many DCs do you have?  Who holds the schema master?
 

Author Comment

by:qubiac
I have 2 DCs. My primary DC holds it.
 
LVL 11

Expert Comment

by:geoffryn
Remove AD from the secondary, let the normal replication period pass, 15 minutes, then run DCPROMO to put a replica back on it.
 

Author Comment

by:qubiac
How can I remove the AD on the secondary DC?
When I run dcpromo to remove AD on the secondary DC it wants to connect to the primary DC first, and that's where it fails currently.
Are there other ways to remove AD on a server?
 

Author Comment

by:qubiac
What do you think about this approach?

If the demotion failed, you can try the brute force approach:
1. Use Regedt32 to navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

2. Edit the ProductType value name and change the data value from LanmanNT to ServerNT, using the exact case.

3. Shut down and restart the server.

4. Delete the NTDS folder.
 
LVL 11

Accepted Solution

by:
geoffryn earned 200 total points
You also have to make sure that you know the local admin account password.  When the system comes back up, remove it from the domain.  Delete the computer account from AD.  Then rejoin the domain.  At that point you should be able to run DCPROMO successfully.
 

Author Comment

by:qubiac
Problem solved with ADSIEdit and DCPROMO and some restarts.
Deleted the information about the secondary DC on the first DC, then I ran ADSIEdit and removed all info about the secondary DC. Hacked the registry on the secondary DC to make it an ordinary server instead of a DC server.
Used DCPROMO to rejoin the domain.

Worked like a charm.
 
LVL 11

Expert Comment

by:geoffryn
Congrats.