
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3888

Domain Controller error

Windows 2000 and SP2.

I get the following error.
I have looked on the Microsoft Support site and I have tried to run these tests, but something is missing.
Anyone?


Event Type:     Error
Event Source:     SAM
Event Category:     None
Event ID:     16650
Date:          2002-03-05
Time:          12:51:30
User:          N/A
Computer:     VGMA03
Description:
The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.
Data:
0000: a7 02 00 c0               §..À    
0
Asked: qubiac
1 Solution
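The "Data:" line in the Event ID 16650 record above is a four-byte little-endian NTSTATUS DWORD. As an added example (not part of the original thread), a small Python decoder that turns an Event Viewer hex dump line back into that status code; the name table is a hand-picked subset of the Directory Service codes from ntstatus.h, and anything not in it is reported as unknown rather than guessed.

```python
import re

# Constructed copy of the "Data:" line from the Event ID 16650 record in the question.
# Event Viewer prints "<offset>: <hex bytes> <ascii rendering>" per line.
SAMPLE_DATA_LINE = "0000: a7 02 00 c0               §..À    "

# Subset of NTSTATUS values from ntstatus.h that the SAM RID manager
# (the "account-identifier allocator") records in this event.
DS_STATUS_NAMES = {
    0xC00002A5: "STATUS_DS_BUSY",
    0xC00002A6: "STATUS_DS_UNAVAILABLE",
    0xC00002A7: "STATUS_DS_NO_RIDS_ALLOCATED",
    0xC00002A8: "STATUS_DS_NO_MORE_RIDS",
    0xC00002A9: "STATUS_DS_INCORRECT_ROLE_OWNER",
    0xC00002AA: "STATUS_DS_RIDMGR_INIT_ERROR",
}

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_record_bytes(dump: str) -> bytes:
    """Extract the raw bytes from one or more Event Viewer 'Data:' dump lines,
    dropping the leading offset column and the trailing ASCII rendering."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.split(":", 1)[1] if ":" in line else line
        for tok in hex_part.split():
            # The ASCII column starts at the first token that is not a hex byte.
            if not HEX_BYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_ntstatus(raw: bytes) -> int:
    """The record data is stored in memory order, i.e. little-endian DWORD."""
    if len(raw) < 4:
        raise ValueError("record data shorter than one NTSTATUS DWORD")
    return int.from_bytes(raw[:4], "little")


def describe_status(code: int) -> dict:
    """Split an NTSTATUS into severity (bits 31-30), facility (bits 27-16) and name."""
    severity = {0: "success", 1: "informational", 2: "warning", 3: "error"}[code >> 30]
    return {
        "hex": f"0x{code:08X}",
        "severity": severity,
        "facility": (code >> 16) & 0x0FFF,
        "name": DS_STATUS_NAMES.get(code, "unknown (look it up in ntstatus.h)"),
    }


def decode_event_data(dump: str) -> dict:
    return describe_status(decode_ntstatus(parse_record_bytes(dump)))


if __name__ == "__main__":
    print(decode_event_data(SAMPLE_DATA_LINE))  # 0xC00002A7, STATUS_DS_NO_RIDS_ALLOCATED
```

For the bytes in the post this yields 0xC00002A7, STATUS_DS_NO_RIDS_ALLOCATED: the DC has no RID pool to hand out, which is exactly why account creation is denied.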
 
mikecrCommented:
What are your symptoms if any? Are you experiencing any problems?
0
 
geoffrynCommented:
Do you have other DCs or any legacy NT 4.0 PDCs on the net?
0
 
qubiacAuthor Commented:
The problem is that I could register one more AD server and I could replicate it to my new AD server.
But for some reason that doesn't work anymore and I get the error that you see above.
We had old servers in our network before, but not anymore, so I changed the AD mode to Native.
0
 
steven_jdCommented:
In your User rights permissions, grant the Enterprise Admins group the user right
"Access this computer from the network", if Enterprise Admins does not have this permission.

Then refresh your Security Policy using the following command:

SECEDIT.EXE /refreshpolicy MACHINE_POLICY /ENFORCE

Try this out and let me know if it resolves your problem.

If it doesn't, then try the steps mentioned in TechNet article Q248410.

Regards,

Steven
0
 
qubiacAuthor Commented:
I have tried a lot of different things with this problem.
I installed netdiag.exe, which analyses the network for errors from the selected server. Look below for the error that it reported; what can I do to fix that?


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/server1.domain.com' is
 missing on DC 'server2.domain.com'.
    [WARNING] The default SPN registration for 'HOST/SERVER1' is missing on DC 'server2.vallagruppen.com'.

and I also got this one

Trust relationship test. . . . . . : Passed
    Secure channel for domain 'DOMAIN' is to '\\SERVER2'.
    Cannot test secure channel to PDC emulator since you are not an administrator.


Any ideas?
0
 
geoffrynCommented:
Do you have another DC?  If so, use ntdsutil to delete the bad references to this server.
0
 
qubiacAuthor Commented:

Yes, I am thinking about doing that. But it seems somewhat difficult to delete the references?
Do you have any advice for me on how to do it?

Regards,
Roberto
0
 
qubiacAuthor Commented:
Thanks, I found it and I'm currently removing the info from my primary DC.
0
 
qubiacAuthor Commented:
Ok, I think that I got everything removed now from the DC. Now I want to re-add my other DC to the primary DC, how can I do that?
0
 
geoffrynCommented:
Try running DCpromo
0
 
qubiacAuthor Commented:
It seems like my secondary DC is in an "in-between state"; in other words, my primary DC does not have any secondary DC and my secondary DC still believes that it is a DC.
Running dcpromo makes my secondary DC try to remove the AD on itself, but I get "The specified domain either does not exist or could not be contacted", so it seems that it is a DNS error, or what do you think?
0
 
qubiacAuthor Commented:
I still get errors... I fixed the DNS, I think.
And running dcpromo gives me the following error:

The operation failed because:

The Directory Service failed to replicate off changes made locally.

"The security context could not be established due to a failure in the requested quality of service (e.g. mutual authentication or delegation). "
0
 
geoffrynCommented:
How many DCs do you have? Who holds the schema master?
0
 
qubiacAuthor Commented:
I have 2 DCs. My primary DC holds it.
0
 
geoffrynCommented:
Remove AD from the secondary, let the normal replication period pass, 15 minutes, then run DCPROMO to put a replica back on it.
0
 
qubiacAuthor Commented:
How can I remove the AD on the secondary DC?
When I run dcpromo to remove AD on the secondary DC it wants to connect to the primary DC first, and that's where it fails currently.
Are there other ways to remove AD from a server?
0
 
qubiacAuthor Commented:
What do you think about this approach?

If the demotion failed, you can try the brute force approach:
1. Use Regedt32 to navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

2. Edit the ProductType value name and change the data value from LanmanNT to ServerNT, using the exact case.

3. Shutdown and restart the server.

4. Delete the NTDS folder.
0
 
geoffrynCommented:
You also have to make sure that you know the local admin account password.  When the system comes back up, remove it from the domain.  Delete the computer account from AD.  Then rejoin the domain.  At that point you should be able to run DCPROMO successfully.
0
 
qubiacAuthor Commented:

Problem solved with ADSIEdit and DCPROMO and some restarts.
Deleted the information about the secondary DC on the first DC, then I ran ADSIEdit and removed all info about the secondary DC. Hacked the registry on the secondary DC to make it an ordinary server instead of a DC.
Used DCPROMO to rejoin the domain.

Worked like a charm.
0
 
geoffrynCommented:
congrats.
0