Solved

Hard disk of second Win2k DC in forest crashed. Put back Ghost image of 1 month old and now DC cannot sync because of "Access denied error"

Posted on 2004-04-10
Last Modified: 2010-03-18
Hi,

I have a Win2k domain with 2 DCs. The hard disk of my second DC has crashed and is totally broken. I have a Ghost image that is about 1 month old, which I have put back on a new disk.
The problem now is that this second DC cannot sync anymore or access any resources on the first DC because of an access denied message. The administrator password has not changed since the time of the image.
Any help is much appreciated!

Thanks,

Jeroen
0
Comment
Question by:jeroentje
17 Comments
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 10797598
What kind of event ids are you getting?
0
 
LVL 9

Expert Comment

by:jamesreddy
ID: 10799116
First off, I would try to demote the failed DC to a regular member server by running DCPROMO.  Assuming that works, reboot the machine, then promote it to a DC again using the same command.  If that doesn't work, we need to try to get replication going again.

Run through the following and see if you can force replication to occur again:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q232/0/72.ASP&NoWebContent=1

Let us know the results...

James



0
 
LVL 9

Expert Comment

by:jamesreddy
ID: 10799121
Also, are there any other services on the failed DC that are critical?  If there are only some files, I would suggest running NTBACKUP, backing up the files that you need off the server....reinstalling 2000 Server from scratch, then promoting it.  After that, restore the files from backup.
0
 
LVL 9

Expert Comment

by:jamesreddy
ID: 10799159
Here are some more replication troubleshooting resources you can take a look at if the above fails:

http://support.microsoft.com/?id=249256 - THIS IS A GOOD POSSIBILITY OF HELPING YOU FIX THE PROBLEM.  MAKE SURE YOU READ THIS CAREFULLY!

http://support.microsoft.com/default.aspx?scid=kb;en-us;q321046

http://support.microsoft.com/default.aspx?scid=kb;EN-US;229896

James

0
 

Author Comment

by:jeroentje
ID: 10800310
Hi,

Thanks for the answers so far.
The event IDs I am seeing are: 3034, 56, 11, 1311, 1566, 13508
I think it has something to do with the secure channel passwords not being synced.
I will read through the suggestions from James and let you know.

Thanks,

Jeroen
0
 
LVL 82

Expert Comment

by:oBdA
ID: 10800648
The first article seems to be pretty close to your situation. This requires the W2k Support Tools; they're on the W2k CD, but if you haven't installed them yet, do *not* install them from there. Instead, download and install the SP4 Support Tools (some of the tools were updated by Service Packs).

"Replication Access Was Denied" Error Messages Occur After You Promote a Server to Domain Controller
http://support.microsoft.com/?kbid=329860

Resetting Computer Accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?kbid=216393

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp
0
 

Author Comment

by:jeroentje
ID: 10808019
Hi James,

I have tried this one: http://support.microsoft.com/?id=249256
and I get the following message:
C:\Documents and Settings\Administrator.FADELESS>netdom reset trinity /domain:fadeless.net
The secure channel from TRINITY to FADELESS.NET was not reset.
Access is denied.

Access is denied.

The command failed to complete successfully.

C:\Documents and Settings\Administrator.FADELESS>

I really think that the problem is indeed that the secure channel password is not synced, but I cannot get it to sync.

Thanks for the help,

Jeroen
0

 
LVL 9

Expert Comment

by:jamesreddy
ID: 10808339
Ok.  Give this a shot:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q288167

Goes through resetting that secure channel password.  That should fix you up.

James
0
 

Author Comment

by:jeroentje
ID: 10809166
Hi James,

My broken DC is called trinity and the one that is working is called morpheus. They are connected through a VPN.
When I run netdom query fsmo on trinity, I get:
C:\>netdom query fsmo
Schema owner                morpheus.fadeless.net
Domain role owner           morpheus.fadeless.net
PDC role                    morpheus.fadeless.net
RID pool manager            morpheus.fadeless.net
Infrastructure owner        morpheus.fadeless.net
The command completed successfully.

C:\>

Then I disable the KDC service and run:
C:\>netdom resetpwd /server:trinity /userd:fadeless\administrator /passwordd:*****
The machine account password for the local machine could not be reset.
Access is denied.

The command failed to complete successfully.

However, when the KDC service is disabled, I am able to browse to the c$ share of morpheus. When I enable it again, I get the access denied error.
I have restarted the DC like the article says, but still the same problem.
I don't really want to demote the DC and promote it again.
There must be a solution for this problem, as I guess others have come across this in the past?
Thanks for your help.

Jeroen

0
 
LVL 9

Expert Comment

by:jamesreddy
ID: 10809308
What is the harm in demoting and promoting?  You will not lose any data.
0
 

Author Comment

by:jeroentje
ID: 10810853
I think that either the demotion will completely fail because of not enough rights, or it will be demoted but my other DC will still think that it exists, and when I try to promote it again, it will tell me that there is already a DC with that name in that site?

What do you think?

J.
0
 
LVL 9

Expert Comment

by:jamesreddy
ID: 10811959
I think that there is only one way to find out and that it can't become worse.  You may get an error demoting it, but if that's the case, you just get an error, and then we know...no harm done.  It couldn't hurt anything to attempt this.  Since all other efforts are failing, this will likely fail too, but it's worth a shot.
0
 

Author Comment

by:jeroentje
ID: 10812100
I have just tried demoting trinity and get the following error:

The operation failed because:
Managing the network session with morpheus.fadeless.net failed
"Logon failure: The target account name is incorrect"

0
 

Author Comment

by:jeroentje
ID: 10812726
I have tried this: http://support.microsoft.com/default.aspx?scid=kb;en-us;154501
but it didn't help.

J.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 11387862
PAQed, with points refunded (500)

modulo
Community Support Moderator
0
