Hard disk of second Win2k DC in forest crashed. Put back a Ghost image about 1 month old and now the DC cannot sync because of "Access denied" error

Hi,

I have a Win2k domain with 2 DCs. The hard disk of my second DC has crashed and is totally broken. I have a Ghost image about 1 month old that I have put back on a new disk.
The problem now is that this second DC cannot sync anymore or access any resources on the first DC because of an access denied message. The administrator password has not changed since the time of the image.
Any help is much appreciated!

Thanks,

Jeroen

Gareth Gudger Commented:
What kind of event ids are you getting?

jamesreddy Commented:
First off, I would try to demote the failed DC to a regular member server by running DCPROMO.  Assuming that works, reboot the machine, then promote it to a DC again using the same command.  If that doesn't work, we need to try to get replication going again.

Run through the following and see if you can force replication to occur again:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q232/0/72.ASP&NoWebContent=1

Let us know the results...

James



jamesreddy Commented:
Also, are there any other services on the failed DC that are critical?  If there are only some files, I would suggest running NTBACKUP, backing up the files that you need off the server, reinstalling 2000 Server from scratch, then promoting it.  After that, restore the files from backup.

jamesreddy Commented:
Here are some more replication troubleshooting resources you can take a look at if the above fails:

http://support.microsoft.com/?id=249256 - THIS IS A GOOD POSSIBILITY OF HELPING YOU FIX THE PROBLEM.  MAKE SURE YOU READ THIS CAREFULLY!

http://support.microsoft.com/default.aspx?scid=kb;en-us;q321046

http://support.microsoft.com/default.aspx?scid=kb;EN-US;229896

James

jeroentje (Author) Commented:
Hi,

Thanks for the answers so far.
The event IDs I am seeing are: 3034, 56, 11, 1311, 1566, 13508
I think it has something to do with the secure channel passwords not being synced.
I will read through the suggestions from James and let you know.

Thanks,

Jeroen

oBdA Commented:
The first article seems to be pretty close to your situation. This requires the W2k Support Tools; they're on the W2k CD, but if you haven't installed them yet, do *not* install them from there. Instead, download and install the SP4 Support Tools (some of the tools were updated by Service Packs).

"Replication Access Was Denied" Error Messages Occur After You Promote a Server to Domain Controller
http://support.microsoft.com/?kbid=329860

Resetting Computer Accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?kbid=216393

Windows 2000 SP4 Support Tools
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/supporttools.asp

jeroentje (Author) Commented:
Hi James,

I have tried this one: http://support.microsoft.com/?id=249256
and I get the following message:
C:\Documents and Settings\Administrator.FADELESS>netdom reset trinity /domain:fadeless.net
The secure channel from TRINITY to FADELESS.NET was not reset.
Access is denied.

Access is denied.

The command failed to complete successfully.

C:\Documents and Settings\Administrator.FADELESS>

I really think that the problem is indeed that the secure channel password is not synced, but I cannot get it to sync.

Thanks for the help,

Jeroen

jamesreddy Commented:
Ok.  Give this a shot:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q288167

Goes through resetting that secure channel password.  That should fix you up.

James

jeroentje (Author) Commented:
Hi James,

My broken DC is called trinity and the one that is working is called morpheus. They are connected through a VPN.
When I run netdom query fsmo on trinity, I get:
C:\>netdom query fsmo
Schema owner                morpheus.fadeless.net
Domain role owner           morpheus.fadeless.net
PDC role                    morpheus.fadeless.net
RID pool manager            morpheus.fadeless.net
Infrastructure owner        morpheus.fadeless.net
The command completed successfully.

C:\>

Then I disable the KDC service and run:
C:\>netdom resetpwd /server:trinity /userd:fadeless\administrator /passwordd:*****
The machine account password for the local machine could not be reset.
Access is denied.

The command failed to complete successfully.

However, when the KDC service is disabled, I am able to browse to the c$ share of morpheus. When I enable it again, I get the access denied error.
I have restarted the DC like the article says, but still the same problem.
I don't really want to demote the DC and promote it again.
There must be a solution for this problem, as I guess others have come across this in the past?
Thanks for your help.

Jeroen
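
Added example, not part of the original thread: the KDC-stop and `netdom resetpwd` sequence attempted above, written as a three-phase batch script run on the restored DC (trinity) with a reboot between phases. It assumes the Support Tools are installed, that `sc.exe` is available (Resource Kit on Windows 2000), and that `/server` names the healthy partner DC (morpheus here), since that option selects the DC on which netdom writes the new machine account password; the script's phase names are hypothetical.

```batch
@echo off
rem Added example (constructed): reset a restored DC's machine account password.
rem Usage: <script> prep | reset | finish   (reboot between phases)
setlocal
rem Names taken from the thread; PARTNER is assumed to be the healthy DC.
set PARTNER=morpheus.fadeless.net
set DOMAIN=fadeless.net
set ADMIN=fadeless\administrator

if /i "%1"=="prep"   goto prep
if /i "%1"=="reset"  goto reset
if /i "%1"=="finish" goto finish
echo Usage: %~nx0 prep ^| reset ^| finish
goto :eof

:prep
rem Stop the local KDC and keep it from starting at boot, so that after the
rem reboot this DC requests Kerberos tickets from PARTNER instead of issuing
rem them itself with the stale (one-month-old) password.
net stop kdc
sc config kdc start= demand
echo Reboot now to clear cached tickets, then run: %~nx0 reset
goto :eof

:reset
rem /server is the DC that records the new password; /passwordd:* prompts
rem for the password instead of leaving it in the command history.
netdom resetpwd /server:%PARTNER% /userd:%ADMIN% /passwordd:*
if errorlevel 1 (
  echo Reset failed. KDC is still set to Manual; do not run the finish phase.
  goto :eof
)
echo Reboot now, then run: %~nx0 finish
goto :eof

:finish
rem Restore the KDC, then verify the secure channel and inbound replication.
sc config kdc start= auto
net start kdc
nltest /sc_query:%DOMAIN%
repadmin /showreps
goto :eof
```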

jamesreddy Commented:
What is the harm in demoting and promoting?  You will not lose any data.

jeroentje (Author) Commented:
I think that either the demotion will completely fail because of not enough rights, or it will be demoted but my other DC will still think that it exists,
and when I try to promote it again, it will tell me that there is already a DC with that name in that site?

What do you think?

J.

jamesreddy Commented:
I think that there is only one way to find out and that it can't become worse.  You may get an error demoting it, but if that's the case, you just get an error, and then we know...no harm done.  It couldn't hurt anything to attempt this.  Since all other efforts are failing, this will likely fail too, but it's worth a shot.

jeroentje (Author) Commented:
I have just tried demoting trinity and get the following error:

The operation failed because:
Managing the network session with morpheus.fadeless.net failed
"Logon failure: The target account name is incorrect"

jeroentje (Author) Commented:
I have tried this: http://support.microsoft.com/default.aspx?scid=kb;en-us;154501
but it didn't help.

J.

modulo Commented:
PAQed, with points refunded (500)

modulo
Community Support Moderator