Replication Problem - Unable to login to domain?

Good afternoon,

I'm having a problem.  I upgraded a domain controller from Windows 2000 to Windows 2003.  Everything seemed to work fine Friday afternoon, then when I came back on Monday I was unable to log in to the server as a domain user.  I can log in as the domain administrator with no problem.  I attempted to run dcpromo to remove the domain controller status, but it gave me the error message "Replication access was denied".  I followed the steps on;en-us;329860 (Microsoft KB #329860), but still have the same problem.

My new 2003 server (MES-ADM1) is located in the Domain Controllers folder on Active Directory Users and Computers, I adjusted the settings as directed in ADSI edit, and when I attempt to run nltest /sc_change_pwd:local (the domain name is "local"), I get the following error:

C:\>nltest /sc_change_pds:local
I_NetLogonControl failed: Status = 1787 0x6fb ERROR_NO_TRUST_SAM_ACCOUNT

I'm still rather unfamiliar with domain controllers and trust relationships, so if you could help me with step-by-step suggestions, I would greatly appreciate it.

In trying things out, I was able to create a new user on MES-ADM1 (new server) and it was available on my PDC, and I was able to log in without a problem.  I had thought that if there was a trust or replication error, I wouldn't be able to access or make changes to anything on the domain, including creating a new user.  But, then again, I'm a little out of my league here..

Any suggestions or assistance would be greatly appreciated.

crissand Commented:
See this too:;EN-US;160324

It explains how to remove and rejoin the server to the domain.
Maybe this is your problem?

Anyway, how many DCs are in your network? How are the fsmo roles distributed?
digitalsatoriAuthor Commented:
Basically, there are 6 DCs in our network, one at each location, all connect to the PDC, which houses all fsmo roles, from my understanding (from the previous network admin).  All 5 of the remote DCs were upgraded last week (the PDC was upgraded a while back), and all of them except for the server in question have had no problems.

Thank you for the link, I did try all of those suggestions (the link is actually a copy of the same KB article I looked at), but I still seem to be having the same troubles.

Thanks again for the reply.  =)
Have you run the netdiag tool? With what result?
digitalsatoriAuthor Commented:
This is the output of netdiag, I've edited out some things critical to our network..  please e-mail me if it is information you need.

Thanks again for your help!!  =)


    Computer Name: MES-ADM1
    DNS Host Name: mes-adm1.local.xxxxxxxxxxxxxxxx
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
    List of installed hotfixes :

Netcard queries test . . . . . . . : Passed

Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : mes-adm1
        IP Address . . . . . . . . :
        Subnet Mask. . . . . . . . :
        Default Gateway. . . . . . :
        Primary WINS Server. . . . :
        Secondary WINS Server. . . :
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed

Global results:

Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '
' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '
' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Failed
    Secure channel for domain 'LOCAL' is to '\\PDC'.

    [FATAL] Cannot set secure channel for domain 'LOCAL' to PDC emulator. [ERROR

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/mes-adm1' is missing on DC
    [WARNING] The default SPN registration for 'HOST/MES-ADM1' is missing on DC

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
    No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully
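When I read a netdiag dump like the one above, I find it helps to pull out just the test results and the tagged [WARNING]/[FATAL] lines and group them by test, so the failing areas (here: domain membership, SYSVOL replication and the secure channel to the PDC emulator) stand out from the noise. The script below is an added example written for this thread, not code from the original posts or from Microsoft; its input is a constructed excerpt in the same shape as the output posted above, and the signature strings it matches on are my own choice, not anything netdiag documents.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of netdiag output, in the shape of the poster's dump:
# test lines with dot leaders, and [WARNING]/[FATAL] lines that netdiag wraps
# at the console width, with the wrapped remainder starting at column 0.
SAMPLE_NETDIAG = """\
Per interface results:

    Adapter : Local Area Connection

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

Global results:

Domain membership test . . . . . . : Failed
    [WARNING] Ths system volume has not been completely replicated to the local
machine. This machine is not working properly as a DC.

DNS test . . . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Failed
    Secure channel for domain 'LOCAL' is to '\\\\PDC'.

    [FATAL] Cannot set secure channel for domain 'LOCAL' to PDC emulator. [ERROR

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/mes-adm1' is missing on DC

IP Security test . . . . . . . . . : Skipped
"""

# "Domain membership test . . . . . . : Failed" -> name + status
TEST_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][A-Za-z /]*?)\s*(?:\.\s?)+:\s*(?P<status>Passed|Failed|Skipped)\s*$"
)
# "    [WARNING] ..." / "    [FATAL] ..." -> level + message
FINDING_RE = re.compile(r"^\s*\[(?P<level>WARNING|FATAL)\]\s*(?P<msg>.*)$")

# Substrings (my own choice, not a netdiag API) that map a finding to a theme.
SIGNATURES = {
    "secure_channel": "secure channel",     # cannot reach/authenticate to the PDC emulator
    "sysvol_replication": "system volume",  # SYSVOL never fully replicated
    "netbios_names": "names is missing",    # <00>/<03>/<20> NetBT names not registered
    "spn": "SPN registration",              # HOST/ SPN missing for this DC
}


def parse_netdiag(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return ({test name: status}, [findings]) from netdiag console output."""
    tests: Dict[str, str] = {}
    findings: List[dict] = []
    current_test: Optional[str] = None
    open_finding: Optional[dict] = None  # finding whose text may continue on the next line
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            open_finding = None
            continue
        m = TEST_RE.match(line)
        if m:
            current_test = m.group("name")
            tests[current_test] = m.group("status")
            open_finding = None
            continue
        f = FINDING_RE.match(line)
        if f:
            open_finding = {"test": current_test, "level": f.group("level"), "message": f.group("msg")}
            findings.append(open_finding)
            continue
        # netdiag wraps long messages at the console width; the remainder starts at
        # column 0 with no tag. Join with a space for readability; the wrap point can
        # fall inside a word, so classification keys on stable substrings, not words.
        if open_finding is not None and not raw.startswith(" "):
            open_finding["message"] += " " + line
            continue
        open_finding = None  # any other line (e.g. informational) ends the finding
    return tests, findings


def classify(findings: List[dict]) -> Set[str]:
    """Map tagged findings onto the themes in SIGNATURES."""
    cats: Set[str] = set()
    for f in findings:
        for cat, needle in SIGNATURES.items():
            if needle.lower() in f["message"].lower():
                cats.add(cat)
    return cats


def dc_health_summary(tests: Dict[str, str], findings: List[dict]) -> dict:
    """Healthy only when no test failed and nothing was tagged FATAL."""
    failed = sorted(t for t, s in tests.items() if s == "Failed")
    fatal = [f for f in findings if f["level"] == "FATAL"]
    return {
        "healthy": not failed and not fatal,
        "failed_tests": failed,
        "fatal": fatal,
        "categories": classify(findings),
    }


if __name__ == "__main__":
    t, fi = parse_netdiag(SAMPLE_NETDIAG)
    for item in fi:
        print(f"{item['level']:7} [{item['test']}] {item['message']}")
    print(dc_health_summary(t, fi))
```

Run it against a saved `netdiag > netdiag.txt` by reading the file into `parse_netdiag`; in this thread the combination of `secure_channel` plus `sysvol_replication` is the pattern that goes with the NETLOGON 5721 event the poster later found, and it is worth checking the same way on every DC that went through the same upgrade.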
As you can see in the dcpromo process the replication had errors. Let's see this first:

[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenge
r Service', <20> 'WINS' names is missing.

Verify on the server in question if these services are started and verify if tcp/ip helper is started. Since it seems to be a netbios problem, verify if the netbios over tcp/ip settings on the nic are the same as on the other servers.
digitalsatoriAuthor Commented:
All righty,

I checked all of the services you had mentioned, and Messenger Service was the only one not running.  I started the service, and now the NetBT Name Test has passed with no error messages.  The others are all still intact.

WINS is running, and I seem to be able to force a replication that way.  If I check the "Server Status", it states it is responding.  However, I'm still unable to log in as anyone except the domain administrator.  What I find odd is that if I run dcpromo, it prompts me for a UN/PW for an account that has administrative privileges to the domain, but it says replication access was denied even if I log in as the domain administrator.
Good for now. Is there a possibility that this domain controller has a name that's already registered in active directory? Can you look at the system error log to see some error events, and write the errors here? Usually, there must be errors on the faulty dc and on the pdc emulator's error log.
digitalsatoriAuthor Commented:
Type: Error, Source: NETLOGON, EventID: 5721

The session setup to the Windows NT or Windows 2000 Domain Controller \\PDC for the domain LOCAL failed because the Domain Controller did not have an account MES-ADM1$ needed to set up the session by this computer MES-ADM1.

I'm pretty sure that there is a problem with the name already being registered in Active Directory or DNS (or possibly has been removed with the upgrade and never put back), but I'm not familiar enough to remove it and recreate it.  Is it something as simple as deleting the computer in Users and Computers (like you would a user), or is there something more that needs to be done?
digitalsatoriAuthor Commented:
I tried to do both of those, but to no avail.  I'm not able to leave the domain because the server is a DC.  I can't demote the server from a DC because replication access is denied.

I looked through DNS, WINS, ADSI, etc.  Everything seems to be okay.  Any other thoughts?

Thanks again for your time and trying to help me..  it is appreciated.  =)
Let's start a step by step verification. Right-click My Computer, select Properties, and click the Computer Name tab. If the DNS suffix of the computer name doesn't match what is listed for the domain name, there is a disjoint namespace.

digitalsatoriAuthor Commented:
The name does match the DNS suffix.  I think that part of it is okay.  =)
There is a vbs script on microsoft's site that solves the problem here:;en-us;257623

digitalsatoriAuthor Commented:
Still no workie..  I ran the script, too, but I'm still having the same problems..
Is the domain suffix the same now? Run dcdiag now.
digitalsatoriAuthor Commented:
I actually did fix the problem today.  All of the domain controllers that I upgraded last week decided to have the same problem today.

Anyway, apparently what had happened was that I did not demote the DCs prior to performing the upgrade.  I did manage to find the link on how to run dcpromo /forceremoval and once I did that and rejoined, and then repromoted the DC, everything worked out.

So thank you so much for your help, had it not been for your link I wouldn't have been able to find that command!
Glad to help!
