Solved

Replication Problem - Unable to login to domain?

Posted on 2004-10-05
Last Modified: 2008-01-09
Good afternoon,

I'm having a problem.  I upgraded a domain controller from Windows 2000 to Windows 2003.  Everything seemed to work fine Friday afternoon, then when I came back on Monday I was unable to log in to the server as a domain user.  I can log in as the domain administrator with no problem.  I attempted to run dcpromo to remove the domain controller status, but it gave me the error message "Replication access was denied".  I followed the steps on http://support.microsoft.com/default.aspx?scid=kb;en-us;329860 (Microsoft KB #329860), but still have the same problem.

My new 2003 server (MES-ADM1) is located in the Domain Controllers folder in Active Directory Users and Computers; I adjusted the settings as directed in ADSI Edit, and when I attempt to run nltest /sc_change_pwd:local (the domain name is "local"), I get the following error:

C:\>nltest /sc_change_pwd:local
I_NetLogonControl failed: Status = 1787 0x6fb ERROR_NO_TRUST_SAM_ACCOUNT

I'm still rather unfamiliar with domain controllers and trust relationships, so if you could help me with step-by-step suggestions, I would greatly appreciate it.

In trying things out, I was able to create a new user on MES-ADM1 (the new server); it was available on my PDC, and I was able to log in without a problem.  I had thought that if there was a trust or replication error, I wouldn't be able to access or make changes to anything on the domain, including creating a new user.  But, then again, I'm a little out of my league here.

Any suggestions or assistance would be greatly appreciated.

Thanks.
Question by:digitalsatori
18 Comments
 
LVL 18

Expert Comment

by:crissand
ID: 12229201
Maybe this is your problem?

http://www.jsiinc.com/SUBM/tip6000/rh6069.htm

Anyway, how many DC are in your network? How are the fsmo roles distributed?
LVL 1

Author Comment

by:digitalsatori
ID: 12229315
Basically, there are 6 DCs in our network, one at each location, all connecting to the PDC, which houses all FSMO roles, from my understanding (from the previous network admin).  All 5 of the remote DCs were upgraded last week (the PDC was upgraded a while back), and all of them except for the server in question have had no problems.

Thank you for the link, I did try all of those suggestions (the link is actually a copy of the same KB article I looked at), but I still seem to be having the same troubles.

Thanks again for the reply.  =)
LVL 18

Expert Comment

by:crissand
ID: 12229709
Have you run the netdiag tool? With what result?
LVL 1

Author Comment

by:digitalsatori
ID: 12229886
This is the output of netdiag; I've edited out some things critical to our network.  Please e-mail me if it is information you need.

Thanks again for your help!!  =)

C:\>netdiag
.........................................

    Computer Name: MES-ADM1
    DNS Host Name: mes-adm1.local.xxxxxxxxxxxxxxxx
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 6 Model 8 Stepping 6, GenuineIntel
    List of installed hotfixes :
        KB819696
        KB823182
        KB823353
        KB823559
        KB824105
        KB824141
        KB825119
        KB828035
        KB828741
        KB830352
        KB833987
        KB835732
        KB837001
        KB839643
        KB839645
        KB840315
        KB840374
        KB867801
        Q147222
        Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : mes-adm1
        IP Address . . . . . . . . : 10.xxx.xxx.xxx
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 10.xxx.xxx.xxx
        Primary WINS Server. . . . : 10.xxx.xxx.xxx
        Secondary WINS Server. . . : 10.xxx.xxx.xxx
        Dns Servers. . . . . . . . : 10.xxx.xxx.xxx
                                     10.xxx.xxx.xxx


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

        WINS service test. . . . . : Passed


Global results:


Domain membership test . . . . . . : Failed
    [WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC.


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{4671E5F5-958D-4C2D-8239-F75627A5F22F}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.xxx.xxx.xxx' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '10.xxx.xxx.xxx' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{4671E5F5-958D-4C2D-8239-F75627A5F22F}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{4671E5F5-958D-4C2D-8239-F75627A5F22F}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Failed
    Secure channel for domain 'LOCAL' is to '\\PDC'.

    [FATAL] Cannot set secure channel for domain 'LOCAL' to PDC emulator. [ERROR_NO_TRUST_SAM_ACCOUNT]


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] The default SPN registration for 'HOST/mes-adm1' is missing on DC 'MES-ADM1'.
    [WARNING] The default SPN registration for 'HOST/MES-ADM1' is missing on DC 'MES-ADM1'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
LVL 18

Expert Comment

by:crissand
ID: 12236517
As you can see in the dcpromo process, the replication had errors. Let's see this first:

[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

Verify on the server in question that these services are started, and verify that the TCP/IP helper service is started. Since it seems to be a NetBIOS problem, verify that the NetBIOS over TCP/IP settings on the NIC are the same as on the other servers.
LVL 1

Author Comment

by:digitalsatori
ID: 12237377
All righty,

I checked all of the services you mentioned, and Messenger Service was the only one not running.  I started the service, and now the NetBT name test passes with no error messages.  The others are all still intact.

WINS is running, and I seem to be able to force a replication that way.  If I check the "Server Status", it states it is responding.  However, I'm still unable to log in as anyone except the domain administrator.  What I find odd is that if I run dcpromo, it prompts me for a username/password for an account that has administrative privileges on the domain, but it says replication access was denied even if I log in as the domain administrator.
LVL 18

Expert Comment

by:crissand
ID: 12237561
Good for now. Is there a possibility that this domain controller has a name that's already registered in Active Directory? Can you look at the system error log to see some error events, and write the errors here? Usually there must be errors on the faulty DC and in the PDC emulator's error log.
LVL 1

Author Comment

by:digitalsatori
ID: 12240033
SYSTEM LOG:
Type: Error, Source: NETLOGON, EventID: 5721

The session setup to the Windows NT or Windows 2000 Domain Controller \\PDC for the domain LOCAL failed because the Domain Controller did not have an account MES-ADM1$ needed to set up the session by this computer MES-ADM1.

I'm pretty sure that there is a problem with the name already being registered in Active Directory or DNS (or possibly it has been removed with the upgrade and never put back), but I'm not familiar enough to remove it and recreate it.  Is it something as simple as deleting the computer in Users and Computers (like you would a user), or is there something more that needs to be done?
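
As an added diagnostic example (not part of the original thread, and not something either participant ran), the following PowerShell script checks on the suspect DC each condition that the netdiag output and the NETLOGON 5721 event above point at: whether the PDC emulator holds a machine account MES-ADM1$ at all and whether that account carries the DC flag, whether the HOST/ SPNs netdiag reported as missing are registered, whether an NTDS Settings object for the DC still exists, and whether the secure channel can be established. It needs the ActiveDirectory RSAT module, which postdates the 2004 thread; the host name MES-ADM1 and the domain name "local" are taken from the thread, and the PDC emulator is looked up rather than assumed.

```powershell
# Added diagnostic example, not from the original thread. Run it on the suspect
# DC itself: Test-ComputerSecureChannel and nltest report the local machine's
# channel, which is the one failing here. Requires the ActiveDirectory RSAT
# module (Windows Server 2008 R2 or later). Names come from the thread.
param(
    [string]$DcName     = 'MES-ADM1',
    [string]$DomainName = 'local'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Find the PDC emulator. A DC's secure channel is set up against this
#    server, so its copy of the directory is the one that must hold MES-ADM1$.
$pdc = (Get-ADDomain -Identity $DomainName).PDCEmulator
"PDC emulator for '$DomainName': $pdc"

# 2. Does the PDC emulator have a machine account for this DC? Event 5721 and
#    ERROR_NO_TRUST_SAM_ACCOUNT (1787) both mean the answer is no.
$account = Get-ADComputer -Server $pdc -LDAPFilter "(sAMAccountName=$DcName`$)" `
                          -Properties servicePrincipalName, userAccountControl
if (-not $account) {
    "FAIL: no account '$DcName`$' on $pdc. Nothing on this host can repair that:"
    "      sc_reset and Test-ComputerSecureChannel -Repair both need an existing account."
} else {
    "OK:   account found: $($account.DistinguishedName)"
    # userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks a DC account.
    # Only 0x1000 (WORKSTATION_TRUST_ACCOUNT) set means a stale member-server
    # object with the same name is sitting where the DC account should be.
    $isDcAccount = ($account.userAccountControl -band 0x2000) -ne 0
    "      SERVER_TRUST_ACCOUNT flag set: $isDcAccount"

    # 3. netdiag warned that HOST/mes-adm1 was not registered; list the SPNs.
    $hostSpns = @($account.servicePrincipalName | Where-Object { $_ -like 'HOST/*' })
    if ($hostSpns.Count -eq 0) { "WARN: no HOST/ SPNs registered on $DcName`$" }
    else                       { "OK:   HOST SPNs: $($hostSpns -join ', ')" }
}

# 4. Does the PDC emulator still have an NTDS Settings object for this DC? A
#    machine account that is gone while this object remains means partners keep
#    trying, and failing, to replicate with a DC that cannot authenticate.
try {
    $dc = Get-ADDomainController -Identity $DcName -Server $pdc -ErrorAction Stop
    "OK:   NTDS Settings present: $($dc.NTDSSettingsObjectDN)"
} catch {
    "WARN: $pdc has no domain-controller object for $DcName"
}

# 5. The live secure channel from the local side, as the thread's nltest call
#    did. Test-ComputerSecureChannel returns $false on a broken channel; nltest
#    prints the status code (1787 = ERROR_NO_TRUST_SAM_ACCOUNT).
$channelOk = Test-ComputerSecureChannel -Server $pdc -Verbose
"Secure channel to $pdc healthy: $channelOk"
nltest /sc_query:$DomainName

# 6. Recent NETLOGON 5721 events show whether the PDC emulator is still
#    rejecting session setup from this machine.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5721 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

The point of step 2 is that the failure is on the other end of the channel: a DC whose account has vanished from the PDC emulator cannot reset its own password or re-establish the channel, because both operations authenticate with the account that is missing. That is why the thread ends in a forced demotion and re-promotion rather than a repair from MES-ADM1's side.
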
LVL 18

Expert Comment

by:crissand
ID: 12240205
LVL 18

Accepted Solution

by:crissand (earned 500 total points)
ID: 12240279
See this too:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;160324

It explains how to remove and rejoin the server to the domain.
LVL 1

Author Comment

by:digitalsatori
ID: 12248802
I tried to do both of those, but to no avail.  I'm not able to leave the domain because the server is a DC.  I can't demote the server from a DC because replication access is denied.

I looked through DNS, WINS, ADSI, etc.  Everything seems to be okay.  Any other thoughts?

Thanks again for your time and for trying to help me; it is appreciated.  =)
LVL 18

Expert Comment

by:crissand
ID: 12249246
Let's start a step by step verification. Right-click My Computer, select Properties, and click the Computer Name tab. If the DNS suffix of the computer name doesn't match what is listed for the domain name, there is a disjoint namespace.

LVL 1

Author Comment

by:digitalsatori
ID: 12249521
The name does match the DNS suffix.  I think that part of it is okay.  =)
LVL 18

Expert Comment

by:crissand
ID: 12249600
There is a VBS script on Microsoft's site that solves the problem here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;257623

LVL 1

Author Comment

by:digitalsatori
ID: 12252620
Still no workie.  I ran the script too, but I'm still having the same problems.
LVL 18

Expert Comment

by:crissand
ID: 12257804
Is the domain suffix the same now? Run dcdiag now.
LVL 1

Author Comment

by:digitalsatori
ID: 12262559
I actually did fix the problem today.  All of the domain controllers that I upgraded last week decided to have the same problem today.

Anyway, apparently what had happened was that I did not demote the DCs prior to performing the upgrade.  I did manage to find the link on how to run dcpromo /forceremoval, and once I did that and rejoined, and then re-promoted the DC, everything worked out.

So thank you so much for your help, had it not been for your link I wouldn't have been able to find that command!
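
As an added example, not part of the thread, here is the procedure the final post describes written out with the tools involved, plus the step the post does not mention: after dcpromo /forceremoval the forest still holds the dead DC's server and NTDS Settings objects, machine account and DNS records, and those must be cleaned up on a healthy DC before the server is rejoined under the same name, otherwise partners keep attempting replication with a host that cannot authenticate and the re-promotion collides with the stale objects. The healthy DC name "PDC" is the one netdiag printed; the site name "Default-First-Site-Name" and the DNS zone "local" are assumptions (the netdiag output shows a longer DNS suffix, so the real zone name must be substituted). The ntdsutil one-line form requires Windows Server 2003 SP1 or later; the ADDSDeployment cmdlets named in the comments are the Windows Server 2012+ equivalents.

```powershell
# Added example, not from the original thread. One script, three phases that run
# on different machines at different times; the phase is chosen explicitly.
# Assumed names: broken DC "MES-ADM1", healthy DC "PDC" (as netdiag reported),
# domain "local", site "Default-First-Site-Name", DNS zone "local".
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('ForceRemove', 'MetadataCleanup', 'Rejoin')]
    [string]$Phase,
    [string]$DcName     = 'MES-ADM1',
    [string]$HealthyDc  = 'PDC',
    [string]$DomainName = 'local',
    [string]$SiteName   = 'Default-First-Site-Name',   # assumption
    [string]$DnsZone    = 'local'                      # assumption; use the real zone
)

switch ($Phase) {
    'ForceRemove' {
        # Phase 1, on MES-ADM1. /forceremoval skips the outbound replication a
        # normal demotion needs (the step failing here with "replication access
        # was denied"). It removes nothing from the forest metadata and moves no
        # FSMO roles: if this DC holds a role, seize it on a healthy DC first
        # (ntdsutil "roles" ...). In this thread the PDC holds all roles.
        # Windows Server 2012 and later:
        #   Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword $pw -Force
        dcpromo /forceremoval
    }

    'MetadataCleanup' {
        # Phase 2, on a DC that still replicates, after phase 1 has completed.
        # On Windows Server 2003 SP1 and later "remove selected server <DN>"
        # removes the server's NTDS Settings object and the objects tied to it in
        # one step; pre-SP1 ntdsutil needs the interactive "select operation
        # target" walk from KB 216498 instead.
        $domainDn = 'DC=' + (($DomainName -split '\.') -join ',DC=')
        $serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$domainDn"
        ntdsutil "metadata cleanup" "connections" "connect to server $HealthyDc" "quit" `
                 "remove selected server $serverDn" "quit" "quit"

        # The stale machine account is a credential for a host that no longer
        # exists; make sure it is gone (ntdsutil normally removes it), else dsrm it.
        dsquery computer -name $DcName

        # ntdsutil leaves DNS alone. The host A record and the SRV records under
        # _msdcs still point clients and partners at the dead DC: list, then delete
        # the A record, and prune the SRV records the same way.
        dnscmd $HealthyDc /EnumRecords $DnsZone $DcName
        dnscmd $HealthyDc /RecordDelete $DnsZone $DcName A /f

        # Confirm no partner still lists MES-ADM1 before it is rejoined.
        repadmin /showrepl $HealthyDc
        dcdiag /s:$HealthyDc /test:replications
    }

    'Rejoin' {
        # Phase 3, back on MES-ADM1, which /forceremoval left in a workgroup. Join
        # as a plain member first so a fresh machine account and secure channel
        # exist before any directory partition is replicated back onto the box.
        $cred = Get-Credential "$DomainName\Administrator"
        Add-Computer -DomainName $DomainName -Credential $cred -Restart
        # After the reboot the test that failed in the thread must pass:
        #   nltest /sc_verify:local
        # and only then promote again:
        #   dcpromo                                              (Windows Server 2003 / 2008)
        #   Install-ADDSDomainController -DomainName local -Credential (Get-Credential)   (2012+)
    }
}
```

Run the phases in order and on the right hosts: phase 2 must not run until phase 1 has finished, and phase 3 must not run until phase 2 reports clean replication, since rejoining while the old server object is still present recreates exactly the duplicate-name situation the thread suspected.
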
LVL 18

Expert Comment

by:crissand
ID: 12275391
Glad to help!