Solved

Admin account appears to be locked out.

Posted on 2004-11-08
Last Modified: 2008-03-17
Hey guys, I am in bad need of some help. I am on my DC right now and it is in safe mode. I cannot log in even as the Administrator at the first screen in regular boot. I also cannot even get past the Ctrl Alt Del screen. I push it and nothing happens. So anyway, I am in safe mode and it appears that the problems started happening about 30 mins ago, so I have gone back in the event logs and got the errors that began to occur at that time. I know everyone here is in need of help but this is critical. If I could give a million points I would. As of right now no one has mail and the DC is down, and here at a hospital we all know it is critical. PLEASE help!!
Here are the Events that started all at the same time
Event ID 490    Source ESE
Information Store (5272) First Storage Group: An attempt to open the file "C:\Program Files\Exchsrvr\mdbdata\E00.chk" for read / write access failed with system error 1331 (0x00000533): "Logon failure: account currently disabled. ".  The open file operation will fail with error -1022 (0xfffffc02).

Event ID  419   Source smtpsrv
SMTP server cannot create a file in the queue directory C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\.

Event id 7          Source KDC
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was DNS/prisoner.iana.org and lookup type 0x48.

This last one above appears several times with any account basically popping up at random.

Event id 3011    Source LDMS
Failed to create process dmadmin.exe, binPath=%SystemRoot%\System32\dmadmin.exe, Error=1331.
Question by:jjeffords
13 Comments
 

Author Comment

by:jjeffords
ID: 12527146
Hey guys, I figured I should also mention the fact these errors occur over and over again.
I also get the w32time popping up a lot since that happened. I know how to fix that, but I figured maybe this little bit of info would help things out. I was also getting some DNS server errors but they seem to have tapered off.
Here is the one I was getting from DNS and one from the

Event ID  4004     Source   DNS  
The DNS server was unable to complete directory service enumeration of zone Backup2k3.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.


Event ID  490         Source   ntds isam
NTDS (600) NTDSA: An attempt to open the file "C:\WINDOWS\NTDS\edb.chk" for read / write access failed with system error 1331 (0x00000533): "Logon failure: account currently disabled. ".  The open file operation will fail with error -1022 (0xfffffc02).

Event id 490  Source NTDS ISAM
NTDS (600) NTDSA: An attempt to open the file "C:\WINDOWS\NTDS\edb.chk" for read / write access failed with system error 1331 (0x00000533): "Logon failure: account currently disabled. ".  The open file operation will fail with error -1022 (0xfffffc02).

 
LVL 51

Expert Comment

by:Netman66
ID: 12527409
Regarding the prisoner.iana.org entry, here is an excerpt from Mark Minasi's book:

": what IS this
prisoner.iana.org? Well, once RFC 1918 (and its predecessors, actually)
came out, the IANA -- the old name, recall, for the folks in charge of
handing out IP address blocks -- realized that they needed a "placeholder"
in-addr.arpa zone for the three ranges of non-routable addresses. So they
put zones named 10.in-addr.arpa, 16.172.in-addr.arpa, and
168.192.in-addr.arpa on three DNS servers named blackhole-1.iana.org,
blackhole-2.iana.org and prisoner.iana.org, at IP addresses 192.175.48.6,
192.175.48.42, and 192.175.48.1, and prisoner is set as the primary DNS
server for the zones.


Thus, if one of your systems with a 192.168.x.x address tries to register
its PTR record then it will, unless you have a local DNS server with a
168.192.in-addr.arpa zone, end up trying to register with prisoner.iana.org
-- which will reject the request. The bottom line is, don't worry about it
in most cases. In one case, however, you MIGHT worry about it, if you were
running an intranet with a dialup connection to the Internet. If your
intranet systems have private addresses and you don't have a local reverse
lookup zone for your private addresses then you will cause your systems to
try to contact prisoner, which would trigger a dialup. And if you're
connected via ISDN in some country not blessed with as low a set of telecomm
rates as we enjoy in the US, then that could be a quite expensive
proposition. Again, the answer in that case would either be to tell your
system not to do dynamic updates at all, or to create a local DNS server
with a dynamic 168.192.in-addr.arpa zone. "


So, in a nutshell, your server is trying to register a private IP address with your ISP - so your DNS is not set up completely correctly.

With respect to account lockout - in server 2003 it is possible to lock the Admin account - which scares me.  If you have a service account (ie. for Exchange) and can remember the password you might be able to log in with that account to check what's going on with the Admin account.  Alternately, you could boot the server in normal mode, connect remotely to it with ADUC or Manage and see what's up also.  

All the events you show simply tell me that either the service account is locked or the password expired.

Advise.
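
Added example, not part of the original thread or of the quoted book: a check for the situation the excerpt describes, listing which private host addresses have no locally hosted reverse zone for their PTR registration to land in. It goes beyond the excerpt by covering all sixteen reverse zones under 172.16.0.0/12 (16.172 through 31.172.in-addr.arpa); the function names and sample data are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as referred to in the excerpt above.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_reverse_zone(ip):
    """Return the in-addr.arpa zone that covers a private IPv4 address,
    or None if the address is not in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not any(addr in net for net in RFC1918):
        return None
    o = str(addr).split(".")
    # 10/8 is one zone; the other two ranges are split at the second octet,
    # so 172.16.0.0/12 spans 16.172 through 31.172.in-addr.arpa.
    return "10.in-addr.arpa" if o[0] == "10" else f"{o[1]}.{o[0]}.in-addr.arpa"


def is_covered(ptr_name, local_zones):
    """True if ptr_name equals or sits below one of the locally hosted zones."""
    name = ptr_name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z)
               for z in (z.rstrip(".").lower() for z in local_zones))


def leaking_ptr_updates(host_ips, local_zones):
    """List (ip, ptr_name, zone) for private addresses whose PTR update
    has no local reverse zone to register in."""
    leaks = []
    for ip in host_ips:
        zone = private_reverse_zone(ip)
        if zone is None:
            continue  # public address: not the case discussed here
        ptr = ipaddress.ip_address(ip).reverse_pointer
        if not is_covered(ptr, local_zones):
            leaks.append((ip, ptr, zone))
    return leaks


# Constructed sample data: host addresses and the reverse zones a local DNS server hosts.
SAMPLE_HOSTS = ["192.168.1.10", "172.20.5.7", "10.1.2.3", "192.175.48.1"]
SAMPLE_LOCAL_ZONES = ["168.192.in-addr.arpa", "1.10.in-addr.arpa"]

if __name__ == "__main__":
    for ip, ptr, zone in leaking_ptr_updates(SAMPLE_HOSTS, SAMPLE_LOCAL_ZONES):
        print(f"{ip}: {ptr} has no local reverse zone (falls under {zone})")
```
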
 

Author Comment

by:jjeffords
ID: 12527479
Also, one more thing to add to all of this. When the machine is booting and it is showing the Applying computer settings, etc etc etc
It also now says Active Directory is now reloading indices or something similar to that...
Any clue as to what could be causing this?
Also, I can still log into the server with the Administrator account as long as I am in Safe Mode. But if I am not in safe mode I cannot even get past Ctrl Alt Del.
It just leaves me sitting there no matter how many times I hit it. It goes nowhere. It doesn't matter what account I use, it will not let me log in. I mean any domain account I try would not let me in. Then when I rebooted it won't let me past the Ctrl Alt Delete.

 
LVL 6

Expert Comment

by:nihlcat
ID: 12527538
Jjefford, that's the one predictable part of this:  AD absolutely will not run without DNS.

<Subscribing>
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 12527569
Sounds like there is an AD database corruption.  The file that holds AD is NTDS.DIT.

Here is an article to help troubleshoot: http://support.microsoft.com/default.aspx?scid=kb;en-us;258062

Advise.
 
LVL 51

Expert Comment

by:Netman66
ID: 12527582
Yes, as nihlcat mentions, your DNS could be the culprit too if something changed and AD cannot use it.

 

Author Comment

by:jjeffords
ID: 12527707
Would any of these reasons cause you not to be able to get past the Ctrl Alt Del screen??
This one I can't figure out to save my life....
Unless I go to Safe Mode I cannot even execute Ctrl Alt Del.
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 12528320
Hi jjeffords,
You may have denied yourself permissions to log in locally.
usual disclaimers apply
 
LVL 11

Expert Comment

by:WeHe
ID: 12528381
Start your computer into Safe mode with networking support.
Log on as the administrator.
Start the Active Directory Users and Computers snap-in, expand Local Users and Groups, and then expand Users.
Right-click Administrator, and then click Enable Account.
Restart your computer.
 
LVL 4

Expert Comment

by:brownmattc
ID: 12529052
If you can't log on, have you tried starting using Last Known Good Configuration?

Matt
 
LVL 4

Expert Comment

by:brownmattc
ID: 12529095
You can also restore the registry by doing the following:

Using Recovery Console to Restore the Registry Keys HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE
If the previously discussed recovery methods do not enable you to start Windows you can try replacing the System and Software files, which are in the systemroot\System32\Config folder, with a backup copy from the systemroot\Repair folder. The System and Software files are used by Windows to create the registry keys HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE. A corrupted copy of the System or Software file could prevent you from starting Windows.

Try other recovery methods before using the manual procedure that follows. The manual procedure enables you to start the operating system, allowing you to perform further repairs by using Windows.

When using the following procedure, do not replace both the System and Software files as part of a single attempt to start the computer. First, replace one file, and then test whether this action resolves the startup problem. If the problem persists, copy the other file. Which file you decide to replace first (the System or Software file), depends on the information that the Stop error displays (hardware or software related).

Using Recovery Console to replace the System file

At the Recovery Console prompt, locate the config folder by typing:
cd system32\config

Create backups of the System or Software files by typing:
copy system <drive:\path\filename>

-or-

copy software <drive:\path\filename>

If they exist, save backups of other files that use file names that start with "system" or "software," such as System.sav or Software.sav.

Replace the current System or Software file by typing:
copy ..\..\repair\system

-or-

copy ..\..\repair\software

Answer the Overwrite system? (Yes/No/All): prompt by pressing Y.
Restart the computer.
 
LVL 51

Expert Comment

by:Netman66
ID: 12532801
What type of keyboard are you using?  Have you changed it recently?

Do you see any i8042prt errors in the Event Logs?

 
LVL 51

Expert Comment

by:Netman66
ID: 12539061
Thanks, but did it actually help?

Troubleshooting blind is a hard thing and I hope that something above helped fix your issue.  Can you please let us know if you were successful at fixing this with our assistance or if you figured it out on your own.  

If you did figure it out on your own, we would love to have you share your fix - it helps us learn too!

Cheers,
NM