jjeffords
Admin account appears to be locked out.

Hey guys, I am in bad need of some help. I am on my DC right now and it is in safe mode. I cannot log in even as the Administrator at the first screen in regular boot. I also cannot even get past the Ctrl-Alt-Del screen. I push it and nothing happens. So anyway I am in safe mode and it appears that the problems started happening about 30 mins ago, so I have gone back in the event logs and got the errors that began to occur at that time. I know everyone here is in need of help but this is critical. If I could give a million points I would. As of right now no one has mail and the DC is down, and here at a hospital we all know it is critical, so PLEASE help!!
Here are the events that started all at the same time:
Event ID 490   Source ESE
Information Store (5272) First Storage Group: An attempt to open the file "C:\Program Files\Exchsrvr\mdbdata\E00.chk" for read / write access failed with system error 1331 (0x00000533): "Logon failure: account currently disabled. ".  The open file operation will fail with error -1022 (0xfffffc02).

Event ID 419   Source smtpsrv
SMTP server cannot create a file in the queue directory C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\.

Event ID 7   Source KDC
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was DNS/prisoner.iana.org and lookup type 0x48.

This last one above appears several times, with basically any account popping up at random.

Event ID 3011   Source LDMS
Failed to create process dmadmin.exe, binPath=%SystemRoot%\System32\dmadmin.exe, Error=1331.
jjeffords (ASKER)

Hey guys, I figured I should also mention the fact these errors occur over and over again.
I also get the w32time popping up a lot since this happened. I know how to fix that but I figured maybe this little bit of info would help things out. I was also getting some DNS server errors but they seem to have tapered off.
Here is the one I was getting from DNS and one from the

Event ID 4004   Source DNS
The DNS server was unable to complete directory service enumeration of zone Backup2k3.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.


Event ID 490   Source NTDS ISAM
NTDS (600) NTDSA: An attempt to open the file "C:\WINDOWS\NTDS\edb.chk" for read / write access failed with system error 1331 (0x00000533): "Logon failure: account currently disabled. ".  The open file operation will fail with error -1022 (0xfffffc02).

Avatar of Netman66
Regarding the prisoner.iana.org entry, here is an exerpt from Mark Minasi's book:

": what IS this
prisoner.iana.org? Well, once RFC 1918 (and its predecessors, actually)
came out, the IANA -- the old name, recall, for the folks in charge of
handing out IP address blocks -- realized that they needed a "placeholder"
in-addr.arpa zone for the three ranges of non-routable addresses. So they
put zones named 10.in-addr.arpa, 16.172.in-addr.arpa, and
168.192.in-addr.arpa on a three DNS servers named blackhole-1.iana.org,
blackhole-2.iana.org and prisoner.iana.org, at IP addresses 192.175.48.6,
192.175.48.42, and 192.175.48.1, and prisoner is set as the primary DNS
server for the zones.


Thus, if one of your systems with a 192.168.x.x address tries to register
its PTR record then it will, unless you have a local DNS server with a
168.192.in-addr.arpa zone, end up trying to register with prisoner.iana.org
-- which will reject the request. The bottom line is, don't worry about it
in most cases. In one case, however, you MIGHT worry about it, if you were
running an intranet with a dialup connection to the Internet. If your
intranet systems have private addresses and you don't have a local reverse
lookup zone for your private addresses then you will cause your systems to
try to contact prisoner, which would trigger a dialup. And if you're
connected via ISDN in some country not blessed with as low a set of telecomm
rates as we enjoy in the US, then that could be a quite expensive
proposition. Again, the answer in that case would either be to tell your
system not to do dynamic updates at all, or to create a local DNS server
with a dynamic 168.192.in-addr.arpa zone. "


So, in a nutshell, your server is trying to register a private IP address with your ISP - so your DNS is not setup completely correct.

With respect to account lockout - in server 2003 it is possible to lock the Admin account - which scares me.  If you have a service account (ie. for Exchange) and can remember the password you might be able to log in with that account to check what's going on with the Admin account.  Alternately, you could boot the server in normal mode, connect remotely to it with ADUC or Manage and see what's up also.  

All the events you show simple tell me that either the service account is locked or the password expired.

Advise.
Also one more thing to add to all of this. When the machine is booting and it is showing the Applying computer settings, etc etc etc
It also now says Active Directory is now reloading indicies or something similar to that...
Any clue as to what could be causeing this?
Also i can still log into the server with the Administrator account as long as i am in Safe Mode. But if i am not in safe mode i cannot even get past Ctrl Alt Del
It just leaves me sitting there and no matter how many times i hit it. It goes no where. It doesnt matter what account i use it will not let me log in. I mean any domain account i try would not let me in. Then when i rebooted it wont let me past the ctrl alt delete
Jjefford, that's the one predictable part of this:  AD absolutely will not run without DNS.

<Subscribing>
ASKER CERTIFIED SOLUTION
Avatar of Netman66
Netman66
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Yes, as nihlcat mentions, your DNS could be the culprit too if something changed and AD cannot use it.

Would any of these reasons cause you not to be able to get past the Ctrl Atl Del screen ??
This one i cant figure out to save my life....
Unless i go to Safe Mode i cannot even execute ctrl alt del
Hi jjeffords,
You may have denied yourself permissions to log in locally.
usual disclaimers apply
Start your computer in to Safe mode with networking support.
Log on as the administrator.
Start the Active Directory Users and Computers snap-in, expand Local Users and Groups, and then expand Users.
Right-click Administrator, and then click Enable Account.
Restart your computer.
If you cant logon have you tried starting using Last Know Good Configuration?

Matt
You can also restore the registry by doing the following:

Using Recovery Console to Restore the Registry Keys HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE
If the previously discussed recovery methods do not enable you to start Windows you can try replacing the System and Software files, which are in the systemroot\System32\Config folder, with a backup copy from the systemroot\Repair folder. The System and Software files are used by Windows to create the registry keys HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE. A corrupted copy of the System or Software file could prevent you from starting Windows.

Try other recovery methods before using the manual procedure that follows. The manual procedure enables you to start the operating system, allowing you to perform further repairs by using Windows.

When using the following procedure, do not replace both the System and Software files as part of a single attempt to start the computer. First, replace one file, and then test whether this action resolves the startup problem. If the problem persists, copy the other file. Which file you decide to replace first (the System or Software file), depends on the information that the Stop error displays (hardware or software related).

Using Recovery Console to replace the System file

At the Recovery Console prompt, locate the config folder by typing:
cd system32\config

Create backups of the System or Software files by typing:
copy system <drive:\path\filename>

-or-

copy software <drive:\path\filename>

If they exist, save backups of other files that use file names that start with "system" or "software," such as System.sav or Software.sav.

Replace the current System or Software file by typing:
copy ..\..\repair\system

-or-

copy ..\..\repair\software

Answer the Overwrite system? (Yes/No/All): prompt by pressing Y.
Restart the computer.
What type of keyboard are you using?  Have you changed it recently?

Do you see any i8042prt errors in the Event Logs?

Thanks, but did it actually help?

Troubleshooting blind is a hard thing and I hope that something above helped fix your issue.  Can you please let us know if you were successful at fixing this with our assistance or if you figured it out on your own.  

If you did figure it out on your own, we would love to have you share your fix - it helps us learn too!

Cheers,
NM