• Status: Solved
  • Priority: Medium
  • Security: Public

Logon Domain Problems

When I try to connect to Active Directory I get the following error:

Active Directory
Naming information cannot be located because:
The logon attempt failed.
Contact your system administrator to verify that your domain is properly configured and is currently online.

None of my users can connect to the file server right now because of this. It looks like the server was hacked over the weekend. What do I need to do to get Active Directory working again?
Asked by: blaze2342

1 Solution
blaze2342 (Author) commented:
This is on the domain controller.
 
Jay_Jay70 commented:
Hi blaze2342,

Are you able to log on to the actual domain controller itself?

Run dcdiag for me if you can.
 
blaze2342 (Author) commented:
I haven't used that utility. How do I run that?
 
blaze2342 (Author) commented:
This is a Win2k DC.
 
Jay_Jay70 commented:
 
Keith Alabaster (Enterprise Architect) commented:
Do you have just the one DC? Have you rebooted this box?
Can you ping the DC OK?
Can you get to the DC console and logon OK as administrator?
Anything in the event logs?
 
blaze2342 (Author) commented:
I can ping the domain.
I can log on to the box.
This is the only domain controller.
Event log:
Netlogon: The computer COMPID1049 tried to connect to the server \\CARTMAN using the trust relationship established by the EI domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.

 
blaze2342 (Author) commented:
Userenv: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.
 
blaze2342 (Author) commented:
Userenv: Windows cannot establish a connection to rdu.ei1.com with (0).
 
Keith Alabaster (Enterprise Architect) commented:
Do the server name and the computer name relate to your own systems, i.e. are they valid on your network? If not, then yes, it sounds like you have been hacked.

 
Jay_Jay70 commented:
Nasty. I wonder if you are able to dcpromo the server out and then back up again; just not sure of the extent of the damage.
 
Keith Alabaster (Enterprise Architect) commented:
What are you still doing up?
 
blaze2342 (Author) commented:
From dcdiag:

Domain Controller Diagnosis

Performing initial setup:
   [cartman] LDAP bind failed with error 1323,
   Unable to update the password. The value provided as the current password is incorrect.
   ***Error: The machine could not attach to the DC because the credentials
   were incorrect.  Check your credentials or specify credentials with
   /u:<domain>\<user> & /p:[<password>|*|""]
 
Keith Alabaster (Enterprise Architect) commented:
Need to be careful here. If this is the only DC and it's dcpromo'd down and back up, it will come up with new SIDs.
 
Keith Alabaster (Enterprise Architect) commented:
Blaze, when was the last full system backup taken, including system state?
 
blaze2342 (Author) commented:
Not sure.
 
Keith Alabaster (Enterprise Architect) commented:
Ah, I can spot a potential pitfall on the horizon looming up here.

The obvious solution here would be to perform a restore, which would get you back to the state before the weekend (just do a system state restore, not the data).

If you don't have a backup or at least one that is remotely current, then you may have a problem here.

The fact that you can log on to the box as administrator is encouraging, as the 1323 error message suggests that Active Directory did not like the credentials that it was passed.


http://support.microsoft.com/default.aspx?scid=kb;en-us;842715

 
blaze2342 (Author) commented:
Looks like I have a problem... woo hoo.
 
Keith Alabaster (Enterprise Architect) commented:
Cripes....

Have you got a spare workstation? If so, try and add it to the domain. If not, pick a PC that has little installed. Remove it from the domain into a workgroup and reboot it. When it comes up, change the PC name to something else. It may want a reboot again. Once it is back up, re-add it to the domain. Log in as the user. Does it start operating as it should?
Let's establish if the domain is actually operating OK.

 
blaze2342 (Author) commented:
Yeah, the interesting thing is that we can log on to the console and even on to machines attached to the domain, but once we log on we can't access any of the server shares. On the console we can't access shares or the Active Directory snap-in.
 
blaze2342 (Author) commented:
OK, I'll try it real quick.
 
Keith Alabaster (Enterprise Architect) commented:
What do you get if you try?
 
blaze2342 (Author) commented:
I can't join it to the domain. It says the user has not been granted the logon type to join the domain.
 
Keith Alabaster (Enterprise Architect) commented:
Oh. So yes, the AD is in real trouble.
Are you sure there are no other messages in any of the event logs?

Have you downloaded and installed the Windows 2000 Resource Kit and the Windows 2000 Admin Kit?

What message do you get when you try and access a share?
 
blaze2342 (Author) commented:
I've downloaded some of the tools throughout my troubleshooting.

When I access a share it says the user has not been granted the requested logon type at this computer.
 
Keith Alabaster (Enterprise Architect) commented:
It is an issue with the security policy, that's for sure, but it is likely going to be just a symptom rather than the root cause. I think James may be right; you may well be looking at a dcpromo down and back up again to install a clean Active Directory. This will require each user and machine re-adding again, as well as all the other 101 things that will need doing.

In addition, I would seriously check your security regime for the future (including backups).
 
blaze2342 (Author) commented:
We reset the group policy using a utility and were able to get Active Directory running again. As for security, it appears they got in through a vulnerability in VNC. As for backups, what do you recommend? System State as often as possible?
 
Kini Pradeep (Principal Cloud and Security Consultant) commented:
This error occurs when the SeNetworkLogon rights have been removed from the Default Domain Controllers Policy.
It seems like the log on locally rights have not been removed.
There is a GptTmpl.inf file in the SYSVOL 6AC or 31B policy folder.
I have seen a similar instance.
What you can do is log in locally and check this file in Notepad.

**************************************************************************************
Contents of the default GptTmpl.inf

[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544,TsInternetUser
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
; this is the "Access this computer from the network" policy
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight =
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight =
SeUndockPrivilege = *S-1-5-32-544
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1


This is how the file looks. Compare the SIDs and, in case any are missing, replace them. When replacing the SIDs, remember to stop the FRS service.
Or, in case no encryption or PKI is used, you could always run recreatedefpol, which is going to recreate the default policies.

thanks,
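The comparison described in the answer above, as an added example that is not code from this thread or from any Microsoft tool: a small Python script that parses the [Privilege Rights] section of a GptTmpl.inf and reports every logon right whose members differ from the defaults listed in the answer. It goes one step beyond the post by also flagging non-empty SeDeny*LogonRight entries, because a deny right overrides the matching allow right and produces the same "not granted the requested logon type" failure. BROKEN_TEMPLATE is a constructed sample of a tampered template, and load_gpttmpl is an assumed helper for reading the real file.

```python
"""Audit the [Privilege Rights] section of a GptTmpl.inf against known defaults.

Added example for this thread, not code from the original posts or from any
Microsoft tool. EXPECTED_RIGHTS is taken from the default Domain Controllers
template reproduced in the answer above.
"""
import re

# Default assignments from the posted Domain Controllers GptTmpl.inf.
# Well-known SIDs: S-1-1-0 Everyone, S-1-5-11 Authenticated Users,
# S-1-5-32-544 Administrators, S-1-5-32-548 Account Operators,
# S-1-5-32-549 Server Operators, S-1-5-32-550 Print Operators,
# S-1-5-32-551 Backup Operators.
EXPECTED_RIGHTS = {
    # "Access this computer from the network": emptying this is what breaks
    # share access, LDAP binds and domain joins against the DC.
    "SeNetworkLogonRight": {"*S-1-5-11", "*S-1-5-32-544", "*S-1-1-0"},
    "SeInteractiveLogonRight": {"*S-1-5-32-550", "*S-1-5-32-549", "*S-1-5-32-548",
                                "*S-1-5-32-551", "*S-1-5-32-544", "TsInternetUser"},
    "SeMachineAccountPrivilege": {"*S-1-5-11"},
    # Deny rights override the matching allow right; all are empty by default.
    "SeDenyNetworkLogonRight": set(),
    "SeDenyInteractiveLogonRight": set(),
    "SeDenyBatchLogonRight": set(),
    "SeDenyServiceLogonRight": set(),
}

def parse_gpttmpl(text):
    """Parse INF-style text into {section: {key: raw value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def rights_set(value):
    """'a,b,c' -> {'a','b','c'}; an empty value means nobody holds the right."""
    return {item.strip() for item in value.split(",") if item.strip()}

def audit_privilege_rights(text, expected=EXPECTED_RIGHTS):
    """Return (right, problem) tuples for every right that differs from expected."""
    rights = parse_gpttmpl(text).get("Privilege Rights", {})
    findings = []
    for name, want in expected.items():
        if name not in rights:
            findings.append((name, "missing from template"))
            continue
        have = rights_set(rights[name])
        if want - have:
            findings.append((name, "removed: " + ",".join(sorted(want - have))))
        if have - want:
            findings.append((name, "added: " + ",".join(sorted(have - want))))
    return findings

def load_gpttmpl(path):
    """Assumed helper: real GptTmpl.inf files are UTF-16 with a BOM (Unicode=yes)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8")

# Constructed sample of a tampered template: the network logon right has been
# emptied and Authenticated Users added to the deny-from-network right.
BROKEN_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544,TsInternetUser
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight = *S-1-5-11
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for right, problem in audit_privilege_rights(BROKEN_TEMPLATE):
        print(f"{right}: {problem}")
```

Run against the live file with audit_privilege_rights(load_gpttmpl(path)), where path is the template under SYSVOL\<domain>\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf for the Default Domain Controllers Policy. The script only reports; the fix is still the one the answer gives (edit the policy, or the file with FRS stopped, or recreatedefpol), followed by a policy refresh on the DC.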
 
Keith Alabaster (Enterprise Architect) commented:
Nice move Sherlock :)

As for backups, a full system backup (data & system state) every weekend and differentials each week night.
 
Keith Alabaster (Enterprise Architect) commented:
Thanks :)
 
Jay_Jay70 commented:
Nice work :) Just got into the office, missed lots!
Question has a verified solution.