blaze2342
Logon Domain Problems

When I try to connect to active directory I get the following error:

Active Directory
Naming information cannot be located because:
The logon attempt failed.
Contact your system administrator to verify that your domain is properly configured and is currently online.

None of my users can connect to the file server right now because of this. It looks like the server was hacked over the weekend. What do I need to do to get Active Directory working again?
blaze2342

ASKER

This is on the domain controller.
Hi blaze2342,

are you able to log on the actual domain controller itself?

run dcdiag for me if you can
I haven't used that utility... how do I run that?
This is a Win2K DC.
Keith Alabaster
Do you have just the one DC? Have you rebooted this box?
Can you ping the DC OK?
Can you get to the DC console and logon OK as administrator?
Anything in the event logs?
I can ping the domain
I can logon to the box
This is the only domain controller
Event log:
Netlogon: The computer COMPID1049 tried to connect to the server \\CARTMAN using the trust relationship established by the EI domain. However, the computer lost the correct security identifier (SID) when the domain was reconfigured. Reestablish the trust relationship.

Userenv: Windows cannot query for the list of Group Policy objects . A message that describes the reason for this was previously logged by this policy engine
Userenv: Windows cannot establish a connection to rdu.ei1.com with (0).
Does the servername and the computer name relate to your own systems? ie Are they valid on your network? If not, then yes, it sounds like you have been hacked.

Nasty, I wonder if you are able to dcpromo the server out and then back up again - just not sure of the extent of the damage.
What are you still doing up?
From DCDiag

Domain Controller Diagnosis

Performing initial setup:
   [cartman] LDAP bind failed with error 1323,
   Unable to update the password. The value provided as the current password is
incorrect..
   ***Error: The machine could not attach to the DC because the credentials
   were incorrect.  Check your credentials or specify credentials with
   /u:<domain>\<user> & /p:[<password>|*|""]
Need to be careful here. If this is the only DC and it's dcpromo'd down and back up, it will come up with new SIDs.
Blaze, when was the last full system backup taken, including system state?
not sure
Ah, I can spot a potential pitfall on the horizon looming up here.

The obvious solution here would be to perform a restore which would get you back to the state before the weekend (just do a system state restore, not the data).

If you don't have a backup or at least one that is remotely current, then you may have a problem here.

The fact that you can logon to the box as administrator is encouraging as the 1323 error message suggests that the active directory did not like the credentials that it was passed.


http://support.microsoft.com/default.aspx?scid=kb;en-us;842715

Looks like I have a problem.. woo hoo
Cripes....

Have you got a spare workstation? If so, try and add it to the domain. If not, pick a PC that has little installed. Remove it from the domain into a workgroup and reboot it. When it comes up, change the PC name to something else. It may want a reboot again. Once it is back up, re-add it to the domain. Log in as the user. Does it start operating as it should?
Let's establish if the domain is actually operating OK.

Yea, the interesting thing is that we can log onto the console and even on to machines attached to the domain, but once we log on we can't access any of the server shares. On the console we can't access shares or the Active Directory snap-in.
OK, I'll try it real quick.
What do you get if you try?
I can't join it to the domain.. says user has not been granted the logon type to join to the domain.
OH. So yes, the AD is in real trouble.
Are you sure there are no other messages in any of the event logs?

Have you downloaded and installed the windows 2000 resource kit and the windows 2000 admin kit?

What message do you get when you try and access a share?
I've downloaded some of the tools throughout my troubleshooting..

When I access a share it says the user has not been granted the requested logon type at this computer.
It is an issue with the security policy, that's for sure, but it is likely going to be just a symptom rather than the root cause. Think James may be right; you may well be looking at a dcpromo down and back up again to install a clean Active Directory. This will require each user and machine re-adding again as well as all the other 101 things that will need doing.

In addition, I would seriously check your security regime for the future (including backups).
We reset the group policy using a utility and were able to get the Active Directory running again. As for security, it appears they got in through a vulnerability in VNC. As for backups, what do you recommend? System State as often as possible?
This error occurs when the SeNetworkLogon rights have been removed from the Default Domain Controllers Policy.
Seems like the logon locally rights have not been removed.
There is a GptTmpl.inf file in the SYSVOL 6AC or 31B.
I have seen a similar instance.
What you can do is log in locally and check this file in Notepad.

**************************************************************************************
Contents of the default GptTmpl.inf

[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeBackupPrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeBatchLogonRight =
SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-544,*S-1-1-0
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544,TsInternetUser
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0 (this is access this comp from network policy)
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-549,*S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight =
SeShutdownPrivilege = *S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeSystemTimePrivilege = *S-1-5-32-549,*S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeDenyInteractiveLogonRight =
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight =
SeUndockPrivilege = *S-1-5-32-544
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1


This is how the file looks; compare the SIDs and in case any are missing, replace them. When replacing the SIDs, remember to stop the FRS service.
Or, in case no encryption or PKI is used, you could always run recreatedefpol, which is going to recreate the default policies.

thanks,
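The comparison the post above describes (checking the SIDs on the logon rights in GptTmpl.inf against the defaults) as a small script. This is an added example, not code from the thread; the expected SIDs are the ones shown in the default GptTmpl.inf above, and the sample INF text is constructed so that SeNetworkLogonRight is missing Authenticated Users and the deny right is populated.

```python
# Added example, not the thread's code: diff GptTmpl.inf logon rights against defaults.
import re

# Defaults for SeNetworkLogonRight ("Access this computer from the network") and the
# matching deny right, as shown in the poster's default GptTmpl.inf.
EXPECTED_RIGHTS = {
    "SeNetworkLogonRight": {"*S-1-5-11", "*S-1-5-32-544", "*S-1-1-0"},
    "SeDenyNetworkLogonRight": set(),
}

def parse_gpttmpl(text):
    """Return {section: {key: value}} from INF-style text; keys are kept as written."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def rights_holders(value):
    """Split a privilege-rights value into SID/account tokens; '' means nobody."""
    value = re.sub(r"\(.*\)$", "", value).strip()   # drop a trailing note in parentheses
    return {t.strip() for t in value.split(",") if t.strip()}

def check_logon_rights(text, expected=EXPECTED_RIGHTS):
    """Return {right: (missing, extra)} for each right that deviates from expected."""
    rights = parse_gpttmpl(text).get("Privilege Rights", {})
    findings = {}
    for right, want in expected.items():
        have = rights_holders(rights.get(right, ""))   # absent key == nobody has it
        missing, extra = want - have, have - want
        if missing or extra:
            findings[right] = (sorted(missing), sorted(extra))
    return findings

# Constructed sample: Authenticated Users (S-1-5-11) dropped from the network logon
# right and Everyone (S-1-1-0) placed in the deny right, i.e. the damage described above.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
SeDenyNetworkLogonRight = *S-1-1-0
"""

if __name__ == "__main__":
    for right, (missing, extra) in check_logon_rights(SAMPLE_INF).items():
        print(f"{right}: missing={missing} extra={extra}")
```

Run it against a copy of the GptTmpl.inf pulled from SYSVOL; an empty result means the network logon rights match the defaults listed above.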
ASKER CERTIFIED SOLUTION
Keith Alabaster
Thanks :)
Nice work :) just got into the office, missed lots!