GPO problems: no access to Netlogon or TS
asked by cvservices

Hello all,

I work at a district with 36 sites and about 25 child domains (yes, I know it's crazy, but I inherited this and I'm working on fixing it).
We are running Active Directory 2000, with mixed servers running Windows 2000 Server and Windows Server 2003.

As of yesterday, we had something happen, which I still can't pinpoint, but our default domain policy got corrupted somehow, and the scope of it got reduced to only one OU that we had within the scope (Authenticated Users was no longer there). Essentially, I no longer had a default domain policy.

I managed to restore that, and I ran the Default Domain Policy restore tool which I got from the MSFT site; since I didn't have many special perms in the default domain policy, it wasn't a big deal to do so. (I did do a system state backup prior.)

As of last night, I was having some issues logging on to my domain controllers, which I came down to adding the Administrators group back into Allow Logon Locally and Allow Logon Through Terminal Services.

This morning, suddenly, all access was gone again. I am not able to access the servers via RDP. Windows 2003 servers return the following error:
"To log on to this remote console session, you must have administrative permissions on this computer"
and on Windows 2000 Servers I get the following error:
"You do not have access to logon to this session"

From searching for this error, it all referred to the previously mentioned GPO for the domain controllers, which, in my case, is already set up correctly.

A couple of things I noticed within that process:
1- The enterprise admin user is the only one that is still able to log in to the domain controllers.
2- I no longer seem to have access to write to my NETLOGON directories on the domain controllers with my domain admin users. I have read access, but no write access; I get an access denied. This happens with all domain admins.

I'm still not quite sure what else has been broken, but not being able to write to NETLOGON sounds like a pretty big problem to me (as an admin, of course).

So, would anyone have any ideas as to what may be happening? I'm afraid that if I don't resolve some things quickly here, I'm going to have some major replication issues, which I'm assuming I'm probably already having right now, and at some point I'm going to completely crash and burn. So any help would be greatly appreciated!!

If you have any ideas on how to troubleshoot the source of the problem, as I'm running out of ideas, and Google is sort of sending me in circles about the issue.

Thanks in advance for your assistance!

Update:
Here's an update which may be relevant,
I noticed that the users (other than my enterprise admin) are being automatically removed from my "Builtin\Administrators" group, even after I add them. This is the second time that I have re-added them, and they get removed.

Though I don't think that should affect Domain Admins' TS logons to the servers, as I have added the Domain Admins group to Allow Logon Locally and Allow Logon Through Terminal Services.

pHpp replied:

Are you using Restricted Groups in any way, and is that affecting your DCs instead of clients?
Have you checked with rsop or gpresult which policies you receive on your DCs?
Since you write that your DDP has been broken, have you checked that the Default Domain Controllers Policy is still intact and well?
cvservices (asker) replied:
Yes, my restricted groups are not set for both Domain Controllers and Default Domain.
I have checked gpresult, and it looks fine.
The DDP was broken, and in fact I'm not sure what "normal" looks like. I'm trying to figure out if the "User Rights Assignments" in the DDP are supposed to be all set to "Not Defined"... or are these broken as well?

As an update, though: after I re-added the domain admins and the appropriate groups to the Builtin\Administrators group yesterday, things seem to have stuck. I haven't really changed anything, so either someone was fudging with the network, or something really weird was going on.

At this point, I believe I was able to get things back to being fairly stable. Still looking more closely to do some damage control, but so far so good.
SOLUTION (pHpp): available to Experts Exchange members only.

ASKER CERTIFIED SOLUTION: available to Experts Exchange members only.
Still waiting on a moderator to award partial points and close the question.
Thanks mods!
barentz replied:
I'm having a similar problem with a smaller number of sites. It seems the replication was set up to replicate from and to all sites, but the sites cannot all reach each other. I have now split up the replication between the sites that can reach each other. As soon as that has replicated properly I should see some improvement. Did you check your replication topology? Can the servers reach each other? Did you run dcdiag?
cvservices (asker) replied:

Yes, I have done all the above. As a matter of fact, replication is working fine. This is after I had spent some hours with MSFT to resolve the issue of the DDP.
Apparently, even though I recreated the DDP, it wasn't enough to randomly create it. The GUID of that particular policy has to start with "{6AC-.." Not sure why, but this is what the MSFT engineers said. Once we resolved that, things seemed to get back to normal. Replication is working great now.
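A read-only check for the state this thread converges on: both default GPOs present in AD under their well-known GUIDs (the "{6AC-.." the MSFT engineers referred to is the Default Domain Controllers Policy), the two logon rights the asker kept re-adding, and any Restricted Groups entry that would keep stripping members from Builtin\Administrators. This is an added example in PowerShell, not code from the thread; it assumes a domain-joined Windows host with read access to SYSVOL and uses only ADSI and the SYSVOL share, so it needs no GroupPolicy module.

```powershell
# Added diagnostic, not from the original thread. Assumes a domain-joined Windows host
# with read access to SYSVOL; $Domain defaults to the current user's domain.
param([string]$Domain = $env:USERDNSDOMAIN)

# Well-known GUIDs of the two default GPOs; the "{6AC-.." in the thread is the DC policy.
$DefaultGpos = @{
    'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
}
# The two user rights the asker kept re-adding, keyed by their GptTmpl.inf name.
$Rights = @{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Terminal Services'
}

# Minimal parser for the INI-style security template: @{ section = @{ key = value } }.
function Read-SecurityTemplate([string]$Path) {
    $sections = @{}; $current = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $current = @{}; $sections[$Matches[1]] = $current; continue }
        if ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $current[$Matches[1]] = $Matches[2] }
    }
    return $sections
}

$domainDn = ([ADSI]"LDAP://$Domain/RootDSE").defaultNamingContext
foreach ($name in $DefaultGpos.Keys) {
    $guid = $DefaultGpos[$name]
    # AD side: the groupPolicyContainer must exist under CN=Policies with exactly this GUID.
    $adPath = "LDAP://$Domain/CN=$guid,CN=Policies,CN=System,$domainDn"
    "{0}: AD object {1}" -f $name, $(if ([ADSI]::Exists($adPath)) { 'present' } else { 'MISSING' })

    # SYSVOL side: the computer security template that carries user rights and Restricted Groups.
    $inf = "\\$Domain\SYSVOL\$Domain\Policies\$guid\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { "  no GptTmpl.inf in SYSVOL"; continue }
    $tmpl = Read-SecurityTemplate $inf

    foreach ($right in $Rights.Keys) {
        $value = $tmpl['Privilege Rights'][$right]
        "  {0}: {1}" -f $Rights[$right], $(if ($value) { $value } else { 'Not Defined' })
    }
    # A Restricted Groups "*<SID>__Members" entry rewrites that group's membership on every
    # refresh; one for *S-1-5-32-544 explains members vanishing from Builtin\Administrators.
    if ($tmpl['Group Membership']) {
        $tmpl['Group Membership'].GetEnumerator() | Where-Object { $_.Key -like '*__Members' } |
            ForEach-Object { "  Restricted Group {0} = {1}" -f $_.Key, $_.Value }
    }
}
```

Rights reported as "Not Defined" in the Default Domain Policy are the normal state; it is the Default Domain Controllers Policy that should list the SIDs for the two logon rights.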