Kismet80
asked on
Windows SBS 2003 Server Locked out with Symantec
So I have a major problem, anyway some backround first,
I took over as Systems and Network Administrator in a small company last week, the last administrator left 7 months ago and they have only found the money to replace him now, with me. i was a junior administrator in my last job and I always had someone to call on if I got stuck. There was supposed to be a senior guy here to oversee but he is gone since last week. So you can probably see how this is developing.
One of the guys in the office is a programmer and has been sort of looking after the network as well as doing his own job. anyway last week the day before I started he saw that the servers were due a restart and that symantec had to be updated.
So he did the following.
1. The network administrator password was changed about a month ago
2. Symantec updates were downloaded
3. Restart the Domain Controller
4. On restart unable to log into DC
5. Try to access it remotely but RPC service is not working
6. No Backup Network Admin account
7. No backup DC
So my problem is that i'm locked out of my DC which is also the file server
I dont have the local admin password because no one knows it.
I have the new and the old administrator password but neither of them work,
So far i've tried to run ntdsutil but this is what I get,
Because the local system doesn't support application password validation, ntdsut
il couldn't verify the password with the domain policy. But ntdsutil will contin
ue to set the password on DS Restore Mode Administrator account.
Setting password failed.
WIN32 Error Code: 0x6ba
Error Message: The RPC server is unavailable.
I've installed Windows 2003 Server Administration tools pack and I can open Active Directory Management but I cant actually do anything with it. I can see it and thats all.
If anyone could help with this problem I would be eternally grateful.
Thanks :D
I took over as Systems and Network Administrator in a small company last week, the last administrator left 7 months ago and they have only found the money to replace him now, with me. i was a junior administrator in my last job and I always had someone to call on if I got stuck. There was supposed to be a senior guy here to oversee but he is gone since last week. So you can probably see how this is developing.
One of the guys in the office is a programmer and has been sort of looking after the network as well as doing his own job. anyway last week the day before I started he saw that the servers were due a restart and that symantec had to be updated.
So he did the following.
1. The network administrator password was changed about a month ago
2. Symantec updates were downloaded
3. Restart the Domain Controller
4. On restart unable to log into DC
5. Try to access it remotely but RPC service is not working
6. No Backup Network Admin account
7. No backup DC
So my problem is that i'm locked out of my DC which is also the file server
I dont have the local admin password because no one knows it.
I have the new and the old administrator password but neither of them work,
So far i've tried to run ntdsutil but this is what I get,
Because the local system doesn't support application password validation, ntdsut
il couldn't verify the password with the domain policy. But ntdsutil will contin
ue to set the password on DS Restore Mode Administrator account.
Setting password failed.
WIN32 Error Code: 0x6ba
Error Message: The RPC server is unavailable.
I've installed Windows 2003 Server Administration tools pack and I can open Active Directory Management but I cant actually do anything with it. I can see it and thats all.
If anyone could help with this problem I would be eternally grateful.
Thanks :D
Were there are a number of tools that can help reset a local admin password on the DC. If you can get that reset then you can use F8 on boot up to access this Directory Service Restore Mode. From there you could reset the DC admin password. This website has some helpful infomation on accomplishing this.
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Let me know if you need further help and if this works for you.
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Let me know if you need further help and if this works for you.
ASKER
Hi,
Thanks for the information,
The developer is a member of the domain admins but I tried to log him on and it wouldnt log him onto the server.
It seems like the AD service is not after starting when the server starts.
Also I've been told that Symantec has problems and after updates it restarts its firewall and blocks all network access to the file server. Im wondering if this is anything to do with it,
Thanks for the information,
The developer is a member of the domain admins but I tried to log him on and it wouldnt log him onto the server.
It seems like the AD service is not after starting when the server starts.
Also I've been told that Symantec has problems and after updates it restarts its firewall and blocks all network access to the file server. Im wondering if this is anything to do with it,
Have you tried to log on at the console as a domain admin?
ASKER
Hi,
Yes, ive tried that, Ive tried all the domain admin accounts
Yes, ive tried that, Ive tried all the domain admin accounts
Perhaps the server could use another reboot?
But first, can you manage the computer remotely? (i.e. Computer Management on your workstation, then connect to remote server and choose the DC)? Maybe you can look at the event log that way, check on any services that may be off, etc
But first, can you manage the computer remotely? (i.e. Computer Management on your workstation, then connect to remote server and choose the DC)? Maybe you can look at the event log that way, check on any services that may be off, etc
ASKER
Hi,
Ive tried to connect remotely over Computer Managment but it tells me that computer XXX cannot be managed, the network path cannot be found.
Ive tried to connect remotely over Computer Managment but it tells me that computer XXX cannot be managed, the network path cannot be found.
Can you ping the server from your workstation?
Are people able to log into the network and get to secured file shares and such?
Are people able to log into the network and get to secured file shares and such?
ASKER
Hi,
Im not able to ping it at all,
Im able to log onto my laptop but I think the password may have been cached from when the developer set up my laptop the week before.
No access to any file shares
Im not able to ping it at all,
Im able to log onto my laptop but I think the password may have been cached from when the developer set up my laptop the week before.
No access to any file shares
It can happen but a restart of the server and updating symantec would seem unlikely to cause this many problems. Maybe ask some more questions about what has been done to the server over the past week.
Also...a try a reboot and see if it helps.
And finally, start looking for backups just in case you end up needing them.
Also...a try a reboot and see if it helps.
And finally, start looking for backups just in case you end up needing them.
ASKER
Hi,
Ive tried a couple of reboots,
I've also tried rebooting into safe mode and safe mode with networking
According to the guy in the office the only thing that was done was update symantec and change the passwords.
I do believe him because he is incredibly busy and doesnt really have the time to be messing around with the server.
The only reason he changed the password on the DC was because two developers left and they had the domain admin password.
I have the backup tapes but I dont know how recent they are.
Im hoping that the one in the drive is the latest one, and that it actually ran when it was supposed to.
Ive tried a couple of reboots,
I've also tried rebooting into safe mode and safe mode with networking
According to the guy in the office the only thing that was done was update symantec and change the passwords.
I do believe him because he is incredibly busy and doesnt really have the time to be messing around with the server.
The only reason he changed the password on the DC was because two developers left and they had the domain admin password.
I have the backup tapes but I dont know how recent they are.
Im hoping that the one in the drive is the latest one, and that it actually ran when it was supposed to.
What's odd is the combination of no network AND the inability to log onto the DC from the console. Those two problems should not be related.
The network issue could be anything from the firewall, symantec, etc. I would address that second.
You need to find out why you can't log in locally on the console as a domain admin. What error do you get?
The network issue could be anything from the firewall, symantec, etc. I would address that second.
You need to find out why you can't log in locally on the console as a domain admin. What error do you get?
ASKER
Hi,
Something that I forgot to mention, Exchange is still working,
I am still able to send and receive email and also to access the internet.
The error message that I get when I log in locally is
The system could not log you on. make sure your user name and domain are correct, then type your password again.
Something that I forgot to mention, Exchange is still working,
I am still able to send and receive email and also to access the internet.
The error message that I get when I log in locally is
The system could not log you on. make sure your user name and domain are correct, then type your password again.
When you reboot the server are you able to access the Active Directory restore mode from the F8 menu console? If you can will it let you log in to the system then?
ASKER
Hi,
I can access the Active Directory Restore mode but I dont have the DSRM password.
I can access the Active Directory Restore mode but I dont have the DSRM password.
Any luck? Do you know if you have a good backup?
ASKER
No luck so far,
I dont know if I have a good back up, im going to check the last backup tapes tomorrow and see what is there. if there is a decent back up then there is a spare server that I will use to build a new AD.
I dont know if I have a good back up, im going to check the last backup tapes tomorrow and see what is there. if there is a decent back up then there is a spare server that I will use to build a new AD.
Not sure how far you are willing to go to reset the password. But here is a program that says it has the ability to reset the administrative password on servers. Hope this helps.
http://www.lostpassword.com/windows.htm
http://www.lostpassword.com/windows.htm
Here is another link to a program that has the ability to change the admin password and displays the name of the administrator account (just incase it's been changed).
http://www.mirider.com/ntaccess.html
http://www.mirider.com/ntaccess.html
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Essentially, the only problem (not that its a small one) is that you can't administer the domain now and you can't log into the domain controller.
If this environment is common, I'm sure there is someone around that has domain admin rights (and may not even know it). You might want to check that first. Network admin, developer, etc.