Solved

Cannot change folder permissions on 2008 Domain controller

Posted on 2011-02-14
Last Modified: 2012-05-11
Having an issue with a new 2008 Server Standard installation. Domain controller. Added the server to the existing domain successfully and it is working fine for the most part. Users can access the file share just fine. DNS and Active Directory appear to be happy.

The problem is when attempting to change security permissions of a shared folder (add/remove users) on the server, I'm prompted with a user-name and password box with the instructions "Enter the name and password of an account with permissions for 'server-name'". I'm already logged in as domain\administrator. There is also a log generated with error 4625 with a Null SID. It seems like the computer is not allowing the domain\administrator account permission to make changes. I can however browse the network from another DC and make changes to the share security from there (as domain\administrator). Another clue is that on the problem server if I browse the network to itself and then try to open the share folders I get the same user-name and password prompt. I can however see the share and access the share from any other server or workstation on the network. We installed two of these servers, the other one is fine.

I'm thinking I may dis-join and rejoin the computer to the Domain. What do you guys think? Let me know if you need further details. Thanks!
Question by:stankfunk
LVL 59

Accepted Solution

by:
Darius Ghassem earned 1500 total points
ID: 34893530
Most likely your DC has lost its trust relationship with other DCs. Run dcdiag and post results.

You can demote the server as well to recreate the secure channel password, or use the netdom command to reset the secure channel password, but I would recommend demote then repromote.

Make sure this DC only points to internal DNS servers and not any external DNS servers in the TCP/IP properties.
0
 

Author Comment

by:stankfunk
ID: 34893636
DCdiag.exe results:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.MARINCC>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server-SanRafael
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Connectivity
         ......................... SERVER-SANRAFAE passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Advertising
         ......................... SERVER-SANRAFAE passed test Advertising
      Starting test: FrsEvent
         ......................... SERVER-SANRAFAE passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER-SANRAFAE failed test DFSREvent
      Starting test: SysVolCheck
         User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for the target machine's domain.
         ......................... SERVER-SANRAFAE failed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER-SANRAFAE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-SANRAFAE passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [SERVER-SANRAFAE]:failed with 1326:
         Logon failure: unknown user name or bad password.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... SERVER-SANRAFAE passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER-SANRAFAE passed test NCSecDesc
      Starting test: NetLogons
         [SERVER-SANRAFAE] User credentials does not have permission to perform
         this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVER-SANRAFAE failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER-SANRAFAE passed test
         ObjectsReplicated
      Starting test: Replications
         ......................... SERVER-SANRAFAE passed test Replications
      Starting test: RidManager
         ......................... SERVER-SANRAFAE passed test RidManager
      Starting test: Services
         ......................... SERVER-SANRAFAE passed test Services
      Starting test: SystemLog
         ......................... SERVER-SANRAFAE passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER-SANRAFAE passed test VerifyReferences


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : marincc
      Starting test: CheckSDRefDom
         ......................... marincc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... marincc passed test CrossRefValidation

   Running enterprise tests on : marincc.org
      Starting test: LocatorCheck
         ......................... marincc.org passed test LocatorCheck
      Starting test: Intersite
         ......................... marincc.org passed test Intersite

C:\Users\administrator.MARINCC>
0
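The dcdiag run posted above reports MachineAccount as "passed" even though the test logged error 1326, so reading only the verdict lines understates the problem. The following is an added example, not part of the original thread: a small parser for saved dcdiag text that lists failed tests and also flags tests marked "passed" whose detail lines contain errors. The function names `triage` and `needs_attention` are hypothetical, and the sample is a trimmed excerpt of the output in the post.

```python
import re

# Trimmed excerpt of the dcdiag output posted in the thread.
SAMPLE = """\
      Starting test: SysVolCheck
         User credentials does not have permission to perform this operation.
         ......................... SERVER-SANRAFAE failed test SysVolCheck
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-SANRAFAE passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [SERVER-SANRAFAE]:failed with 1326:
         Logon failure: unknown user name or bad password.
         Failed can not test for HOST SPN
         ......................... SERVER-SANRAFAE passed test MachineAccount
      Starting test: NetLogons
         [SERVER-SANRAFAE] User credentials does not have permission to perform
         this operation.
         ......................... SERVER-SANRAFAE failed test NetLogons
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\b")
# Detail text that signals trouble even when the verdict line says "passed".
ERROR_HINT = re.compile(r"failed with \d+|logon failure|could not|^\s*Failed\b",
                        re.I | re.M)

def triage(text):
    """Return (target, test, status) tuples in the order dcdiag ran the tests.
    status is 'passed', 'failed' or 'passed-with-errors'."""
    results, name, details = [], None, []
    for line in text.splitlines():
        start, verdict = START.match(line), VERDICT.match(line)
        if start:
            name, details = start.group(1), []
        elif verdict and name:
            target, status = verdict.group(1), verdict.group(2)
            if status == "passed" and ERROR_HINT.search("\n".join(details)):
                status = "passed-with-errors"
            results.append((target, name, status))
            name = None  # skip a test name that wrapped onto the next line
        elif name:
            details.append(line)
    return results

def needs_attention(text):
    """Tests worth reading in full: anything not cleanly passed."""
    return [(test, status) for _, test, status in triage(text) if status != "passed"]

if __name__ == "__main__":
    for test, status in needs_attention(SAMPLE):
        print(f"{status:20} {test}")
```

On this excerpt the three flagged tests (SysVolCheck, MachineAccount, NetLogons) all report credential or logon failures against the server itself, which is the pattern the accepted answer attributes to a lost trust relationship.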
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34897602
Are you running this as a Domain Admin?
0

 

Author Comment

by:stankfunk
ID: 34898458
Yes. Running as admin\domain. Wound up just completely rebuilding the server and adding to Domain.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34898767
Yeah, that is what I was about to say, just rebuild.
0
 

Author Closing Comment

by:stankfunk
ID: 35013859
Had to completely rebuild the server to fix.
0

Question has a verified solution.