Solved

Cannot change folder permissions on 2008 Domain controller

Posted on 2011-02-14
6
1,211 Views
Last Modified: 2012-05-11
Having an issue with a new 2008 Server Standard installation. Domain controller. Added the server to the existing domain successfully and it is working fine for the most part. Users can access the file share just fine. DNS and Active Directory appear to be happy.

The problem is when attempting to change security permissions of a shared folder (add/remove users) on the server, I'm prompted with a user-name and password box with the instructions "Enter the name and password of an account with permissions for "server-name". I'm already logged in as domain\administrator. There is also a log generated with error4625 with a Null SID. It seems like the computer is not allowing the domain\administrator account permission to make changes. I can however browse the network from another DC and make changes to the share security from there (as domain\administrator). Another clue is that on the problem server if I browse the network to itself and then try to open the share folders I get the same user-name and password prompt. I can however see the share and access the share from any other server or workstation on the network. We installed two of these servers, the other one is fine.

I'm thinking I may dis-join and rejoin the computer to the Domain. What do you guys think? Let me know if yo need further details. Thanks!
0
Comment
Question by:stankfunk
  • 3
  • 3
6 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 34893530
Most like your DC has lost trust relationship with other DCs. Run dcdiag post results.

You can demote server as well to recreate secure channel password or use the netdom command to reset secure channel password but I would recommend demote  then repromote.

Make sure this DC only points to internal DNS servers and not any external DNS servers in the TCP\IP properties.
0
 

Author Comment

by:stankfunk
ID: 34893636
DCdiag.exe results:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.MARINCC>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server-SanRafael
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Connectivity
         ......................... SERVER-SANRAFAE passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Advertising
         ......................... SERVER-SANRAFAE passed test Advertising
      Starting test: FrsEvent
         ......................... SERVER-SANRAFAE passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER-SANRAFAE failed test DFSREvent
      Starting test: SysVolCheck
         User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for the target machine's domain.
         ......................... SERVER-SANRAFAE failed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER-SANRAFAE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-SANRAFAE passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [SERVER-SANRAFAE]:failed with 1326:
         Logon failure: unknown user name or bad password.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... SERVER-SANRAFAE passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER-SANRAFAE passed test NCSecDesc
      Starting test: NetLogons
         [SERVER-SANRAFAE] User credentials does not have permission to perform
         this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVER-SANRAFAE failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER-SANRAFAE passed test
         ObjectsReplicated
      Starting test: Replications
         ......................... SERVER-SANRAFAE passed test Replications
      Starting test: RidManager
         ......................... SERVER-SANRAFAE passed test RidManager
      Starting test: Services
         ......................... SERVER-SANRAFAE passed test Services
      Starting test: SystemLog
         ......................... SERVER-SANRAFAE passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER-SANRAFAE passed test VerifyReferences


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : marincc
      Starting test: CheckSDRefDom
         ......................... marincc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... marincc passed test CrossRefValidation

   Running enterprise tests on : marincc.org
      Starting test: LocatorCheck
         ......................... marincc.org passed test LocatorCheck
      Starting test: Intersite
         ......................... marincc.org passed test Intersite

C:\Users\administrator.MARINCC>
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34897602
Are you running this a Domain Admin?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:stankfunk
ID: 34898458
Yes. running as admin'\domain. Wound up just completely rebuilding the server and adding to Domain.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34898767
Yeah that is what I was about sau just rebuild
0
 

Author Closing Comment

by:stankfunk
ID: 35013859
Had to completely rebuild the server to fix.
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now