Solved

Cannot change folder permissions on 2008 Domain controller

Posted on 2011-02-14
6
1,214 Views
Last Modified: 2012-05-11
Having an issue with a new 2008 Server Standard installation. Domain controller. Added the server to the existing domain successfully and it is working fine for the most part. Users can access the file share just fine. DNS and Active Directory appear to be happy.

The problem is when attempting to change security permissions of a shared folder (add/remove users) on the server, I'm prompted with a user-name and password box with the instructions "Enter the name and password of an account with permissions for "server-name". I'm already logged in as domain\administrator. There is also a log generated with error4625 with a Null SID. It seems like the computer is not allowing the domain\administrator account permission to make changes. I can however browse the network from another DC and make changes to the share security from there (as domain\administrator). Another clue is that on the problem server if I browse the network to itself and then try to open the share folders I get the same user-name and password prompt. I can however see the share and access the share from any other server or workstation on the network. We installed two of these servers, the other one is fine.

I'm thinking I may dis-join and rejoin the computer to the Domain. What do you guys think? Let me know if yo need further details. Thanks!
0
Comment
Question by:stankfunk
  • 3
  • 3
6 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 34893530
Most like your DC has lost trust relationship with other DCs. Run dcdiag post results.

You can demote server as well to recreate secure channel password or use the netdom command to reset secure channel password but I would recommend demote  then repromote.

Make sure this DC only points to internal DNS servers and not any external DNS servers in the TCP\IP properties.
0
 

Author Comment

by:stankfunk
ID: 34893636
DCdiag.exe results:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.MARINCC>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server-SanRafael
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Connectivity
         ......................... SERVER-SANRAFAE passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Advertising
         ......................... SERVER-SANRAFAE passed test Advertising
      Starting test: FrsEvent
         ......................... SERVER-SANRAFAE passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER-SANRAFAE failed test DFSREvent
      Starting test: SysVolCheck
         User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for the target machine's domain.
         ......................... SERVER-SANRAFAE failed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER-SANRAFAE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-SANRAFAE passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [SERVER-SANRAFAE]:failed with 1326:
         Logon failure: unknown user name or bad password.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... SERVER-SANRAFAE passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER-SANRAFAE passed test NCSecDesc
      Starting test: NetLogons
         [SERVER-SANRAFAE] User credentials does not have permission to perform
         this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVER-SANRAFAE failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER-SANRAFAE passed test
         ObjectsReplicated
      Starting test: Replications
         ......................... SERVER-SANRAFAE passed test Replications
      Starting test: RidManager
         ......................... SERVER-SANRAFAE passed test RidManager
      Starting test: Services
         ......................... SERVER-SANRAFAE passed test Services
      Starting test: SystemLog
         ......................... SERVER-SANRAFAE passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER-SANRAFAE passed test VerifyReferences


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : marincc
      Starting test: CheckSDRefDom
         ......................... marincc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... marincc passed test CrossRefValidation

   Running enterprise tests on : marincc.org
      Starting test: LocatorCheck
         ......................... marincc.org passed test LocatorCheck
      Starting test: Intersite
         ......................... marincc.org passed test Intersite

C:\Users\administrator.MARINCC>
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34897602
Are you running this a Domain Admin?
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:stankfunk
ID: 34898458
Yes. running as admin'\domain. Wound up just completely rebuilding the server and adding to Domain.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34898767
Yeah that is what I was about sau just rebuild
0
 

Author Closing Comment

by:stankfunk
ID: 35013859
Had to completely rebuild the server to fix.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question