Solved

Cannot change folder permissions on 2008 Domain controller

Posted on 2011-02-14
6
1,215 Views
Last Modified: 2012-05-11
Having an issue with a new 2008 Server Standard installation. Domain controller. Added the server to the existing domain successfully and it is working fine for the most part. Users can access the file share just fine. DNS and Active Directory appear to be happy.

The problem is when attempting to change security permissions of a shared folder (add/remove users) on the server, I'm prompted with a user-name and password box with the instructions "Enter the name and password of an account with permissions for "server-name". I'm already logged in as domain\administrator. There is also a log generated with error4625 with a Null SID. It seems like the computer is not allowing the domain\administrator account permission to make changes. I can however browse the network from another DC and make changes to the share security from there (as domain\administrator). Another clue is that on the problem server if I browse the network to itself and then try to open the share folders I get the same user-name and password prompt. I can however see the share and access the share from any other server or workstation on the network. We installed two of these servers, the other one is fine.

I'm thinking I may dis-join and rejoin the computer to the Domain. What do you guys think? Let me know if yo need further details. Thanks!
0
Comment
Question by:stankfunk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 34893530
Most like your DC has lost trust relationship with other DCs. Run dcdiag post results.

You can demote server as well to recreate secure channel password or use the netdom command to reset secure channel password but I would recommend demote  then repromote.

Make sure this DC only points to internal DNS servers and not any external DNS servers in the TCP\IP properties.
0
 

Author Comment

by:stankfunk
ID: 34893636
DCdiag.exe results:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.MARINCC>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server-SanRafael
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Connectivity
         ......................... SERVER-SANRAFAE passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Advertising
         ......................... SERVER-SANRAFAE passed test Advertising
      Starting test: FrsEvent
         ......................... SERVER-SANRAFAE passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER-SANRAFAE failed test DFSREvent
      Starting test: SysVolCheck
         User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for the target machine's domain.
         ......................... SERVER-SANRAFAE failed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER-SANRAFAE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-SANRAFAE passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [SERVER-SANRAFAE]:failed with 1326:
         Logon failure: unknown user name or bad password.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... SERVER-SANRAFAE passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER-SANRAFAE passed test NCSecDesc
      Starting test: NetLogons
         [SERVER-SANRAFAE] User credentials does not have permission to perform
         this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVER-SANRAFAE failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER-SANRAFAE passed test
         ObjectsReplicated
      Starting test: Replications
         ......................... SERVER-SANRAFAE passed test Replications
      Starting test: RidManager
         ......................... SERVER-SANRAFAE passed test RidManager
      Starting test: Services
         ......................... SERVER-SANRAFAE passed test Services
      Starting test: SystemLog
         ......................... SERVER-SANRAFAE passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER-SANRAFAE passed test VerifyReferences


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : marincc
      Starting test: CheckSDRefDom
         ......................... marincc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... marincc passed test CrossRefValidation

   Running enterprise tests on : marincc.org
      Starting test: LocatorCheck
         ......................... marincc.org passed test LocatorCheck
      Starting test: Intersite
         ......................... marincc.org passed test Intersite

C:\Users\administrator.MARINCC>
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34897602
Are you running this a Domain Admin?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:stankfunk
ID: 34898458
Yes. running as admin'\domain. Wound up just completely rebuilding the server and adding to Domain.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34898767
Yeah that is what I was about sau just rebuild
0
 

Author Closing Comment

by:stankfunk
ID: 35013859
Had to completely rebuild the server to fix.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question