Solved

Cannot change folder permissions on 2008 Domain controller

Posted on 2011-02-14
Last Modified: 2012-05-11
Having an issue with a new 2008 Server Standard installation. Domain controller. Added the server to the existing domain successfully and it is working fine for the most part. Users can access the file share just fine. DNS and Active Directory appear to be happy.

The problem is that when attempting to change security permissions of a shared folder (add/remove users) on the server, I'm prompted with a user-name and password box with the instructions "Enter the name and password of an account with permissions for 'server-name'". I'm already logged in as domain\administrator. There is also a log generated with error 4625 with a Null SID. It seems like the computer is not allowing the domain\administrator account permission to make changes. I can however browse the network from another DC and make changes to the share security from there (as domain\administrator). Another clue is that on the problem server, if I browse the network to itself and then try to open the share folders, I get the same user-name and password prompt. I can however see the share and access the share from any other server or workstation on the network. We installed two of these servers; the other one is fine.

I'm thinking I may disjoin and rejoin the computer to the domain. What do you guys think? Let me know if you need further details. Thanks!
0
Question by:stankfunk
6 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 34893530
Most likely your DC has lost its trust relationship with the other DCs. Run dcdiag and post the results.

You can demote the server as well to recreate the secure channel password, or use the netdom command to reset the secure channel password, but I would recommend demoting then repromoting.

Make sure this DC only points to internal DNS servers and not any external DNS servers in the TCP/IP properties.
0
 

Author Comment

by:stankfunk
ID: 34893636
DCdiag.exe results:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.MARINCC>dcdiag.exe

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server-SanRafael
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Connectivity
         ......................... SERVER-SANRAFAE passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER-SANRAFAE
      Starting test: Advertising
         ......................... SERVER-SANRAFAE passed test Advertising
      Starting test: FrsEvent
         ......................... SERVER-SANRAFAE passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER-SANRAFAE failed test DFSREvent
      Starting test: SysVolCheck
         User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for the target machine's domain.
         ......................... SERVER-SANRAFAE failed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER-SANRAFAE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-SANRAFAE passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [SERVER-SANRAFAE]:failed with 1326:
         Logon failure: unknown user name or bad password.
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         ......................... SERVER-SANRAFAE passed test MachineAccount
      Starting test: NCSecDesc
         ......................... SERVER-SANRAFAE passed test NCSecDesc
      Starting test: NetLogons
         [SERVER-SANRAFAE] User credentials does not have permission to perform
         this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... SERVER-SANRAFAE failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER-SANRAFAE passed test
         ObjectsReplicated
      Starting test: Replications
         ......................... SERVER-SANRAFAE passed test Replications
      Starting test: RidManager
         ......................... SERVER-SANRAFAE passed test RidManager
      Starting test: Services
         ......................... SERVER-SANRAFAE passed test Services
      Starting test: SystemLog
         ......................... SERVER-SANRAFAE passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER-SANRAFAE passed test VerifyReferences


   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : marincc
      Starting test: CheckSDRefDom
         ......................... marincc passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... marincc passed test CrossRefValidation

   Running enterprise tests on : marincc.org
      Starting test: LocatorCheck
         ......................... marincc.org passed test LocatorCheck
      Starting test: Intersite
         ......................... marincc.org passed test Intersite

C:\Users\administrator.MARINCC>
0
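A triage helper for the dcdiag output posted above, as an added example that is not part of the original thread: it flags failed tests and also tests that dcdiag reports as passed while their detail lines carry authentication errors, as MachineAccount does here with error 1326 (logon failure). The function names and the `SUSPECT` pattern list are assumptions made for this example; the sample is an excerpt of the output above.

```python
import re

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\b")
# Detail text that signals an authentication problem even under a "passed" verdict.
SUSPECT = re.compile(r"failed with \d+|Logon failure|does not have permission", re.I)

def parse_dcdiag(text):
    """Return one dict per test: name, target, status, details (list of lines)."""
    tests, current = [], None
    for line in text.splitlines():
        start, result = START.match(line), RESULT.match(line)
        if start:
            current = {"name": start.group(1), "target": None, "status": None, "details": []}
            tests.append(current)
        elif current and result:
            current["target"], current["status"] = result.group(1), result.group(2)
            current = None  # text after the verdict (a wrapped test name) is ignored
        elif current and line.strip():
            current["details"].append(line.strip())
    return tests

def needs_attention(tests):
    """Failed or truncated tests, plus 'passed' tests whose details show auth errors."""
    flagged = []
    for t in tests:
        status = t["status"] or "incomplete"
        if status == "passed" and any(SUSPECT.search(d) for d in t["details"]):
            status = "passed-with-errors"
        if status != "passed":
            flagged.append((t["name"], status))
    return flagged

# Excerpt of the dcdiag output posted above.
SAMPLE = """\
      Starting test: SysVolCheck
         User credentials does not have permission to perform this operation.
         ......................... SERVER-SANRAFAE failed test SysVolCheck
      Starting test: KnowsOfRoleHolders
         ......................... SERVER-SANRAFAE passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         Could not open pipe with [SERVER-SANRAFAE]:failed with 1326:
         Logon failure: unknown user name or bad password.
         ......................... SERVER-SANRAFAE passed test MachineAccount
"""

if __name__ == "__main__":
    print(needs_attention(parse_dcdiag(SAMPLE)))
```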
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34897602
Are you running this as a Domain Admin?
0

Author Comment

by:stankfunk
ID: 34898458
Yes. Running as admin\domain. Wound up just completely rebuilding the server and adding it to the domain.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34898767
Yeah, that is what I was about to say: just rebuild.
0
 

Author Closing Comment

by:stankfunk
ID: 35013859
Had to completely rebuild the server to fix.
0
