Domain Controller 2003 error

Posted on 2011-05-01
Last Modified: 2012-05-11

After restarting the 2003 DC I am unable to log in. I am getting the error below at the login screen, and I am not able to log in to the DC using domain admin / user credentials:
"The name or security id (SID) of the domain specified is inconsistent with the trust information for that domain". How do I fix this issue?

Please help me to fix this issue.
Question by:vijaygotur
    LVL 16

    Expert Comment

    Is this the first time you've seen it?  

    Did it work previously?

    Is this a cloned/copied server?

    This is usually due to SID information getting screwed up in the server.  Hard to answer what the best thing to do is without more info.  Sometimes you'll get pointed to newsid, but it's not necessarily the best option depending on the situation.
    LVL 24

    Expert Comment

    If the DC is configured from an image/snapshot, I would say it's not recommended to configure a DC using a snapshot. The reason is it can introduce USN rollback, DNS issues, replication, etc. The Sysprep tool doesn't work with Windows 2008; it's for Windows 2003 & below, whereas the NewSID tool is inbuilt in Windows 2008 & above.

    Configure the OS with new media, because using images is not good practice.

    Author Comment

    It's not cloned. Last week the network card driver was updated, so I was facing some issues; in the meantime I restarted the server.

    Then I realised I was not able to log in to the DC, and tried to use Last Known Good Configuration; that time I got the error.

    I also logged in as local administrator in directory services. Now I am not able to log in as domain admin; I can log in only using a local user.

    LVL 24

    Accepted Solution

    That means the server is no longer alive with AD; something went wrong & the DC is no longer acting as a DC. Demoting it & repromoting it will take less time than troubleshooting.

    If you are not able to demote gracefully, use dcpromo /forceremoval followed by metadata cleanup.
    Prior to demotion, transfer all the AD services to another DC, format the server, reload a fresh OS & promote it back using dcpromo.
    LVL 3

    Expert Comment

    If you have only one DC in the network, please don't remove any role from the current DC regardless of whether it's working or not.
    Shut down your DC, remove the network cables and start your DC. Don't plug in the network cables; try to log in to your DC. If you succeed, don't restart your DC again until you add an additional DC.


    Author Comment

    It's not allowing me to log in using the Domain admin account, so without logging in to the domain it's not possible to demote the DC, I think. I even tried to log in with the network cable disconnected, but no luck.
    I have one more DC, but I am worried about how to fix this server.
    LVL 24

    Assisted Solution

    You can remove this server from the network & then perform metadata cleanup using the articles below.
    Transfer services to the other DC, format the server, install a fresh OS & promote the server back using DCPromo. This is the better solution I can think of.

    FSMO role transfer
    Metadata cleanup for windows 2003
    Metadata cleanup for windows 2008
    LVL 26

    Expert Comment

    by:Leon Fester
    You can only log in to a DC with a domain account; the local accounts exist only in the SAM database. Domain Controllers use the Active Directory database for authentication, and as such cannot authenticate using a local account.

    I'm guessing that that server is already not a Domain Controller, no matter what you tell it or what names you call it.

    You've got another domain controller running so rather just seize the roles if needs be and then do the metadata cleanup as mentioned by Awinish.

    You can then rebuild the old DC and promote it again.
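
The sequence recommended in the answers above (seize the roles, metadata cleanup, then rebuild), written out as a batch file to run on the surviving DC. This is an added example, not part of the thread; DC01, DC02, Default-First-Site-Name and example.local are placeholder names, and the one-line `remove selected server` form assumes Windows Server 2003 SP1 or later.

```batch
@echo off
rem Added example (not from the thread). Run on the surviving DC as a domain admin.
rem Placeholder names, replace with your own: DC01 = failed DC, DC02 = surviving DC,
rem Default-First-Site-Name = AD site, example.local = domain.
setlocal
set GOOD_DC=DC02
set BAD_DC=DC01
set BAD_DN=CN=%BAD_DC%,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local

rem List ONLY the roles that step 1 shows on the failed DC.
rem Windows Server 2003 ntdsutil role names: "schema master", "domain naming master",
rem "RID master", "PDC", "infrastructure master".
set ROLES="PDC" "RID master" "infrastructure master"

echo === 1. Current FSMO role holders (netdom ships with the 2003 Support Tools) ===
netdom query fsmo

echo === 2. Health of the surviving DC before changing anything ===
dcdiag /s:%GOOD_DC%
repadmin /showrepl %GOOD_DC%

echo.
echo The failed DC (%BAD_DC%) must stay off the network from here on.
echo Press Ctrl+C to stop, or any key to seize: %ROLES%
pause >nul

rem 3. Seize each listed role onto the surviving DC. ntdsutil tries a normal
rem    transfer first and asks for confirmation before it seizes.
for %%R in (%ROLES%) do (
    ntdsutil roles connections "connect to server %GOOD_DC%" quit "seize %%~R" quit quit
)

rem 4. Remove the failed DC's NTDS Settings object from the directory.
rem    Before SP1, use the interactive "select operation target" menus instead.
ntdsutil "metadata cleanup" "remove selected server %BAD_DN% on %GOOD_DC%" quit quit

echo === 5. Confirm the new role holders are known to the surviving DC ===
netdom query fsmo
dcdiag /s:%GOOD_DC% /test:knowsofroleholders
endlocal
```

After the cleanup, leftover DNS records and the server object in Active Directory Sites and Services for the old DC may still need to be removed by hand before the rebuilt server is promoted under the same name.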

    Author Comment

    Thanks to all of you for the help.

    Thanks a lot.

    Author Closing Comment

    The above solutions partially helped me, and I ended up creating a new DC instead of bringing up the problematic DC.
