Solved

DC is not a DC account?

Posted on 2011-09-26
Last Modified: 2012-05-12
Hi all

This morning I arrived at work with my DC reporting funny errors: events 1126, 1655, 1869 and 1863.
It is a DC, GC and DNS server. It is the RID master and the PDC master.

When I try to open DNS I get "access is denied".

When I run dcdiag /v I get millions of errors, but these ones worry me the most:

Starting test: MachineAccount
         The account HPHS-VM1 is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of HPHS-VM1 is:
         0x91000 = ( WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION )
         Typical setting for a DC is
         0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... HPHS-VM1 failed test MachineAccount

      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=hphs,DC=ac,DC=za
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=hphs,DC=ac,DC=za
         ......................... HPHS-VM1 failed test NCSecDesc

From this problematic machine I can \\servername and it will show me and give me access to the resources on that machine; however, when I \\HPHS-VM1 from any other machine in the domain I get "\\hphs-vm1 is not accessible. You might not have permissions to use this network resource. Contact the administrator of this server to find out if you have access permissions. Logon Failure: The target account name is incorrect." However, if I \\machine-ip it gives me access to the resources.

My remaining two DCs are running fine and handling logons etc.

Any advice?

Question by:luddiemey
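The MachineAccount warning above is about the userAccountControl bitmask on the DC's computer object. As an added example (not from the original post or from any Microsoft tool), here is a small Python decoder that parses that dcdiag output, names the flags that are set, and reports which of the flags dcdiag expects on a DC are missing or unexpected. The bit values are the standard userAccountControl (ADS_USER_FLAG) constants; the expected DC setting is taken from dcdiag's "Typical setting for a DC" line.

```python
from __future__ import annotations
import re

# Subset of userAccountControl flag bits relevant to machine accounts
# (standard ADS_USER_FLAG values).
UAC_FLAGS = {
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",   # read-only DC
}

# dcdiag's "typical setting for a DC": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
DC_EXPECTED = 0x2000 | 0x80000

# Constructed sample: the relevant lines of the dcdiag output quoted above.
SAMPLE_DCDIAG = """\
Starting test: MachineAccount
         The account HPHS-VM1 is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of HPHS-VM1 is:
         0x91000 = ( WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION )
"""

DCDIAG_RE = re.compile(r"userAccountControl of (\S+) is:\s*0x([0-9a-fA-F]+)")


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def check_dc_account(value: int) -> dict:
    """Compare a DC computer account's UAC against the expected DC flags.
    Without SERVER_TRUST_ACCOUNT the account is a plain workstation trust,
    so peers will not treat it as a DC and replication fails (as dcdiag says)."""
    return {
        "is_dc_account": bool(value & 0x2000),
        "missing": decode_uac(DC_EXPECTED & ~value),
        "extra": decode_uac(value & ~DC_EXPECTED),
    }


def parse_dcdiag(text: str) -> dict[str, int]:
    """Extract {hostname: uac} pairs from dcdiag MachineAccount test output."""
    return {m.group(1): int(m.group(2), 16) for m in DCDIAG_RE.finditer(text)}


if __name__ == "__main__":
    for host, uac in parse_dcdiag(SAMPLE_DCDIAG).items():
        print(host, hex(uac), decode_uac(uac), check_dc_account(uac))
```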
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598233
Have you tried to reboot that "faulty" DC, first? Please try this simple step firstly :]

After all, if the problem still persists, did you make any changes on that VM server? Any DC restoration from snapshot or something similar?

Regards,
Krzysztof
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598242
Additionally, please check in the ADUC console under Domain Controllers if this server is still a DC (if it is, there should be its account there). Maybe someone decommissioned it?

Krzysztof
 

Author Comment

by:luddiemey
ID: 36598276
Thanks for the reply.

First thing I did was reboot it, and no change. No changes have been made on the server (or network for that matter) in more than a month.

If I open ADUC on the offending machine, inside the Domain Controllers OU, it is listed alongside the other 2 DCs, but under DC Type it is listed as DC.

On the functional DCs, under the ADUC Domain Controllers OU, it is listed as just a GC. Does that matter?
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36598351
Nope. So it looks like you need to re-promote it. Try to demote the DC on that server by running DCPROMO. You can find an article on my blog for that at
http://kpytko.wordpress.com/2011/08/29/decommissioning-the-old-domain-controller/

If you cannot do that because of errors, please force demotion with DCPROMO /FORCEREMOVAL.
There is also a post on my blog for that at
http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

After the forced DC decommission, do metadata cleanup for that DC:
http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

Uninstall the DNS role from the server. Since it is your FSMO role holder for PDC and RID, seize those roles to another available Domain Controller. Before seizing the FSMO roles, shut the broken server down.
http://kpytko.wordpress.com/2011/08/28/seizing-fsmo-roles/

Transfer all other roles/data to another DC and, as the last step, reinstall your virtual server again with the server OS. After that, promote it as a DC again:
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

Krzysztof
 

Author Comment

by:luddiemey
ID: 36598375
I have a full server backup from Friday night. Would it not be easier to first try restoring to a previous date?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598391
Yes, if you have a recent system state backup, do a non-authoritative restore from that :)
http://technet.microsoft.com/en-us/library/cc784922%28WS.10%29.aspx

Krzysztof
 

Author Comment

by:luddiemey
ID: 36600557
Worked fine until I rebooted it just to make sure... then the same issues started creeping up. However, I am now only receiving one error from ADDS, 1308. But DNS is still not running. Will continue to work at it.
 

Author Comment

by:luddiemey
ID: 36601586
OK, restarted system state again, and I have left it running... not going to reboot it just yet. I can only see one problem... it's not showing a SYSVOL folder, so there is obviously still something not right somewhere. But I am tired, and will only care enough again in about 5 hours' time.
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36707684
OK, so try this MS article on "How to rebuild SYSVOL":
http://support.microsoft.com/default.aspx?scid=kb;en-us;315457

Krzysztof
 

Author Comment

by:luddiemey
ID: 36895626
Got it scheduled for tomorrow morning.
 

Author Comment

by:luddiemey
ID: 36896983
So I jumped the gun and started early. Following http://support.microsoft.com/default.aspx?scid=kb;en-us;315457 broke EVERYTHING! Restored everything from backup and now I am just back to where I originally started, and VM1 is giving me a few more errors to work with.

System log:
Security-Kerberos - event ID 4
GroupPolicy - event ID 1097
NETLOGON - event ID 5781

DFS Replication log:
DFSR - event 1204

DNS Server log:
DNS-Service-Server - event IDs 4000 and 4001

File Replication Service log:
NtFrs - events 13562 and 13508

I also have the following:
C:\Users\administrator.HPHS>nltest /server:hphs-vm1 /sc_query:hphs.ac.za
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\Users\administrator.HPHS>nltest /server:hphs-fs2 /sc_query:hphs.ac.za
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\HPHS-VM1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\Users\administrator.HPHS>nltest /server:hphs-wsus /sc_query:hphs.ac.za
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\HPHS-VM1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\Users\administrator.HPHS>

C:\Users\administrator.HPHS>klist tickets

Current LogonId is 0:0x1f6ad6

Cached Tickets: (8)

#0>     Client: administrator @ HPHS.AC.ZA
        Server: krbtgt/HPHS.AC.ZA @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1>     Client: administrator @ HPHS.AC.ZA
        Server: krbtgt/HPHS.AC.ZA @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#2>     Client: administrator @ HPHS.AC.ZA
        Server: HOST/HPHS-WSUS.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:25:55 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#3>     Client: administrator @ HPHS.AC.ZA
        Server: ldap/HPHS-WSUS.hphs.ac.za/hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:24:47 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#4>     Client: administrator @ HPHS.AC.ZA
        Server: cifs/HPHS-FS2.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:21 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#5>     Client: administrator @ HPHS.AC.ZA
        Server: ldap/HPHS-FS2.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:20 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#6>     Client: administrator @ HPHS.AC.ZA
        Server: ldap/HPHS-WSUS.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#7>     Client: administrator @ HPHS.AC.ZA
        Server: cifs/HPHS-WSUS.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


C:\Users\administrator.HPHS>

If I am starting to understand this problem correctly... could it be that this domain controller account hphs-vm1 has "reset" itself, and that's why all this bad shit is happening to me?

If I don't come right soon I will follow the instructions from the first post Krzysztof made.