Solved

DC is not a DC account?

Posted on 2011-09-26
Last Modified: 2012-05-12
Hi all

This morning I arrived at work with my DC reporting funny errors: event 1126, 1655, and 1869 and 1863.
It is a DC, GC and DNS.  It is the RID master and the PDC master.

When I try to open DNS I get "access is denied".

When I run dcdiag /v I get millions of errors, but these ones worry me the most:

Starting test: MachineAccount
         The account HPHS-VM1 is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of HPHS-VM1 is:
         0x91000 = ( WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION )
         Typical setting for a DC is
         0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         ......................... HPHS-VM1 failed test MachineAccount

      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=hphs,DC=ac,DC=za
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=hphs,DC=ac,DC=za
         ......................... HPHS-VM1 failed test NCSecDesc

From this problematic machine I can \\servername and it will show me and give me access to the resources on that machine; however, when I \\HPHS-VM1 from any other machine in the domain I get "\\hphs-vm1 is not accessible.  You might not have permissions to use this network resource.  Contact the administrator of this server to find out if you have access permissions.  Logon Failure: The target account name is incorrect."  However, if I \\machine-ip it gives me access to the resources.

My remaining two DCs are running fine and handling logons etc.

Any advice?

Question by:luddiemey
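
Added example (not part of the original thread): a PowerShell helper that decodes the two userAccountControl values shown in the dcdiag MachineAccount output above and reports whether the machine account carries the DC trust bit. The function names are hypothetical; the commented live query assumes the ActiveDirectory module and the default Domain Controllers OU under the domain named in the post.

```powershell
# Added example: decode userAccountControl (UAC) bits for a machine account.
# Flag names follow the dcdiag output; values are the documented UAC bits.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x2
    NORMAL_ACCOUNT                 = 0x200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWD             = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000   # set on read-only DCs
}

function Get-UacFlagName {            # hypothetical helper name
    param([int]$Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if ($Value -band $flag.Value) { $flag.Key }
    }
}

function Test-DcMachineAccount {      # hypothetical helper name
    param([string]$Name, [int]$Value)
    $server      = [bool]($Value -band $UacFlags['SERVER_TRUST_ACCOUNT'])
    $workstation = [bool]($Value -band $UacFlags['WORKSTATION_TRUST_ACCOUNT'])
    $rodc        = [bool]($Value -band $UacFlags['PARTIAL_SECRETS_ACCOUNT'])
    $verdict = if ($server -and -not $workstation) {
        'writable DC account'
    } elseif ($workstation -and $rodc) {
        'read-only DC account'
    } elseif ($workstation) {
        'member/workstation account, not a DC account'
    } else {
        'no machine trust bit set'
    }
    [pscustomobject]@{
        Name    = $Name
        UAC     = '0x{0:X}' -f $Value
        Flags   = (Get-UacFlagName $Value) -join ' | '
        Verdict = $verdict
    }
}

# The two values printed by dcdiag in the question:
Test-DcMachineAccount 'HPHS-VM1 (as reported)' 0x91000   # workstation trust
Test-DcMachineAccount 'typical DC'             0x82000   # server trust

# Live check, run from a healthy DC (assumes the ActiveDirectory module):
# Get-ADComputer -SearchBase 'OU=Domain Controllers,DC=hphs,DC=ac,DC=za' -Filter * `
#   -Properties userAccountControl |
#   ForEach-Object { Test-DcMachineAccount $_.Name $_.userAccountControl }
```

Where computer account management auditing is enabled, Security event 4742 on the DC that processed the change records the old and new UAC values, which shows when the trust bit changed and which account changed it.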
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598233
Have you tried to reboot that "faulty" DC first? Please try this simple step first :]

After all, if the problem still persists, did you make any changes on that VM server? Any DC restoration from snapshot or something similar?

Regards,
Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598242
Additionally, please check in the ADUC console under Domain Controllers if this server is still a DC (if it is, there should be its account there). Maybe someone decommissioned it?

Krzysztof
0
 

Author Comment

by:luddiemey
ID: 36598276
Thanks for the reply.

First thing I did was reboot it, and no change.  No changes have been made on the server (or network for that matter) in more than a month.

If I open ADUC on the offending machine, inside the Domain Controllers OU, it is listed alongside the other 2 DCs but under DC Type it is listed as DC.

On the functional DCs under ADUC Domain Controllers OU, it is listed as just a GC.  Does that matter?
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36598351
Nope. So, looks like you need to re-promote it. Try to demote DC from that server by running DCPROMO. You can find an article on my blog for that at
http://kpytko.wordpress.com/2011/08/29/decommissioning-the-old-domain-controller/

If you cannot do that because of errors, please force demotion by DCPROMO /FORCEREMOVAL
There is also a post on my blog for that at
http://kpytko.wordpress.com/2011/08/30/decommissioning-broken-domain-controller/

After forced DC decommission, do metadata cleanup for that DC
http://kpytko.wordpress.com/2011/08/29/metadata-cleanup-for-broken-domain-controller/

Uninstall DNS role from the server. While it is your FSMO role holder for PDC and RID, seize those roles to another available Domain Controller. Before seizing FSMO roles shut the broken server down.
http://kpytko.wordpress.com/2011/08/28/seizing-fsmo-roles/

Transfer all other roles/data to another DC and, as the last step, reinstall your virtual server again with server OS. After all, promote it as DC again
http://kpytko.wordpress.com/2011/09/05/adding-additional-domain-controller/

Krzysztof
0
 

Author Comment

by:luddiemey
ID: 36598375
I have a full server backup from Friday night.  Would it not be easier to first try to restore to a previous date?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598391
Yes, if you have recent system state backup, do non-authoritative restore for that :)
http://technet.microsoft.com/en-us/library/cc784922%28WS.10%29.aspx

Krzysztof
0
 

Author Comment

by:luddiemey
ID: 36600557
Worked fine until I rebooted it just to make sure... then the same issues started creeping up. However, I am now only receiving one error from ADDS, 1308, but DNS is still not running.  Will continue to work at it.
0
 

Author Comment

by:luddiemey
ID: 36601586
OK, restarted systemstate again, and I have left it running... not going to reboot it just yet.  I can only see one problem... it's not showing a sysvol folder, so there is obviously still something not right somewhere.  But I am tired, and will only care enough again in about 5 hours' time.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36707684
OK, so try with this MS article about "How to rebuild SYSVOL"
http://support.microsoft.com/default.aspx?scid=kb;en-us;315457

Krzysztof
0
 

Author Comment

by:luddiemey
ID: 36895626
Got it scheduled for tomorrow morning.
0
 

Author Comment

by:luddiemey
ID: 36896983
So I jumped the gun and started early.  Following http://support.microsoft.com/default.aspx?scid=kb;en-us;315457 broke EVERYTHING!  Restored everything from backup and now I am just back to where I originally started, and VM1 is giving me a few more errors to work with.


System log:
security-kerberos - event ID 4
GroupPolicy - event ID 1097
NETLOGON - event ID 5781

DFS Replication:
DFSR event: 1204

DNS Server Log:
DNS-Service-Server - event ID: 4000 and 4001

File Replication Service Log:
NtFrs - event 13562 and 13508

I also have the following:
C:\Users\administrator.HPHS>nltest /server:hphs-vm1 /sc_query:hphs.ac.za
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

C:\Users\administrator.HPHS>nltest /server:hphs-fs2 /sc_query:hphs.ac.za
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\HPHS-VM1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\Users\administrator.HPHS>nltest /server:hphs-wsus /sc_query:hphs.ac.za
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\HPHS-VM1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

C:\Users\administrator.HPHS>

C:\Users\administrator.HPHS>klist tickets

Current LogonId is 0:0x1f6ad6

Cached Tickets: (8)

#0>     Client: administrator @ HPHS.AC.ZA
        Server: krbtgt/HPHS.AC.ZA @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1>     Client: administrator @ HPHS.AC.ZA
        Server: krbtgt/HPHS.AC.ZA @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#2>     Client: administrator @ HPHS.AC.ZA
        Server: HOST/HPHS-WSUS.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:25:55 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#3>     Client: administrator @ HPHS.AC.ZA
        Server: ldap/HPHS-WSUS.hphs.ac.za/hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:24:47 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#4>     Client: administrator @ HPHS.AC.ZA
        Server: cifs/HPHS-FS2.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:21 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#5>     Client: administrator @ HPHS.AC.ZA
        Server: ldap/HPHS-FS2.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:20 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#6>     Client: administrator @ HPHS.AC.ZA
        Server: ldap/HPHS-WSUS.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#7>     Client: administrator @ HPHS.AC.ZA
        Server: cifs/HPHS-WSUS.hphs.ac.za @ HPHS.AC.ZA
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 10/1/2011 17:06:13 (local)
        End Time:   10/2/2011 3:06:13 (local)
        Renew Time: 10/3/2011 20:42:42 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


C:\Users\administrator.HPHS>

If I am starting to understand this problem correctly... could it be that this domain controller account hphs-vm1 has "reset" itself?  And that is why all this bad shit is happening to me?

If I don't come right soon I will follow the instructions from the first post Krzysztof made.
0
