Re: user authentication failure on windows 2000 domain
- From: "Paul Bergson" <pbergson@xxxxxxxxxx>
- Date: Mon, 2 Jan 2006 15:11:17 -0600
I'm beginning to think this all stems from the loss of your root CA. I
don't have a high level of experience in this area, but believe you should
clean this up. Below is a start on removing the CA from AD. I would
recommend you get a good backup before you proceed. The CA provides signing
for the AD; since it isn't available, I'm not sure what it does to handle it
if it still thinks it is in the domain. But the system is complaining about
encryption, etc...
From:
http://support.microsoft.com/?id=889250
MORE INFORMATION
Utilities to help you remove CA objects
The Microsoft Windows Server 2003 Administration Tools Pack provides
utilities to help you remove CA objects from the domain.
The Certutil.exe utility
The Windows Server 2003 version of the Certutil.exe utility can be used to
remove both Windows Server 2003 and Windows 2000 CAs from Active Directory.
To remove a CA from Active Directory, type the following at a command
prompt:
certutil -dsdel CA Name
In this example, the CA name is Windows2000 Enterprise Root CA. Therefore,
the command line in this example is the following:
certutil -dsdel "Windows2000 Enterprise Root CA"
Note If your CA name contains spaces, you must enclose the name in quotation
marks.
The Pkiview.msc utility
This graphical MMC snap-in can be used to view, add, and remove certificates
and objects from Active Directory. To use the Pkiview.msc utility, follow
these steps:
1. Click Start, click Run, type MMC, and then click OK.
2. Click File, click Open, and then locate the folder where the
Pkiview.msc utility is installed.
3. Right-click the root node (Enterprise PKI), and then click Manage
AD Containers.
4. Click each tab, and then remove all references to the
decommissioned CA.
Note These utilities work for both Windows 2000 and Windows Server 2003
enterprise and stand-alone CAs.
For additional information about how to obtain the Windows Server 2003
Administration Tools Pack, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
<bjaming@xxxxxxxxx> wrote in message
news:1136234609.848183.157420@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> the only error I really see in either file is
>
>
> [WARNING] Failed to query SPN registration on DC 'dc2.domain.net'.
>
> same error for dc1 in netdiag and in dcdiag, I've read up on that error
> and it looks like it might actually be a problem with the version of
> dcdiag and netdiag I have (win 2k)
>
> if you'd like I can paste the entire output here if you like, it's quite
> large though
>
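A read-only inventory to run before and after the removal steps quoted from the KB article, so you can see which directory objects still carry the decommissioned CA's name. This is an added example, not part of the original post or the KB article; it assumes the default Public Key Services container in the configuration partition, and the default CA name is the KB's example name standing in for your own.

```powershell
# Added example (read-only): list AD objects whose cn starts with a CA's name.
param(
    # Placeholder: the example CA name used in the KB text above.
    [string]$CaName = 'Windows2000 Enterprise Root CA'
)

function Get-CaReference {
    param([string]$SearchBase, [string]$Name)

    # Escape LDAP filter metacharacters (RFC 4515), backslash first.
    $escaped = $Name.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500
    # Trailing wildcard also matches renewed-key objects such as "<CA name>(1)".
    $searcher.Filter      = "(cn=$escaped*)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $classes = @($r.Properties['objectclass'])
            New-Object PSObject -Property @{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                ObjectClass       = [string]$classes[$classes.Count - 1]
            }
        }
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

# Assumption: PKI objects sit in the default Public Key Services container
# of the forest's configuration naming context.
$rootDse = [ADSI]'LDAP://RootDSE'
$pkiBase = 'CN=Public Key Services,CN=Services,' + [string]$rootDse.configurationNamingContext

$found = @(Get-CaReference -SearchBase $pkiBase -Name $CaName)
$found | Sort-Object DistinguishedName | Format-Table -AutoSize -Wrap
"{0} object(s) under '{1}' reference '{2}'." -f $found.Count, $pkiBase, $CaName
# NTAuthCertificates keeps CA certificates in a multi-valued attribute of one
# object, so a cn match cannot confirm it is clean; check it in Pkiview.msc.
```

Save the listing from the first run alongside your backup; after the cleanup the same command should report zero objects.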