Re: Receiving access denied accessing 2000 domain controller



Jorge:

After futzing with this all day and night Saturday and most of the
morning Sunday it is finally working.

I ended up removing AD again (third time actually). In each case I went
through the entire FSMO and metadata cleanup process and on the first
two times there were problems left behind. After this third time there
were no artifacts left behind so I reenabled AD and everything now
appears to be OK.

Thanks
John


Jorge Silva wrote:
Hi



There can be several reasons to this error, however in your case I think
something went wrong when you demoted the DC.

How did you remove the server?

Did you perform the steps in the link that I provided?

Did you seize any roles that the server held?

To remove the server and perform metadata cleanup follow this:

How to remove data in Active Directory after an unsuccessful domain
controller demotion

http://support.microsoft.com/kb/216498/

Don't forget to remove the server from Active Directory sites and services
and from DNS. Make sure that all servers replicate and then add the server
again.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"John" <ClipperMiami@xxxxxxxxx> wrote in message
news:1154224781.744019.235610@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Jorge:

As I said most things seem to be working. Other systems can now access
the machine.

However, I'm now getting Error 16550 in the System Log:

"The account-identifier allocator failed to initialize properly. The
record data contains the NT error code that caused the failure.
Windows 2000 will retry the initialization until it succeeds; until
that time, account creation will be denied on this Domain Controller.
Please look for other SAM event logs that may indicate the exact reason
for the failure. "

I've tried the procedures in "http://support.microsoft.com/?kbid=839879
Event ID 16650:
The account-identifier allocator failed to initialize in Windows 2000
and in Windows Server 2003" including deleting the replication links.

When I run the procedure in "Verify that Active Directory objects that
are related to RID allocation are valid" everything looks OK according
to the KB article.

However when I run the procedure in "Verify that the RID Master is
replicating with another domain controller" the values
"CN=IASIdentity" and "CN=RID Set" do NOT exist for the recovered DC.

John
-----------------------------------
John wrote:
Jorge:

Thanks very much, that did it! I was able to remove and reinstall AD on
the system and it APPEARS to be functioning almost normally. I'm still
having problems getting RRAS to authenticate VPN calls and there are
still some "odd" error messages in the log, but it appears the worst of
it is "fixed".

It is interesting that for the most part the procedure was fairly
straightforward. It's a bit surprising that there isn't some single tool
or script that would accomplish all the steps in one automatic package
rather than "the crazy-quilt collection of this tool and that tool and
go here, delete this, enable that ..."

John


Jorge Silva wrote:
Hi

Inline

We have had a disk crash on our 2000 primary domain controller (AD) and
have recovered by using a previously mirrored disk of the system. This
mirror is about a week old (we broke the mirror for some testing).

Never do that AGAIN; the system has no way to check that this was a
restore using this method.
USE ONLY SUPPORTED DEVICES AD AWARE TO RECOVER AD.

read this:
How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/?kbid=875495

How to detect and recover from a USN rollback in Windows 2000 Server
http://support.microsoft.com/kb/885875/en-us

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"John" <ClipperMiami@xxxxxxxxx> wrote in message
news:1154199589.890150.69250@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Further to this if we try to access this machine using "Run
\\machinename" we get an error
"Log on failure. The target account name is invalid"

The Event Logs reflect a variety of errors. In Directory Service there
are errors such as:

- The Directory Service consistency checker has noticed that 6 successive replication attempts with CN=NTDS Settings,CN=LONDON,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXXXX,DC=YYY have failed over a period of 21707 minutes. The connection object for this server will be kept in place, and new temporary connections will be established to ensure that replication continues. The Directory Service will continue to retry replication with CN=NTDS Settings,CN=LONDON,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXXXX,DC=YYY; once successful the temporary connection will be removed.
- The Active Directory database has been restored using an unsupported restoration procedure.
- Outbound Replication disabled
- Inbound Replication disabled
- NTDS (296) The database engine has successfully completed recovery steps.
- NTDS (296) The database engine is replaying log file e:\WINNT\NTDS\edb.log.

We did NOT do anything to attempt to restore the AD database, merely
booted from the old mirrored drive.




John wrote:
We have had a disk crash on our 2000 primary domain controller (AD) and
have recovered by using a previously mirrored disk of the system. This
mirror is about a week old (we broke the mirror for some testing).

It appears that we were successful in using this in the domain but we
are now getting "Access Denied" on any other system in the network that
attempts to access resources on this machine. Before we get too far
along with this backup is there any way to recover from this problem?

Thanks
John
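The checks this thread walks through by hand (the CN=RID Set / rIDSetReferences objects from KB 839879, the RID master owner, the USN-rollback marker from KB 875495, and the inbound/outbound replication-disabled state) gathered into one script. This is an added PowerShell example, not code from any post in the thread; it assumes the ActiveDirectory RSAT module, WinRM access to the DC and repadmin.exe on the workstation, and the DC name is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# WinRM access to the DC, and repadmin.exe available locally.
param([string]$DcName = 'LONDON')   # placeholder: the DC whose recovery is being checked

Import-Module ActiveDirectory
$domain  = Get-ADDomain
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [string]$Status, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. KB 839879: the DC's computer object must reference an existing CN=RID Set child.
$dc = Get-ADComputer -Filter "Name -eq '$DcName'" `
        -SearchBase $domain.DomainControllersContainer -Properties rIDSetReferences
if (-not $dc) { throw "No computer object for $DcName under $($domain.DomainControllersContainer)" }
$ridSetDn = $dc.rIDSetReferences | Select-Object -First 1
$ridSet = if ($ridSetDn) {
    Get-ADObject -Identity $ridSetDn -ErrorAction SilentlyContinue `
        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
}
if ($ridSet) {
    # rIDAllocationPool packs the pool as (end << 32) | start; decode it for readability.
    $start = $ridSet.rIDAllocationPool -band 0xFFFFFFFF
    $end   = $ridSet.rIDAllocationPool -shr 32
    Add-Result 'CN=RID Set' 'OK' "pool $start-$end, next RID $($ridSet.rIDNextRID)"
} else {
    Add-Result 'CN=RID Set' 'MISSING' 'rIDSetReferences absent or dangling (the symptom in the thread)'
}

# 2. KB 839879: CN=RID Manager$ names the RID master; compare it with the domain's view.
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
            -Properties fSMORoleOwner, rIDAvailablePool
Add-Result 'RID master' 'INFO' "$($domain.RIDMaster) (fSMORoleOwner=$($ridMgr.fSMORoleOwner))"

# 3. KB 875495: "Dsa Not Writable" = 4 means the DC itself flagged a USN rollback.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$flag = Invoke-Command -ComputerName $DcName -ScriptBlock {
    (Get-ItemProperty -Path $using:ntds -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue).'Dsa Not Writable'
}
Add-Result 'Dsa Not Writable' $(if ($flag -eq 4) { 'ROLLBACK' } else { 'OK' }) "value=$flag"

# 4. The "Inbound/Outbound Replication disabled" events in the thread map to these DSA options.
$opts = (& repadmin.exe /options $DcName) -join ' '
foreach ($o in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
    Add-Result $o $(if ($opts -match $o) { 'SET' } else { 'clear' }) ''
}
$results | Format-Table -AutoSize
```

A MISSING RID Set together with a ROLLBACK flag is the combination the thread describes; a DC in that state should be demoted and cleaned up per KB 216498 rather than left to retry the RID allocator.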


