From: seeker01 on 21 Sep 2005 19:43

Hi Ace,
I have ID4001 error "The DNS server was unable to open zone ssict.org.au in the Active Directory. This DNS Server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code"

But do you think my problem is a DNS-related or aging-related issue?

"Ace Fekay [MVP]" wrote:
> In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04(a)microsoft.com,
> seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi Ace,
> > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
> > system state restore on DC02, am I supposed to re-apply the SP4
> > because I didn't. Is this the reason why? There were no more changes
> > made on both DNS servers since the build more than a year ago. Can it
> > be the DNS problem? Or perhaps the problem will go away if I run
> > nltest to reset the security channel on DC02 since I have error
> > "access denied" & "logon failure: unknown username or bad password"?
> > Thanks heaps.
>
> August 1, 2005? Wow. That is approaching the 60-day limit. Are you sure about
> the date? After 60 days, the backup is useless. Also, the dcdiag you posted
> upon Jorge's request shows numerous issues related to out-of-date data. You
> can try the nltest command, which should reset the channel:
>
> nltest /sc_verify:[YourDomainName]
>
> If that doesn't work, try:
> nltest /sc_reset:[YourDomainName]
>
> More info on it here:
>
> About nltest:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx
>
> nltest syntax:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx
>
> Ace
From: seeker01 on 21 Sep 2005 21:54

Ace,
I got the following results. Is it still safe to run nltest /sc_reset:[domain name] from DC02? Thanks.

The results when I run "nltest" from DC02
nltest /server:ssradcert02 /sc_query:ssict
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
The command completed successfully

The results when run from DC01
C:\>nltest /sc_query:ssict
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

"Ace Fekay [MVP]" wrote:
> In news:BEF3B4D3-7C88-4574-A4A5-4E15D0814D04(a)microsoft.com,
> seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
> commented about below:
> > Hi Ace,
> > Both DC01 & DC02 already running with SP4 before 1Aug05. After the
> > system state restore on DC02, am I supposed to re-apply the SP4
> > because I didn't. Is this the reason why? There were no more changes
> > made on both DNS servers since the build more than a year ago. Can it
> > be the DNS problem? Or perhaps the problem will go away if I run
> > nltest to reset the security channel on DC02 since I have error
> > "access denied" & "logon failure: unknown username or bad password"?
> > Thanks heaps.
>
> August 1, 2005? Wow. That is approaching the 60-day limit. Are you sure about
> the date? After 60 days, the backup is useless. Also, the dcdiag you posted
> upon Jorge's request shows numerous issues related to out-of-date data. You
> can try the nltest command, which should reset the channel:
>
> nltest /sc_verify:[YourDomainName]
>
> If that doesn't work, try:
> nltest /sc_reset:[YourDomainName]
>
> More info on it here:
>
> About nltest:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ea7f8494-ee1e-4d99-b28f-8f2fd8a72df2.mspx
>
> nltest syntax:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/c694f7f1-e05a-474c-b02b-19a7575ed860.mspx
>
> Ace
From: Ace Fekay [MVP] on 21 Sep 2005 22:41

In news:815F60A4-8783-4F4D-ADB1-94BD32D3F359(a)microsoft.com,
seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then commented about below:
> Ace,
> I got the following results. Is it still safe to run nltest
> /sc_reset:[domain name] from DC02? Thanks.
>
> The results when I run "nltest" from DC02
> nltest /server:ssradcert02 /sc_query:ssict
> Flags: 0
> Trusted DC Name
> Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
> The command completed successfully
>
> The results when run from DC01
> C:\>nltest /sc_query:ssict
> I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

Yes, run it. DC02 is not functioning and the 60-day Tombstone Lifetime is approaching.

As for the session password, it renews every 7 days, which is configurable in the default domain policy, under Comp\Windows\Security\Kerberos.

Ace
From: seeker01 on 22 Sep 2005 03:29

Hi Ace,
I have no intention to ignore your advice but I am still blur because of my ignorance. What exactly is this 60-day limit, may I know? I thought I am now still within the 60 days, but why do I face so many errors? Or perhaps I should learn that "nltest" is always the command to run whenever we restore system state? Because I am on leave next week, my boss shows great concern that I can cause further damage. Also he argued that we are not any worse because the backup tape from the 60-day limit is already causing the errors, so there is no difference to even restore it from yesterday's tape now. Does it make sense?

"Ace Fekay [MVP]" wrote:
> In news:815F60A4-8783-4F4D-ADB1-94BD32D3F359(a)microsoft.com,
> seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
> commented about below:
> > Ace,
> > I got the following results. Is it still safe to run nltest
> > /sc_reset:[domain name] from DC02? Thanks.
> >
> > The results when I run "nltest" from DC02
> > nltest /server:ssradcert02 /sc_query:ssict
> > Flags: 0
> > Trusted DC Name
> > Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
> > The command completed successfully
> >
> > The results when run from DC01
> > C:\>nltest /sc_query:ssict
> > I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
>
> Yes, run it. DC02 is not functioning and the 60-day Tombstone Lifetime is
> approaching.
>
> As for the session password, it renews every 7 days, which is configurable
> in the default domain policy, under Comp\Windows\Security\Kerberos.
>
> Ace
From: Ace Fekay [MVP] on 22 Sep 2005 09:28

In news:39FD1F53-40AF-457E-ABFA-7566A461E99B(a)microsoft.com,
seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then commented about below:
> Hi Ace,
> I have no intention to ignore your advice but I am still blur because
> of my ignorance. What exactly is this 60-day limit, may I know? I
> thought I am now still within the 60 days, but why do I face so many
> errors? Or perhaps I should learn that "nltest" is always the command
> to run whenever we restore system state? Because I am on leave next
> week, my boss shows great concern that I can cause further damage. Also
> he argued that we are not any worse because the backup tape from the
> 60-day limit is already causing the errors, so there is no difference to
> even restore it from yesterday's tape now. Does it make sense?

Maybe in all honesty, if you are not trusting what you are hearing, whether from me or anyone else in this group, I would HIGHLY suggest you call Microsoft PSS and let them guide you. I believe there will be a charge, unless you have an MSP agreement. It's your call.

What are you waiting for? Your vacation? You are running Certificate services. It even complicates it. I would suggest to ACT QUICKLY and forget your vacation next week and concentrate on this important matter. It seems like you and your boss are gambling that the tombstone issue doesn't mean anything to you. I'm just giving you an option before you have no more options once the 60-day Tombstone Lifetime comes up.

Your issue is a secure channel password. You are not comprehending the seriousness of the 60-day tombstone. Once it comes up, you will have NO OTHER CHOICE but to trash the server, seize the FSMO roles over to the existing server, run a metadata cleanup using ntdsutil, clean up any remaining lingering objects from the old server in Sites and Services and using ADSI Edit, then re-format the old server and reinstall it from scratch.

Good luck.

Below taken from:
http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch10.mspx

It is not possible to restore a backup image into a replicated enterprise that is older than the tombstone lifetime value for the enterprise. When an Active Directory object is deleted, it is not fully and immediately removed from Active Directory. Instead the majority of the attributes are stripped out and the object is moved to the deleted items container. This remaining object is called a tombstone. This tombstone object is replicated to all domain controllers in that respective domain so that they can learn of the object deletion. In this manner, the original object is no longer available to anyone searching Active Directory for it, but it is tombstoned.

The tombstone lifetime value represents the number of days that the deleted object (or tombstone) must be retained before it can be permanently removed from the directory. This value can be set by using the Active Directory Service Interfaces (ADSI) edit at the directory service path below:

Cn=Directory Services, cn=WindowsNT, cn=Services, cn=Configuration, dc=<<Domain_Name>>,dc=<<Domain_prefix>>

The default tombstone lifetime value is 60 days. Active Directory will not allow data to be restored to the directory from a backup image that is older than the tombstone lifetime. If this were to happen, the restored object would have an Update Sequence Number (USN) too old to trigger Active Directory replication. In this scenario, the object would never be replicated out to other domain controllers, and the restored domain controller would never replicate in to the necessary information to delete the object. Active Directory on the local server would thus become inconsistent.

Ace
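
As an added example, not part of the thread or of Microsoft's documentation: a PowerShell check of a system-state backup's age against the tombstone lifetime described in the excerpt above. The function names and the offline sample call are assumptions made for illustration; the directory lookup itself needs a domain-joined machine.

```powershell
# Added example: is a system-state backup still inside the tombstone lifetime?
# Function names are hypothetical; only standard ADSI/.NET calls are used.

function Get-TombstoneLifetimeDays {
    # Reads tombstoneLifetime from the Directory Service object in the
    # configuration partition. In a live directory the RDNs are spelled
    # "CN=Directory Service" and "CN=Windows NT".
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.psbase.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { return 60 }   # attribute not set: the 60-day default quoted above
    return [int]$value
}

function Test-BackupWithinTombstoneLifetime {
    param(
        [Parameter(Mandatory)] [datetime]$BackupDate,
        [datetime]$AsOf = (Get-Date),
        [int]$TombstoneLifetimeDays = 0    # 0 means: look it up in the directory
    )
    if ($TombstoneLifetimeDays -le 0) {
        $TombstoneLifetimeDays = Get-TombstoneLifetimeDays
    }
    if ($BackupDate -gt $AsOf) {
        throw "Backup date $BackupDate is later than the reference date $AsOf."
    }
    # Whole days elapsed since the backup was taken.
    $ageDays = [int][math]::Floor(($AsOf - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupDate              = $BackupDate.Date
        AgeDays                 = $ageDays
        TombstoneLifetimeDays   = $TombstoneLifetimeDays
        DaysRemaining           = $TombstoneLifetimeDays - $ageDays
        # A backup older than the tombstone lifetime must not be restored.
        WithinTombstoneLifetime = ($ageDays -le $TombstoneLifetimeDays)
    }
}

# Offline sample using dates mentioned in the thread (1 Aug 2005 as the backup
# date, 22 Sep 2005 as the date of the discussion) and the 60-day default.
Test-BackupWithinTombstoneLifetime -BackupDate '2005-08-01' -AsOf '2005-09-22' -TombstoneLifetimeDays 60
```

Omitting -TombstoneLifetimeDays makes the function read the value configured in the forest, which matters when an administrator has changed it from the default.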