From: seeker01 on 20 Sep 2005 10:26

Current environment: 2 x Windows 2000 Domain Controllers with CA services running.

This morning, I performed a non-authoritative system state restore on DC2 because no users could request a new certificate. The system state restore solved the CA problem but introduced other new non-trusted errors & DNS errors. DC1 complains: "The session setup from the computer DC02 failed to authenticate. The name of the account referenced in the security database is SSRADCERT02$. The following error occurred: Access is denied." I can ping the DC by host & FQDN, but why does "net time \\DC02computername /set /y" from ssradcert02 fail with "access denied"? I have to run "net time \\DC02IPaddress /set /y".

Any clues why? I have cold feet really. Thanks!
From: seeker01 on 20 Sep 2005 10:33

Oh yes, I got this error on the DC02 server: "Failed to authenticate with \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller for domain "XYZ"." I am so scared to make more changes because that may break the certificate service so it can't do new certificates. I am very desperate to hear from anyone who knows why. Thanks muchly.

"seeker01" wrote:

> current environment: 2 x Windows 2000 Domain Controllers with CA services
> running.
>
> This morning, I have performed the non-authoritative system state restore on
> DC2 because no users can request new certificate. The system state restore
> solved the CA problem but introduced other new non-trusted errors & DNS
> errors. DC1 complaint "The session setup from the computer DC02 failed to
> authenticate. The name of the account referenced in the security database is
> SSRADCERT02$. The following error occurred: Access is denied." I can ping the
> DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
> ssradcert02 encounters errors "access denied". I have to run "net time
> \\DC02IPaddress /set /y.
>
> Any clues why? I have coldfeet really. Thanks !
From: Ace Fekay [MVP] on 20 Sep 2005 22:54

In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8(a)microsoft.com,
seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then commented about below:

> Oh yes, I got this error on DC02 server, "Failed to authenticate with
> \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
> for domain "XYZ". I am so scared to make more changes because that
> may break certificate service cant do new certificate. I am very
> desperate to hear anyone that knew why. Thanks muchly.
>
> "seeker01" wrote:
>

How old was the system state that you restored?

What errors are in the event logs of both DCs?

Does DC01.ssict.org.au exist as a record and do the SRV records reference this as a DC hosting services under the zone?

--
Regards,
Ace

If this post is viewed at a non-Microsoft community website, and you were to respond to it through that community's website, I may not see your reply. Therefore, please direct all replies ONLY to the Microsoft public newsgroup this thread originated in so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
From: seeker01 on 20 Sep 2005 23:22

Hi Ace,

Thanks for your email. The system state that I restored was from the 1Aug05 tape.

DC01 errors are:

(1) ID5722 from NETLOGON: "The session setup from the computer DC02 failed to authenticate. The name of the account referenced in the security database is DC02$. The following error occurred: Access is denied."
(2) ID3034 from MRxSMB: "The redirector was unable to initialize security context or query context attributes".
(3) ID13508 from NtFrs: "File Replication Service is having trouble enabling replication from DC02 to DC01 for c:\winnt\sysvol\domain using the DNS name DC02.ssict.org.au. FRS will keep retrying."

DC02 errors are:

(1) ID1000 from Userenv: "Windows cannot determine the user or computer name. Return value (-2146893022)"
(2) ID3034 from MRxSMB: "The redirector was unable to initialize security context or query context attributes".
(3) ID16650 from SAM: "The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure"

I am not sure if this is a DNS-related issue because my nslookup works fine. Is this to do with the secure channel needing a reset? What is the right command & where do I run it from?

Thanks a bunch really :-/

Seeker01

"Ace Fekay [MVP]" wrote:

> In news:AE36A601-F8E7-45DE-9D05-92A3B81502B8(a)microsoft.com,
> seeker01 <seeker01(a)discussions.microsoft.com> made this post, which I then
> commented about below:
> > Oh yes, I got this error on DC02 server, "Failed to authenticate with
> > \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller
> > for domain "XYZ". I am so scared to make more changes because that
> > may break certificate service cant do new certificate. I am very
> > desperate to hear anyone that knew why. Thanks muchly.
> >
> > "seeker01" wrote:
> >
>
> How old was the system state that you restored?
>
> What errors are in the event logs of both DCs?
>
> Does DC01.ssict.org.au exist as a record and do the SRV records reference
> this as a DC hosting services under the zone?
>
> --
> Regards,
> Ace
From: Jorge_de_Almeida_Pinto on 20 Sep 2005 23:35
"" wrote:

> Oh yes, I got this error on DC02 server, "Failed to authenticate with
> \\DC01.ssict.org.au, a Windows NT or Windows 2000 domain controller for
> domain "XYZ". I am so scared to make more changes because that may break
> certificate service cant do new certificate. I am very desperate to hear
> anyone that knew why. Thanks muchly.
>
> "seeker01" wrote:
>
> > current environment: 2 x Windows 2000 Domain Controllers with CA services
> > running.
> >
> > This morning, I have performed the non-authoritative system state restore on
> > DC2 because no users can request new certificate. The system state restore
> > solved the CA problem but introduced other new non-trusted errors & DNS
> > errors. DC1 complaint "The session setup from the computer DC02 failed to
> > authenticate. The name of the account referenced in the security database is
> > SSRADCERT02$. The following error occurred: Access is denied." I can ping the
> > DC by host & fqdn but why cant I do net time \\DC02computername /set /y from
> > ssradcert02 encounters errors "access denied". I have to run "net time
> > \\DC02IPaddress /set /y.
> >
> > Any clues why? I have coldfeet really. Thanks !

What does DCDIAG /V say?