I will be fired if I can't save this DC


  • I will be fired if I can't save this DC

    I have been on this domain controller for a few days.

    The symptom: I cannot log into any domain on this domain controller; it keeps telling me incorrect username or password.

    Booting in DSRM shows a myriad of errors suggesting it is not a domain controller; it can't start the KDC or NETLOGON services. It can't authenticate to anything and nothing can authenticate to it. Obviously it can't connect to the other DCs anymore. The last information message before the crash was "Security update successfully applied". But since I can't authenticate to the domain, I cannot affect the Group Policies, locally or domain wide. My users are lighting their torches and are preparing to storm the helpdesk.

    I have been looking at it for the last two days, if anyone knows of any back doors or something. I could try disabling the policies if I had rights to my own file systems with the directory restore password, but it's all "access denied". Help

    I think I should mention it is Server 2003 Ent, child domain
    Last edited by Daxxian; 19th September 2007, 08:53. Reason: details detail details

  • #2
    Re: I will be fired if I can't save this DC

    You can reset the domain admin password in a Windows 2003 domain using the following document if you are able to log onto the Domain Controller in Directory Services Restore Mode.

    http://www.petri.com/reset_domain_ad...er_2003_ad.htm

    Does your child domain only contain the one domain controller?
    MCSA 2000/2003



    • #3
      Re: I will be fired if I can't save this DC

      The domain I am troubleshooting has multiple domain controllers, but only one is online right now. The others are on ship right now; in our environment we lose connectivity with them for weeks at a time, and they are experiencing the same problems.

      I have no problem logging into DSRM. I did the domain administrator password reset. But upon booting again, I got the "some services failed to start" and it gave me the same old "[your username or password are wrong]"

      Kerberos can't start because "The local machine must be a Kerberos KDC (domain controller) and it is not", and I think this is what is causing it. I just have no clue how to fix it.



      • #4
        Re: I will be fired if I can't save this DC

        in our environment we lose connectivity with them for weeks at a time
        But not for more than 60/90 days, right?

        This is not a good environment for an AD Domain to be in, even if it is never more than 90 days... was it your design?


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you



        • #5
          Re: I will be fired if I can't save this DC

          We have the tombstone set to 90 days, and we occasionally go over that. In such cases I just wipe the old servers out of AD from the root here, and the deployed units rebuild their domain controllers; it happens every few months. But this time, their domain's DC that I hold here when they are offline is dying. And I really need to save this domain partition.

          Our AD structure is designed to be always flexible to unreliable links and untrained personnel at the remote sites... Such is the USMC.



          • #6
            Re: I will be fired if I can't save this DC

            Have you performed an Authoritative Restore using AD restore under the F8 key before booting?

            Also, do you have a good backup of the DC before it went tits up?

            If you have not tried the above I would suggest restoring from backup first using the Authoritative Restore. This should restore the current DC to its former working glory.

            Then I recommend you perform a forced replication.

            Hope this helps.



            • #7
              Re: I will be fired if I can't save this DC

              Attempt an Authoritative Restore by pressing F8 during boot but prior to OS loading. If that doesn't work, make another post here.

              Tim Macking
              MCT, MCSE (NT, 2000 & 2003), MCSA with Security - MCDBA - MCDST - MCITP - MCTS - MCP - CCNA
              IT Manager / Consultant
              USA



              • #8
                Re: I will be fired if I can't save this DC

                That is why I like Symantec Backup Exec System Recovery. Had a situation like this and it took me like 10 min to bring everything back up.

                That was sweet. Anyway, how about demoting this DC and running DCPROMO again on it and letting it sync with the other DCs in the domain?
