Windows Server 2000/2003 Thread, Server Down - Administrator Cannot Login / Directory Services Unavailable in Technical; Afternoon All,
21st June 2011, 02:22 PM #1
Server Down - Administrator Cannot Login / Directory Services Unavailable
Well, whilst I'm waiting on Microsoft calling me back to have a look into this issue, I thought I would throw it up here in case anyone has ever come across this before.
- No One Knows Previous Administrator Passwords
- No One Knows Directory Restore Password
- No Documentation has ever been made
- No other Admin Account can login
So that gave me a mad morning, but now I am getting the following error message also.
Now that is all well and good, but I don't know the Directory Restore Login?
Directory Services could not start because of the following error: The system cannot find the file specified. Error status: 0xc000000f. Please click Ok to shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detail information.
I have been on site here for 4 days now and have built up an awful lot of documentation but still have a long way to go. So before anyone starts screaming, none of this (documentation does not exist) is down to me.
Anyone got any ideas? Or am I best just waiting for MSFT to hopefully break into it (if they can).
Oh! And backups were failing for the past 4 months. I managed to get a successful backup last week before this happened, so fingers crossed that backup is all well and good.
Also, without going into detail, the previous IT guy was here for the first day but ain't seen him since. I was asked to lock him out of the system yesterday (change password etc.) but that is all that was done, and the new administrator password worked fine after changing it, and rebooting the servers and logging in again worked fine, but overnight something weird happened.
Last edited by EduTech; 21st June 2011 at 02:26 PM.
21st June 2011, 02:38 PM #2
What version of Windows Server is it running?
If it is Windows 2000 then, as per the KB article here, you could try using the backup software to restore Ntds.dit to the %SystemRoot%\NTDS folder (default location of Ntds.dit; the location can be changed at promotion time but usually isn't).
As for breaking into the password I would be inclined to run something along the lines of ophcrack on a client and see if the admin password on the clients is the same as the directory services restore mode or admin on the server (Good reason to have your clients administrator account disabled, and the password completely different to any domain passwords).
Are you only running a single server with no redundancy?
That would be where I would start at least.........
21st June 2011, 02:46 PM #3
Yeah, I have already come across that KB article for Server 2000. This server is running Small Business Server 2003 Standard. There is no failover etc.
Originally Posted by iMash
I plan to get rid of SBS in the very near future and do it properly, but being here 4 days you can understand it's not something I could have sorted in that amount of time.
I have tried all of the passwords which I have found from doing a scan, none of which work. I even phoned the support company that installed this a few years ago and they gave me a few to try but they did not work either.
21st June 2011, 03:16 PM #4
I have found a few things from a website that is for the exchange of experts' information (am unsure of the rules on links to 3rd party sites on here; can PM you the link if needed).
They were for Server 2003. But I can imagine that SBS will be very, very similar (never used SBS myself).
That suggested using ERD Commander to reset the domain admin account. I was always under the impression that as a DC does not use a SAM you would not be able to reset it via ERD Commander but others on the site believed you could. So may be worth a try?
The other suggestion was...........
I just ran into this issue yesterday. I spent hours struggling to find an answer scouring the internet. Luckily, I found out that since I was a MS certified partner, they (Microsoft) would help me for free! Instead of trying to find the original password, the answer is actually rather simple.
Install a parallel copy of the OS (making note of the new password that you create during install). After install, activate product, and simply copy over the new SAM, SOFTWARE, DEFAULT, SYSTEM, and SECURITY from "%systemroot%\system32\config" to your old installation with the same directory. Reboot into the old operating system (having to activate again). Then, you can restore from a backup a previous copy of the files listed above (I used the previous night's backup system state and restored the whole stinking thing) to bring your Active Directory and settings back. Your server will (fingers crossed) be back to normal and your system will boot up normally. Mine was as if it never happened and lost no data, settings, etc. during the process.
The procedure took me approx. 4 hours on a 2003 server including OS install.
Last edited by iMash; 21st June 2011 at 03:18 PM.
21st June 2011, 03:23 PM #5
I was under the impression ERD Commander would not work to be honest as that had crossed my mind also.
Originally Posted by iMash
I'll keep the latter in mind as it might get to me having to do that... joys! It is going to be a long night indeed!
21st June 2011, 03:25 PM #6
A system restore is definitely needed here, as clearly it appears AD and possibly other services are corrupted. Is there no RAID setup on this system at all?
I presume you've tried just a blank password to restore the directory?
21st June 2011, 03:32 PM #7
Yup, Tried Blank Password, and the usual common passwords.
Originally Posted by Michael
It is RAID, type I will have to get back to you as I have not looked yet.
21st June 2011, 03:46 PM #8
@EduTech that is a total bollox point.
Hiren's BootCD 14.0 - All in one Bootable CD » www.hiren.info may help in this case. This is my little O Crap CD. I can't remember, but there is a tool for replacing the System Restore Password. With any luck you can just boot the server, replace it and use that to fix the root of the issue.
Security 101: keep the server in a locked, secure location, 'cause if you're at the terminal and have enough time, no password is strong enough. Unless it's BitLocked ofc.
Hope it helps buddy and good luck!
21st June 2011, 03:47 PM #9
21st June 2011, 03:49 PM #10
Did you suspend VPNs? I suspect foul play or a severely corrupted AD database. If you have successfully logged in with an administrator account then either AD has turned very corrupt in which case it would be restore from backups anyway or someone has killed the account password.
new administrator password worked fine after changing it and rebooting the servers and logging in again worked fine.. but over night something weird happened.
Obviously if you restore from backup you won't have an administrator account yet again (although the previous IT guy will have his account active again). Is anyone's PERSONAL account a member of Domain Admins?
Ntds.dit is the usual culprit of directory services errors. Since you haven't reinstalled, the certificates on the server are still valid, so if a backup exists then try copying that back over. TBH though, you can either waste time cracking the admin account or start from scratch. I don't think you can reset the password in the same way as a normal Windows machine as there isn't a local admin password on a DC. Domain controllers store their password in the AD directory - only after a DCPROMO demotion will you get a local admin password (having said that, I have never used SBS, therefore SBS could behave differently to a regular DC server).
Not nice, but you aren't a miracle worker!
Last edited by KK20; 21st June 2011 at 03:55 PM.
21st June 2011, 04:01 PM #11
Security is something I am getting on top of; they had 5900, 3389 and various other ports wide open and did not know the password to the WatchGuard Firewall, so I had to rebuild that from scratch on Thursday. I have not been able to lock down 3389 as of yet because I have to deploy a new solution quickly and I don't want to have to do it twice when the leased line goes live in a couple of days, so I'm just keeping my fingers crossed for the time being. (That will get locked down, and people will only be able to log in using an SSL VPN via the WatchGuard Firewall.)
No user accounts can log in. Only the Administrator, myself and another account have Domain Admin / Enterprise Admin rights and neither of them work.
I am not sure if the previous guy has done something malicious over the weekend that has only caused an issue since me rebooting, because last night, even though I could authenticate fine, it did feel a bit ropy and then around 10pm the server went offline. I came in this morning and it was powered on but had crashed, so I had to reboot it, and that is when I could not log in at all (and I got quite worried), and then after trying a few things (safe mode, restore mode etc.) this error now comes up with regards to the ntds.dit file etc.
I just hope to god that this backup is in a good state because it has not been tested or anything.
One thing that made me think this morning is that an SBS server normally sits at the pre-logon screen for a while doing its business because of how much it has to deal with, but yet it got to the logon box in less than 30 seconds, which is odd, as if all the services were not started. So I just assumed that maybe the logon/AD services were not starting, which is why I could then not authenticate. Would make sense, but it leaves me stuck.
MD wants to know how it has happened, as he is convinced the previous guy has done it, and I can't say nowt as I don't know and won't be saying anything UNTIL I have concrete facts. And even then I want to stay out of it as much as possible. (They really upset him, and he has threatened with causing problems in the past like this.)
Anyway, no call from MSFT as of yet, even then the SLA is less than 1hr and that was 2hrs ago! I'm seriously going to have to start doing some of the above soon.
Thanks for your help chaps,
21st June 2011, 04:53 PM #12
Well I hope it's RAID1 or RAID5 and not RAID0. That would be a little silly...
It is RAID, type I will have to get back to you as I have not looked yet.
I would check the status of the RAID array in the RAID BIOS. This should give you a better indication what's going on. Also, the fact the server is POSTing OK, hopefully the issue isn't hardware related.
The link IanT posted looks promising and would definitely be something I would explore. If the backup doesn't work, then it doesn't work. You can't be held responsible for this! It sounds to me you're doing a fab job given the circumstances.
21st June 2011, 05:04 PM #13
I have a SAM password cracker (for emergencies).
Create a boot CD from the ISO and boot the server. It's a command line tool. Have used it here when I first took up post. It done the job for me.
PM me if you're interested.
All the best
21st June 2011, 05:45 PM #14
@ozydave that is not going to help here.
21st June 2011, 07:40 PM #15
Right, There are 2 arrays (RAID 1 and RAID 5) for reference.
Tried a few more things with MSFT this afternoon, but they now basically want me to restore the system state from a backup (LTO3 media) to another server (which I have not got) so they can grab some files, and then, using Server 2008/Windows 7 and a USB drive with the files on, they want me to copy the files to the server, and then I am guessing they are hoping it will then work.
I am going to struggle to get that data off an LTO3 cartridge because I don't know anyone with one at the moment. I am going to get a copy of the server using Symantec System Recovery or something so I can at least get access to the data using a virtual machine if needs be. And then I shall fight with Microsoft with sorting that server.
I can't re-build it, no chance with no documentation etc. just a complete nightmare!
Don't help that I have the MD jumping up and down because he wants to know if he can take legal action against someone as he thinks that certain person did it maliciously, but to be honest that is the least of my worries right now; I need the damn thing up and running.
Joy oh joy! I cannot believe how much of a mess this entire network is, nothing right about it at all, and they are an international company! Eek! I have not stopped dripping with sweat all day.. :/ Scary stuff!
I don't think it is hardware related.
I'll update everyone in the morning; for now I need to find some drivers and get another box and an LTO3 backup drive to restore this media.