  1. #1
    Bestbett

    Broken DC eww

    Here's the situation:
    I have AD set up so that I have one forest with multiple trees for each building, i.e. headhoncho.my.dist is the main parent with child domains off that like child1.elem1.my.dist at an elementary school and child2.high.my.dist at a secondary school. (I know it's not flat, I'm gonna move that way if I can fix my problem!)

    So normally a secondary student logs into the high domain and accesses shares on the server child2. And this has worked well all around until about 4 months ago. When...

    My issue is very complicated. The child2 server works in so much as it allows logins, allows access to shares, printing, applies GPOs, and does its job in general as long as you are a client. However, when you access the server locally you become limited, but only partially. I can add and remove user accounts in AD, and access local admin (C$) shares on clients. I can NOT access GPO at all; I receive access denied. I can NOT access my own shares, i.e. logged into child2 as Administrator of the domain but can't access \\child2\netlogon (or any share on any domain in my forest).

    Permissions look fine, and a whoami returns high\administrator. I even tried bringing a DC up as a backup of the high domain and it inherits all the symptoms of child2. Please... please... help me!

  2. #2
    ajbritton

    Re: Broken DC eww

    Is child2 a DC? If so, have you tried the usual tools such as DCDIAG and NETDIAG? If it's anything to do with replication then there may be something in the event logs.

  3. #3

    Dos_Box

    Re: Broken DC eww

    DNS issue, methinks. Is DNS replication enabled on the DCs?

  4. #4

    GrumbleDook

    Re: Broken DC eww

    Have you been changing anything with Enterprise Admins or Schema Admins?

    Are there any errors on site replication?

    Have you another child domain you can duplicate and then make the changes to get the second child domain set up?

    Do you get the same errors if you have child3?

  5. #5
    Bestbett

    Re: Broken DC eww

    Posting my dcdiag with names changed to protect the innocent (edited with failures only):

    Starting test: NetLogons
    [child2] An net use or LsaPolicy operation failed with error 5, Access is denied..
    ......................... child2 failed test NetLogons

    Starting test: MachineAccount
    Could not open pipe with [child2]:failed with 5: Access is denied.
    Could not get NetBIOSDomainName
    Failed can not test for HOST SPN
    Failed can not test for HOST SPN
    * Missing SPN null)
    * Missing SPN null)
    ......................... child2 failed test MachineAccount
    Starting test: Services
    Could not open Remote ipc to [child2]:failed with 5: Access is denied.
    ......................... child2 failed test Services

    Starting test: frssysvol
    [child2] An net use or LsaPolicy operation failed with error 5, Access is denied..
    ......................... child2 failed test frssysvol
    Starting test: frsevent
    ......................... child2 failed test frsevent
    Starting test: kccevent
    Failed to enumerate event log records, error Access is denied.
    ......................... child2 failed test kccevent
    Starting test: systemlog
    Failed to enumerate event log records, error Access is denied.
    ......................... child2 failed test systemlog


    netdiag passes all

    It has worked fine for over a year until about 4 months ago. It can resolve itself from itself when typing \\child2 in Run; you see all shares and printers, but when you click one it asks you to authenticate. It seems like it has lost connection with whomever is logged in locally, but again whoami resolves fine. I tried to put in a BDC for child2 and it has the exact same issues as child2.

  6. #6

    Geoff

    Re: Broken DC eww

    netdiag fails with error:
    The procedure entry point DnsGetPrimaryDomainName_UTF8 could not be located in the dynamic link library DNSAPI.dll.
    You're using the wrong version of netdiag. The one you have is for Windows 2000.

  7. #7


    Re: Broken DC eww

    Maybe he was running server 2000!

  8. #8
    Bestbett

    Re: Broken DC eww

    Update! Thanks to the helpful dcdiag and netdiag, which I had never used, I was able to hammer down the issue and partially... fix it.
    My DC is unable to create a digital signature. So by changing some registry entries and restarting a few services I can now access my own shares... yay. dcdiag and netdiag both run through fine now; however, I am unable to access shares or GPOs on other DCs because I haven't lowered their policies to not enforce digital signatures. I would rather figure out how to fix my broken DC into being able to create them again.

  9. #9
    ajbritton

    Re: Broken DC eww

    Unless 'child2' is the only DC for the domain (and maybe even if it is), I think I would be considering a reinstall at this point. If you have other working DCs then the loss of 'child2' as a DC would not be a problem. If it is the sole DC for its domain then it might be worth building a VM and trying to swing the AD, FSMO and GC roles onto it. You could then reinstall the OS on child2 and bring it back to DC status.

    EDIT: I certainly don't want to play down the level of Windows expertise on EduGeek, but you could also consider posting on the Minasi reader forums just to get some other opinions/options.

  10. #10
    Bestbett

    Re: Broken DC eww

    child2 is a DC and was the only DC for the entire high domain, until I tried to bring up another DC on the high domain so I could rebuild child2 without having to touch every PC on the high domain. However, the new DC on high "caught" all the symptoms of child2 and cannot create digital sigs either. Also, since it can't "authenticate" to other DCs within my.dist, I cannot ADM up to another unbroken DC anywhere on the list. Oh, and I dunno what VM means outside of VMware used to get OSs on systems they wouldn't normally work on.

  11. #11
    ajbritton

    Re: Broken DC eww

    Check the following policies for any settings which refer to 'digital signing' of packets: Local Security Policy, Domain Controllers Policy, Default Domain Policy (and any policies linked to the Site).
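
The policy check suggested in the last post can also be done from the applied result: the "digitally sign" security options are written to registry values under the LanmanServer, LanmanWorkstation and Netlogon services. The read-only script below is an added example, not part of the original thread; it assumes PowerShell is available on the DC, and it does not claim these are the registry entries the original poster changed.

```powershell
# Added example (read-only): report the registry values behind the
# "digitally sign" security options on the machine it runs on.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$settings = @(
    @{ Id = 'SrvRequire';  Key = "$svc\LanmanServer\Parameters";      Name = 'RequireSecuritySignature'; Policy = 'Microsoft network server: Digitally sign communications (always)' }
    @{ Id = 'SrvEnable';   Key = "$svc\LanmanServer\Parameters";      Name = 'EnableSecuritySignature';  Policy = 'Microsoft network server: Digitally sign communications (if client agrees)' }
    @{ Id = 'CliRequire';  Key = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature'; Policy = 'Microsoft network client: Digitally sign communications (always)' }
    @{ Id = 'CliEnable';   Key = "$svc\LanmanWorkstation\Parameters"; Name = 'EnableSecuritySignature';  Policy = 'Microsoft network client: Digitally sign communications (if server agrees)' }
    @{ Id = 'ChanRequire'; Key = "$svc\Netlogon\Parameters";          Name = 'RequireSignOrSeal';        Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)' }
    @{ Id = 'ChanSign';    Key = "$svc\Netlogon\Parameters";          Name = 'SignSecureChannel';        Policy = 'Domain member: Digitally sign secure channel data (when possible)' }
)

$values = @{}
$report = foreach ($s in $settings) {
    $raw = $null
    try {
        $raw = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction Stop |
               Select-Object -ExpandProperty $s.Name
    } catch {
        # Key or value absent: the OS default applies; this script does not guess it.
    }
    $values[$s.Id] = $raw
    [pscustomobject]@{
        Policy = $s.Policy
        Value  = $s.Name
        State  = $(if ($null -eq $raw) { 'not set' } elseif ($raw -eq 1) { 'enabled' } else { 'disabled' })
    }
}
$report | Format-Table -AutoSize -Wrap

# A DC opening its own shares is SMB client and server at once, so a mismatch
# between the two halves on one machine is enough for an SMB1 server to refuse it.
if ($values.SrvRequire -eq 1 -and $values.CliEnable -eq 0 -and $values.CliRequire -ne 1) {
    Write-Warning 'Server side requires signing, but the client side has signing disabled.'
}
if ($values.CliRequire -eq 1 -and $values.SrvEnable -eq 0 -and $values.SrvRequire -ne 1) {
    Write-Warning 'Client side requires signing, but the server side has signing disabled.'
}
```

Running it on each DC and comparing the output with what the Domain Controllers Policy and Default Domain Policy are meant to apply shows where a signing requirement on one side meets a disabled setting on the other.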
