Can not acces shared folder on server (Urgent help)
18 years 2 months ago #16995
by chandak76
Replied by chandak76 on topic Re: Can not acces shared folder on server (Urgent help)
I thought my problems were sorted but it doesn't look like it. I just tried to get a new PC to join the domain but I get an error "The following error occurred attempting to join the domain "Domain-name". Logon failure: The user has not been granted the requested logon type at this computer".
And when I check Domain controller security settings--local policies--user rights assignments, there is no one assigned. When I try to assign someone, e.g. administrator, I get this error "An Extended error has occurred: failed to save \domain-name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf".
How can I sort this one out?
18 years 2 months ago #17018
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Can not acces shared folder on server (Urgent help)
Hi matey,
Sorry I have not been keeping up to date with this thread, been in London over the weekend for a long weekend with Fiancee
Can you check the event logs for me and see if there are any errors and post them? Also, can you confirm the file is there and that you can access the file through the share OK?
Cheers
18 years 2 months ago #17026
by chandak76
Replied by chandak76 on topic Re: Can not acces shared folder on server (Urgent help)
Hi,
The file is there but I can not access it through a file share,
here are some of the directory logs
This is the replication status for the following directory partition on the local domain controller.
Directory partition:
CN=Configuration,DC=Holiday,DC=ecb,DC=co,DC=za
The local domain controller has not received replication information from a number of domain controllers within the configured latency interval.
Latency Interval (Hours):
24
Number of domain controllers in all sites:
1
Number of domain controllers in this site:
1
The latency interval can be modified with the following registry key.
Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)
To identify the domain controllers by name, install the support tools included on the installation CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest. The command is "repadmin /showvector /latency <partition-dn>".
This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
FSMO Role: CN=Schema,CN=Configuration,DC=Holiday,DC=ecb,DC=co,DC=za
User Action:
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors. Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on support.microsoft.com .
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
system log
The dynamic registration of the DNS record '_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.Holiday.ecb.co.za. 600 IN SRV 0 100 389 ecbwebdc.Holiday.ecb.co.za.' failed on the following DNS server:
DNS server IP address: 196.35.64.120
Returned Response Code (RCODE): 5
Returned Status Code: 9017
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: DNS bad key.
18 years 2 months ago #17033
by Smurf
Replied by Smurf on topic Re: Can not acces shared folder on server (Urgent help)
That's very interesting because you only have the one domain and I have only seen these errors when replicating between multiple domain controllers.
It does appear that the issue may be related to DNS. Can you confirm that DNS is working OK from the server?
If you try nslookup from the server and enter the FQDN name for your domain to see if it comes back with the domain controller. Also, are the reverse pointers configured OK?
"dos prompt
type nslookup --> press enter
type domainname --> press enter (where domain name is your active directory domain)"
It should come back with all domain controllers registered in that domain (in your case the one).
We need to ensure that DNS isn't coming up with any errors before we can progress this one any further.
It's worth installing the support tools also.
Cheers
Wayne
18 years 2 months ago #17038
by chandak76
Replied by chandak76 on topic Re: Can not acces shared folder on server (Urgent help)
That seems fine,
nslookup -->
Server:DNS Server
Address:DNS ip address
Domainename -->
Server:DNS Server
Address:DNS ip Address
Name: Domainname
I've just discovered that there is another machine running Windows 2000 Server with the same domain name on the network, that was used before upgrading to Server 2003, but they say this problem only started 10 months after. I can not remove this server because it's the SQL server. It's also the alternate DNS. Could that be causing the problem?
18 years 2 months ago #17040
by Smurf
Replied by Smurf on topic Re: Can not acces shared folder on server (Urgent help)
Hi,
Is this Windows 2000 server a Domain Controller? It could cause issues, however the main way that Windows 2003 does name resolution is now with DNS (although even with Exchange 2003 it does rely on NetBIOS still, so we have to update our LMHost files for subdomains in our AD structure).
If DNS is somehow not working correctly, it will resort to NetBIOS and as such get the servers mixed up.
If you install the support tools and run DCDiag, see if that fails. You are best to pipe the output to a text file as it'll scroll down the dos window.
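Added example, not part of the original thread: a PowerShell version of the nslookup check described above, run against each DNS server the domain controller uses (including the alternate one mentioned in the thread), covering the SRV record from the system log and the forward and reverse records for the DC. It assumes a workstation with `Resolve-DnsName` (Windows 8 / Server 2012 or later); the `_msdcs` record names and the alternate DNS address placeholder are not from the thread.

```powershell
# Added example: ask each DNS server the DC uses for the records clients
# need to locate it, and flag where the answers differ.
$Domain     = 'Holiday.ecb.co.za'            # from the event text in the thread
$DcHost     = 'ecbwebdc.Holiday.ecb.co.za'   # from the event text in the thread
$DnsServers = @('196.35.64.120', '<alternate-dns-ip>')  # second entry is a placeholder

$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",          # standard DC locator record (assumed)
    "_kerberos._tcp.dc._msdcs.$Domain",      # standard DC locator record (assumed)
    "_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.$Domain"  # failed in the log
)

function Get-RecordData {
    param([string]$Name, [string]$Type, [string]$Property, [string]$Server)
    # Emits the requested property of each matching record; emits nothing
    # when the server refuses, times out, or has no such record.
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type } |
            ForEach-Object { ([string]$_.$Property).TrimEnd('.') }
    } catch { }
}

function Get-Status {
    param([object[]]$Answers, [string]$Expected)
    if ($Answers -contains $Expected) { 'OK' } elseif ($Answers.Count) { 'POINTS ELSEWHERE' } else { 'MISSING' }
}

function Test-DcDnsRecords {
    param([string]$Server)
    foreach ($name in $SrvNames) {
        $targets = @(Get-RecordData $name 'SRV' 'NameTarget' $Server)
        [pscustomobject]@{ Server = $Server; Check = "SRV $name"
            Status = Get-Status $targets $DcHost; Answer = $targets -join ', ' }
    }
    # Forward lookup of the DC, then the reverse pointer for each address returned.
    $ips = @(Get-RecordData $DcHost 'A' 'IPAddress' $Server)
    [pscustomobject]@{ Server = $Server; Check = "A $DcHost"
        Status = $(if ($ips.Count) { 'OK' } else { 'MISSING' }); Answer = $ips -join ', ' }
    foreach ($ip in $ips) {
        $ptr = @(Get-RecordData $ip 'PTR' 'NameHost' $Server)
        [pscustomobject]@{ Server = $Server; Check = "PTR $ip"
            Status = Get-Status $ptr $DcHost; Answer = $ptr -join ', ' }
    }
}

$DnsServers | ForEach-Object { Test-DcDnsRecords -Server $_ } |
    Format-Table Server, Check, Status, Answer -AutoSize -Wrap
```

A check that is OK on one server and MISSING or POINTS ELSEWHERE on the other means clients get a different answer depending on which DNS server they reach.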