server lockdown

Discussion in 'Networks' started by michael78, Feb 7, 2006.

  1. michael78

    michael78 Terabyte Poster

    Guys, there's been a big balls-up where I work: our main Domain Controller has locked itself down and won't allow anyone to log into it. No accounts were deleted and we aren't sure why this has happened.

    Does anyone know of a way to get around this, or a cause of why this may have happened?



    Cheers in Advance

    Michael
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    When you say "locked up" I'm assuming that you mean it has somehow had some security applied to it that has changed something?

    You have tried just unplugging the power to it and rebooting it, haven't you?

    Need more info - What OS, are there other DCs, etc?
     
  3. michael78

    michael78 Terabyte Poster

    Simon, it's a Windows 2000 server that seems to have locked down all permissions and won't allow anyone to access the OS to gain control. The lads I work with say they haven't touched it, and it's hosted offsite. We did power it off and on again, removing the plug as well. We are sorta screwed as it's our master of operations server... :eek:
     
  4. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Can't you assign the FSMO roles to other DCs?

    At least then you're giving yourself some leverage.
     
  5. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    What is the exact message that you get when you try to log on?
     
  6. michael78

    michael78 Terabyte Poster

    It says can't log on interactively.
     
  7. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    That sounds as though you don't have the permissions to (duh! State the obvious, Simon!)

    Are you trying to log in as the Domain Administrator?

    You say that this DC is not local to you; can someone who is local to it try logging on? It may simply be a problem with the VPN, Terminal Services, or however you access the DC normally.
     
  8. michael78

    michael78 Terabyte Poster

    Simon, it's hosted at a nearby site; the lads have been onsite to try everything. We have full admin rights but something has caused it to lock down the server. As it stands we might have to rebuild the whole company's network as it won't allow the policies to be migrated onto another server. That's 9 sites across the UK... :blink
     
  9. Pablo1888

    Pablo1888 Byte Poster

    Hi Slypie,

    I think I had the same problem you mention with a home lab I had set up. I couldn't log in to the DC interactively. You have to use a program which comes with the W2K Resource Kit called ntrights.exe. I had a copy but I don't have it anymore. Here's a link that might help you also.
     
    Certifications: MOUS Master, MCP 70-210, A+
    WIP: CCNA
  10. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?


    FOOOOOOK!!!!!! :eek:

    I hope Pablo1888's link can help you then. :blink
     
  11. michael78

    michael78 Terabyte Poster

    Cheers for the help guys. I've tried the ntrights program without any luck. It looks like we are well and truly screwed. Methinks I need a change in career... :D
     
  12. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Seems rather strange to me though that a server can automatically change its security policies.

    Do you not have any backups of the system state? Can you not perform a restore from an earlier time?
     
  13. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    slypie,

    do you have the admin tools installed on a workstation, and can you currently still successfully administer the domain with the appropriate account? if so, then you would only need to rebuild the server in the worst case, not the entire network.

    someone asked if you tried to log on as domain admin. you answered you had full admin rights. that's not quite the same. so, is it a (or the) domain admin account that is locked out? if so, are there other accounts that are members of the domain admins group, and have you tried them? have you tried the same account, or the same other domain admin accounts, on other domain controllers? again, if so, then you would only need to rebuild the server in the worst case, not the entire network.

    you said "it won't allow the policies to be migrated onto another server". i'm not sure what that means, let alone what it has to do with transferring the fsmo roles. the roles are to be seized. the server has nothing to allow or disallow. it can be completely down, and the roles can still be seized by another domain controller.
     
  14. michael78

    michael78 Terabyte Poster

    The domain server that has died is our master of operations domain controller. I don't understand what has happened with it locking down the security. Unfortunately my manager for some reason demoted our Newcastle server, screwing the Newcastle office up. We can't promote the server as our main domain controller is screwed. I feel like throttling my manager as it's caused a lot of crap for us all and a lot of work.

    Either someone has been messing with the server (it's hosted at an external site not managed by us) or they have been hacked. Potentially we might have to rebuild 20+ servers and re-add 250 clients across 9 sites...:cry:
     
  15. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Slypie, when you say that the server is your "master of operations domain controller" can you clarify a bit more on that?

    It's a term that I've never heard before; yeah, I'm familiar with the FSMO roles, but as d-Faktor said these can be reassigned.

    Are you saying that you don't have another DC in the network?
     
  16. MarkN

    MarkN Nibble Poster

    Slypie

    Hello -

    How many DCs have you in the domain?

    The interactive logon issue could be due to:

    1. Group policy - there is a setting for "log on interactively"
    2. Someone has applied a security template (.inf) file

    Given you can't log on, have you tried installing the admin tools locally and running dsa.msc to connect to a DC and looking at the policies for the server - can you run RSOP against the server?

    When your lads went on site did they try and log on locally?

    Mark
     
    Certifications: MCSE NT4\W2K,CNE,CCEA,ASE
    WIP: CCNA
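Pablo1888's ntrights suggestion and MarkN's two candidate causes (a GPO or a security template that changed the "log on locally" user right) both come down to one question: who currently holds SeInteractiveLogonRight on that machine? The script below is an added example, not code from the thread or any of its posters; it answers that question from secedit's own policy export and then points at RSOP if Administrators are missing. The export path C:\Temp\rights.inf and the report path C:\Temp\rsop.html are assumptions.

```powershell
# Added example, not from the thread: export the effective user-rights assignment with
# secedit and check whether Administrators still hold the interactive logon right.
# Assumption: the export path below is writable; run this on the affected DC
# (or copy the .inf over from it and skip the secedit call).
$inf = 'C:\Temp\rights.inf'
New-Item -ItemType Directory -Path (Split-Path $inf) -Force | Out-Null
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export is INI-style; user rights sit under [Privilege Rights] as
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,...
# Entries starting with '*' are SIDs, anything else is a literal account name.
$line = Get-Content -Path $inf | Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' }

function Resolve-RightEntry([string]$entry) {
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # orphaned or unresolvable SID: keep it visible rather than hide it
    }
}

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-RightEntry $_ }
}

'Accounts allowed to log on locally:'
$holders

if ($holders -notcontains 'BUILTIN\Administrators') {
    Write-Warning 'Administrators are not granted SeInteractiveLogonRight on this machine.'
    # A local change (ntrights, Local Security Policy) is overwritten at the next policy
    # refresh if a GPO sets this right, so find the GPO or template that set it first.
    gpresult /scope computer /h C:\Temp\rsop.html
}
```

The last point is the likely reason ntrights "didn't work" in the thread: `ntrights -m \\DC01 -u Administrators +r SeInteractiveLogonRight` (DC01 being a placeholder name) does grant the right, but a Default Domain Controllers Policy or an imported security template that omits Administrators will take it away again within the refresh interval, so the fix has to be made in the policy that wins in RSOP. On the Windows 2000 box discussed in the thread, `gpresult /h` is not available; the Resource Kit gpresult or the RSoP MMC snap-in gives the same answer.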
  17. MarkN

    MarkN Nibble Poster

  18. michael78

    michael78 Terabyte Poster

    It's our main domain controller that all our other domain controllers are controlled from.
     
  19. michael78

    michael78 Terabyte Poster

  20. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    there is no such thing in active directory. all domain controllers are equal, although one is a bit more equal than the others. :blink
    the only thing that can differentiate that domain controller from the others is based on the fsmo roles, and you don't need that domain controller to transfer those.

    [edit] i might add that i (we) have asked a couple of questions, and you didn't answer them. it's difficult to help you if you don't help us help you.
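d-Faktor's point in this post and in post 13, that the FSMO roles can be seized onto a surviving DC without any cooperation from the dead holder, as an added example that is not part of the thread. In the Windows 2000 era this was done interactively in ntdsutil; the script below uses the ActiveDirectory PowerShell module, which needs RSAT and a Server 2008 R2 or later DC to talk to. The survivor name DC02 is an assumption.

```powershell
# Added example, not from the thread: record the current FSMO holders, then move all five
# roles to a surviving DC. With -Force the cmdlet attempts a normal transfer and, if the
# current holder cannot be contacted, seizes the role instead.
# Assumption: 'DC02' is a healthy, writable DC that you can still administer.
Import-Module ActiveDirectory

$survivor = 'DC02'
$allRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Forest-wide roles are on the forest object, domain-wide roles on the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'
Get-FsmoHolders | Format-List

Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole $allRoles -Force -Confirm:$false

'After:'
Get-FsmoHolders | Format-List

# The seizure is written on the survivor only; replication carries it to the other DCs.
# Confirm nothing is stuck before doing anything else with the domain.
repadmin /replsummary
```

Two things follow from the seizure that the thread does not spell out. The dead DC must never be brought back onto the network in its old state, because it still believes it holds the roles; it is rebuilt after its account is removed with ntdsutil metadata cleanup. And seizing fixes the roles, not the logon problem: the FSMO holder was unreachable because of a user-rights change, so the same check belongs on the survivor before it is trusted with the roles.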
     
