server lockdown

Discussion in 'Networks' started by michael78, Feb 7, 2006.

  1. MarkN

    MarkN Nibble Poster

    79
    3
    15
    ok - no probs

    Can you get to the group policy that is being applied to the server, I have seen this a couple of times in the past, nearly always policy based, have you tried this

    http://support.microsoft.com/?kbid=234237

    Are there any other problems other than the log on issue, can you open mmc snap-ins targeted at the server etc etc?

    What is set in this location:
    Administrative Tools>Domain Controller Security Policy>Security Settings>Local Policies>User Rights Assignment>Policy>Log on Locally>

    It would be nice to see which groups (if any) have access

    If it is due to a security template being applied with unwanted effects you can reset the settings here http://technet2.microsoft.com/WindowsServer/en/Library/bcfa2788-4b48-4868-b711-b87cace5179b1033.mspx

    Let us know how you get on

    Mark
     
    Certifications: MCSE NT4\W2K,CNE,CCEA,ASE
    WIP: CCNA
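MarkN's question above is which groups hold the "Log on locally" right in the Domain Controller Security Policy. As an added example (not part of MarkN's post or the thread), the PowerShell below reads that right, `SeInteractiveLogonRight`, straight out of the Default Domain Controllers Policy template on SYSVOL, so it can be checked from any working DC or workstation without logging on to the locked box. `$Domain` is a placeholder; the GUID is the well-known one for the Default Domain Controllers Policy, and if a different GPO is linked to the Domain Controllers OU, `$GptTmpl` has to point at that one instead. The SID lookup table and the offline sample template are constructed.

```powershell
# Added example, not from the thread: list who holds 'Log on locally' on the DCs
# by parsing the Default Domain Controllers Policy template on SYSVOL.
$Domain  = 'corp.example.com'   # placeholder: the AD DNS domain name
$GptTmpl = "\\$Domain\SYSVOL\$Domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# Well-known SIDs that appear in this right on a DC by default (constructed lookup table).
$KnownSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-548' = 'BUILTIN\Account Operators'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'
    'S-1-5-32-550' = 'BUILTIN\Print Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

function Get-UserRight {
    # Return the comma-separated entries of $Right from the [Privilege Rights] section.
    param([string[]]$Lines, [string]$Right)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match "^$Right\s*=\s*(.*)$") {
            # SIDs are written as *S-1-..., names as plain text
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()   # right not defined in this template: the default or another GPO applies
}

function Resolve-Principal {
    # Turn a *S-1-... entry into a readable name; fall back to the raw SID.
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-.*)$') { return $Entry }
    $sid = $Matches[1]
    if ($KnownSids.ContainsKey($sid)) { return $KnownSids[$sid] }
    try {
        return (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { return $sid }   # domain SID that cannot be resolved from this machine
}

if (Test-Path $GptTmpl) {
    $lines = Get-Content $GptTmpl   # GptTmpl.inf is UTF-16 with a BOM; Get-Content handles it
} else {
    # Constructed sample so the script runs offline; the shape matches a real GptTmpl.inf
    $lines = @(
        '[Unicode]', 'Unicode=yes',
        '[Privilege Rights]',
        'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551',
        'SeShutdownPrivilege = *S-1-5-32-544'
    )
}

$holders = @(Get-UserRight -Lines $lines -Right 'SeInteractiveLogonRight')
if ($holders.Count -eq 0) {
    Write-Host "SeInteractiveLogonRight is not defined in this template"
} else {
    Write-Host "Log on locally is granted to:"
    $holders | ForEach-Object { Write-Host ("  " + (Resolve-Principal $_)) }
}
# An empty list, or one missing BUILTIN\Administrators, matches the symptom in this
# thread: nobody can log on interactively once the policy applies to the DC.
```

The same parser works for any other right in the template (`SeDenyInteractiveLogonRight` is the other one worth checking, since a deny entry wins over an allow).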
  2. michael78

    michael78 Terabyte Poster

    2,085
    29
    141
    sorry d-faktor, my head is fried at the mo. We are all admins and all have admin rights on our accounts. We have tried all our passwords and our generic admin password.

    As I understand it the reason we can't re-add Newcastle's DC is because it can't find the domain, which it would do from our locked down server. Our network is set up shite (years before I joined :blink ) and all the other 9 DCs only interact with the locked down server which routes all our email.

    Sorry guys I'm drained at the mo, been a really bad day due to my manager destroying the Newcastle server because he can't be arsed to discuss things with us, he just goes ahead and does it.

    As for the domain policies they haven't been changed and the logon interactively policy hasn't been modified either.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  3. MarkN

    MarkN Nibble Poster

    79
    3
    15
    Slypie - apologies if these are basic questions that you have already gone through - just starting at the bottom and working up.

    What error do you get when trying to add the Newcastle server?


    Do any of the other 9 DCs have DNS installed? If so they will have a copy of the AD Integrated zone for the domain. Does the Newcastle server point to the problem one for DNS? If the zone appears on another DNS server can you point the Newcastle server to it?
     
    Certifications: MCSE NT4\W2K,CNE,CCEA,ASE
    WIP: CCNA
  4. MarkN

    MarkN Nibble Poster

    79
    3
    15
    Re-reading the posts, it may be due to the FSMO role holder not responding if the roles are on the problem box. Assuming you have DNS elsewhere you would have to seize the roles on another DC and then try adding the Newcastle box.
     
    Certifications: MCSE NT4\W2K,CNE,CCEA,ASE
    WIP: CCNA
  5. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    no probs, slypie. i know how it is.
    i agree with markn. let's start from the beginning. in addition to markn's questions, i have a couple more, and it would help if you just answer them yes or no. that would already give us some insight.

    - are the accounts that have been tried domain admins. i understand that they are admin accounts, and that they have admin rights, but are they domain admins?
    - are you able to logon, using one of the aforementioned accounts, on one of the other domain controllers?
    - do you have wins and/or dns running on the locked down server?
    - do you have wins and/or dns running on other servers?
    - do you have the admin tools (active directory users and computers, active directory domains and trusts, active directory sites and services, dns manager, wins manager) installed on a workstation that you can access?
     
  6. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Has anyone tried rebooting it, hitting F8 and choosing *Last Known Good*?

    This has worked for me a few times when users have been locked out of XP for no good reason, just a glitch.

    Last known good only works if you haven't been able to log in. I presume that is the case here?

    As has been said, all domain controllers in a W2K domain are peers (multi-master). They all hold a writable copy of the active directory database and they replicate all changes to sysvol to each other depending on the settings in AD Sites and Services. If you have to blow away the box and start again, you should be able to restore the AD database from system state backup and replication from another server. You might want to temporarily move the newly built DC to the same location as an existing DC in the same domain, if you don't have fast WAN links in place.

    First though, you need to seize any FSMO roles that the server currently holds.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  7. michael78

    michael78 Terabyte Poster

    2,085
    29
    141
    Guys a BIG thanks for your help. We are rebuilding our Newcastle network and are going to have two networks for now to get everyone back up and running then start switching the other networks over little by little.

    Personally I think we were hacked as the server is hosted offsite and this is a strange thing to happen that the server just locks down.

    Not one of my best days but it's things like this that you learn lessons from and what I've learned is to not have servers offsite that we don't monitor...:blink

    Again guys cheers for all the help...:biggrin
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  8. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,205
    136
    199
    Well, I suppose you have learnt from the experience!

    Just out of interest though, why was the server located offsite in the first place? Was this the only one that was located off site?
    Just seems strange to me, I could understand it if all of the servers were offsite, but only one of them? :blink
     
  9. michael78

    michael78 Terabyte Poster

    2,085
    29
    141
    Simon, before I joined we used to get all of our IT equipment from this company and they hosted our mail router at their data centre. It's an agreement that they made way before my time. I personally can't see why this was done as they don't really manage the server and it causes all sorts of problems for us.

    The IT director at the time (a total tosser who I don't get on with) wouldn't allow us to bring the server back onsite and now I feel we are paying for it.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  10. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    shame, i think you would have learnt so much more had you and your colleagues been able to spend more time on trying to solve the problem at hand. by building a second network you are solving the situation, not the problem, and you have gained little technical experience.
    but i understand the need and the pressure to minimize the impact on the users and/or business. we have all been there.
     
  11. Pablo1888

    Pablo1888 Byte Poster

    119
    0
    19
    Sorry to hear that my link wasn't any help.
     
    Certifications: MOUS Master, MCP 70-210, A+
    WIP: CCNA
  12. eyeball

    eyeball Nibble Poster

    82
    3
    0
    My couple of coppers to add:

    We had a similar problem;

    Our security officer (someone who does not have a clue about normal life let alone security (but that is another matter!)) decided to run a dictionary attack on our domain controller. He got a list of the users...initiated this attack....you guessed it....the accounts started locking out, from A to Z.

    Luckily, we have some people with funny names in our office...names starting low down on the alphabet. We could log in with their accounts.

    This makes me think that maybe something similar has happened to you.

    Have you tried logging in with an Enterprise admin account?

    Do you know the username of the original (built-in) admin account? If so, try something along the lines of Passware or the like (http://www.lostpassword.com/windows-xp-2000-nt.htm) which resets the password (you go into W2000 setup and press F6 when prompted).

    To be honest, I doubt this is your problem...just another idea for you to try!
     
    Certifications: A+, Network +, MCSA
    WIP: CCNA, MCSE+security
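Eyeball's story above is a lockout storm: one machine walks a user list and the lockout policy locks every account in turn, alphabetically, until the admins are locked out too. As an added example from the defender's side (not part of eyeball's post), the PowerShell below detects that pattern in lockout events. Windows 2000 and 2003 record each lockout as Security event ID 644, whose "Caller Machine Name" field names the machine that sent the bad passwords; on a live DC the events would come from `Get-EventLog -LogName Security -InstanceId 644`. The events used here are constructed, and the function name, field names and thresholds are the example's own.

```powershell
# Added example, not from the thread: flag a burst of account lockouts, and note
# whether the locked accounts arrive in alphabetical order (one source walking a list).
function Test-LockoutStorm {
    param(
        [Parameter(Mandatory = $true)] $Events,   # objects with Time, Account, Source
        [int]$WindowMinutes = 5,                  # sliding window to examine
        [int]$Threshold = 5                       # lockouts within one window that alert
    )
    $sorted = @($Events | Sort-Object Time)
    $alerts = @()
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $start = $sorted[$i].Time
        $burst = @($sorted | Where-Object {
            $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes)
        })
        if ($burst.Count -ge $Threshold) {
            $names       = @($burst | ForEach-Object { $_.Account })
            $sortedNames = @($names | Sort-Object)
            $alerts += New-Object PSObject -Property @{
                Start        = $start
                Count        = $burst.Count
                Sources      = (@($burst | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ',')
                Alphabetical = (($names -join ',') -eq ($sortedNames -join ','))
            }
            break   # the first qualifying burst is enough to raise the alarm
        }
    }
    return $alerts
}

# Constructed sample: six lockouts in just over three minutes from one workstation,
# A to F in order, then one unrelated lockout two hours later.
$base = Get-Date '2006-02-07 09:00:00'
$rows = @(
    @('aadams',  0,    'WKS017'),
    @('abrown',  40,   'WKS017'),
    @('bclark',  75,   'WKS017'),
    @('cdavis',  110,  'WKS017'),
    @('devans',  150,  'WKS017'),
    @('efoster', 190,  'WKS017'),
    @('zwright', 7200, 'WKS042')   # an ordinary, isolated lockout
)
$events = $rows | ForEach-Object {
    New-Object PSObject -Property @{
        Time    = $base.AddSeconds($_[1])
        Account = $_[0]
        Source  = $_[2]   # 'Caller Machine Name' field of event 644
    }
}

$storm = Test-LockoutStorm -Events $events
if ($storm) {
    # Expected for the sample: Count 6, Sources WKS017, Alphabetical True
    $storm | Format-List Start, Count, Sources, Alphabetical
} else {
    Write-Host "no lockout storm in the sample window"
}
```

The `Sources` field is the actionable part: a storm with a single caller machine points at the box sending the guesses, which is what to isolate first. `Alphabetical` is only a hint, because events from several DCs will not always arrive in list order. The mitigation side is the lockout policy itself: a low Account Lockout Threshold with a long or indefinite Lockout Duration turns a password-guessing attempt into a denial of service against the administrators, which is exactly what happened in eyeball's office.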
  13. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Eyeball, when you promote a Windows 2000 server to a domain controller, you no longer have access to local accounts, you can only log into the domain accounts and they are stored in Active Directory, not the local SAM.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  14. supag33k

    supag33k Kilobyte Poster

    461
    19
    49
    Well I have seen something similar where a DC is demoted and it does not demote cleanly...you end up with a split horizon DNS.

    What you have to do is:


    1. Verify DNS and use replmon to verify AD replication.
    2. Demote the controller.
    3. Verify replication and DNS.
    4. If the DC does not demote cleanly, do a metadata cleanup using ntdsutil....
    http://support.microsoft.com/default.aspx?scid=KB;en-us;Q216498
    5. If it does not work after that, reset the machine account and reboot...
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260575

    Note that...
    http://support.microsoft.com/?kbid=234237
    ...has to be setup before hand and is of limited value if the machine account is hosed....

    I would have formatted the offending server [as long as not a file server also], rebuilt it, seized FSMO roles [PDC emulator], done a metadata cleanup elsewhere and reinstalled/recovered the server only.

    A FSMO seize of the roles from another DC means that either you rebuild your network and DCs from scratch or just format the crook DC first.

    Yes - I have also worked with useless IT management before, so hang in there buddy.
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
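MarkN, Bluerinse and supag33k all converge on the same recovery: check DNS and replication from a surviving DC, seize the FSMO roles there, do a metadata cleanup for the dead DC, and only then rebuild it. As an added example that is not the thread's own procedure, the PowerShell below strings those steps together from an administrative session on the surviving DC. `$Domain`, `$GoodDc` and `$DeadDc` are placeholders; the tools assumed are `nslookup`, the Support Tools `dcdiag`, `repadmin` and `netdom`, and `ntdsutil`. `ntdsutil` is interactive, so its two sessions are shown as the prompts to type rather than executed by the script.

```powershell
# Added example, not from the thread: recovery steps run from a surviving DC.
$Domain = 'corp.example.com'   # placeholder: the AD DNS domain
$GoodDc = 'DC2'                # placeholder: healthy DC that will take the roles
$DeadDc = 'DC1'                # placeholder: the locked-down DC being removed

# 1. DNS: the SRV records the other DCs use to find a DC must resolve from a
#    server other than $DeadDc, or nothing can join or replicate (MarkN's question).
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $GoodDc

# 2. Replication health between the surviving DCs (replmon is the GUI equivalent).
dcdiag "/s:$GoodDc" /test:replications
repadmin /showreps $GoodDc

# 3. Which DC holds each FSMO role. If $DeadDc appears, the roles have to be
#    seized; a transfer needs the old holder online. A DC whose roles were seized
#    must never come back on the network as it was; it gets formatted and rebuilt.
netdom query fsmo

# 4. Prompts to type in ntdsutil on $GoodDc to seize every role. Each 'seize'
#    attempts a clean transfer first and only seizes when that fails.
$seizeRoles = @"
ntdsutil
roles
connections
connect to server $GoodDc
quit
seize schema master
seize domain naming master
seize RID master
seize PDC
seize infrastructure master
quit
quit
"@

# 5. Metadata cleanup (the KB216498 procedure) removes $DeadDc's NTDS Settings
#    object so a rebuilt box with the same name can be promoted cleanly. The
#    numbers after 'select' come from the preceding 'list' output; '0' is only
#    right when $DeadDc's domain, site and server are listed first.
$metadataCleanup = @"
ntdsutil
metadata cleanup
connections
connect to server $GoodDc
quit
select operation target
list domains
select domain 0
list sites
select site 0
list servers in site
select server 0
quit
remove selected server
quit
quit
"@

Write-Host "--- type the following at the ntdsutil prompts on $GoodDc ---"
Write-Host $seizeRoles
Write-Host $metadataCleanup

# 6. Afterwards: delete $DeadDc's stale DNS records (A, the CNAME under _msdcs, SRV),
#    its computer object in the Domain Controllers OU and its server object in AD
#    Sites and Services, then confirm the roles before re-promoting the rebuilt box.
dcdiag "/s:$GoodDc" /test:fsmocheck
```

The order matters: seizing before the DNS and replication checks pass risks seizing onto a DC that itself has a stale copy of the directory, and skipping the metadata cleanup is what leaves the "split horizon" DNS and duplicate server objects supag33k describes.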
  15. supag33k

    supag33k Kilobyte Poster

    461
    19
    49
    That is so funny I have worked with an !d!07 rather like that in Security...

    Note that I don't think his DC was hosed due to hostile action, as the local policy is not accessible on a DC and if the domain controller policy was hosed then none of his DCs would work....

    Another possibility with a remote DC is that the AD and DNS was hosed for a few weeks [comms/firewall issue maybe??] - or as a result of the other DC being demoted. Therefore the accounts on the DC could have tombstoned after the default period or once again resulted in a disjointed/split horizon DNS.
     
    Certifications: MCSE (NT4/2000/2003/Messaging), MCDBA
    WIP: CCNA, MCTS SQL, Exchange & Security stuff
  16. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Slypie,

    After reading this thread I have to ask, was this problem DC the DC for an empty root domain in a forest that has multiple levels of child domains? Is that why you had to rebuild your entire AD structure rather than just seizing the FSMO roles?

    If not it seems as if you went through a lot of unnecessary work when you rebuilt your entire Domain structure.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
