Cannot Login to Read Only Domain Controller

One of my Read Only Domain Controller servers shut down unexpectedly due to a power outage and now I cannot log in to it anymore. When the server powered on again, it came up with an error regarding one of the hard drives failing (RAID1).
I get a message Access is Denied when I try to log in with one of my domain admin accounts. As it is a RODC, there are no local accounts for me to use. The RODC is running on Windows Server 2008 R2. The server is also running as a DHCP/Print/File server for the office so these are not working either.
I checked my PDC and it is coming up with the following error in the event viewer:
Log Name: System
Source: Security-Kerberos
Event ID: 4
Level: Error
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rodc01$. The target name used was domain/rodc01.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
I have tried to reset the computer password with netdom but I get the following error:
netdom resetpwd /server:rodc01 /userd:administrator /passwordd:*
The machine account password for the local machine could not be reset.
Logon Failure: The target account name is incorrect.
The command failed to complete successfully.
If I try to reset the password using the IP address instead, I get the following error:
netdom resetpwd /server:192.168.10.1 /userd:administrator /passwordd:*
The machine account password for the local machine could not be reset.
Access is denied.
The command failed to complete successfully.
I checked my AD and DNS and the rodc object is present.
If I run repadmin /replsum on the PDC I get the following message for the faulty RODC server:
Experienced the following operational errors trying to retrieve replication information:
        8341 – rodc01.domain.local
Any advice is appreciated
Thanks
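The Event ID 4 text quoted above names two causes that a defender needs to tell apart: the SPN is registered on an account other than the one the service runs as, or the server's account password has diverged from what the KDC holds. Added here as a worked example, not code from this thread or from Microsoft: a small Python triage that parses messages in that event's format and groups them per reporting server account. The sample messages are constructed (the first copies the event text from the question), and the function names and triage labels are this example's own heuristic, derived only from the wording of the event.

```python
import re
from collections import Counter, defaultdict

# Constructed sample messages in the shape of Security-Kerberos Event ID 4.
# The first reproduces the event text from the question above (with "..."
# where the fixed boilerplate was shortened); the rest are made up here to
# exercise the parser and the triage logic.
SAMPLE_EVENTS = [
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rodc01$. "
    "The target name used was domain/rodc01.domain.local. This indicates that the target "
    "server failed to decrypt the ticket provided by the client. ... If the server name is "
    "not fully qualified, and the target domain (domain.local) is different from the client "
    "domain (domain.local), check if there are identically named server accounts in these "
    "two domains, or use the fully-qualified name to identify the server.",
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rodc01$. "
    "The target name used was cifs/rodc01.domain.local. ...",
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server webfarm01$. "
    "The target name used was HTTP/intranet.domain.local. ...",
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv02$. "
    "The target name used was host/srv02. ... the target domain (child.domain.local) is "
    "different from the client domain (domain.local), check ...",
    "Unrelated event text that should be ignored.",
]

# "... from the server rodc01$. The target name used was domain/rodc01.domain.local."
EVENT_RE = re.compile(
    r"received a (?P<code>KRB_AP_ERR_[A-Z_]+) error from the server "
    r"(?P<server>\S+?)\.(?=\s|$)\s+The target name used was (?P<target>\S+?)\.(?=\s|$)"
)
# "... the target domain (domain.local) is different from the client domain (domain.local)"
DOMAIN_RE = re.compile(
    r"target domain \((?P<target_domain>[^)]+)\) is different from the client domain "
    r"\((?P<client_domain>[^)]+)\)"
)


def parse_event(text):
    """Extract the fields of a Security-Kerberos Event ID 4 message.

    Returns None when the text is not a KRB_AP_ERR_* client-side event.
    """
    m = EVENT_RE.search(text)
    if not m:
        return None
    service, _, host = m.group("target").partition("/")
    d = DOMAIN_RE.search(text)
    return {
        "code": m.group("code"),
        "server": m.group("server"),   # account the client reports, e.g. rodc01$
        "target": m.group("target"),   # SPN as used, e.g. domain/rodc01.domain.local
        "spn_service": service,
        "spn_host": host,
        "target_domain": d.group("target_domain") if d else None,
        "client_domain": d.group("client_domain") if d else None,
    }


def classify(ev):
    """Map one parsed event to the cause from the event text that fits it best.

    Heuristic for triage only (this example's own labels); it does not replace
    checking SPN registration and the account password on the affected server.
    """
    if ev["code"] != "KRB_AP_ERR_MODIFIED":
        return "other_kerberos_error"
    account = ev["server"].rstrip("$").lower()
    host_short = ev["spn_host"].split(".")[0].lower()
    unqualified = "." not in ev["spn_host"]
    cross_domain = (
        ev["target_domain"] is not None
        and ev["client_domain"] is not None
        and ev["target_domain"].lower() != ev["client_domain"].lower()
    )
    if unqualified and cross_domain:
        # A short name that may resolve to identically named accounts in two domains.
        return "unqualified_name_cross_domain"
    if host_short != account:
        # The SPN's host part is not the reporting account: verify which account
        # actually holds this SPN before suspecting the password.
        return "check_spn_registration"
    # SPN host and account agree, so the remaining cause named in the event text
    # is a server-side password that differs from what the KDC holds.
    return "account_password_mismatch"


def triage(messages):
    """Count triage labels per reporting server account across a batch of messages."""
    per_server = defaultdict(Counter)
    for text in messages:
        ev = parse_event(text)
        if ev is not None:
            per_server[ev["server"]][classify(ev)] += 1
    return {server: dict(counts) for server, counts in per_server.items()}


if __name__ == "__main__":
    for server, counts in triage(SAMPLE_EVENTS).items():
        print(f"{server}: {counts}")
```

Run against an export of the System log, the per-server counts show which account's secret has drifted; in the thread's case every event names the same RODC account and the SPN host matches it, which is why the second cause in the event text (a stale machine account password) is the one to check first.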

Log on to the server in Directory Services Restore Mode (DSRM) using the password you supplied during DCPROMO and verify that the Active Directory database isn't corrupted on the RODC - you will most likely see indications of this in the Directory Services log.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog

Similar Messages

  • What is the difference between using the command "dsmgmt" and the "Managed By" tab when adding users to the local administrators Account on a Read-Only Domain Controller?

    When I use the "dsmgmt" command to add a user to the local administrators account of a RODC I can actually see the user when I use the "Show Role Administrators" parameter. However, I can't see the members of the group added to the "Managed By" tab of the RODC object in AD. Even so, the users added using "dsmgmt" and via the "Managed By" tab can all log in locally and have admin rights to the RODC. Are there any differences between these two ways of adding users to the local administrators account?

    Hi,
    For groups, managedBy is an administrative convenience to designate “group admins”. Whatever principal is listed in managedBy gets permission to update a group’s membership (the actual security is updated on the group’s AD object to allow this).
    In Win2008 and later managedBy also became the way you delegated local administration on an RODC, allowing branch admins to install patches, manage shares, etc. (http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx). 
    On the RODC, this is updating the RepairAdmin registry value within RODCRoles.
    So the difference between them should be only the way they do the same thing.
    For more details, please refer to the below article:
    http://blogs.technet.com/b/askds/archive/2011/06/24/friday-mail-sack-wahoo-edition.aspx
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Update Deployments not showing up on Read-Only domain controllers

    At several of my remote sites, I have a server08 machine functioning as a read-only domain controller and a server share dist point. We're using a software update point to deploy Microsoft patches and it's been working fine with the exception of the read-only domain controllers. When I run the compliance report, they correctly show that they need updates but the icon never appears. Clients at their sites are receiving updates.
    Anybody have any ideas?
    thanks!

    Yes, I know this is an old post, I’m trying to clean them up. Did you figure this out, if so how?
    http://www.enhansoft.com/

  • Prerequisite not satisfied: This product cannot be installed on a Domain controller.

    I have an English version of Lync Server... here is the translation:
    Checking prerequisites for roles...
    Checking prerequisite SupportedOS...prerequisite satisfied.
    Checking prerequisite SupportedOSNoDC...prerequisite missing.
    Checking prerequisite NoUnsupportedSqlRtcLocal...prerequisite satisfied.
    Checking prerequisite NoUnsupportedSqlRtc...prerequisite satisfied.
    Checking prerequisite WMIEnabled...prerequisite satisfied.
    Checking prerequisite NoOtherVersionInstalled...prerequisite satisfied.
    Checking prerequisite PowerShell2...prerequisite satisfied
    Prerequisite not satisfied: This product cannot be installed on a Domain controller.

    Hi,
    Lync Server cannot be installed on a domain controller. There is a workaround, but it is not supported by Microsoft:
    https://itbasedtelco.wordpress.com/2012/02/04/installing-lync-on-a-domain-controller/
    Kindly mark as a solution if my reply helped.
    thank you

  • TG4MSQL ora-28500 error on RECOVER login in READ-ONLY mode

    We're connecting from a 10.2 dbase to SqlServer2000 via TG4MSQL. No upfront problem connecting but the Oracle .trc file shows below error:
    ORA-28500: connection from ORACLE to a non-Oracle system returned this message: [Transparent gateway for MSSQL][Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'RECOVER'. (SQL State: 00000; SQL Code: 18456)
    Below is the content of .ora file:
    HS_FDS_CONNECT_INFO=INETSQL3.ComPro
    HS_FDS_TRACE_LEVEL=OFF
    HS_FDS_TRANSACTION_MODEL=READ_ONLY
    We are using READ-ONLY mode so the RECOVER login was not defined on SqlServer.
    Anyone know why TG4MSQL is trying to open a connection as RECOVER? And is there a way to stop it?

    Pending transactions turned out to be the culprit. Below is info from our TAR that provides some detail on what RECOVER is doing.
    Oracle handles all transactions as if they were distributed transactions. It takes a very conservative approach on the assumption that you may want to update or insert later. This has been like this since Oracle version 6 and will never change. Hence all transactions get handled as distributed transactions even though there are no simultaneous updates. A common remote transaction would involve reading from SQL Server and then taking that data and inserting it into an Oracle database. In the event a transaction gets aborted for some reason, RECO must roll back the transaction. SQL Server requires a valid username/password and hence uses the recovery username/password specified in the gateway init file. The default parameters for both are RECOVER if they are omitted in the init.ora file for the gateway. Obviously these do not exist on SQL Server.
    Note that this recovery process is detected and processed by the Oracle kernel. READONLY mode only prevents inserts, updates or deletes from being issued to SQL Server and nothing else. The gateway has nothing to do with handling and monitoring transactions to SQL Server. In all likelihood you have several in-doubt transactions in the dba_2pc_pending view. As long as those entries remain, RECO will continue to try and roll back these in-doubt transactions and fail each time due to an invalid username/password. This will go on until you either manually remove them or give RECO a valid SQL Server username/password to use.
    OPTION 1
    ==========
    Code the following in your gateway init.ora file:
    HS_FDS_RECOVERY_ACCOUNT=use the username specified in your db_link
    HS_FDS_RECOVERY_PWD=use the password specified in your db_link
    OPTION 2
    ==========
    Define a username with password RECOVER on the SQL Server database you are connecting to
    OPTION 3 (Manually removing in doubt transactions)
    ================
    Use dbms_transaction.purge_lost_db_entry(local_tran_id)
    STATUS should be in collecting
    Please see Metalink
    Note.126069.1 Ext/Pub Manually Resolving In-Doubt Transactions Different Scenarios
    for detailed information

  • Cannot put in read-only the vendor screen - Authorization

    Hi all,
    I would like a role to display in read-only mode the vendor (business partner) screen (BBPMAININT).
    I assigned the BBP_PD_VL and BBP_VEND authorization objects with the 'display' attributes but the user still has 'edit' rights on the vendor profile.
    What am I missing?
    Thanks for your inputs
    chris

    Hi
    I am afraid it's not possible to make it read-only using SAP roles (using the PFCG transaction and authorization values). BBPMAININT is a Web transaction and is intended for Edit/Change/Display in the same transaction, and hence cannot be controlled via authorizations/roles.
    Anyway, try these pointers:
    Note 956723 BBPMAININT:Bus. partner display switches to maintenance mode
    Note 825199 Restricting maintenance to own data for 'ext. employees'
    How to change Field display name for bbpmainint internet service?
    Re: Creation of business partners - entries of drop down box
    Do let me know.
    Regards
    - Atul

  • Cannot login to Windows 8 Domain PC with AD account

    I have a Dell Inspiron 15Z which is joined to the domain. The laptop is running Windows 8. I am unable to log in to the computer with any domain account (even accounts that have profiles saved on this device). I can ping the DC and I am able to log in to the DC with one of the accounts via RDP, so I know the account is not locked out. Just to be safe I reset the password for the account and still it gives me the "Incorrect password or username. Try again" error.
    A little background:
    I recently did a Windows Refresh on the computer due to some software issues. After the Windows Refresh was completed I was able to log in fine. But after a while it started throwing me the above error. I reset the password and was able to log in under both accounts. Now neither account works. My domain has two domain controllers, one of which is currently offline due to hardware issues.
    I have used the lockoutstatus.exe tool to verify that the account is not locked out. I also verified that each unsuccessful attempt to log in to the domain PC does not register on the Bad Pwd Count tab. I then entered a bunch of garble for the domain account and it did register bad login attempts, so I know the domain is functioning correctly. I forced a gpupdate and I also forced a replication on the DC, still nothing.
    Any help would be greatly appreciated. I am able to login to the computer using local accounts and Microsoft accounts, but no domain accounts.

    Since you did a refresh, run Windows Update and install all updates. Try disconnecting from the domain and rejoining, and check whether the problem persists.

  • Cannot clear "Current read-only" on pass through disk

    This is not the end of the world, but it's very annoying so I'm hoping somebody can explain what's going on or perhaps suggest some additional troubleshooting.
    Here's the scenario: Server 2012 Core VM with the file services role installed and running as a role on a Server 2012 Hyper-V failover cluster. IDE 0 is a standard VHDX in clustered storage. There are 2 pass through disks on SCSI targets 1 and 2. I proceed to attempt to add a 3rd pass-through disk:
    1. Create a 750GB LUN
    2. Mask the LUN to the cluster
    3. Online the new disk on a cluster node
    4. Initialize the disk on the node
    5. Offline the disk
    6. Using Failover manager, add the disk as new Available Storage in the cluster
    7. Using Failover manager to modify the file server VM's settings, add the new storage to SCSI target 3
    8. Using diskpart on the VM, clear the readonly flag from the disk
    At this point, I was able to create a partition on the disk using new-partition with the -usemaximumsize flag, but I was unable to format it. It turns out the new partition size was 0 bytes. So I went back into diskpart and lo and behold, although the readonly flag is cleared, the "Current readonly status" on the disk is still yes.
    To test the issue, I offlined the disk in the VM, removed it from the virtual SCSI chain, removed it from cluster storage and then onlined it in the owner node. I was able to partition it, format it and create an empty folder, so it is not flagged readonly at the host or SAN.
    So I offlined it on the node and added it back to cluster available storage and then added it back to SCSI target 3 on the VM.
    Again, I removed the readonly flag from the disk and again it cleared, but the disk's "current" status remained "Yes" and I was unable to manipulate the disk.
    Stop/start vds did nothing and as this is a production server I could not restart it midday.
    So I offlined the disk in the VM and removed it from SCSI target 3, then added it to SCSI target 4. This time, when I online it in the VM and use diskpart to clear readonly, both readonly and "current" readonly clear just fine and now the pass-through disk is operating as expected alongside the other 2 pass-through disks on the server.
    Any ideas what went wrong in all this or how I can clear SCSI target 3 for another disk without having to restart the VM?

    Hi,
    If the disk that you want to add appears in Disk Management but does not appear after you click Add a disk, confirm that the disk is configured as a basic disk, not a dynamic disk. Only basic disks can be used in a failover cluster.
    The related KB:
    Add Storage to a Failover Cluster
    http://technet.microsoft.com/en-us/library/cc733046.aspx
    Adding a Pass-through Disk to a Highly Available Virtual Machine
    https://blogs.technet.com/b/askcore/archive/2009/02/20/adding-a-pass-through-disk-to-a-highly-available-virtual-machine.aspx
    Hope this helps.

  • Installed Active Directory Domain Controller on Windows Server 2008 Enterprise, can't log in to SQL Server 2008 R2

    I installed Active Directory Domain Controller on Windows Server 2008 Enterprise and now I can't log in to SQL Server 2008 R2. Before installing ADDC, I logged on to SQL Server 2008 R2 successfully; after I installed ADDC, logging on to SQL Server 2008 R2 no longer succeeds.
    I have uninstalled ADDC but I still can't log in to SQL Server 2008 R2.
    Please help me. It is a very, very big disaster!
    I think the SQL Server 2008 R2 account is lost!

    Hello,
    I strongly recommend you post the detailed error message you get when you try to connect to the SQL Server instance; it's useful for us to do further investigation.
    Microsoft recommends that you do not install SQL Server 2008 R2 on a domain controller, there are some limitations:
    You cannot run SQL Server services on a domain controller under a local service account or a network service account.
    After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.
    After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.
    SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.
    SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.
    On Windows Server 2003, SQL Server services can run under a domain account or a local system account.
    So, I would suggest you try to open up the Windows Services list and change the account for the SQL Server service.
    Regards,
    Elvis Long
    TechNet Community Support

  • Error while configuring ADC (Additional Domain Controller)

    Hello Experts,
    I am configuring an ADC (Additional Domain Controller) on a member server which is in a workgroup. While configuring the ADC on that server, I got a window saying "additional information for this domain controller", where there were three options, i.e. DNS server, Global Catalog, RODC (Read only Domain controller), and by default the first two options (DNS & Global Catalog) were checked. I kept that setting and clicked on next. Now this is showing I need to give a static IP to my adapter, but I have already given a static IP. When I unchecked the DNS button from that window it was not giving such an error. Now my question is, if I continue without checking DNS, will it give me trouble in the future? Please suggest. I am using MS2008 R2.
    Swaprakash..

    Ensure that you don't have another NIC in your server that is set to obtain an IP address from DHCP. However, even if you proceed with this warning, you will probably not have any errors later, as long as you're sure that you have a static IP assigned to your internal NIC.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Damir

  • DirectAccess Server 2012 Configuration cannot be retrieved from domain controller

    Hi everyone,
    We are using DirectAccess over Server 2012. There is just one server, no load balancing.
    Everything works fine, all clients can connect successfully and the operations status page shows all in green. Nevertheless, on the dashboard page in the configuration status section it says “Configuration for server [servername] cannot be retrieved from the domain controller.”
    I found a few hints as to what could cause this problem:
    "In my case, the RAConfigTask, a scheduled task, was not enabled on the affected WS2012 server (DA entry point in a multisite deployment). After just enabling it, the errors were gone."
    http://blog.gocloud-security.ch/2013/01/11/ws2012-directaccess-and-the-configuration-for-server-server-name-retrieved-from-the-domain-controller-cannot-be-applied-error/
    "Group Policy was filtering out my DA server from the GPO object for some reason. To fix, I opened up Group Policy Management on the domain controller and made sure that my DA server was a part of the group."
    http://www.joedissmeyer.com/2012/12/more-issues-and-solutions-for.html
    Server has no connectivity to the domain in order to update the policies. Run “gpupdate /force” on the server to force policy update. GPO replication might be required in order to retrieve the updated configuration.
    This could be because there is no writable domain controller in the Active Directory site of the Remote Access server. http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56fedb17-1274-4e1a-b2d0-fea809f0bc45
    I checked everything. Task is enabled and completed successfully, GPO is not filtered out, run gpupdate without any errors, could connect to domain controller, no errors on domain controller, domain controller is writable.
    So, I have no idea what could cause this error. Any ideas or hints?
    Thanks
    Regards
    Sebastian

    I have the exact same problem. I figured out that there was a problem with the logon as a service right:
    secpol.msc --> Local Policies --> User Rights Assignment, Log on as a service: I have NT Service\All Services
    I can access the group policy via the console just fine; I have no connectivity issues whatsoever.
    I decided to open a call with Microsoft; their suggestion .... we don't know, reinstall. So I did and here we are, same problem and no solution. It is getting frustrating...

  • Internal parameter - The report parameter is read-only and cannot be modified.

    Hello,
    We have an SSRS report that has an Internal parameter for the user that is logged in (gets the Report.User!UserID in custom code and assigns it to a parameter called Login). We would like it to remain internal as it is for security purposes - we filter data depending on whether or not the user has access. We would not like it to be accessible from the URL. The report has drill-through functionality where the user can click a link and the report is filtered on certain criteria. This seems to work fine in SSRS 2005, but since I have upgraded the report to SSRS 2012, I am getting the error on the drill-through:
    The report parameter 'Login' is read-only and cannot be modified. (rsReadOnlyReportParameter)
    The properties in Report Manager have the "Hide" option selected. Any help would be appreciated. Thanks.

    Hi Hhewson,
    In Reporting Services, if you create a hidden parameter, you can set values for it on a report URL or in a subscription definition. If you set a parameter to Internal, it is not exposed in any way except in the report definition. An internal parameter must have a default value, which can be null if the Allow null value option has been selected. Internal parameters are not configurable by the end user at run time.
    In your scenario, I suggest changing the internal parameter to a hidden parameter to check whether the issue persists.
    Reference:
    In SSRS, how does an “Internal” parameter differ from a “hidden” parameter?
    Hope this helps.
    Regards,
    Heidi Duan
    TechNet Community Support

  • Forest trust unable to find Active Directory Domain Controller

    I have two domains with a two-way forest trust. We'll call them ForestA and ForestB. They're on separate subnets. ForestA's DCs are in one physical location. ForestB's DCs are in two locations, one of which is shared with A.
    I'm unable to route traffic directly from the remote DC in ForestB to the subnet ForestA is on, so I created a new DC in ForestA that sits on the subnet ForestB uses (basically, I can't route between subnets via the wireless bridge between locations, but can within the same location).
    I found this: http://www.neomagick.net/zen/2008/11/30/using-dns-to-force-a-domain-trust-through-a-specific-domain-controller-dc/
    I followed the instructions to set the new DC in forest A to be the only one the remote DC in forest B was aware of.
    Nslookup ForestA.com resolves correctly to this DC, but I'm unable to validate the trust relationship, getting the error:
    "Windows cannot find an Active Directory Domain Controller for the ForestA.com domain. Verify that an AD DC is available and then try again."
    I'd appreciate any help.

    In the event viewer, have you found any event IDs that correspond with this error? Have you ensured all required ports are open? Is the Windows firewall correctly set up? Is the NIC properly configured?
    Statement below taken from: http://technet.microsoft.com/en-us/library/cc961803.aspx
    If you receive the following error, ERROR_NO_LOGON_SERVERS, while using the Nltest tool to query the secure channel, this is usually indicative of the inability to find a domain controller for that domain. Run nltest /dsgetdc:<DomainName> to verify whether you can locate a domain controller. If you are unable to find a domain controller, examine DNS registrations and network connectivity.
    ADDS Ports:
    http://msdn.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

  • Questions About Adding First 2012 R2 domain controller to an existing 2008 Domain

    Our current domain controllers are all running Server 2008 and are VMs in our local office. We plan to add a new domain controller and also create a new AD site. This new domain controller will be the only domain controller in the new remote site. It will also be a VM on a new 2012 R2 Hyper-V server at the new remote site.
    There is currently only one site (the default first site).
    The steps planned are to create a new site to represent the remote location in AD configured with the subnets that apply to the remote site. (Computers in our local office should continue to use the domain controllers in our office and remote PCs should start using the new domain controller.)
    Then build the new domain controller VM, join it to the domain as a member server and then promote it to domain controller of the new site.
    Are any steps missing?
    Do we need to do anything special with time sync settings on Hyper-V or will both the Hyper-V host and the domain controller guest just automatically sync time with the PDC domain controller across a WAN connection at the main site?
    Is there a way to prepare the domain/schema for the new 2012 R2 domain controller in advance so that the new domain controller can be installed later without needing Schema Admin or Enterprise admin permissions during the installation?

    > Where can I find what is correct for 2012 R2 domain controllers running
    > on Hyper-V 2012 R2 hosts?
    There's no "one fits all" advice on this topic, but I agree with Ahmed: within a domain, the DCs provide a hierarchical time source, and since clients are required to be in sync with DCs, this is a "must be". If your HV hosts are members of the domain they are hosting, things can easily go crazy if you do not disable host time sync.
    Greetings/Grüße,
    Martin
    How about reading a good book about GPOs for a change?
    Good or bad GPOs? - my blog…
    And if IT bothers me -
    coke bottle design refreshment (-:

  • WCS/WLC read-only access

    We use WCS and AAA in our wireless environment. Reading through the WCS user guide (http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2manag.html#wp1089936), authorization seems awfully coarse-grained. Is there a way to provide a security group with login and read-only rights to all aspects of all wireless components (or at least to WCS and all WLCs)? Ideally, the security group would be able to log in to any WLC at any time and verify settings, etc.

    Hi,
    We need to follow the following document to ensure that the user with which we are logging in has the appropriate attributes assigned:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
    For what the different roles mean, please go through the following document:
    http://www.cisco.com/en/US/docs/wireless/controller/4.1/configuration/guide/c41sol.html#wp1208657
    HTH
    Regards,
    JK
    Plz rate helpful posts-
