Damaged AD but unable to locate errors

andy smart

We have errors showing up for our Active Directory: we have services we
can't start and we cannot access GPOs effectively.

We booted into AD restore mode and ran Integrity and then Semantic
Checker - neither of which showed anything marked as 'error'. The start
of the log file was

________________________________________________________
Property Metadata vector missing for 2($ROOT_OBJECT$)
INFO: UpToDate vector found for NC head 1461(lizard)
INFO: UpToDate vector found for NC head 1462(Configuration)
WARNING: Deleted object 1474 has timestamp[12/29/9999] later than now
WARNING: Deleted object 1480 has timestamp[12/29/9999] later than now
INFO: UpToDate vector found for NC head 1483(Schema)
Warning SE_DACL_PROTECTED for 1690(VolumeTable)
Warning SE_DACL_PROTECTED for 1696({31B2F340-016D-11D2-945F-00C04FB984F9})
Warning SE_DACL_PROTECTED for 1699({6AC1786C-016F-11D2-945F-00C04fB984F9})
Warning SE_DACL_PROTECTED for 1746(AdminSDHolder)

___________________________________________
then a lot of the SE_DACL_PROTECTED lines and two more of the deleted
object timestamps - ending with
_____________________________________

Warning SE_DACL_PROTECTED for 7093({8A5D7503-BF68-44D5-A18E-35453B64CE14})
6757 total records walked.
Summary:
Active Objects 5214
Phantoms 4
Deleted 1539
Security descriptor summary:
SD count: 416
Total SD size before single-instancing: 7776 Kb
Total SD size after single-instancing: 526 Kb

______________________________________

Does this mean that our problems are not actually connected to a faulty
AD but to something else? Or are we just too inexperienced to see the
errors it is showing us?

tia
andy
 
ptwilliams

What are the errors that you are seeing? 9 times out of 10 the problems
will lie with DNS.

I would run dcdiag /c /e /v and netdiag /v to see what's going on, and check
the event log.

Post back the errors you're seeing during normal running operations.


Paul.
_______________________________
 
andy smart

Hi Paul

We have now defined the scope of the problem :)

We ran dcdiag and our server passed the tests, with the exception of the
services test, where it objected to the DNSCACHE service being stopped. We do
have a number of services which do not start due to 'Access denied err
5'; these are:
TCP/IP NetBIOS helper/Remote registry/DNS client/Distributed transaction
coordinator/DHCP client/(and Sophos AV). It does spot that it is unable
to start a DCOM server.

Intermittently, when logging in, there is a winlogon.exe error.

It is not possible to log into the server using remote desktop connection.

As regards GPOs, on the 'main' server (where we have the problems), when we try
to edit a policy object it says it cannot open it as 'you may not have
appropriate rights' and 'the network path was not found'. On our other
server it can be accessed.

dcdiag said that replication test was passed, which to me implies that
AD is therefore the same on both servers.

My technician did make some changes to access rights on the day when
these issues first began to become apparent; is it possible that some
critical permissions have been altered?

tia and best wishes
andy
 
andy smart

Been checking what was done to permissions - one of the things he did
was remove Domain Users from the C: drive permissions (on the grounds
that their user areas and so forth are on D:). Permissions are as follows:
Server T (the problem one)
C:
Administrators FC
Creator Owners none ticked
Domain Admins FC
System FC
(he believes these propagate all the way down the tree)

Server B (the good one)
C:
Administrators FC
Creator Owners none ticked
Everyone none ticked
Domain Admins FC
System FC
Users Read and Execute/List folder contents/Read
C:\windows
Administrators FC
Authenticated users Read and Execute/List folder contents/read
Creator Owners none ticked
Domain Admins FC
System FC
 
Enkidu

andy smart said:
My technician did make some changes to access rights on the day when
these issues first began to become apparent; is it possible that some
critical permissions have been altered?
It's definitely *possible*! Did the changes have anything to do with the
SYSTEM account? I'd check the properties of the services that you are
having trouble with and see what account they are running as. Has this
account's details/password changed?

Cheers,

Cliff
 
ptwilliams

I'd change the permissions to that of the working server to start with.

And I also second Cliff - it looks like an admin password has been changed.
I'll stake money on that being what's causing your Sophos and DCOM errors...

The other services should run under the system account - so, once you've
rejigged the permissions try starting those again.


Paul.
___________________________
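The two checks suggested in this thread, comparing the C: drive ACL of the problem server against the working one and looking at which account each failing service runs as, can be scripted rather than read off dialog boxes. This is an added example, not code from anyone in the thread; it assumes PowerShell 3 or later on both servers, and the file name serverB-C-acl.xml is a placeholder for an ACL export taken on the working server.

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ on both servers.
# Step 1, on the working server (Server B): export the ACEs on C:\ to a file.
#   (Get-Acl -Path 'C:\').Access | Export-Clixml -Path .\serverB-C-acl.xml
# Step 2, on the problem server (Server T): run this script with that file.
param(
    [string]$Path = 'C:\',
    [string]$ReferenceAclFile = '.\serverB-C-acl.xml'   # placeholder file name
)

# Render each ACE as one comparable string: who, which rights, allow/deny,
# and the inheritance flags (the thread notes the C: ACEs propagate down the tree).
$asKey = {
    '{0} | {1} | {2} | inherit={3} | propagate={4}' -f $_.IdentityReference,
        $_.FileSystemRights, $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
}
$referenceKeys = Import-Clixml -Path $ReferenceAclFile | ForEach-Object $asKey
$currentKeys   = (Get-Acl -Path $Path).Access        | ForEach-Object $asKey

# '<=' marks ACEs only in the reference (the good server), '=>' ACEs only found here.
$diff = Compare-Object -ReferenceObject $referenceKeys -DifferenceObject $currentKeys
Write-Output "ACEs on the working server that are missing on $Path here:"
$diff | Where-Object SideIndicator -eq '<=' | ForEach-Object { "  - $($_.InputObject)" }
Write-Output "ACEs present here on $Path but not on the working server:"
$diff | Where-Object SideIndicator -eq '=>' | ForEach-Object { "  + $($_.InputObject)" }

# Step 3: automatic-start services that are not running, with the account they
# log on as and the last Win32 exit code. ExitCode 5 is ERROR_ACCESS_DENIED,
# the 'Access denied err 5' reported in the thread; a service expected to run as
# LocalSystem but showing another StartName is worth a closer look.
Write-Output "Automatic services not running:"
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Sort-Object StartName, Name |
    Format-Table -Property Name, State, StartName, ExitCode -AutoSize
```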
 
andy smart

Thanks Paul and Cliff

All now seems good and proper

:)
andy
 
Cary Shultz [A.D. MVP]

Andy,

What did you do? Change the permissions as per one of your earlier posts?

Cary

 