Win2000 DC logon with domain admin account problem


Fran Vázquez

Hi,


We're actually running 2 DCs in a Win2000 level active directory domain.

One is a Win2000 Std SP6, the other one is a Win2003 SP1 Std.

Suddenly we're not able to log on locally to the Win2000 DC, even with domain
administrator accounts. We were able to log in to the Win2003 DC without any
problem.

Investigating, we've found the following 'evidence':

- Both DCs are in the same OU.
- If we take the Win2000 DC out of this OU, we're able to log on.
- We're able to log on with a specific user that is a server operator, but not
  with a domain admin.
- Investigating the policies, we've seen that in the policies of the Win2000
  server there are 'strange things'. There are the OU (domain level) policies,
  but there are also policies that we don't know where they come from. These
  strange policies are not applied to the Win2003 server, which is in the same
  OU.
- We've tried to reset the local policies on the Win2000 DC, but the strange
  policies are still there after resetting the local ones.
- The only strange thing that has happened with this server is that last night
  the Win2003 DC was shut down unexpectedly (this Win2003 server holds all the
  AD roles) and the Win2000 server had to run without DNS or its master...

Any help?
 

Mike Luo [MSFT]

Hello,

Thank you for using the newsgroup!

From your post, this problem is caused by an incorrect policy. I have the
following suggestions:

Suggestion 1: Check policies on Windows 2000 DC
=================================
1. Logon to Windows 2000 DC.
2. Run ADSIEdit.msc, expand Domain
NC\DC=Domain,DC=com\CN=System\CN=Policies, and compare these policies with
those in Active Directory Users and Computers, to see if there are any
incorrect policies.

Suggestion 2: Run Rsop on Windows Server 2003 DC
==================================
1. Open Active Directory Users and Computers.
2. Expand Domain Controllers, select Windows 2000 computer account in
result panel.
3. Right-click and select All Tasks -> Resultant Set Of Policies (Planning).
4. Based on the Wizard to finish, check if the Windows 2000 will apply the
strange policies.

Suggestion 3: Check policies on domain level and Domain Controllers OU
level.

Please update me with the results, I look forward to your reply.

Mike Luo

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
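
The comparison in Suggestion 1 can also be scripted. The following is an added example, not part of the original thread or Microsoft's reply: it lists every GPO object under CN=Policies, compares its AD version with the version in the matching SYSVOL GPT.INI, and marks GPOs linked to the Domain Controllers OU. It assumes PowerShell on a domain-joined admin host with read access to AD and SYSVOL, and the default OU name "Domain Controllers".

```powershell
# Added example. Run from a domain-joined admin host with read access to AD and SYSVOL.
$domain = [string]([adsi]'LDAP://RootDSE').defaultNamingContext

# gPLink on the OU holds the DNs of the GPOs linked there (default OU name assumed).
$dcLinks = [string]([adsi]"LDAP://OU=Domain Controllers,$domain").gPLink

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://CN=Policies,CN=System,$domain"
$searcher.Filter = '(objectClass=groupPolicyContainer)'
$searcher.PageSize = 200
foreach ($p in 'name', 'displayName', 'versionNumber', 'gPCFileSysPath') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

# Return the first value of an attribute, or $null when it is not set.
function Get-First($result, [string]$attr) {
    $values = $result.Properties[$attr.ToLower()]
    if ($null -ne $values -and $values.Count -gt 0) { $values[0] } else { $null }
}

$report = foreach ($gpo in $searcher.FindAll()) {
    $guid       = Get-First $gpo 'name'            # "{GUID}" of the GPO
    $adVersion  = Get-First $gpo 'versionNumber'   # version stored in AD
    $sysvolPath = Get-First $gpo 'gPCFileSysPath'  # UNC path of the SYSVOL copy

    # GPT.INI in the SYSVOL copy carries the version of the file system half.
    $fileVersion = $null
    if ($sysvolPath) {
        $gptIni = Join-Path $sysvolPath 'GPT.INI'
        if (Test-Path -LiteralPath $gptIni) {
            $m = Select-String -LiteralPath $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($m) { $fileVersion = [int]$m.Matches[0].Groups[1].Value }
        }
    }

    $status = 'OK'
    if ($null -eq $fileVersion) { $status = 'NoReadableGptIni' }
    elseif ($fileVersion -ne $adVersion) { $status = 'VersionMismatch' }

    [pscustomobject]@{
        Name        = Get-First $gpo 'displayName'
        Guid        = $guid
        ADVersion   = $adVersion
        FileVersion = $fileVersion
        LinkedToDCs = [bool]($guid -and $dcLinks -match [regex]::Escape($guid))
        Status      = $status
    }
}
$report | Sort-Object Status, Name | Format-Table -AutoSize
```

A GPO that shows `LinkedToDCs` as True with a status other than `OK`, or one nobody recognises by name, is the first candidate to inspect before restoring from backup.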
 

Fran Vázquez

Hi Mike,


Thanks for your answer.

First of all, let me tell you that all that happened to our DCs is quite
strange. Everything began to function abnormally after the W2000 DC was alone
in the network, without DNS or the Win2003 DC.

It seems that the DomainControllers policy got corrupted in some way, and
therefore these strange policies were applied to the Win2000 DC. Today
they were also applied to the Win2003 DC, and admins couldn't shut down the
Win2003 server.

What we have done is to restore a backup we had of our DomainControllers
policy. Now everything seems to work OK.

After restarting all the DCs, now everything seems to work OK.

Anyway, it seems very strange to me that a policy could get corrupted by
leaving a DC 'alone' in the network (especially because it didn't have any DNS
server available) (all by mistake, of course).

Does this sound reasonable to you? Have you heard about any other experience
like this one before?

Thanks.
 

Mike Luo [MSFT]

Appreciate your response. Glad to know that everything is OK now.

I didn't encounter a problem like this. It seems very strange.

Regards,

Mike Luo
