domain controller was not validated because Access is denied
by chicagotech » Fri Sep 19, 2008 3:12 pm
Q: I followed How to view and transfer FSMO roles in Windows Server 2003 to transfer FSMO from a Windows 2000 DC to a Windows 2008 DC. When I tried "In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
Click Change" in Windows 2000 DC, I receive "The domain controller domainname was not validated because: Access is denied".
I can ping the Windows 2008 DC by name and I can transfer the Schema Master role without a problem. Why?
A: Suggestion
=========
From my research, the symptom of the issue may indicate that the secure
channel between the two DCs is broken. The above tests will show if it is
caused by this reason. If it is, we can find the problematic DC according
to the results of the tests.
If an error occurs when testing, we can perform the following steps for
troubleshooting:
1. Reboot the problematic DC.
2. Stop the KDC service and put it on manual.
3. Reset the secure channel by the following command:
Netdom resetpwd /server:
/userD:\administrator /passwordD:
4. Restart the computer and start KDC by setting it back to automatic.
Question B:
Client computers record Event ID 1030 and Event ID 1058 when DFS is not started on a Windows 2000-based domain controller
SYMPTOMS
Active Directory directory service clients may frequently record the following error messages in the event log:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Description:
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
For more information, see Help and Support Center at .
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Description:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com. The file must be present at the location <>. (The network path was not found. ). Group Policy processing aborted.
For more information, see Help and Support Center at .
If you try to access the domain\sysvol folder, you may receive "access denied" or "network path not found" messages, even though the permissions on the sysvol folder are correct.
CAUSE
These issues may occur when the Distributed File System (DFS) service is stopped on the domain controller.
RESOLUTION
To resolve this issue, make sure the DFS service is started on the domain controller, and set the Startup type to automatic. To do this, follow these steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click Services.
2. In Services, double-click Distributed File System.
3. On the General tab, click Automatic next to Startup type.
4. Under Service Status, click Start if the service is not started.
5. Click OK, and then close the Services window.
Question A and B: Final solution
Andrea Gallazzi posted on Monday, September 17, 2007 12:29 PM
This is my solution and it works fine.
1. Set the Startup type for the Kerberos Key Distribution Center service on
the Windows 2000 DC to Disabled. To do so:
a. Click Start->Run, type Services.msc and click OK
b. Double click the Kerberos Key Distribution Center service, select
Disabled for Startup type.
2. Restart the affected domain controller.
3. Log on to the domain controller, and then force the replication with its
replication partner by using the Active Directory Sites and Services
snap-in. To do so:
a. Click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Sites and Services.
b. Expand the site that contains the Windows 2000 DC.
c. Expand the Servers container, and then expand the Windows 2000 DC object
to display the NTDS Settings object.
d. Highlight the NTDS Settings object.
e. In the right pane, right click the connection object whose "From Server"
column is the SBS server, and click "Replicate Now".
4. Check the replication status by typing the following command line from a
command prompt:
repadmin /showreps
5. If replication is now successful, set Startup type for the Kerberos Key
Distribution Center service on the affected domain controller back to
Automatic.
6. Stop and then restart the Kerberos Key Distribution Center service.
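
A triage helper for the Question B symptoms, added here as an example and not part of the original post or the KB text: it parses event text pasted in the layout quoted above and reports whether the Userenv 1030/1058 pair appears together with a reason that points at an unreachable SYSVOL. The function names, the `SYSVOL_REASONS` list and the sample entries are constructed for illustration.

```python
import re

# Constructed sample: the two Userenv entries (shortened) plus one unrelated entry.
SAMPLE = """Event Type: Error
Event Source: Userenv
Event ID: 1030
Description:
Windows cannot query for the list of Group Policy objects.

Event Type: Error
Event Source: Userenv
Event ID: 1058
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=com. The file must be present at the location <>. (The network path was not found. ). Group Policy processing aborted.

Event Type: Warning
Event Source: ExampleSource
Event ID: 42
Description:
Unrelated constructed entry.
"""

# Assumption: the two reasons the page mentions for a failing sysvol access.
SYSVOL_REASONS = ("network path was not found", "access is denied")

def parse_events(text):
    """Split pasted event text into dicts of header fields plus Description."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        head, _, desc = chunk.partition("Description:")
        fields = dict(re.findall(r"(?m)^(Event [A-Za-z ]+):[ \t]*(.*)$", head))
        fields["Description"] = " ".join(desc.split())
        events.append(fields)
    return events

def triage(events):
    """Report the Userenv 1030/1058 pair and what each 1058 entry blames."""
    userenv = [e for e in events if e.get("Event Source") == "Userenv"]
    pair = {"1030", "1058"} <= {e.get("Event ID") for e in userenv}
    errors = []
    for e in (e for e in userenv if e.get("Event ID") == "1058"):
        g = re.search(r"CN=(\{[0-9A-Fa-f-]{36}\})", e["Description"])
        r = re.search(r"\(([^()]*?)\s*\)", e["Description"])
        errors.append((g and g.group(1), r and r.group(1)))
    sysvol = any(s in (r or "").lower() for _, r in errors for s in SYSVOL_REASONS)
    return {"pair_present": pair, "gpo_errors": errors,
            "check_dfs_service": pair and sysvol}
```

A true `check_dfs_service` only says the entries match the symptom pattern; the service state on the domain controller still has to be checked as in the RESOLUTION steps.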