Root DC in forest failed

Status
Not open for further replies.

mike61

Technical User
Mar 27, 2003
My Root Domain Controller has failed and has had the hard disk replaced. Windows has been reinstalled and promoted to a Domain Controller again. I now get the error 16650 in the Event Viewer and I cannot add any users or edit the Domain Security Policy. I have a full backup on tape but unfortunately not the system state. Is there any way I can restore it to what it was before, either with the tape or using the other Domain Controller on the network? Very, very URGENT, can anyone help please?

 
Here is a start. I hope this DC was not also providing your FSMO roles. If that is the case, you need to check Microsoft's Knowledge Base for how to bring this DC back into the Domain.



Replicating from New Domain Controller to Existing One Returns 'Access Denied'; Log Shows Error 16650 (Q285836)

--------------------------------------------------------------------------------
The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

--------------------------------------------------------------------------------


SYMPTOMS
When you use Dcpromo.exe to create a new domain controller replica in a forest consisting of a single domain and one existing domain controller, you may receive an "Access Denied" error message when you use Dssite.msc to replicate from the new domain controller to the existing one. In addition, the new domain controller's Directory Service log may record Error 16650.



CAUSE
This behavior can occur when the existing domain controller was previously a Microsoft Windows NT Server 4.0-based primary domain controller (PDC) that was upgraded to be a Windows 2000-based domain controller. In this situation, the "Access this computer from the network" user right is granted only to the following groups:

  • Administrators
  • Backup Operators
  • Domain Users

However, it should also be granted to the Enterprise Admins group.



RESOLUTION
To resolve this behavior, grant the Enterprise Admins group the user right "Access this computer from the network", and then refresh the security policy. Follow these steps:

  1. In Active Directory Users and Computers, click the Domain Controllers object.
  2. Right-click the domain controller name, and then click Properties.
  3. In the domain controller's Properties dialog box, click the Group Policy tab.
  4. Click Default Domain Controllers Policy, and then click Edit.
  5. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policy\User Rights Assignment, and then double-click Access this computer from the network.
  6. Add the Enterprise Admins group to the list of groups to be granted this user right.
  7. To refresh the security policy, type the following at a command prompt and then press ENTER:

     SECEDIT.EXE /refreshpolicy MACHINE_POLICY /ENFORCE
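
An added example (not part of the thread or of the Microsoft article): a small Python check that reads a security-template INF, the format assumed here for an exported security policy, and reports whether Enterprise Admins holds `SeNetworkLogonRight`, the internal name of "Access this computer from the network". The sample text and its domain SID are constructed for illustration.

```python
import re

# Constructed sample in security-template INF form, mirroring the state the article
# describes; "S-1-5-21-1111-2222-3333" is a made-up domain SID.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-513
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

ENTERPRISE_ADMINS_RID = "519"  # well-known RID of the Enterprise Admins group

def privilege_rights(inf_text):
    """Return {right: [principals]} parsed from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def has_enterprise_admins(principals):
    """True if a principal is a domain SID ending in RID 519 or the group's name."""
    for p in principals:
        if re.fullmatch(r"S-1-5-21(-\d+){3}-" + ENTERPRISE_ADMINS_RID, p):
            return True
        if p.split("\\")[-1].lower() == "enterprise admins":
            return True
    return False

def check_network_logon(inf_text):
    """Return (granted, principals) for SeNetworkLogonRight."""
    principals = privilege_rights(inf_text).get("SeNetworkLogonRight", [])
    return has_enterprise_admins(principals), principals

if __name__ == "__main__":
    granted, who = check_network_logon(SAMPLE_INF)
    print("Enterprise Admins granted:", granted, who)
```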
 
I had problems with a new server, and since it wasn't in production yet, I ran dcpromo and demoted it. Then I ran dcpromo a second time and the problems went away. Don't know why, but if the above fix doesn't help, you might try this.

Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com

"It is never too late to learn what is always necessary to know."
Lucius Annaeus Seneca (4 BC - 65AD) Roman philosopher, statesman.
 