
Please help..SAM error and I'm new to 2000

Status
Not open for further replies.

Stacyk

MIS
Jan 14, 2003
24
US
The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.
I just promoted this server to a DC. I keep getting this message. Can anyone help? I think it's having problems synching with the other DCs on the domain.

Thanks for your help!!
Stacy
 
Thanks for the reply.
I have seen that article. My RID Master FSMO is running. I can ping it from all of my servers and the permission "Access this computer from the network" is enabled. Do you have any other ideas? I really appreciate the help!

Thanks!

Stacy
 
Is that the only error that appears in the event log?
Give us more details about the network structure. How many DCs? How many domains? Who was RID Master before? How are the FSMO roles assigned?
For better debugging of the Active Directory service, set the key below to 5 (maximum):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
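The NTDS\Diagnostics key Gia points at is not a single value: it holds one DWORD per logging category, each 0 (off) to 5 (maximum). On Windows 2000 you set them in regedit; the block below is an added example (not from this thread or its participants) that does the same on a current domain controller with PowerShell, raising only the categories relevant to the RID, replication and name-resolution errors in this thread and then pulling the resulting Directory Service events. The category names are the standard ones Microsoft documents for this key; the choice of which five to raise is mine. Run it elevated on the affected DC, and reset to 0 afterwards because level 5 is extremely noisy.

```powershell
# Added example: raise NTDS diagnostic logging per category, then read the log.
# Assumes an elevated session on the DC. Values take effect immediately; no restart.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Show the current level of every category (strips the PS* provider properties).
Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*

# Categories most relevant to the errors in this thread (names are the
# standard value names under NTDS\Diagnostics; the selection is an assumption).
$categories = @(
    '1 Knowledge Consistency Checker',
    '2 Security Events',
    '5 Replication Events',
    '11 Initialization/Termination',
    '13 Name Resolution'
)

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [ValidateRange(0, 5)][int]$Level = 5
    )
    foreach ($n in $Name) {
        Set-ItemProperty -Path $key -Name $n -Value $Level -Type DWord
    }
}

# Turn the selected categories up to maximum.
Set-NtdsDiagnosticLevel -Name $categories -Level 5

# Then reproduce the problem (e.g. create a user) and read the Directory Service
# log for errors and warnings (Level 1 = Critical, 2 = Error, 3 = Warning).
Get-WinEvent -LogName 'Directory Service' -MaxEvents 50 |
    Where-Object Level -le 3 |
    Format-Table TimeCreated, Id, Message -Wrap

# When finished, put the levels back so the log stays usable:
# Set-NtdsDiagnosticLevel -Name $categories -Level 0
```

Level 5 on "Replication Events" alone can write hundreds of entries per minute on a DC with many partners, so raise it, reproduce once, and lower it again rather than leaving it on.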
 
okey dokey...I'll give it a shot.
There are 2 domains. Student and Admin. I'm working with all the computers on the Student domain. They do not need to share files or services with any of the Admin computers EXCEPT for the fact that the DNS I'm using is on the Admin domain. When I use NSlookup, my computers can see the DNS.
All my computers are Domain controllers. I have inherited this system from the former NT person...I don't think it ever worked correctly. We have been slowly migrating the NT 4 servers to 2000. We created a new domain for the 2000 computers. That is where the problem is. The computers in the new domain (2000 server) are not seeing each other right.
The RID master is AMH-tch-51-51. As far as I know, it has always been that computer.
It looks like the RID,PDC and Infrastructure master are all on the amh-tch-51-51 computer. After reading some posts here, I don't think that that is a good thing, but when I go to a different DC to give it control of the PDC, It says that the master can't be contacted.

I also keep getting the error "the session setup to the Windows 2000 Domain controller <unknown> for the domain STUDENT failed because the Domain Controller does not have an account for the computer BSE-TCH-51-51."
I get this on several different machines.

FYI I work for a school district. All the student servers are on their own subnets. That IP scheme is used for each school.
For example...BSE-TCH-51-51 = 10.118.51.51. The Classrooms within are 10.118.101.01. 02, 03,04..so on.
The IP for AMH-TCH-51-51 is 10.12.51.51. Classrooms are 10.12.101.01, 02 03...yadda yadda..

Ok, I'll let you digest all of this. Please let me know what other info you need to know..and thanks a million for all of the help!!

 
Ok, now let's clarify a little.
You have there:
- one NT4 domain: Student
- one NT4 domain: Admin
- and another Windows2k domain?
Where is the DNS? I suppose it is installed on one Win2k server. Right?
Are there trust relations between the domains? Take care, trusts between NT4 domains are not transitive.
What does "computers from the Win2k domain are not seeing each other" mean? Browsing the network? What computers are involved there? All DCs?

As for roles, don't worry; the only problem is when you have more W2K domains in an AD tree. And then the restriction is that the Global Catalog should not be on a computer that has the Infrastructure Master role.

You are seeing "the session setup to the Windows 2000 Domain controller <unknown> for the domain STUDENT failed because the Domain Controller does not have an account for the computer BSE-TCH-51-51."
Is that computer a member of that Windows 2k domain? Is it a member of an NT4 domain?

I know, a lot of questions again. But it seems that you have some problems in that network.
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
 
OK.. I actually have 4 domains.
SISD domain is NT4
SISDADM Domain is NT4
STUDENT domain is 2000
Admin domain is 2000
The one I'm having problems with is the Student domain on win 2000 server.
We have been slowly updating our computers to Win 2000 server. We created the 2000 domains in order to speed up the migration. By migrating I mean that I completely format the NT4 server, do a clean install of 2000 and make it a domain controller in the STUDENT domain. Then I add the users (there are not that many), printers and file shares to the converted server.
My STUDENT computers do not need to be seen by the old NT4 servers, or the ADMIN Domain. Unless I need trust because the DNS is on the ADMIN domain(W2K).

The problem that I'm having is not the pinging, or seeing the other computers across the network, I can do that. It is the computers in the STUDENT (2000) domain, authenticating, and adding users and making changes to the DCs. The changes are not getting replicated to the rest of the DCs(in the STUDENT W2K domain) . All of the servers in the STUDENT (2000)domain are domain controllers.

I get this error "the session setup to the Windows 2000 Domain controller <unknown> for the domain STUDENT failed because the Domain Controller does not have an account for the computer BSE-TCH-51-51." on several machines.
Of course, each error has the name of the computer that I'm connected to. So, the BSE-TCH-51-51 part of the message changes depending on which computer's event log I'm looking at. All the errors I'm dealing with right now are coming from computers on the STUDENT (W2K) Domain. I'm not dealing with NT4 errors at all. In fact the NT4 computers are synchronizing fine with each other.

I'm also getting this error: "The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is 943f875c-ee13-4b8a-a1ab-fbeb4f8aeabc._msdcs.student.sisd.net. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/943f875c-ee13-4b8a-a1ab-fbeb4f8aeabc/student.sisd.net@student.sisd.net.
Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated."

This is becoming a total nightmare for me. I really appreciate all of your help and patience.

 
First, in your student domain you only need 2 DCs, and each DC needs to have Active Directory-integrated DNS installed on it. This is the simplest way to take care of the problem that I know of.

Make sure your PC's DNS points to the DC's once you have them configured. You also have to point the DC's to each other. Use the same configuration for both DC's.

Set up forwarders on your student DCs to point to your admin domain.

hopefully Gia will tell you if i missed anything about the domain trusts.

Good luck
Doomhamur
Network Engineer

&quot;Certifications? we dont need no stinking certifiaction.&quot;
yahoo IM handle: greater_vortex
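Doomhamur's layout, written out as an added example (not his or the thread's own commands) for a current Windows Server DC with the DnsServer and DnsClient modules; on Windows 2000 the same four steps are done in the DNS console, the TCP/IP properties and ipconfig. It assumes the zone name student.sisd.net and the two DC addresses 10.118.51.51 and 10.12.51.51 from the thread, and invents the admin-side DNS address 10.12.1.10 and the NIC alias 'Ethernet', which are placeholders to replace. Run it elevated on each student DC.

```powershell
# Added example: AD-integrated DNS on the student DCs, forwarders to the admin
# DNS, and DC resolvers pointed at each other. Placeholders: $adminDns, $nic.
$zone       = 'student.sisd.net'                  # from the thread
$studentDcs = @('10.118.51.51', '10.12.51.51')    # from the thread
$adminDns   = @('10.12.1.10')                     # ASSUMED admin-side DNS address
$nic        = 'Ethernet'                          # ASSUMED interface alias

# 1. AD-integrated zone on every DC that runs DNS. 'Secure' dynamic updates are
#    fine here because the hosts registering records are members of this domain
#    (unlike the cross-domain case on the admin DNS discussed in the thread).
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Anything outside the student zone goes to the admin DNS; do not fall back
#    to root hints from an isolated VLAN.
Set-DnsServerForwarder -IPAddress $adminDns -UseRootHint $false

# 3. This DC's own resolver list: the other DC first, itself second, so the DC
#    does not depend only on its own service while it is starting or promoting.
$self = Get-NetIPAddress -InterfaceAlias $nic -AddressFamily IPv4 |
        Select-Object -First 1 -ExpandProperty IPAddress
$ordered = @($studentDcs | Where-Object { $_ -ne $self }) + $self
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $ordered

# 4. Re-register the DC locator records and confirm they resolve. Netlogon is
#    what writes the _msdcs SRV/CNAME records, so restarting it re-registers them.
ipconfig /registerdns | Out-Null
Restart-Service -Name Netlogon
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV
```

Member PCs in the student VLAN then get the two DC addresses as their DNS servers (DHCP option 6 or the same Set-DnsClientServerAddress call); pointing them at the admin DNS, as the thread's setup did, is what produces the "does not have an account" session-setup errors when that zone cannot be updated.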
 
Ok, ok, I'm here. I saw the answer, but I reserved my evening for this problem. So, at home I will continue with it.

So far, the problem seems that is between the two Win2k domains. Question: those domains are part of the same AD tree, same forest?

And, I smell that the problem is in the KCC, site replication, etc.
E.g. when you have those account errors, they could also be because your AD databases are not synchronized.

But first, I have to know if there are two trees or one tree with 2 domains.
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
 
All of my servers are on their own subnet. I have 1 server at each school. There are over 30 schools. Will the setup that was discussed above work in that environment?
 
1 forest called SISD.net
(2 domains within the forest.)
1 Student.sisd.net
1 Admin.sisd.net
 
Wow. So you have more subnets. Are they separated by WAN links?
In this case you need to configure the links and the sites in Sites and Services mmc console.

Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
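What "configure the links and the sites" comes to for Stacy's topology, as an added example (not from the thread or its participants) using the ActiveDirectory module on a current DC; on Windows 2000 the same objects are created in the Sites and Services console. It assumes each school's /16 from the two addresses Stacy gave (BSE = 10.118.0.0/16, AMH = 10.12.0.0/16; the /16 is an inference, and any further schools would be added to the table), one site link shared by all school sites, and DC names following the XXX-TCH-51-51 pattern. Without subnets and sites, the KCC treats 30 WAN-separated DCs as one LAN and builds a full intra-site ring over the slow links.

```powershell
# Added example: one site per school, its subnet, one shared WAN site link,
# and each school's DC moved into its own site.
Import-Module ActiveDirectory

# School code => subnet (ASSUMED /16 from the 10.118.x / 10.12.x addresses
# in the thread; extend this table for the other schools).
$schools = [ordered]@{
    'BSE' = '10.118.0.0/16'
    'AMH' = '10.12.0.0/16'
}
$linkName = 'SISD-WAN'   # ASSUMED name for the single hub site link

foreach ($code in $schools.Keys) {
    $site = "Site-$code"
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    $cidr = $schools[$code]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $site
    }
}

# One IP site link joining every school site. Cost 100 / 180 minutes is a
# conservative starting point for slow WAN links; tune per real bandwidth.
$sites = @($schools.Keys | ForEach-Object { "Site-$_" })
if (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'") {
    Set-ADReplicationSiteLink -Identity $linkName -SitesIncluded @{ Add = $sites }
} else {
    New-ADReplicationSiteLink -Name $linkName -SitesIncluded $sites -Cost 100 `
        -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
}

# Existing DCs stay in Default-First-Site-Name until moved; do it explicitly.
# Assumes DC names like BSE-TCH-51-51 and AMH-TCH-51-51 (from the thread).
foreach ($code in $schools.Keys) {
    $dc = Get-ADDomainController -Filter "Name -eq '$code-TCH-51-51'"
    if ($dc) { Move-ADDirectoryServer -Identity $dc.Name -Site "Site-$code" }
}

# Let the KCC rebuild the topology, then push one full sync and inspect it.
repadmin /kcc
repadmin /syncall /AdeP
repadmin /showrepl
```

After the move, each DC should register its SRV records under its own site name (the _sites subtree in DNS), which is also what lets clients in a school authenticate against the local DC instead of one across the WAN.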
 
wait...I'm mistaken.

There are 2 separate networks. We have VLANs set up to keep the servers separate.
The STUDENT Domain and the ADMIN domain are not within the same forest at all. STUDENT is on its own. It cannot see ADMIN and vice versa. The DNS is on the ADMIN network.
The reason we did this is because we want to keep the admin part of the school separate from the student side.
Hope I have thoroughly confused you all. Sorry 'bout that.

I did take a look at the DNS on the Admin domain. It was not set up to allow dynamic updates. I changed it and the netlogon error went away. But I'm still getting:

"The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is 943f875c-ee13-4b8a-a1ab-fbeb4f8aeabc._msdcs.student.sisd.net. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/943f875c-ee13-4b8a-a1ab-fbeb4f8aeabc/student.sisd.net@student.sisd.net.
Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated."

Go ahead and curse at me... I know I deserve it.
This is really helping me though!
Thanks again!
 
Gia,
Just so you know, I lost connection to Yahoo...I think the Network guys are messing with the switches or something..sorry 'bout this
 
Stacy,

Finally I have a view on your network. At least I hope that is almost what you have there. The UNIX DNS and who is authoritative on the zone is still a question. (I had to do a Visio diagram too :)) )
Indeed a very important part was to allow your Student DCs to update information in their domain from the DNS zone hosted on one of the servers from Admin domain. This should solve a lot of errors.
If they are not solved by that, then could be because you have more subnets (but, didn't understand this..).
Anyway, keep the updates for that DNS server to &quot;Yes&quot; (not secure ones, since you don't have trusts between domains).
The next step is to use some diagnostic tools to check the replication between the DCs from the Student domain:
REPLMON.EXE, REPADMIN.EXE.
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
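Before reaching for REPLMON, it is worth checking the two specific things the SPN error quoted earlier in the thread asks for, because that message tells you exactly which object and which record to look at. The SPN it names has three parts: E3514235-4B06-11D1-AB04-00C04FC2DCD2 is the well-known class for the directory replication (DRS) service, the GUID after it is the target DC's NTDS Settings object GUID (its "DSA GUID"), and the DNS name is the domain. The calling DC must find that exact SPN on the target's computer account (which only happens once the target's promotion has replicated) and must resolve the CNAME <DSA GUID>._msdcs.<domain>. The block below is an added example (not from the thread or its participants) that performs both checks and then shows replication state, using the ActiveDirectory and DnsClient modules on a current DC; on Windows 2000 the equivalent is ADSIEdit or LDP for the servicePrincipalName attribute plus nslookup and repadmin. It assumes the DC name AMH-TCH-51-51 and the domain student.sisd.net from the thread. Run it from another student DC.

```powershell
# Added example: verify the replication SPN and the DSA-GUID CNAME for one DC,
# then show replication status. Assumes ActiveDirectory + DnsClient modules.
Import-Module ActiveDirectory
$targetDc = 'AMH-TCH-51-51'      # from the thread (RID master)
$domain   = 'student.sisd.net'   # from the thread
$drsClass = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'   # well-known DRS SPN class

# The DSA GUID is the objectGUID of the DC's NTDS Settings object.
$dc      = Get-ADDomainController -Identity $targetDc
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.ToString()

# 1. Is the replication SPN present on the target's computer account? A missing
#    SPN right after promotion usually means the promotion has not replicated yet.
$expectedSpn = "$drsClass/$dsaGuid/$domain"
$spns = (Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName).servicePrincipalName
if ($spns -contains $expectedSpn) {
    "SPN present on ${targetDc}: $expectedSpn"
} else {
    "SPN MISSING on ${targetDc}: $expectedSpn (promotion not replicated, or registration failed)"
}

# 2. Does the DSA GUID CNAME resolve? Partners locate each other through it, and
#    it is one of the records Netlogon could not write while the zone refused updates.
$cnameName = "$dsaGuid._msdcs.$domain"
$cname = Resolve-DnsName -Name $cnameName -Type CNAME -ErrorAction SilentlyContinue
if ($cname) { "CNAME ok: $cnameName -> $($cname.NameHost)" }
else        { "CNAME $cnameName does not resolve; re-register with 'ipconfig /registerdns' on $targetDc" }

# 3. Replication state, the same information REPLMON/REPADMIN present.
Get-ADReplicationPartnerMetadata -Target $targetDc -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
repadmin /showrepl $targetDc
repadmin /replsummary
```

If the SPN is present and the CNAME resolves but LastReplicationResult is still non-zero, the remaining suspects are time skew between the DCs (Kerberos tolerates five minutes by default) and the RPC ports being blocked between the school VLANs, both of which repadmin /showrepl reports with a distinct error code.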
 
Gia, why not just set up DNS in the student domain on one of the DCs?

If you have 2 forests, each should have its own DNS. Right?

Then the 2 DNS domains can communicate.
Doomhamur
Network Engineer

&quot;Certifications? we dont need no stinking certifiaction.&quot;
yahoo IM handle: greater_vortex
 
okay. Let me give the REPLMON.EXE, REPADMIN.EXE a try.
I do think that the &quot;allow dynamic updates&quot; cleared up a few problems.

Thanks again for all the help.

Stacy
 