R.B.5

I have now got two domain controllers on our domain. Both of them are windows 2k server and seem to be working fine. The only problem i have at the moment is that on the New server under event viewer an error code of 16650 keeps appearing which has something to do with the SAM database. I need help to sort this one out as i do not know enough about windows 2k server to sort it myself.

David do you think you could help me with this one??

Thx

Gav

[Edited by R.B.5 - 8/2/2002 12:40:06 PM]

R.B.5

We currently have a Windows NT4.0 Server running our network. I have recently bought a new one which is v nice and cost us 3 grand. I installed NT4.0 server onto the new one and installed as BDC. Added the new server (BDC) to the exsisting domain in the hope that the users/data could be replicated onto it. We found that the PDC (old current machine) had a corruption either with the SAM (user accounts database) or some other problem.

It kept saying SID error and replication errors. i forget the codes but had them and looked them up on technet. Turns out after i ring microsoft that we seem to have a corrupt SAM databse. Only way round it is to install the new server with windows 2k or the like and re-administer 1700 users.

I suddenly had this thought then that if i install windows 2k on the current PDC (via upgrade using cd) then i could re-install BDC or use dcpromo.exe and add that one to the PDC's domain, thus reducing the weeks ahead work. Will this work?? Its such a pain in the **** and im about ready to give up on it and call some company in to do it...but i dont normally let things beat me that easily. Is there any other way that this can be done? The required end result is to have the New server as PDC on the domain and the current PDC as BDC, with all the current users info/accounts/data left in place. (hope i havent lost anyone by now, it does make sense im sure )

/me untangles brain.

Thx in advance ppl

Gav

David_Wallis

you can promote / demote servers in nt server manager...

Ie build the new one as a bdc.. then promote it to pdc and rebuild other..

Wouldnt recommend upgrading..

Can you see any users if you run usrmgr on the pdc??

Oh and I can save you the weeks of work!

David

David_Wallis

PS 1700 users and no BDC HA HA HA

David

R.B.5

David...i have a bdc running but tend to leave that one alone for obvious reasons. The thing is that when we installed the new server as bdc to the domain and scopy'd data across under permissions/security tab it kept saying account unknown. Figure tha one out?? I could see the accounts under accounts manager and all seemed to be ok apart from the fact that the permissions werent working correctly as account unknown was coming up everytime we removed and re-added the user to thier own folder!!

shunty

R.B.5 - did you not see my last post to your other thread ??
I had exactly this problem 2 years ago, PDC wouldn't replicate same errors by the sounds of it.
I used netdom.exe & got a technet article on the LSA, it had a registry fix for this error....without seeing your event logs obviously I can't say exactly.....
Are you getting LSA errors in the event log ??

shunty

David_Wallis

you are 'supposed' to sync domain and then power a bdc off when doing things like this as a back out plan... not that it helps but I would suggest running netdom and do a search on repairing the sam, as if you can open usrmgr then it aint all bad.

Have you run chkdsk?

David

R.B.5

hopefully i got the problem sorted just working on it now! Upgraded the PDC to Windows 2k. The SAM was left untouched and sahres are still in place so all i need to do now is sync both 2k servers and copy registry key from one to the other for the files/folder permissions

David_Wallis

you cant just copy the registry key for the folder permissions... (your not using sharelevel permissions are you??)

Copy the data using robocopy, tell it to keep the ntfs permissions then export lanmanserver\parameters\shares or whatever the key is if you must....

David

R.B.5

i think you'll find you can, just export one machines and import on the other! Robocopy?? Whats that? Where do i get that from??

David_Wallis

I think youll find you cant... actually prove that you can export file and folder ntfs permissions and Ill eat my cv..

Robocopy is robust copy by microsoft...


----------------------------------------------------------------------
ROBOCOPY v 1.96 : Robust File Copy for Windows NT
----------------------------------------------------------------------

Started : Fri Aug 02 10:20:22 2002

Usage : ROBOCOPY source destination [file [file]...] [options]

source : Source Directory (drive:\path or \\server\share\path).
destination : Destination Dir (drive:\path or \\server\share\path).
file : File(s) to copy (names/wildcards: default is "*.*").

Copy options: /S : copy Subdirectories, but not empty ones.
/E : copy subdirectories, including Empty ones.
/LEV:n : only copy the top n LEVels of the source directory tree.

/Z : copy files in restartable mode.

/SEC : copy SECurity info (both source and dest must be NTFS).
/SECFIX : FIX SECurity info on existing files and dirs.
/TIMFIX : FIX TIMestamps on existing destination files.

/MOV : MOVe files (delete from source after copying).
/MOVE : MOVE files AND dirs (delete from source after copying).

/PURGE : delete dest files/dirs that no longer exist in source.
/MIR : MIRror a directory tree (equivalent to /E plus /PURGE).

/A+:[R][A][S][H] : add the given Attributes to copied files.
/A-:[R][A][S][H] : remove the given Attributes from copied files.

/CREATE : CREATE directory tree structure + zero-length files only.
/FAT : create destination files using 8.3 FAT file names only.

File Selection: /A : copy only files with the Archive attribute set
/M : like /A, but remove Archive attribute from source files.
/IA:[R][A][S][H] : Include only files with some of the given Attributes set.
/XA:[R][A][S][H] : eXclude files with any of the given Attributes set.

/XF file [file]... : eXclude Files matching given names/paths/wildcards.
/XD dirs [dirs]... : eXclude Directories matching given names/paths.

/XC | /XN | /XO : eXclude Changed | Newer | Older files.
/XX | /XL : eXclude eXtra | Lonely files and dirs.
/IS : Include Same files.

/MAX:n : MAXimum file size - exclude files bigger than n bytes.
/MIN:n : MINimum file size - exclude files smaller than n bytes.

/MAXAGE:n : MAXimum file AGE - exclude files older than n days/date.
/MINAGE:n : MINimum file AGE - exclude files newer than n days/date.
(If n < 1900 then n = n days, else n = YYYYMMDD date).

Retry Options: /R:n : number of Retries on failed copies: default is 1 million.
/W:n : Wait time between retries: default is 30 seconds.

/REG : Save /R:n and /W:n in the Registry as default settings.

/TBD : wait for sharenames To Be Defined (retry error 67).

Logging Options: /L : List only - don't copy, timestamp or delete any files.
/X : report all eXtra files, not just those selected.
/V : produce Verbose output, showing skipped files.

/NP : No Progress - don't display % copied.
/ETA : show Estimated Time of Arrival of copied files.

/LOG:file : output status to LOG file (overwrite existing log).
/LOG+:file : output status to LOG file (append to existing log).


David

David_Wallis

post the full msg that you get...

David

R.B.5

Event Type: Error
Event Source: SAM
Event Category: None
Event ID: 16650
Date: 02/08/2002
Time: 12:42:46
User: N/A
Computer: PDC
Description:
The account-identifier allocator failed to initialize properly. The record data contains the NT error code that caused the failure. Windows 2000 will retry the initialization until it succeeds; until that time, account creation will be denied on this Domain Controller. Please look for other SAM event logs that may indicate the exact reason for the failure.
Data:

R.B.5

Even though i have copied the share Registry key on the old server under local machine, system,controlset001,services,lanmanshares it has shared the folders on my other drive and linked them with the SAM database. But when i open the properties tab and then security on any folder it comes up with administrator = full control and then followed by another account s-1-5-21-1177238915-83952.......

to say the least im a little confused as i expected this to work. I know you said robocopy is the way to do this but i dont have the application and have searched and cannot find it!

thx

gav

David_Wallis

yhm & http://support.microsoft.com/default...EN-US;Q248410&

R.B.5

Done this and when i remove the long number user account on the permissions tab and then re-add the correct user i.e myself click apply, and then reopen the permissions tab the old user (long number account) is still there and no sign of the user i just added!!! Work that one out cause i cant. I'm about to try robocopy to see if that works!

gav

David_Wallis

To be honest I would build a new nt4 pdc in a seperate domain (new) copy the data to the new server... create the shares by adding the shares reg key or whatever floats your boat, then use a script to export all users from the old server and then use another one to add them on the new server then set all permissions... run rdisk. Then flatten old box and rebuild as a bdc.

David