I've still got this problem. I've tried a bunch of things, and learned a lot... :-) I figured out how to use LDP to restore the computer account from the deleted objects OU, and now I see the object with the correct creation date. I'm still unable to reset the secure channel, though. I've tried cranking up logging for nltest, and came up with the following from the netlogon.log on the member server when running nltest /sc_reset:

08/26 10:40:57 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetServerAuthenticate3: 1761 (may be legitimate for 0xc0000022)
08/26 10:40:57 [CRITICAL] ECCAD: NlSessionSetup: Session setup: cannot I_NetServerAuthenticate 0xc0000022
08/26 10:40:57 [CRITICAL] ECCAD: NlSessionSetup: new password is bad. Old password is same as new password.
08/26 10:40:57 [MISC] Eventlog: 3210 (1) "ECCAD" "\\evldc02.ECCAD.COM" c0000022 "...
08/26 10:40:57 [MISC] Didn't log event since it was already logged.
08/26 10:40:57 [SESSION] ECCAD: NlSetStatusClientSession: Set connection status to c0000022
08/26 10:40:57 [SESSION] ECCAD: NlSetStatusClientSession: Unbind from server \\evldc02.ECCAD.COM (TCP) 0.
08/26 10:40:57 [SESSION] ECCAD: NlSessionSetup: Session setup Failed

The nltest /sc_reset command itself gives this error:

I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

The 022 appears to be access denied, which is kind of a catch-22 problem. I can log onto the machine with local credentials, but when I try to log in with domain credentials, I get "windows cannot log you on, either because the domain controller is down or otherwise unavailable, or because your computer account was not found..."

I can map drives and do a runas, but only with the /netonly switch.

Any ideas?

Thanks!

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************

> -----Original Message-----
> From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 26, 2004 6:09 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Deleted computer account
>
> Tried that; it still gives me an access denied error. If I run netdom using
> explicit credentials, as before, I get "the trust relationship between this
> workstation and the primary domain failed".
>
> **********************
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
>
> > -----Original Message-----
> > From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 25, 2004 5:20 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Deleted computer account
> >
> > How about on the CA just mapping the DC's C$ share with the
> > domain admin account and then running netdom?
> >
> > Mike Thommes
> >
> > -----Original Message-----
> > From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
> > Sent: Wed 8/25/2004 7:06 PM
> > To: [EMAIL PROTECTED]
> > Cc:
> > Subject: [ActiveDir] Deleted computer account
> >
> > OK; I've got an ugly one.
> > Got a VM that's running certificate services; it's the root CA for the
> > domain. Without going into details, the computer account for the server was
> > deleted from the domain. I can't get netdom or nltest to reset it; I get an
> > access denied. Netdom/add was able to recreate the object, but that might
> > have been a mistake. Still can't set the secure channel, can't log on with
> > domain credentials.
> > Since it's running cert services, I can't remove/rejoin it to the domain.
> > Anyone got a slick trick to get this one back? I'd hate to rebuild my CA
> > from scratch...
> > The only thing I can think of is an authoritative restore from last Friday's
> > backup. Haven't had to do one of those yet.
> > Any good documentation or better tricks?
> > Thanks!
> >
> > **********************
> > Charlie Kaiser
> > MCSE, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > **********************
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
