Corrupt AD built-in Administrator account

    Question

  • After a power outage last week my domain controller booted with a blue screen. In Directory Services Repair Mode I managed to repair the corrupted database with "esentutl". After that the Domain Controller booted as usual.

    When trying to log in with the domain\Administrator account, the RDP client returned an "invalid password" message. The entered password was definitely correct. Since there are other admin accounts, naturally I changed the password. Still no luck.

    When opening the user properties in ADUC and navigating to the "Member Of" tab, an error message appears:

    The following Active Directory Domain Services error occurred: The directory service encountered an unknown failure.

    In PowerShell, "get-aduser administrator" runs without a hiccup; when I add -Properties MemberOf it returns an error message.

    The only group where the Administrator user is a member that returns the same error message is "Organization Management" (a security group for Exchange).

    Unfortunately there is no backup of the database (the server used for that keeps dying on me with a kernel panic). The DC and the Exchange server are both Windows Server 2016, migrated a few months back from 2008 R2 (there is only one DC). The domain functional level is still 2008 R2.

    Everyday operation is not affected, since there are other admin users to manage user accounts. Nonetheless, restoring the account's functionality is necessary.

    Thank you in advance for any help you can provide.

    • Moved by nzpcmad1 Friday, April 28, 2017 12:16 AM From ADFS
    Thursday, April 27, 2017 1:52 PM

All replies

  • Does it help to remove the Administrator user from the group "Organization Management"?

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, April 27, 2017 2:01 PM
  • When the Administrator user "Member of" tab is opened, no groups are shown after the error message. Same goes for Organization Management members tab. Tried adding Administrator to the group and removing it again. Did not help either.
    Friday, April 28, 2017 7:42 AM
  • What happens if you boot the DC into DSRM and log in using the corrupted account? Were you able to see any difference by doing this?
    Friday, April 28, 2017 7:51 AM
  • Just a guess, but it seems the memberOf attribute of the user has a bad value, or one that ADUC cannot display. Maybe you can use a script to remove the user from the group. Using PowerShell, perhaps similar to below:

    # The group must be given as a full distinguished name (CN= prefix included);
    # the domain components below are placeholders for the real domain
    $User = "Administrator"
    $Group = "CN=Organization Management,CN=Users,DC=domain,DC=com"
    # Remove-ADGroupMember prompts for confirmation before removing the member
    Remove-ADGroupMember -Identity $Group -Members $User


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, April 28, 2017 9:55 AM
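The reply above guesses that a link value on the user object is bad. One way to check that instead of guessing, as an added example that is not code from the thread or from any of its participants: compare the forward link (the groups' `member` attribute) with the back link (the user's `memberOf` attribute), read each linked group on its own to see which object cannot be read, and resolve the primary group, which the "Member Of" tab also displays. It assumes the RSAT ActiveDirectory module is installed, that it runs on the DC under a working admin account, and that the account of interest has the sAMAccountName "Administrator" (the `$Sam` variable and the function names are this example's own).

```powershell
# Added example, not code from the thread: compare the forward link (group.member) with the
# back link (user.memberOf) for one account, then test each linked group individually, so a
# group object that cannot be read is identified rather than guessed at.
# Assumptions: RSAT ActiveDirectory module installed; run on the DC as a working admin account;
# the account is identified by the sAMAccountName "Administrator" (change $Sam as needed).
Import-Module ActiveDirectory

$Sam = 'Administrator'

# Escape a value for use inside an LDAP search filter (RFC 4515: \ * ( ) and NUL).
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Returns the groups linked to the account from both directions plus any mismatch between them.
function Get-LinkConsistency {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $dn   = $user.DistinguishedName

    # Forward links: groups whose multi-valued "member" attribute holds the user's DN.
    $filter  = "(member=$(ConvertTo-LdapFilterValue $dn))"
    $forward = @(Get-ADGroup -LDAPFilter $filter | ForEach-Object { $_.DistinguishedName })

    # Back links: read memberOf straight from the object via ADSI, bypassing the cmdlet's conversion.
    $entry = [ADSI]"LDAP://$dn"
    $back  = @($entry.Properties['memberOf'] | ForEach-Object { [string]$_ })

    [pscustomobject]@{
        DistinguishedName = $dn
        IsBuiltInAdmin    = $user.SID.Value.EndsWith('-500')   # RID 500 = built-in Administrator
        PrimaryGroupID    = $user.primaryGroupID
        OnlyInForwardLink = @($forward | Where-Object { $back -notcontains $_ })
        OnlyInBackLink    = @($back    | Where-Object { $forward -notcontains $_ })
        AllLinkedGroups   = @($forward + $back | Sort-Object -Unique)
    }
}

# Reads every linked group one at a time; a group that throws is the one the "Member Of" tab trips over.
function Test-LinkedGroups {
    param([string[]]$GroupDns)
    foreach ($g in $GroupDns) {
        try {
            $null = Get-ADGroup -Identity $g -Properties member -ErrorAction Stop
            [pscustomobject]@{ Group = $g; Readable = $true;  Error = '' }
        } catch {
            [pscustomobject]@{ Group = $g; Readable = $false; Error = $_.Exception.Message }
        }
    }
}

# The "Member Of" tab also shows the primary group, resolved from primaryGroupID and the domain SID.
function Test-PrimaryGroup {
    param([int]$PrimaryGroupId)
    $sid = "$((Get-ADDomain).DomainSID.Value)-$PrimaryGroupId"
    try   { (Get-ADGroup -Identity $sid -ErrorAction Stop).DistinguishedName }
    catch { "Primary group SID $sid does not resolve: $($_.Exception.Message)" }
}

$links = Get-LinkConsistency -SamAccountName $Sam
$links | Format-List
Test-LinkedGroups -GroupDns $links.AllLinkedGroups | Format-Table -AutoSize
Test-PrimaryGroup -PrimaryGroupId $links.PrimaryGroupID
```

A DN that appears only in `OnlyInBackLink` is a `memberOf` value whose group no longer carries the matching `member` entry (or whose group object cannot be read), which is exactly the kind of inconsistency a database repair can leave behind; a group reported as not readable, or a primary group SID that does not resolve, narrows the problem to one object.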
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.
    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 1, 2017 3:36 AM
    Moderator
  • Tried the following:

    # Resolve the group object first instead of typing its distinguished name
    $User = "Administrator"
    $Group = Get-ADGroup "Organization Management"
    Remove-ADGroupMember -Identity $Group -Members $User

    The script executed without a warning; unfortunately there was no change in ADUC behavior.

    Tuesday, May 2, 2017 6:28 AM
  • Booting into DSRM resulted in not being able to log in with domain accounts.

    "There are currently no logon servers available to service the logon request."

    Tuesday, May 2, 2017 6:35 AM
  • So it seems there is some other issue as well. Have you verified that DNS is working as expected? Is this the same behavior in Safe Mode as well? Do you see any error in the dcdiag /v output?
    Wednesday, May 3, 2017 9:06 AM
  • First of all thank you all for your replies.

    dcdiag /v returned all checks "passed".

    Safe mode returns the same "invalid password" error message.

    Wednesday, May 3, 2017 1:37 PM
  • Can you post the complete dcdiag output?

    Also, what do you see in the Application, System, Security and DS event logs when you get the error message while logging in?

    Friday, May 5, 2017 9:55 AM
  • In the Security log there are "audit failure" entries with the following Failure Information:

    Failure Reason: Unknown user name or bad password
    Status: 0xC000006D
    Sub Status: 0xC0000064

    dcdiag:

    Directory Server Diagnosis
    
    
    Performing initial setup:
    
       Trying to find home server...
    
       * Verifying that the local machine dc, is a Directory Server. 
       Home Server = dc
    
       * Connecting to directory service on server dc.
    
       * Identified AD Forest. 
       Collecting AD specific global data 
       * Collecting site info.
    
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded 
       Iterating through the sites 
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
       Getting ISTG and options for the site
       * Identifying all servers.
    
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers 
       Getting information for the server CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx 
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
    
       * Found 2 DC(s). Testing 1 of them.
    
       Done gathering initial info.
    
    
    Doing initial required tests
    
       
       Testing server: Default-First-Site-Name\DC
    
          Starting test: Connectivity
    
             * Active Directory LDAP Services Check
             Determining IP4 connectivity 
             * Active Directory RPC Services Check
             ......................... DC passed test Connectivity
    
    
    
    Doing primary tests
    
       
       Testing server: Default-First-Site-Name\DC
    
          Starting test: Advertising
    
             The DC DC is advertising itself as a DC and having a DS.
             The DC DC is advertising as an LDAP server
             The DC DC is advertising as having a writeable directory
             The DC DC is advertising as a Key Distribution Center
             The DC DC is advertising as a time server
             The DS DC is advertising as a GC.
             ......................... DC passed test Advertising
    
          Test omitted by user request: CheckSecurityError
    
          Test omitted by user request: CutoffServers
    
          Starting test: FrsEvent
    
             * The File Replication Service Event log test 
             There are warning or error events within the last 24 hours after the
    
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
    
             Group Policy problems. 
             A warning event occurred.  EventID: 0x80003509
    
                Time Generated: 05/16/2017   15:40:43
    
                Event String:
    
                File Replication Service (FRS) is deprecated. To continue replicating the SYSVOL folder, you should migrate to DFS Replication by using the DFSRMIG command.  
    
                 
    
                If you continue to use FRS for SYSVOL replication in this domain, you might not be able  to add domain controllers running a future version of Windows Server. 
    
                
    
             ......................... DC passed test FrsEvent
    
          Starting test: DFSREvent
    
             The DFS Replication Event Log. 
             Skip the test because the server is running FRS.
    
             ......................... DC passed test DFSREvent
    
          Starting test: SysVolCheck
    
             * The File Replication Service SYSVOL ready test 
             File Replication Service's SYSVOL is ready 
             ......................... DC passed test SysVolCheck
    
          Starting test: KccEvent
    
             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
             ......................... DC passed test KccEvent
    
          Starting test: KnowsOfRoleHolders
    
             Role Schema Owner = CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
             Role Domain Owner = CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
             Role PDC Owner = CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
             Role Rid Owner = CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
             ......................... DC passed test KnowsOfRoleHolders
    
          Starting test: MachineAccount
    
             Checking machine account for DC DC on DC DC.
             * SPN found :LDAP/dc.xxxxxx.xxxxxxxx.xxx.xx.xx/xxxxxx.xxxxxxxx.xxx.xx.xx
             * SPN found :LDAP/dc.xxxxxx.xxxxxxxx.xxx.xx.xx
             * SPN found :LDAP/DC
             * SPN found :LDAP/dc.xxxxxx.xxxxxxxx.xxx.xx.xx/ADMIN
             * SPN found :LDAP/c291cede-f998-4c6c-b6b3-70804af3e3ae._msdcs.xxxxxx.xxxxxxxx.xxx.xx.xx
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/c291cede-f998-4c6c-b6b3-70804af3e3ae/xxxxxx.xxxxxxxx.xxx.xx.xx
             * SPN found :HOST/dc.xxxxxx.xxxxxxxx.xxx.xx.xx/xxxxxx.xxxxxxxx.xxx.xx.xx
             * SPN found :HOST/dc.xxxxxx.xxxxxxxx.xxx.xx.xx
             * SPN found :HOST/DC
             * SPN found :HOST/dc.xxxxxx.xxxxxxxx.xxx.xx.xx/ADMIN
             * SPN found :GC/dc.xxxxxx.xxxxxxxx.xxx.xx.xx/xxxxxx.xxxxxxxx.xxx.xx.xx
             ......................... DC passed test MachineAccount
    
          Starting test: NCSecDesc
    
             * Security Permissions check for all NC's on DC DC.
             * Security Permissions Check for
    
               DC=ForestDnsZones,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
                (NDNC,Version 3)
             * Security Permissions Check for
    
               DC=DomainDnsZones,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
                (NDNC,Version 3)
             * Security Permissions Check for
    
               CN=Schema,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
                (Schema,Version 3)
             * Security Permissions Check for
    
               CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
                (Configuration,Version 3)
             * Security Permissions Check for
    
               DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
                (Domain,Version 3)
             ......................... DC passed test NCSecDesc
    
          Starting test: NetLogons
    
             * Network Logons Privileges Check
             Verified share \\DC\netlogon
             Verified share \\DC\sysvol
             [DC] User credentials does not have permission to perform this
    
             operation.
    
             The account used for this test must have network logon privileges
    
             for this machine's domain.
    
             ......................... DC failed test NetLogons
    
          Starting test: ObjectsReplicated
    
             DC is in domain DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
             Checking for CN=DC,OU=Domain Controllers,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx in domain DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx in domain CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx on 1 servers
                Object is up-to-date on all servers.
             ......................... DC passed test ObjectsReplicated
    
          Test omitted by user request: OutboundSecureChannels
    
          Starting test: Replications
    
             * Replications Check
             [Replications Check,DC] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
    
             error 0x2105 "Replication access was denied."
    
             ......................... DC failed test Replications
    
          Starting test: RidManager
    
             * Available RID Pool for the Domain is 18600 to 1073741823
             * dc.xxxxxx.xxxxxxxx.xxx.xx.xx is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 18100 to 18599
             * rIDPreviousAllocationPool is 18100 to 18599
             * rIDNextRID: 18137
             ......................... DC passed test RidManager
    
          Starting test: Services
    
             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
                Could not open NTDS Service on DC, error 0x5 "Access is denied."
    
             * Checking Service: DnsCache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... DC failed test Services
    
          Starting test: SystemLog
    
             * The System Event log test
             An error event occurred.  EventID: 0x00002720
    
                Time Generated: 05/17/2017   14:46:13
    
                Event String:
    
                The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
    
                {8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
    
                 and APPID 
    
                {F72671A9-012C-4725-9D2F-2A4D32D65169}
    
                 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
    
             ......................... DC failed test SystemLog
    
          Test omitted by user request: Topology
    
          Test omitted by user request: VerifyEnterpriseReferences
    
          Starting test: VerifyReferences
    
             The system object reference (serverReference)
    
             CN=DC,OU=Domain Controllers,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
    
             and backlink on
    
             CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
    
             are correct. 
             The system object reference (serverReferenceBL)
    
             CN=DC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
    
             and backlink on
    
             CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
    
             are correct. 
             The system object reference (frsComputerReferenceBL)
    
             CN=DC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
    
             and backlink on
    
             CN=DC,OU=Domain Controllers,DC=xxxxxxx,DC=xxxxxxxx,DC=xxxh,DC=xx,DC=xx
    
             are correct. 
             ......................... DC passed test VerifyReferences
    
          Test omitted by user request: VerifyReplicas
    
       
          Test omitted by user request: DNS
    
          Test omitted by user request: DNS
    
       
       Running partition tests on : ForestDnsZones
    
          Starting test: CheckSDRefDom
    
             ......................... ForestDnsZones passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... ForestDnsZones passed test
    
             CrossRefValidation
    
       
       Running partition tests on : DomainDnsZones
    
          Starting test: CheckSDRefDom
    
             ......................... DomainDnsZones passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... DomainDnsZones passed test
    
             CrossRefValidation
    
       
       Running partition tests on : Schema
    
          Starting test: CheckSDRefDom
    
             ......................... Schema passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... Schema passed test CrossRefValidation
    
       
       Running partition tests on : Configuration
    
          Starting test: CheckSDRefDom
    
             ......................... Configuration passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... Configuration passed test CrossRefValidation
    
       
       Running partition tests on : admin
    
          Starting test: CheckSDRefDom
    
             ......................... admin passed test CheckSDRefDom
    
          Starting test: CrossRefValidation
    
             ......................... admin passed test CrossRefValidation
    
       
       Running enterprise tests on : xxxxxx.xxxxxxxx.xxx.xx.xx
    
          Test omitted by user request: DNS
    
          Test omitted by user request: DNS
    
          Starting test: LocatorCheck
    
             GC Name: \\dc.xxxxxx.xxxxxxxx.xxx.xx.xx
    
             Locator Flags: 0xe001f1fd
             PDC Name: \\dc.xxxxxx.xxxxxxxx.xxx.xx.xx
             Locator Flags: 0xe001f1fd
             Time Server Name: \\dc.xxxxxx.xxxxxxxx.xxx.xx.xx
             Locator Flags: 0xe001f1fd
             Preferred Time Server Name: \\dc.xxxxxx.xxxxxxxx.xxx.xx.xx
             Locator Flags: 0xe001f1fd
             KDC Name: \\dc.xxxxxx.xxxxxxxx.xxx.xx.xx
             Locator Flags: 0xe001f1fd
             ......................... xxxxxx.xxxxxxxx.xxx.xx.xx passed test
    
             LocatorCheck
    
          Starting test: Intersite
    
             Skipping site Default-First-Site-Name, this site is outside the scope
    
             provided by the command line arguments provided. 
             ......................... xxxxxx.xxxxxxxx.xxx.xx.xx passed test
    
             Intersite
    
    

    Wednesday, May 17, 2017 1:06 PM
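The Status and Sub Status values in the audit failure above are NTSTATUS codes, and the Sub Status is the informative one: 0xC000006A is a wrong password, whereas 0xC0000064 (STATUS_NO_SUCH_USER) means the logon path could not find the user name at all, which is a different failure from a bad password even though both surface as "invalid password" in the RDP client. As an added example that is not code from the thread or from any of its participants, the script below pulls the 4625 events for one account from the Security log, decodes those codes, and then shows the identity attributes the logon path resolves (sAMAccountName, the RID, userAccountControl, lockout and password state). It assumes it runs elevated on the DC with the RSAT ActiveDirectory module, and that the account is "Administrator" (the `$Target` variable and the function names are this example's own).

```powershell
# Added example, not code from the thread: list the Security-log logon failures (event 4625) for one
# account and decode the NTSTATUS values in the Status / Sub Status fields, so "wrong password" can be
# told apart from "no such user", lockout or account restrictions; then show the identity attributes
# the logon path depends on. Assumptions: run elevated on the DC with the RSAT ActiveDirectory
# module; the account of interest is "Administrator" (change $Target as needed).
Import-Module ActiveDirectory

$Target = 'Administrator'

# Well-known NTSTATUS values that appear in the Status / Sub Status fields of event 4625.
$NtStatus = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE (generic; see Sub Status)'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD (user name correct, password not)'
    '0xC0000064' = 'STATUS_NO_SUCH_USER (user name does not exist)'
    '0xC000006E' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Hashtable keys are case-insensitive, so the lowercase hex the event log writes still matches.
function Get-StatusText {
    param([string]$Code)
    if ($NtStatus.ContainsKey($Code)) { "$Code $($NtStatus[$Code])" } else { $Code }
}

# Pulls 4625 events for the target account and decodes the failure codes.
function Get-LogonFailure {
    param([string]$TargetUserName, [int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $TargetUserName) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']
            Status      = (Get-StatusText -Code $data['Status'])
            SubStatus   = (Get-StatusText -Code $data['SubStatus'])
        }
    }
}

# If Sub Status is 0xC0000064 although the object exists, compare what the directory holds for the
# attributes the logon path resolves: sAMAccountName, RID 500, userAccountControl, lockout, pwdLastSet.
function Get-LogonIdentityAttributes {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, pwdLastSet, lockoutTime, badPwdCount
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        UserPrincipalName  = $u.UserPrincipalName
        RID                = $u.SID.Value.Split('-')[-1]      # 500 for the built-in Administrator
        UserAccountControl = ('0x{0:X}' -f [int]$u.userAccountControl)
        PwdLastSet         = [datetime]::FromFileTime([int64]$u.pwdLastSet)
        LockoutTime        = [int64]$u.lockoutTime
        BadPwdCount        = $u.badPwdCount
    }
}

Get-LogonFailure -TargetUserName $Target | Format-Table -AutoSize
Get-LogonIdentityAttributes -SamAccountName $Target | Format-List
```

Reading the two outputs side by side is the point: a run of 0xC0000064 sub-statuses for an account whose `Get-ADUser` lookup succeeds, whose RID is 500 and whose userAccountControl shows it enabled, points at the account object rather than at the password, which is consistent with the thread's suspicion that the repaired database left the object inconsistent.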
  • What account did you use to run dcdiag? And did you run this command in normal mode or in DSRM?

    I strongly feel that the AD database on this DC is in a corrupted state.

    Can you follow the registry fix mentioned in this forum and let us know the result?

    https://social.msdn.microsoft.com/Forums/en-US/08cc77ad-6ba5-496a-8bd8-45ed05129b42/authentication-logon-failure-0xc000006d?forum=sqlreportingservices

    The error code is similar to what we get here.

    Make sure you take both a system state and a registry backup before proceeding with the change.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Thursday, May 18, 2017 5:51 AM