AD 2003 Adv Server - Access Denied Problem - Please Help

By FiremonkeyNV
Thanks for helping me out with this problem. I work for a small company that hired me as IS Manager. They recently implemented a new version of their AD server. I was hired to manage their IIS servers and I am not as familiar with AD. The original AD server (2000) also served as the main Domain Controller without problems for several years. Like I said, I am more familiar with IIS than AD.

The original server was running Win2000 Adv Server for several years as an Active Directory/Domain Controller. We decided to rebuild the computer using Win 2003 Ent Server. Hard drives were all reformatted. The server runs RAID 5. After the server was rebuilt I replicated the DNS server lookup zones manually first. Then I implemented Active Directory. Following are the steps I took to implement AD.

1. After implementing AD on the new server I embedded all the network machines (all containing their own IP number - not NAT numbers).

2. I noticed that the tabs that display the computer operating system in AD were all blank, whereas they were all displayed under the old Win2000 server.

3. Another forum user told me to re-assign the SIDs by clicking on the Network Identification button on each computer. This caused AD to recognize the machine on the network.

4. Each computer logs into the network with the administrator account. Each computer already had a "Documents & Settings" account labeled "Administrator.CFSAC". However, after logging in using the new AD, each computer created a new "Doc & Settings" account labeled "Administrator.CFSAC.000".

5. After these steps were taken, the website files on the Web server could not be modified through programs such as Dreamweaver CS3, which threw the error message: "Access Denied".

6. I went directly onto the Web server and made sure the "Administrator" had "full" permissions on the files and folders.

7. This did not work. The administrator still had no permissions to modify the files.

8. I can access the files through "My Network Places" and can create a network share, but with "read" only access. I cannot even create a new folder.

9. I then began to deduce that the computers were logging into the network using the "Administrator.CFSAC.000" account rather than the old "Administrator.CFSAC" account. So I implemented the following procedure:

a. I logged into the computer as the computer's administrator account.

b. I copied all of the "Administrator.CFSAC" files, then deleted both the "Administrator.CFSAC" and "Administrator.CFSAC.000" accounts.

c. Then I demoted the computer to "Workgroup."

d. I then logged into the computer and joined it to the domain. The network user name/password window opened and I entered the user name "administrator" and password. This generated a "Welcome to CFSAC.COM domain" message. Success.

e. Then I re-logged into the network using the network's Administrator account, which created an account in "Docs & Settings" labelled "Administrator.CFSAC".

f. I then logged out of the computer and re-logged in as the computer's "administrator" account.

g. I then copied all the old "Administrator.CFSAC" account files into the new "Administrator.CFSAC" account. However, this did not work.

Since I had completely re-programmed each individual computer without result, I am assuming the problem stems from Active Directory. Since AD is so complex I am not sure where to turn next. Does the problem stem from Group Policies, or is there an AD database that could have become corrupt due to so many changes on the network computers? Could the problem be a combination of these along with a SID problem? I am just not sure. The problem of "no file modification rights" seems to have begun right after I ran the "Network Identification" applet on each computer so that AD could recognize the computer.

At this stage I don't want to start digging around in AD until I know what I am doing. I could make the problem worse than it is. I joined several AD forums online, but most of the advice I have gotten from them is sketchy and I don't have a lot of faith in what I am being told.

Thanks in advance, my name is Rick


All Answers


You shouldn't have

by cmiller5400 In reply to AD 2003 Adv Server- Acces ...

Just smoked the old domain like that without expecting HUGE issues.

All the problems you describe stem from the fact that you simply wiped the domain from existence. You did start off right by rejoining each PC to the new domain.

To regain control of files, you will need to log in to the workstation as the local administrator and "take ownership" of the files. If they were encrypted, say bye-bye to them unless you have a backup of the private key for the user that encrypted them.

The Documents and Settings issues are normal. The workstation's local machine will have an account called Administrator or Administrator.MachineName, and the Domain admin account could be called Administrator or Administrator.DomainName (this depends on whether the domain admin logged in before the local admin; whichever comes first gets the "Administrator" account name, the other is stuck using administrator.blah).

AD can be complex, but it looks like you don't have a general knowledge of it, so I suggest that you read the series for the MCSA to gain a better knowledge (the first book will go miles to help you understand basic account management).

Next time don't be so quick to jump the gun on wiping a domain. Upgrading may make more sense...

Edit: Users should NEVER use the Domain Admin account nor have knowledge of its password.


to: cmiller5400

by FiremonkeyNV In reply to You shouldn't have

You are correct. I do not have a good knowledge of AD. But I have no choice; I have to figure it out. You asked: "You did start off right by rejoining each PC to the new domain?" Yes, I did. However, that did not work either. The original system was rebuilt from a Win2000 AD server that got a virus. The company (before I was hired) rebuilt the server using Win2003, and the outgoing person set up AD and DNS then left. Everything else works except file modification rights. Now I am left to figure out what is wrong. Should I demote the server and simply start over? Any other advice you have would be most helpful. -Rick

P.S. From what I can ascertain, the former employee elected to rebuild the server due to a virus that they could not get rid of. Win 2000 Adv Server was open to the virus whereas 2003 was not. I assume that was their reasoning. All server files are backed up nightly. So, even after the new server's AD and DNS were loaded, what "should" have taken place next with regard to the computers on the network?


{shakes head}

by cmiller5400 In reply to to: cmiller5400

Isn't it always the case that you get left with a big pile of you-know-what to clean up?

Have you tried taking ownership of the files then re-applying the correct security?

PS: I didn't mean to insult with stating you didn't have a knowledge of it, just trying to point out a good book. My wording can be slightly off sometimes. Sorry if any offense was taken. I edited my post to clarify...
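The two steps cmiller5400 describes above (take ownership as the local administrator, then re-apply the correct security) can be scripted. What follows is an added example written for this page, not code from either poster. It assumes a hypothetical site folder `D:\Websites`, a hypothetical group `CFSAC\Web Admins` in the new domain that should replace the old domain's dead SIDs, and a hypothetical helper named `Test-OrphanedIdentity`; it must be run elevated as a local administrator on the web server. Without `-Apply` it only reports what it would change.

```powershell
<#
Added example, not from the thread. Assumptions (hypothetical):
  -Root          folder holding the site files, e.g. D:\Websites
  -NewPrincipal  account/group in the new domain that replaces orphaned ACEs
Run elevated as a local administrator. Without -Apply it only reports.
#>
param(
    [string]$Root = 'D:\Websites',
    [string]$NewPrincipal = 'CFSAC\Web Admins',
    [switch]$Apply
)

# True when an ACE identity no longer maps to any account. After the old domain
# was wiped, its SIDs (S-1-5-21-...) still sit in the DACLs but resolve to nothing.
function Test-OrphanedIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        [void]$Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

# Step 1: take ownership of the whole tree. takeown.exe ships with Windows
# Server 2003 and later: /A assigns ownership to the Administrators group
# instead of the caller, /R recurses, /D Y answers the prompt for folders
# the caller cannot currently list.
if ($Apply) {
    & takeown.exe /F $Root /R /A /D Y | Out-Null
}

# Step 2: replace every explicit ACE held by an orphaned SID with an equivalent
# ACE for the new principal. Inherited ACEs are left alone; fixing the parent
# fixes them.
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$report = foreach ($item in $items) {
    if ($null -eq $item) { continue }

    # EFS-encrypted files stay unreadable without the encrypting user's private
    # key no matter what the DACL says, so report them and skip.
    if (($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) {
        [pscustomobject]@{ Path = $item.FullName; Identity = '(EFS)'; Action = 'skipped: needs old EFS private key' }
        continue
    }

    $acl = Get-Acl -LiteralPath $item.FullName
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }
        if (-not (Test-OrphanedIdentity $ace.IdentityReference)) { continue }

        # Same rights, inheritance, propagation and Allow/Deny type; new identity.
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $NewPrincipal, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.RemoveAccessRuleSpecific($ace)
        $acl.AddAccessRule($replacement)
        $changed = $true

        [pscustomobject]@{
            Path     = $item.FullName
            Identity = $ace.IdentityReference.Value
            Action   = "-> $NewPrincipal ($($ace.FileSystemRights), $($ace.AccessControlType))"
        }
    }
    if ($changed -and $Apply) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

$report | Format-Table -AutoSize
```

Run it once without `-Apply` and read the report: every `S-1-5-21-...` identity it lists is an ACE from the dead domain, and that list is the real answer to "why does Administrator have no rights". If the report is empty but writes still fail, the DACL is not the problem and the share permissions or the owner field need a look instead. The script needs PowerShell 3 for `[pscustomobject]`; on a Windows Server 2003 box the blunter equivalent is `takeown.exe /F D:\Websites /R /A` followed by `icacls D:\Websites /reset /T`, which throws away all explicit ACEs (including any you still wanted) rather than translating them.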


No offense taken...answer to your question...

by FiremonkeyNV In reply to {shakes head}

Yes, I did attempt to take ownership. I have been consulting several books I bought to try and solve the problem, one of which is O'Reilly's "Windows Server 2003", 2nd Ed. However, these publications don't go into detail with regard to troubleshooting; they are more about what to do to set up an AD/DC server.

What if I completely start over and rebuild the AD/DC server? What would I need to do with regard to the computers already joined to the domain?
