Not able to logon

By Rabbit_Runner ·
Here is our setup

Windows 2000 AD domain - 2 Domain controllers
A. 1 forest - 1 domain
B. Domain in 'mixed mode' with 3-NT4 BDC's
C. 350 workstations - NT4 and Win 2000 Pro
D. Problem - most (but not all) of our NT4 workstations can log on to the
domain
This has been an on-going issue for several weeks with very few
workstations. To resolve this issue, we used the LMHOSTS file to point the
workstation to the PDC emulator. However, now there is a major problem and
the LMHOSTS file will not resolve the issue.
E. Error at logon...."System cannot log you on to the domain because the
systems computer account in its primary domain is missing or the password on
that account is incorrect."
F. We have removed the workstations from the domain multiple times, and then
rejoined. There is no problem to join the domain and upon reboot and logon,
we receive the exact same message.
G. all domain controllers are synchronized

Additional information on the workstations..... For the following, we have tried multiple combinations of settings.
1. LMHOSTS file which points to the PDC
2. HOSTS file pointing to the domain
3. WINS is correct
4. WINS database has correct entries

Error logs and test results
5. At netlogon receive event log error
Event ID 3210 <Failed to authenticate with \\PDC, a Windows NT
domain controller for domain <domain>
(have tried KB article 259736 and setting is already there)

Not able to logon

by Rabbit_Runner In reply to Not able to logon

6. tried the NETDOM utility.
computer was successfully rejoined to the domain
Then tested the connection with a query and received.....
NETDOM Query \\<computername>
Querying domain information in computer <computername>
Computer \\<computername> is a member of the <domain>
Found PDC <PDC>
Connecting to \\<PDC>
access is denied
7. Used the NLTEST tool
NLTEST /SC_QUERY:<DOMAIN>
Flags 0
Connection Status = 5 0x5 ERROR_ACCESS_DENIED
Trusted DC Name
Trusted DC connection status = 5 0x5 ERROR_ACCESS_DENIED
8. Another event log entry for the security of the workstation.
Event ID 537
An unexpected error occurred during logon
username administrator
domain <domain>
Logon type 2
Logon Process User32
Authentication package = MS_AUTH_PACK_V1_0

We have major work-stoppage. Any help will be appreciated

Michael R.
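
An added example, not part of the original thread: a small Python triage of NLTEST /SC_QUERY output collected from several workstations, in the line format quoted in the post above. Host names, the DC name and the sample text are constructed, and the "same code on several hosts points at the domain controllers" rule is an assumed heuristic.

```python
import re
from collections import defaultdict

# Win32 status codes often returned when a member's secure channel is broken.
MEANING = {
    0: "secure channel healthy",
    5: "ERROR_ACCESS_DENIED: DC refused the machine account credentials",
    1311: "ERROR_NO_LOGON_SERVERS: no domain controller reachable",
    1787: "ERROR_NO_TRUST_SAM_ACCOUNT: no machine account on the DC",
    1789: "ERROR_TRUSTED_RELATIONSHIP_FAILURE: trust relationship failed",
}
# Anchored at line start so the "Trusted DC connection status" line is skipped.
STATUS_RE = re.compile(r"^Connection Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+", re.I | re.M)
DC_RE = re.compile(r"^Trusted DC Name[ \t]*(\S*)", re.I | re.M)

def parse_sc_query(text):
    """Return (win32_code, trusted_dc) from one NLTEST /SC_QUERY output."""
    status = STATUS_RE.search(text)
    if status is None:
        raise ValueError("no 'Connection Status' line found")
    dc = DC_RE.search(text)
    return int(status.group(1)), (dc.group(1) if dc and dc.group(1) else None)

def triage(outputs):
    """Group workstations by failure code; return (healthy, findings)."""
    failing, healthy = defaultdict(list), []
    for host, text in outputs.items():
        code, _dc = parse_sc_query(text)
        if code == 0:
            healthy.append(host)
        else:
            failing[code].append(host)
    findings = []
    for code, hosts in sorted(failing.items()):
        # Heuristic (assumption): one code on several hosts points at the DC side.
        scope = "check domain controllers" if len(hosts) > 1 else "check this workstation"
        findings.append((code, sorted(hosts), scope, MEANING.get(code, "unmapped code")))
    return sorted(healthy), findings

# Constructed sample output; host and DC names are placeholders.
BROKEN = ("Flags 0\nConnection Status = 5 0x5 ERROR_ACCESS_DENIED\n"
          "Trusted DC Name\nTrusted DC connection status = 5 0x5 ERROR_ACCESS_DENIED\n")
HEALTHY = ("Flags 0\nConnection Status = 0 0x0 NERR_Success\n"
           "Trusted DC Name \\\\PDC1\nTrusted DC connection status = 0 0x0 NERR_Success\n")
SAMPLES = {"WS01": BROKEN, "WS02": BROKEN, "WS03": HEALTHY}

if __name__ == "__main__":
    healthy, findings = triage(SAMPLES)
    print("healthy:", healthy)
    for code, hosts, scope, meaning in findings:
        print(f"{code}: {hosts} -> {scope} ({meaning})")
```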

Not able to logon

by Joseph Moore In reply to Not able to logon

Well, there's also Technet article 249828, which says to just export the entire HKEY_LOCAL_MACHINE\Software\Microsoft\RPC branch from the Registry on a working NT machine, and import the whole thing into one of your non-working machines. So, give that a shot. Here is the URL for the article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;249828
(please remove any spaces)

Now, I do have to ask, are you absolutely certain that all of your NT BDCs are synchronizing with the Win2K AD PDC Emulator correctly?
Because I fear that what is happening is the password that each domain member has (a hidden password that is maintained by the systems themselves) is getting out of synch between all of your BDCs.
So, if the Registry fix does not do it, try this. Shut down ALL of the BDCs. Then, remove the domain machine account for one of your broken NT workstations.
Then, add the workstation back into the domain.
THEN, see if the workstation can log into the domain.


THEN turn on the BDCs one at a time, and synchronize the domain.
Continue until all BDCs are on and synchronizing is (hopefully) working correctly.
Keep rebooting the workstation and have it log in after each BDC is on and synchronized. See if it ever loses log in ability.
If it does, then you will know which BDC is having a problem.

hope this helps

Not able to logon

by Rabbit_Runner In reply to Not able to logon

We know that the BDC's are being synchronized because in the event logs we see the entries that information is updated to the SAM. Also we did not try your final suggestion because of our pressing need to find the solution. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

Not able to logon

by col1n In reply to Not able to logon

I am guessing you have just increased the amount of users, and the problem is not the same workstations but only the last ones to log on in any session. (Suck eggs) but do you have enough licences set? Just a shot in the dark, maybe.

Not able to logon

by Rabbit_Runner In reply to Not able to logon

Licenses are not the problem. We have ample licenses. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

Not able to logon

by NetTek In reply to Not able to logon

Have you tried the following kb articles?
162797
263108
293127
259736
250877
175024

Not able to logon

by Rabbit_Runner In reply to Not able to logon

None of these articles were any help. Those that were not implemented, we tried and had no success. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

Not able to logon

by Curious_George In reply to Not able to logon

When you remove an NT4 workstation from a domain, you must put it into a workgroup and reboot.

After the reboot you add it back to the domain, and reboot again.

Without both reboots you are not actually adding it to the domain properly, because the workstation account password does not sync.

Not able to logon

by Rabbit_Runner In reply to Not able to logon

This is not the answer to our problem. We have repeatedly removed the workstations from the domain into a workgroup, then shut them down, brought them back up and added them to the domain, then did a reboot (many, many times). All of this did not work. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

Not able to logon

by Rabbit_Runner In reply to Not able to logon

Here is the answer to this problem. We were really under pressure and our Administration gave us permission to call Microsoft. This we did and spent about 3+ hours on the phone with two of their technicians. Here is the solution.

This is an undocumented (undocumented) problem. We were told that this is the second time that they have seen this issue. The netlogon.chg file (the spelling is correct) was corrupt on both of our domain controller servers. Thus far, there is not any Knowledge Base article to give the answer that we needed. This file is used by the netlogon service to validate user and computer logons. If it is corrupt, then 'logons' will likely be refused. I was given these two articles for replacing the file: 173882 and 275221.

Thanks for your help
