General discussion

  • #2309882

    Not able to logon

    Locked

    by rabbit_runner ·

    Here is our setup

    Windows 2000 AD domain – 2 Domain controllers
    A. 1 forest – 1 domain
    B. Domain in ‘mixed mode’ with 3-NT4 BDC’s
    C. 350 workstations – NT4 and Win 2000 Pro
    D. Problem – most (but not all) of our NT4 workstations can log on to the
    domain
    This has been an on-going issue for several weeks with very few
    workstations. To resolve this issue, we used the LMHOSTS file to point the
    workstation to the PDC emulator. However, now there is a major problem and
    the LMHOSTS file will not resolve the issue.
    E. Error at logon…. “System cannot log you on to the domain because the
    systems computer account in its primary domain is missing or the password on
    that account is incorrect.”
    F. We have removed the workstations from the domain multiple times, and then
    rejoined. There is no problem to join the domain and upon reboot and logon,
    we receive the exact same message.
    G. all domain controllers are synchronized

    Additional information on the workstations….. For the following, we have tried multiple combinations of settings.
    1. LMHOSTS file which points to the PDC
    2. HOSTS file pointing to the domain
    3. WINS is correct
    4. WINS database has correct entries

    Error logs and test results
    5. At netlogon receive event log error
    EVENT ID: 3210
    (have tried KB article 259736 and setting is already there)

All Comments

    • #3467922

      Not able to logon

      by rabbit_runner ·

      In reply to Not able to logon

      6. tried the NETDOM utility.
      computer was successfully rejoined to the domain
      Then tested the connection with a query and received…..
      NETDOM Query \\
      Querying domain information in computer

      Computer \\
      is a member of the
      Found PDC Connecting to \\ access is denied
      7. Used the NLTEST tool
      NLTEST /SC_QUERY:
      Flags 0
      Connection Status = 5 0x5 ERROR_ACCESS_DENIED
      Trusted DC Name
      Trusted DC connection status = 5 0x5 ERROR_ACCESS_DENIED
      8. Another event log entry for the security of the workstation.
      Event ID: 537
      An unexpected error occured during logon
      username administrator
      domain

      Logon type 2
      Logon Process User32
      Authentication package = MS_AUTH_PACK_V1_0

      We have major work-stoppage. Any help will be appreciated

      Michael R.
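
A triage helper for the NLTEST output quoted in the post above, added here as an example and not part of the original thread: it parses saved `NLTEST /SC_QUERY` captures from several workstations and groups the machines by secure-channel status. The host names, the DC name and the success-case capture are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed captures of `NLTEST /SC_QUERY:<domain>` output, one per workstation.
# Host and DC names are invented; the failing layout mirrors the post above.
CAPTURES = {
    "WKS-A": "Flags 0\nConnection Status = 5 0x5 ERROR_ACCESS_DENIED\n"
             "Trusted DC Name\n"
             "Trusted DC connection status = 5 0x5 ERROR_ACCESS_DENIED\n",
    "WKS-B": "Flags 0\nConnection Status = 0 0x0 NERR_Success\n"
             "Trusted DC Name \\\\DC-EXAMPLE1\n"
             "Trusted DC connection status = 0 0x0 NERR_Success\n",
    "WKS-C": "Flags 0\nConnection Status = 5 0x5 ERROR_ACCESS_DENIED\n"
             "Trusted DC Name\n"
             "Trusted DC connection status = 5 0x5 ERROR_ACCESS_DENIED\n",
}

# "<label ending in status> = <decimal> <hex> <symbolic name>"
STATUS_RE = re.compile(r"^(.*status)\s*=\s*(\d+)\s+(0x[0-9a-f]+)\s+(\S+)\s*$", re.I | re.M)
# The DC name is empty when no secure channel could be set up.
DC_RE = re.compile(r"^Trusted DC Name[ \t]*(\\\\\S+)?[ \t]*$", re.I | re.M)

def parse_sc_query(text):
    """Return the trusted DC (or None) and every status line as (label, code, name)."""
    dc = DC_RE.search(text)
    statuses = []
    for label, code, hexcode, name in STATUS_RE.findall(text):
        if int(code) != int(hexcode, 16):
            raise ValueError(f"decimal/hex mismatch on line: {label}")
        statuses.append((label.strip(), int(code), name))
    if not statuses:
        raise ValueError("no status lines found; not SC_QUERY output?")
    return {"dc": dc.group(1) if dc and dc.group(1) else None, "statuses": statuses}

def classify(parsed):
    """ok = every status is 0; access_denied = any status is 5, as in the post."""
    codes = {code for _, code, _ in parsed["statuses"]}
    if codes == {0}:
        return "ok"
    return "access_denied" if 5 in codes else "other_error"

def triage(captures):
    """Group workstations by secure-channel state for a quick fleet view."""
    groups = defaultdict(list)
    for host, text in sorted(captures.items()):
        groups[classify(parse_sc_query(text))].append(host)
    return dict(groups)

if __name__ == "__main__":
    print(triage(CAPTURES))
```
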

    • #3467893

      Not able to logon

      by joseph moore ·

      In reply to Not able to logon

      Well, there’s also Technet article 249828, which says to just export the entire HKEY_LOCAL_MACHINE\Software\Microsoft\RPC branch from the Registry on a working NT machine, and import the whole thing into one of your non-working machines. So, give that a shot. Here is the URL for the article:
      http://support.microsoft.com/default.aspx?scid=kb;en-us;249828
      (please remove any spaces)

      Now, I do have to ask, are you absolutely certain that all of your NT BDCs are synchronizing with the Win2K AD PDC Emulator correctly?
      Because I fear that what is happening is the password that each domain member has (a hidden password that is maintained by the systems themselves) is getting out of synch between all of your BDCs.
      So, if the Registry fix does not do it, try this. Shut down ALL of the BDCs. Then, remove the domain machine account for one of your broken NT workstations.
      Then, add the workstation back into the domain.
      THEN, see if the workstation can log into the domain.

      THEN turn on the BDCs one at a time, and synchronize the domain.
      Continue until all BDCs are on and synchronizing is (hopefully) working correctly.
      Keep rebooting the workstation and have it log in after each BDC is on and synchronized. See if it ever loses log in ability.
      If it does, then you will know which BDC is having a problem.

      hope this helps

      • #3451956

        Not able to logon

        by rabbit_runner ·

        In reply to Not able to logon

        We know that the BDC’s are being synchronized because in the event logs we see the entries that information is updated to the SAM. Also we did not try your final suggestion because of our pressing need to find the solution. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

    • #3452069

      Not able to logon

      by col1n ·

      In reply to Not able to logon

      I am guessing you have just increased the amount of users and the problem is not the same workstations but only the last ones to log on in any session (Suck Eggs), but do you have enough licences set? Just a shot in the dark, maybe.

      • #3451957

        Not able to logon

        by rabbit_runner ·

        In reply to Not able to logon

        Licenses are not the problem. We have ample licenses. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

    • #3452042

      Not able to logon

      by nettek ·

      In reply to Not able to logon

      Have you tried the following kb articles?
      162797
      263108
      293127
      259736
      250877
      175024

      • #3451958

        Not able to logon

        by rabbit_runner ·

        In reply to Not able to logon

        None of these articles were any help. Those that were not implemented, we tried and had no success. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

    • #3451991

      Not able to logon

      by curious_george ·

      In reply to Not able to logon

      When you remove an NT4 workstation from a domain, you must put it into a workgroup and reboot.

      After the reboot you add it back to the domain, and reboot again.

      Without both reboots you are not actually adding it to the domain properly, because the workstation account password does not sync.

      • #3451959

        Not able to logon

        by rabbit_runner ·

        In reply to Not able to logon

        This is not the answer to our problem. We have repeatedly removed the workstations from the domain into a workgroup, then shut them down, brought them back up and added to the domain, then did a reboot (many, many times). All of this did not work. See the notes above for the final answer to this problem. According to Microsoft, it is an undocumented problem.

    • #3451961

      Not able to logon

      by rabbit_runner ·

      In reply to Not able to logon

      Here is the answer to this problem. We were really under pressure and our Administration gave us permissions to call Microsoft. This we did and spent about 3+ hours on the phone with two of their technicians. Here is the solution.

      This is an undocumented (undocumented) problem. We were told that this is the second time that they have seen this issue. The netlogon.chg file (the spelling is correct) was corrupt on both of our domain controller servers. Thus far, there is not any Knowledge Base article to give the answer that we needed. This file is used by the netlogon service to validate user and computer logons. If it is corrupt, then ‘logons’ will likely be refused. I was given these two articles for replacing the file. 173882 and 275221

      Thanks for your help

    • #3451955

      Not able to logon

      by rabbit_runner ·

      In reply to Not able to logon

      This question was closed by the author
