With the increasing size of modern LANs and WANs, it is not uncommon for a Windows NT network to have multiple domains. These groupings help maintain network security and make administration easier in large networks. Within this configuration, a trust relationship is usually established between the domains, which allows users to log on once and then access resources from all of them. However, this is not always possible, and some NT workstations may be forced to log on again when moving between domains. Each such workstation needs a computer account in the domain, so that at each logon the user can choose which domain to access. Unfortunately, I have found that this operation does not always work so smoothly.

The situation
My former employer’s network consists of Windows NT 4.0 servers running Service Pack 5 (SP5), and over 3,500 workstations running either Windows 95 or NT 4.0, also with SP5. They have one domain for all of their offices in Kentucky, Texas, and California. Most users will access only this domain, but occasionally, some employees will access domains outside the network. This usually happens with contractors, who use the same machines to work both from their employer’s network and this one.

Typically, the contractor will log on to this network first, log off, and then log on to his company’s network. Everything works fine until the contractors with NT machines try to rejoin this primary domain. When they try to log on, these users find that their computer will not join the domain. They’ll get an error message stating that their account cannot be found or is invalid. This happens because when a workstation joins a domain, a security identifier (SID) is generated for it and stored in the Domain Security Accounts Manager (Domain SAM). If the computer leaves the domain, it will not be able to rejoin unless the computer account is removed and re-added. This is an NT security feature and prevents a workstation from impersonating another account with the same computer name.

The solution
To get around this, the problem computer’s account must be removed and then re-added to the domain. This is easily done from the Windows NT Server Manager and takes only a few moments. The troublesome workstation should now be able to rejoin the domain and will have a new, unique SID generated and stored in the Domain SAM. I have heard other NT administrators refer to this process as “resetting the account.” This workaround is the quickest solution I have found. A better alternative when working with multiple domains is to establish a trust relationship between them. However, with networks from two separate companies this is often difficult, if not impossible.

Bill Detwiler joined the editorial ranks of TechRepublic as the Support Republic community editor in July 2000. Bill has a B.S. in the administration of justice and is working toward a master’s degree in this field.
