• Status: Solved

New DC....Win98 logon errors begin...

After adding a new DC, I get the message "The domain password you supplied
is not correct, or access to your logon server has been denied." on Win98
PCs. I can successfully log in with Win98 boxes provided the "new" Win2K
server isn't connected to the network. All XP boxes log in with no problems
regardless of whether the "new" server is attached or not. This is the 4th
server in my domain. It has been successfully added to the domain, and I
also have the AD running there as well. Could this be a WINS or DNS problem?
Where/what would I log or test to find the problem? I've checked and re-checked
the password... and also read several microcrap tech note pages... we all
know those are worthless... any help would be great! Thanks

-Rob
Asked by: rchace
 
Sebastien_B commented:
Hi rchace,

Could you take a look at your DC Security Eventlog (Start / Run / eventvwr.exe) and see what the detailed information is for this behavior?

Do you have the same issue if you try to log on from the Win98 with an Admin account? (Maybe a licence number related issue.)

I'd leave the DNS/WINS aside of this (the name resolution sounds good, else you would have "no dc was avail...")

Hope it can be one of the ways to solve your issue,

Seb
 
rchace (author) commented:
Hi Seb,

I checked it out... The users I have tried logging in with include regular users and administrator users (myself & Admin). Both fail to log in... same error... I checked the event viewer but am not sure what you're looking for... could you explain a little better, please? Thanks

-Rob
 
rchace (author) commented:
Here is the only event log entry that was related to my new server... it was located in the event viewer of the main server (the one with all the control).

The master browser has received a server announcement from the computer ONYX that believes that it is the master browser for the domain on transport NetBT_Tcpip_{25467D1E-02E7-48ED-A1FA. The master browser is stopping or an election is being forced.

Onyx is the name of the new server. Maybe it will help :)

-Rob
 
wyliecoyoteuk commented:
Trouble is, Win98 boxes are not secure, and Win2K hates that.

Check domain synchronisation; you may need to do it via a command line, as Win2K and NT do not necessarily synchronise automatically. Are all your DCs Win2K?
Make sure that your Win98 boxes are set to obtain user info from a domain.

Also, Win2K and XP use DNS by default, whereas Win98 uses NetBIOS.
Is your domain a DNS domain, or a NetBIOS domain?
A short-term fix might be to make the Win98 clients part of a workgroup, with the same name as the domain, as Win98 clients cannot function as domain members under Win2K.

Last idea: do you use a logon script? Some Win98 and NT logon scripts fail under Win2K.

If you want to check the exchange between client and server (and scare yourself when you realise how much info is easily trapped!), download Ethereal from www.ethereal.com and run a capture with it on your new DC while a Win98 machine is logging on.
Good luck
 
Sebastien_B commented:
Did you try to log onto your domain with an Admin account from the Win98 too? (What's the result?)
 
Sebastien_B commented:
Here's my opinion:

- Win98 unsecure? You just have to know how to secure it, and you can do some crazy things...

- Login script as the cause: the script comes AFTER the domain validation...

- DNS/NetBIOS domain: as it runs OK with the 3 other Win2K DCs (AD activated)... it cannot be the cause.

Let's brainstorm again :)))
 
MCSE-2002 commented:
Check the DNS settings on the client. They should point to the Backup DC or DC.

This has always been the problem every time I have seen that message.

Luck,
 
Sebastien_B commented:
MCSE-2002: Warning, the DNS are not always running on DCs :)
 
rchace (author) commented:
OK guys... :) I have tried logging in with both an admin and a regular user... neither one works... DNS I think is fine... logon scripts have nothing to do with it... that comes after validation like Seb said... and if I unplug the patch cable from the new DC everything works instantly... plug it back in... 98 boxes don't work... XP still works fine... I posted the error log above, Seb, if it helps... let me know if I'm not being clear... and to the guy that asked if all DCs were running Win2K Server, your answer is yes. Thanks

-Rob
 
Sebastien_B commented:
The eventlog you wrote down was not helpful, there should be a better one to rise.

You should:
- unplug the server
- clean up the 3 EventLogs on your server
- replug
- try to log on...

There should be less to sort :)

Seb
 
rchace (author) commented:
We'll clean up the logs... bounce the box... and catch the good stuff... I'll get back to you tomorrow and let you know what I have found... thanks Seb. I think we'll get somewhere... :)

-Rob
 
maehdros commented:
Check out this article:
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsbi/dsbi_add_afsl.asp

Basically, unlike 2000/XP, 98 clients don't use DNS to locate DCs; they use NetBIOS.

Make sure that the 98 clients specify your old server running WINS.

Also, browse list problems can cause 98 clients to get confused. You may want to disable Browsemaster ability on the new server. Check out:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappi.asp

Which instructs, edit the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
Set the variable MaintainServerList to No.

Cheers
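
Added example, not part of the post above or of any Microsoft tool: a Python script that scans exported event-log text for the master-browser conflict message rchace quoted earlier and reports which hosts are announcing themselves as master browser, i.e. the candidates for the MaintainServerList change. The log line layout, timestamps, the host name PDC01 and the full GUID are constructed for the example.

```python
import re
from collections import Counter

# Message text as quoted in the thread. The transport GUID may be cut short
# (as it is in the post), so the closing brace is optional.
CONFLICT_RE = re.compile(
    r"server announcement from the computer (?P<host>\S+) "
    r"that believes that it is the master browser for the domain "
    r"on transport (?P<transport>NetBT_\w+_\{[0-9A-Fa-f-]+\}?)"
)

# Constructed sample export: timestamps, PDC01 and the full GUID are made up.
MSG = ("The master browser has received a server announcement from the "
       "computer {host} that believes that it is the master browser for the "
       "domain on transport {transport}. The master browser is stopping or "
       "an election is being forced.")
FULL = "NetBT_Tcpip_{11111111-2222-3333-4444-555555555555}"
SAMPLE_LOG = [
    "2003-01-10 08:01:12 " + MSG.format(
        host="ONYX", transport="NetBT_Tcpip_{25467D1E-02E7-48ED-A1FA"),
    "2003-01-10 08:03:40 unrelated constructed entry",
    "2003-01-10 08:13:05 " + MSG.format(host="onyx", transport=FULL),
    "2003-01-10 08:20:31 " + MSG.format(host="PDC01", transport=FULL),
]


def find_conflicts(lines):
    """Return (host, transport) for every master-browser conflict message."""
    hits = []
    for line in lines:
        m = CONFLICT_RE.search(line)
        if m:
            # NetBIOS names are case-insensitive, so normalise before counting.
            hits.append((m.group("host").upper(), m.group("transport")))
    return hits


def unexpected_browsers(lines, intended):
    """Count announcements per host, skipping the intended master browsers."""
    allowed = {h.upper() for h in intended}
    counts = Counter(host for host, _ in find_conflicts(lines))
    return {h: n for h, n in counts.items() if h not in allowed}


if __name__ == "__main__":
    for host, n in unexpected_browsers(SAMPLE_LOG, ["PDC01"]).items():
        print(f"{host}: {n} conflicting announcement(s)")
```

Any host it reports that is not meant to hold the browse list is one to review against the MaintainServerList setting described above.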
 
Sebastien_B commented:
Morning Rob,

I also found this article (http://www.jsiinc.com/SUBG/TIP3100/rh3182.htm)

Here is the 1st main extract of it:
- are you using only TCP/IP on Win9x?

You can also try to get inspired by (http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20090721.html#1)

- changing the server (I guess) IP

Another try, Microsoft KB (http://support.microsoft.com/?kbid=272594)
And the last, but I think NOT THE LEAST:

(http://support.microsoft.com/default.aspx?scid=kb;en-us;152741) I think it can really be your problem

Let us know if it solves,

Seb
 
rchace (author) commented:
Thanks guys,
I'll read up on this stuff and try some things. Seb, that last article you pasted and said you think might be it... I have read and done that... but... when I did it... one of my PCs started working... then out of the blue a few minutes later quit. But thanks all for your input. I'll check these out like I said. Thanks!

-Rob
 
wyliecoyoteuk commented:
SebastienB
Nope, whatever you do, you cannot make Windows 98 secure :)
Even Microsoft admit that.

My assistant and I often come across "locked down" networks in the field, and it is surprising how easy to crack they are, especially if they have a Windows 9x client anywhere on them...

Have you got NetBIOS over TCP/IP enabled on the new DC?

The last symptom (machine works, then fails) sounds like policies being refreshed. I'd check out the policies on the new DC, and compare them to the policies on the others.
As far as I remember, Windows 9x uses a different policy manager to WinNT or 2K, and you must set up policies for Win9x machines separately.
Maybe copying the policies to the new DC will solve it.

The browse master issue is probably not relevant, although I had a similar problem with a Samba2 server that won elections, which upset XP clients.
Switching off browse master priority cured it.

Failing that, I would really suggest you try Ethereal; it is a very good tool, and will give you the info you need.


 
Sebastien_B commented:
wylie:

- Take a Win98 (by default there's no admin shares i.e. :) so good point for it)

- Apply the appropriate Policies to it (for example : deny access to windows without domain validation)

- Disable the floppy drive access (of course lock the box, to prevent HDD moves :))

- Disable the Win98 bootmenu...

Then... What will you do if you're not allowed to ? :)

For policies :
- Win9x clients should be named CONFIG.POL and Created from the Win98 version of Poledit (mandatory!)
- WinNT based clients should be named NTCONFIG.POL and of course, has to be created by an NT version of poledit.
 
wyliecoyoteuk commented:
Sebastien_B
Depends on how determined you are. I once thought policies were enough...

Whatever you do... Win9x is extremely vulnerable (so is any version of windoze, but I digress).

Once you get a command line (8-10 different methods, apparently, and only 2 require a floppy disk), forget your security. All you need is a .pwl or a local cache file and you are in.

I know this from bitter experience, which is why, 2 yrs ago, I moved most of my home network servers to Linux and Samba, and my clients to NT (although I now regret that, in some ways).

You obviously believe in windoze security.

Just run a packet sniffer (e.g. Ethereal) on a laptop connected to any hub or switch node, and wake up to how weak the security is.

I run networks for my company, but we also install network print/scanner/scanrouter/emailrouting/faxrouting/fax solutions for customers.
I try to keep a straight face when installing on existing windoze networks, and I always ask for an admin to log me in :)

Your network is as safe as your best firewall rules, and as vulnerable as your weakest user :( (Plus there are many hacker tools out there that will give you an admin password.)

I once was as sure as you about my security, but I learned the hard way, by having someone (an ex-employee) attack my databases.

I now run everything in-house on secure server platforms (i.e. no Microsoft)

 
rchace (author) commented:
I know about that... but no one in my server is that smart... ;0

-Rob
 
Sebastien_B commented:
Willy:

.pwl are really the 1st thing a good Admin should have disabled :)

Rob:

Did the check for Everyone in the Access from Network right change anything?
 
rchace (author) commented:
Well, here it is... reloaded the box with a flat version of 2K Server... problem still existed... turned off all the services... it works... haven't bothered to check which one it is...
 
Sebastien_B commented:
Hi rchace,

I found that using QOS services without any implemented QOS policy on your network is often causing network connection troubles.
 
rchace (author) commented:
Seb,

Thanks... but no thanks man... that's not the problem... I'll keep trying and let you know... got any more ideas? Thanks

-Rob
 
rchace (author) commented:
Well guys, here it is... it was the main DC assigning WINS server... when the new 2K server was attached... the problem has been fixed.

-Rob
 
CleanupPing commented:
rchace:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
 
juliancrawford commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ with points refunded

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer
 
Computer101 commented:
PAQed, with points refunded (75)

Computer101
E-E Admin