?
Solved

New DC....Win98 logon errors begin...

Posted on 2003-03-26
26
Medium Priority
?
330 Views
Last Modified: 2010-03-19
After adding a new DC, I get the message "The domain password you supplied
is not correct, or access to your logon server has been denied." on Win98
pc's. I can successfully login with Win98 boxes provided the "new" Win2K
server isn't connected to the network. All XP boxes login with no problems
regardless of whether the "new" server is attached or not. This is the 4th
server in my domain. It has been successfully added to the domain, and I
also have the AD running there as well. Could this be a WINS or DNS problem?
Where/what would I log or test to find problem? I've checked and re-checked
the password....and also read several microcrap tech note pages......we all
know those are worthless....any help would be great!!!!  Thanks

-Rob
0
Comment
Question by:rchace
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 9
  • 3
  • +5
26 Comments
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8213859
Hi rchace,

Could you take a look at your DC Security Eventlog (Start / Run / eventvwr.exe), and see what's the detailled informations for this behavior ?

Do you have the same issue if you try to logon from the Win98 with an Admin account ? (maybe a licence number related issue)

I'd leave the DNS/WINS aside of this (the name resolutions sounds good, else you would have "no dc was avail...")

Hope it can be one of the way to solve your issue,

Seb
0
 

Author Comment

by:rchace
ID: 8213987
Hi Seb,

I check it out....the user i have tried loging in with include regular users and administrator users(myself & Admin) Both fail to login....same error....i check the event viewer but not sure what your looking for....could you explain a little better plz. Thanks

-Rob
0
 

Author Comment

by:rchace
ID: 8214033
here is the only event log that was relatedto my new server......it was located in the event viewer of the main server(the one with all the control).

The master browser has received a server announcement from the computer ONYX that believes that it is the master browser for the domain on transport NetBT_Tcpip_{25467D1E-02E7-48ED-A1FA. The master browser is stopping or an election is being forced.

Onxy is the name of the new server.  Maybe it will help :)

-Rob
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 21

Expert Comment

by:wyliecoyoteuk
ID: 8214061
Trouble is, win98 boxes are not secure, and win2k hates that.

Check domain synchronisation, you may need to do it via a command line, as win2k and NT do not necessarily synchronise automatically. Are all your DCs win2k?
Make sure that your win98 boxes are set to obtain user info from a domain.

Also, win2k and xp use dns by default, whereas win98 uses netbios.
Is your domain a dns domain, or a netbios domain?
A short term fix might be to make the win98 clients part of a workgroup, with the same name as the domain, as win98 clients cannot function as domain members under win2k.
 
last idea: do you use a logon script? some win98 and nt logon scripts fail under win2k.

If you want to check the exchange between client and server, ( and scare yourself when you realise how much info is easily trapped !)
download Ethereal from www.ethereal.com, and run capture on it on your new DC while a win98 machine is logging on.
good luck
0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8214069
Did you try to log onto your domain with an Admin account from the Win98 too ? (what's the result)
0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8214101
Here's my opinion :

- Win98 unsecure ? Just have to know how to secure it, and you can do some crazy things...

- login script cause : script comes AFTER the domain validation...

- DNS/netbios domain : as it run OK with the 3 other Win2K DC (AD activated)... it cannot be the cause.

Let's brain storm us again :)))
0
 
LVL 2

Expert Comment

by:MCSE-2002
ID: 8214218
check the dns settings on the client. They should point to Backup DC or DC.

This has always been the problem every time I have seen that message.

Luck,
0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8214241
MCSE-2002 : Warning, the DNS are not always running on DCs :)
0
 

Author Comment

by:rchace
ID: 8214333
ok guys.... :)   I have tried logging in with both an admin and regular user.....neither one works....dns i think is fine...logon scripts have nothing to do with it....that comes after validation like seb said.....and if i unplug the patch cable from the new dc everything works instantly....plug it back in.....98 boxes dont work.....xp still works fine.......i posted the error log above seb if it helps.......let me know if im not being clear......and the guy that ask if all dc's were running win2kserver your answer is yes. Thanks

-Rob
0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8214402
The eventlog you wrote down was not helpful, there should be a better one to rise.

You should :
- unplug the server
- cleanup the 3 EventLogs on your server
- replug
- try to log ...

There should be less to sort :)

Seb
0
 

Author Comment

by:rchace
ID: 8214732
We'll clean up the logs....bounce the box....and catch the good stuff....ill get back to you tomarrow and let you know what i have found....thanks Seb.  I think we'll get somewhere.... :)

-Rob
0
 
LVL 2

Expert Comment

by:maehdros
ID: 8215777
Check out this article:
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsbi/dsbi_add_afsl.asp

Basically, Unlike 2000/XP, 98 clients don't use DNS to locate DCs, they use NetBIOS.

Make sure that the 98 clients specify your old server running WINS.

Also, Browse list problems can cause 98 clients to get confused. You may want to disable Browsemaster ability on the new server. Check out:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappi.asp

Which instructs, edit the key:
\HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \Browser \Parameters
Set the variable MaintainServerList to No.

Cheers
0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8216074
Morning Rob,

I also found this article (http://www.jsiinc.com/SUBG/TIP3100/rh3182.htm)

Here are the 1st main extract of it :
- are you using only TCP/IP on win9x ?

You can also try to get inspired by (http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20090721.html#1)

- changing the server(i guess) ip

Other try, Microsoft KB (http://support.microsoft.com/?kbid=272594)
And the last, but I think NOT THE LEAST :

(http://support.microsoft.com/default.aspx?scid=kb;en-us;152741) I think it can really be your problem

Let us now if it solves,

Seb
0
 

Author Comment

by:rchace
ID: 8218007
Thanks guys,
I'll read on this stuff and try somethings.   Seb, that last artical you pasted and said you think might be it.....I have read and done that...but...when I did it... one of my pcs started working.....then out of the blue a few minutes later quit.  But thanks all for your input.  I'll check these out like I said. Thanks!

-Rob
0
 
LVL 21

Expert Comment

by:wyliecoyoteuk
ID: 8220746
SebastienB
Nope, whatever you do , you cannot make windows 98 secure :)
Even Microsoft admit that.

My assistant and I often come across "locked down" networks in the field, and it is surprising how easy to crack they are, especially if they have a windows9x client anywhere on them....

Have you got netbios over tcp/ip enabled on the new DC?

The last symptom,(machine works, then fails) sounds like policies being refreshed. I`d  check out the policies on the new DC, and compare them to the policies on the others.
As far as I remember, windows 9x uses a different policy manager to Winnt or 2k, and you must set up policies for win9x machines seperately.
Maybe copying the policies to the new dc will solve it.

The browse master issue is probably not relevant, although I had a similar problem with a Samba2 server that won elections, which upset XP clients.
Switching off browse master priority cured it.

Failing that ,I would really suggest you try ethereal, it is a very good tool, and will give you the info you need.


0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8221073
wylie:

- Take a Win98 (by default there's no admin shares i.e. :) so good point for it)

- Apply the appropriate Policies to it (for example : deny access to windows without domain validation)

- Disable the floppy drive access (of course lock the box, to prevent HDD moves :))

- Disable the Win98 bootmenu...

Then... What will you do if you're not allowed to ? :)

For policies :
- Win9x clients should be named CONFIG.POL and Created from the Win98 version of Poledit (mandatory!)
- WinNT based clients should be named NTCONFIG.POL and of course, has to be created by an NT version of poledit.
0
 
LVL 21

Expert Comment

by:wyliecoyoteuk
ID: 8228396
Sebastien_B
Depends on how determined you are, I once thought policies were enough....

Whatever you do... win9x is extremely vulnerable (so is any version of windoze, but I digress).

Once you get a command line(8-10 different methods, apparently,( and only 2 require a floppy disk)), forget your security. All you need is a .pwl or a local cache file and you are in.

I know this from bitter experience, which is why, 2 yrs ago, I moved most of my home network servers to Linux and Samba, and my clients to NT(although I now regret that, in some ways).

You obviously believe in windoze security.

just run a packet sniffer  (e.g. ethereal) on a laptop connected to any hub or switch node, and wake up to how weak the security is.

I run networks for my company, but we also install network print/scanner/scanrouter/emailrouting/faxrouting/fax solutions for customers.
I try to keep a straight face when installing on existing windoze networks, and I always ask for an admin to log me in:)
 
Your network is as safe as your best firewall rules , and as vulnerable as your weakest user:( Plus there are many  hacker tools out there that will give you an admin password.)

I once was as sure as you about my security, but I learned the hard way, by having someone (an ex-employee) attack my databases.

I now run everything inhouse on secure server platforms (i.e.  no microsoft)

0
 

Author Comment

by:rchace
ID: 8229307
i know about that......but noone in my server is that smart...... ;0

-Rob
0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8229950
Willy:

.pwl are really the 1st thing a good Admin should have disabled :)


Rob:

Did the check for Everyone in the Access from Network right change anything ?
0
 

Author Comment

by:rchace
ID: 8236863
well here it is.....reloaded the box with a flat version of 2kserver.....problem still existed....turned off all the services.......it works......havnt bothered to check which one it is.....
0
 
LVL 1

Expert Comment

by:Sebastien_B
ID: 8236891
Hi rchace,

I found that using QOS services without any implemented QOS policy on your network is often causing network connection troubles.
0
 

Author Comment

by:rchace
ID: 8241516
Seb,

Thanks....but no thanks man......thats not the problem... I'll keep trying and let you know.......got any more ideas??? Thanks

-Rob
0
 

Author Comment

by:rchace
ID: 8279877
well guys here it is.....its was the main dc asigning wins server........when the new 2k server was attached....the problem has been fixed.

-Rob
0
 

Expert Comment

by:CleanupPing
ID: 9152874
rchace:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 10088676
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

PAQ with points refunded

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 10140752
PAQed, with points refunded (75)

Computer101
E-E Admin
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question