cplhades
asked on
Windows NT/2000 Domain Computer Account problems. Secure channels?
Hi all,
I have a Windows 2000 server which was running fine until a UPS problem this morning caused it to cut out. When it finished booting back up 5-10 minutes later, ALL of my Windows NT workstations started giving the error "The system could not log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect" when anyone tries to log on. The WinXP stations are fine.
I have tried..
Restoring the C drive plus system state from backups (I tried both last night's and a two week old backup. Though before it died, the server hadn't been rebooted in 3 months so who knows what setting might have changed that didn't take effect until today's reboot).
Making a workstation leave the domain, reboot, rejoin the domain, reboot again. Same error.
netdom query /domain:[domain] /reset /workstation - Goes through each station reporting "The trust relationship between this workstation and the primary domain failed." That's the Win2000 version on the server
netdom member [workstation] /joindomain - This is the NT4 netdom. On the Win2k server it reports that the RPC server in unavailable on the workstation. When tried on the workstation, it appears to work but after rebooting the machine, I get the same "system's computer account missing/password incorrect" message.
Based on what I've read, I really don't understand why all NT machines would fail at the same time. Has anybody got any ideas? I really don't want to have to go around 100+ NT machines installing XP on them.
Thanks in advance
I have a Windows 2000 server which was running fine until a UPS problem this morning caused it to cut out. When it finished booting back up 5-10 minutes later, ALL of my Windows NT workstations started giving the error "The system could not log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect" when anyone tries to log on. The WinXP stations are fine.
I have tried..
Restoring the C drive plus system state from backups (I tried both last night's and a two week old backup. Though before it died, the server hadn't been rebooted in 3 months so who knows what setting might have changed that didn't take effect until today's reboot).
Making a workstation leave the domain, reboot, rejoin the domain, reboot again. Same error.
netdom query /domain:[domain] /reset /workstation - Goes through each station reporting "The trust relationship between this workstation and the primary domain failed." That's the Win2000 version on the server
netdom member [workstation] /joindomain - This is the NT4 netdom. On the Win2k server it reports that the RPC server in unavailable on the workstation. When tried on the workstation, it appears to work but after rebooting the machine, I get the same "system's computer account missing/password incorrect" message.
Based on what I've read, I really don't understand why all NT machines would fail at the same time. Has anybody got any ideas? I really don't want to have to go around 100+ NT machines installing XP on them.
Thanks in advance
ASKER
Hi,
Yes, I've checked that.. that registry setting is in place.
Yes, I've checked that.. that registry setting is in place.
Is the PDC emulator running? The WINNT domain account being referenced probably points to an emulated NT4 domain.
cheers
cheers
ASKER
I only have one domain controller which appears to be running fine. Is there anything specific I should check?
hmm, your problem is a challenge.
can your windows nt workstationsws logon to the domain using cached logon information?
i know you have tried NETDOM command with either QUERY and MEMBER options, but when you did it, did you have connect to other server/workstations with its administrator's rights?
can your windows nt workstationsws logon to the domain using cached logon information?
i know you have tried NETDOM command with either QUERY and MEMBER options, but when you did it, did you have connect to other server/workstations with its administrator's rights?
ASKER
I'm fairly sure the NT machines are set not to cache logon information, so I can't try that. I tried netdom with administrator rights on both machines.
Upon closer inspection of the XP machines, they aren't totally happy either.
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Description:
The Security System detected an attempted downgrade attack for server cifs/server1.bellemoor.sou
(0xc000005e)".
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Description:
The Security System could not establish a secured connection with the server cifs/server1.bellemoor.sou
Upon closer inspection of the XP machines, they aren't totally happy either.
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Description:
The Security System detected an attempted downgrade attack for server cifs/server1.bellemoor.sou
(0xc000005e)".
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Description:
The Security System could not establish a secured connection with the server cifs/server1.bellemoor.sou
ASKER
Okay, I'm gonna have to give up. Format and reinstall time.
o? i just found a lot of links about this problems...
but, i have to say, all of them are raw materials, have not been analysized well...
cplhades, please close this question: accept the helpful comments OR ask EE moderator to delete it and get refund. thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Im too facing the exact problem, could not figure it.
Please show some light on this.
Senthil
Please show some light on this.
Senthil
Hi' All
I'm pretty sure the problem is related to name resolution..
I'm pretty sure the problem is related to name resolution..
I resolved this issue after a week but pardon me for not sending the mail.
we removed all existing computer names from domain controller and changed the all NT system names to another one and joined it into the domain. It Works !!!.
Now its going smooth but in different name. Dont ask me what was the problem, cos im too in confusion in MS products.
Hope this would work for all who have this issue still.
we removed all existing computer names from domain controller and changed the all NT system names to another one and joined it into the domain. It Works !!!.
Now its going smooth but in different name. Dont ask me what was the problem, cos im too in confusion in MS products.
Hope this would work for all who have this issue still.
seems it is a labor intensive solution, hehe. anyway, you should be awarded because of your continuous effort. :)
just want to know if you have read the following MSKB article?
Partial RPC Entries May Cause Netlogon Error Messages
http://support.microsoft.com/?id=kb;en-us;259736
hope it helps,
bbao