Windows NT/2000 Domain Computer Account problems. Secure channels?

Hi all,
I have a Windows 2000 server which was running fine until a UPS problem this morning caused it to cut out. When it finished booting back up 5-10 minutes later, ALL of my Windows NT workstations started giving the error "The system could not log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect" when anyone tries to log on. The WinXP stations are fine.

I have tried..

Restoring the C drive plus system state from backups (I tried both last night's and a two week old backup. Though before it died, the server hadn't been rebooted in 3 months so who knows what setting might have changed that didn't take effect until today's reboot).

Making a workstation leave the domain, reboot, rejoin the domain, reboot again. Same error.

netdom query /domain:[domain] /reset /workstation - Goes through each station reporting "The trust relationship between this workstation and the primary domain failed." That's the Win2000 version on the server

netdom member [workstation] /joindomain - This is the NT4 netdom. On the Win2k server it reports that the RPC server is unavailable on the workstation. When tried on the workstation, it appears to work but after rebooting the machine, I get the same "system's computer account missing/password incorrect" message.

Based on what I've read, I really don't understand why all NT machines would fail at the same time. Has anybody got any ideas? I really don't want to have to go around 100+ NT machines installing XP on them.

Thanks in advance

bbao (IT Consultant) commented:
hi cplhades,

just want to know if you have read the following MSKB article?

Partial RPC Entries May Cause Netlogon Error Messages (MSKB article 259736)

hope it helps,
cplhades (Author) commented:
Yes, I've checked that.. that registry setting is in place.
Is the PDC emulator running?  The WINNT domain account being referenced probably points to an emulated NT4 domain.


cplhades (Author) commented:
I only have one domain controller which appears to be running fine. Is there anything specific I should check?
bbao (IT Consultant) commented:
hmm, your problem is a challenge.

can your windows nt workstations log on to the domain using cached logon information?

i know you have tried the NETDOM command with both the QUERY and MEMBER options, but when you did it, did you connect to the other server/workstations with its administrator's rights?
cplhades (Author) commented:
I'm fairly sure the NT machines are set not to cache logon information, so I can't try that. I tried netdom with administrator rights on both machines.

Upon closer inspection of the XP machines, they aren't totally happy either.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
The Security System detected an attempted downgrade attack for server cifs/  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
The Security System could not establish a secured connection with the server cifs/  No authentication protocol was available.
cplhades (Author) commented:
Okay, I'm gonna have to give up. Format and reinstall time.
bbao (IT Consultant) commented:
o? i just found a lot of links about this problem...
bbao (IT Consultant) commented:
but, i have to say, all of them are raw materials, have not been analyzed well...
bbao (IT Consultant) commented:
cplhades, please close this question: accept the helpful comments OR ask EE moderator to delete it and get refund. thanks.
PAQed, with points refunded (500)

E-E Admin

I'm too facing the exact problem, could not figure it out.

Please show some light on this.

beamex (IT Consultant) commented:
Hi all,

I'm pretty sure the problem is related to name resolution..

I resolved this issue after a week but pardon me for not sending the mail.

We removed all existing computer names from the domain controller, changed all the NT system names to different ones and joined them to the domain. It works!!!

Now it's going smoothly but under a different name. Don't ask me what the problem was, cos I'm also confused by MS products.

Hope this would work for all who have this issue still.
bbao (IT Consultant) commented:
seems it is a labor intensive solution, hehe. anyway, you should be awarded because of your continuous effort. :)