Windows 2003 Logon problem

    My company had two DC’s – one crashed and was removed from AD.  Near as I can tell all FSMO roles have been moved.  Ever since this time when we create new users in AD they are unable to logon.  The error is the generic “Systems could not log you on . . . check your user name and password” message.
Make sure that CISMS04 is a Global Catalog server.  AD always queries a GC when logging on users.  Previous users are possibly using cached credentials.  To do this:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites to expand it, then expand Servers.
3. Double-click the domain controller to expand the server contents.
4. Right-click the NTDS Settings object that is listed below the server, and then click Properties.
5. On the General tab, select the Global Catalog check box to add the global catalog function to the domain controller, and then click OK to apply the changes.

Also, when you remove a crashed DC, it's best to do a metadata cleanup.  That will completely remove all references to the old DC.  There could also be some entries in DNS for the old DC.  Here is a link that shows how to remove a DC.
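The five GUI steps above toggle one attribute: bit 0x1 of the `options` attribute on the DC's NTDS Settings object. The PowerShell script below is an added example (not code from the original thread or from the answerer) that reads that flag, optionally sets it, and then checks whether the DC is actually advertising as a GC, since setting the checkbox only starts the process. It assumes the DC name from the thread (CISMS04), domain credentials, and that it is run from any domain member with PowerShell; it uses plain ADSI binding rather than the ActiveDirectory module so it does not depend on RSAT.

```powershell
# Added example (not from the original thread): check, and optionally set, the Global Catalog flag
# on a DC's NTDS Settings object. The GUI checkbox toggles bit 0x1 of that object's "options"
# attribute; the DC only advertises as a GC once its RootDSE reports isGlobalCatalogReady=TRUE.
# Assumes the DC name from the thread (CISMS04) and domain credentials; run from any domain member.

param(
    [string]$DcName = "CISMS04",
    [switch]$Enable        # set the flag if it is missing; without this the script only reports
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext

# Locate the server object for this DC under CN=Sites (it may live in any site).
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configNc")
$searcher.Filter = "(&(objectClass=server)(cn=$DcName))"
$server = $searcher.FindOne()
if (-not $server) { throw "No server object named $DcName under CN=Sites,$configNc" }

$ntdsDn = "CN=NTDS Settings," + $server.Properties["distinguishedname"][0]
if (-not [ADSI]::Exists("LDAP://$ntdsDn")) {
    throw "$DcName has a server object but no NTDS Settings object; it is not a functioning DC"
}
$ntds    = [ADSI]"LDAP://$ntdsDn"
$options = [int]$ntds.Properties["options"].Value   # an absent attribute reads as 0
$isGc    = ($options -band 1) -eq 1
"{0}: options={1} GlobalCatalog={2}" -f $DcName, $options, $isGc

if (-not $isGc -and $Enable) {
    # Same change as ticking the checkbox: OR in the IS_GC bit and write it back.
    $ntds.Properties["options"].Value = $options -bor 1
    $ntds.CommitChanges()
    "Set GC flag on $ntdsDn. The DC must now build its partial replicas before it advertises as a GC."
}

# The flag alone is not enough for logons: the DC has to be ready to answer GC queries.
$dcRootDse = [ADSI]"LDAP://$DcName/RootDSE"
"{0}: isGlobalCatalogReady={1}" -f $DcName, ([string]$dcRootDse.isGlobalCatalogReady)
```

Run it without `-Enable` first to see the current state. If `GlobalCatalog=True` but `isGlobalCatalogReady=FALSE`, the DC is still building the partial replicas (or cannot, because replication with the dead DC is stuck), and logons that need a GC will keep failing until the Directory Service event log shows the DC advertising as a global catalog.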
First thing I would do is check that all the roles have been transferred correctly.

Install the support tools from the Windows server CD on to a domain controller.
Then run the following command in a command prompt:

netdom query fsmo

This will show what server has the key roles.
You will need to seize the ones that are still with the old server.

Have you introduced a replacement domain controller since the first one died? Is replication between those servers working correctly?
Any errors in the event logs of the domain controllers regarding replication or other AD related issues?
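`netdom query fsmo` prints the five role holders, but not whether each holder still exists. The script below is an added example (not from the original thread) that reads the same data straight from the `fSMORoleOwner` attributes and flags any role whose owner is not a DC you know to be alive. That distinction matters here: a role still pointing at the crashed DC cannot be transferred (transfer needs the old holder online); it has to be seized, and the dead DC's metadata then cleaned up. It assumes domain credentials and, per the thread, that CISMS04 is the only surviving DC.

```powershell
# Added example (not from the original thread): read the five FSMO role owners directly from the
# directory and flag any role whose owner is not a live DC. A role held by the crashed DC must be
# seized with ntdsutil (transfer requires the old holder to be online).
# Assumes domain credentials and that CISMS04 (from the thread) is the only surviving DC.

param(
    [string[]]$LiveDcs = @("CISMS04")   # DCs known to be up; anything else holding a role is a problem
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# Object whose fSMORoleOwner attribute names the holder of each role.
$roleObjects = @(
    @{ Role = "Schema master";         Dn = $schemaNc },
    @{ Role = "Domain naming master";  Dn = "CN=Partitions,$configNc" },
    @{ Role = "PDC emulator";          Dn = $domainNc },
    @{ Role = "RID master";            Dn = "CN=RID Manager`$,$domainNc" },
    @{ Role = "Infrastructure master"; Dn = "CN=Infrastructure,$domainNc" }
)

$needSeize = @()
foreach ($entry in $roleObjects) {
    $ownerDn = [string]([ADSI]"LDAP://$($entry.Dn)").fSMORoleOwner
    # fSMORoleOwner is the DN of an NTDS Settings object:
    #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    if ($ownerDn -match '0ADEL:') {
        # DN link to a tombstone: the owner's NTDS Settings object has been deleted
        $owner = "(deleted object)"
        $state = "SEIZE - owner no longer exists"
    } else {
        $owner = (($ownerDn -split ',')[1]) -replace '^CN=', ''
        if ($LiveDcs -contains $owner) {
            $state = "OK"
        } elseif ([ADSI]::Exists("LDAP://$ownerDn")) {
            $state = "SEIZE - held by $owner, which is not a live DC; then run metadata cleanup"
        } else {
            $state = "SEIZE - owner object missing"
        }
    }
    if ($state -ne "OK") { $needSeize += $entry.Role }
    "{0,-22} {1,-20} {2}" -f $entry.Role, $owner, $state
}

if ($needSeize.Count -gt 0) {
    "Roles to seize on a surviving DC (ntdsutil: roles, connections, connect to server <dc>, quit, seize <role>): " +
        ($needSeize -join ", ")
}
```

Anything reported as SEIZE is exactly what the answer above means by roles "still with the old server". Seize them on the surviving DC, and never bring the old DC back online afterwards, since two holders of one role is worse than the outage.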

BRSageAuthor Commented:
Here are the results of the query:

Schema owner      

Domain role owner 

PDC role          

RID pool manager  

Infrastructure owner

The command completed successfully.

No replacement has been introduced.  The event logs show no errors whatsoever.  Any other thoughts?

BRSageAuthor Commented:
Also . . . CISMS04 is the correct name for DC
Are the clients Windows 2000, NT, Windows 98, ...?
BRSageAuthor Commented:
Clients are Windows 2000 and XP.  This is only a problem when new users are created; existing users are working just fine.

CISMS04 is a Global Catalog server and I have performed the metadata cleanup

Other ideas?
Do you have any failed logon messages in Event Viewer -> Security?
You can also check the DNS records on the DNS server (you should delete the old records).
Are the new users logging on to new PCs?  If so, I would try logging them onto PC that an old user logs on to.  Just making sure that the machine account is not an issue as well.
BRSageAuthor Commented:
No failed logon messages in the event viewer.
All DNS references have been removed.
New user accounts are logging on to existing machines.

Any other thoughts?
I was interested in your problem.
Can you explain how cfairley's answer helped you?
You said your DC was a GC.
BRSageAuthor Commented:
The part that was the most help was " it's best to do a metadata cleanup.  That will completely remove all references to the old DC"  After cleaning up the metadata everything worked much better!
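Since the fix turned out to be the metadata cleanup, it is worth knowing where a dead DC lingers after `ntdsutil` removes its NTDS Settings object: the server object under CN=Sites, the computer account in OU=Domain Controllers, the FRS member object for SYSVOL, and DNS records. The script below is an added example (not from the original thread) that audits all four places for a given DC name. The old DC's name is not given in the thread, so `OLDDC` is a placeholder; it assumes domain credentials, PowerShell on a domain member, and a Windows DNS server reachable over WMI (the MicrosoftDNS provider).

```powershell
# Added example (not from the original thread): list what is still left in AD and DNS for a DC that
# was removed without (or with an incomplete) metadata cleanup.
# Assumptions: OLDDC is a placeholder for the crashed DC's name (not given in the thread); the DNS
# server is a Windows DNS server exposing the MicrosoftDNS WMI provider.

param(
    [string]$OldDc = "OLDDC",                # hypothetical name of the crashed DC
    [string]$DnsServer = $env:COMPUTERNAME   # Windows DNS server to inspect
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext

function Find-Objects([string]$base, [string]$filter) {
    # Return the DNs of objects under $base matching an LDAP filter (empty output if none).
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$base")
    $s.Filter = $filter
    $s.PropertiesToLoad.Add("distinguishedName") | Out-Null
    foreach ($r in $s.FindAll()) { $r.Properties["distinguishedname"][0] }
}

$findings = @()

# 1. Server object and its NTDS Settings child under CN=Sites (what ntdsutil metadata cleanup removes).
$serverDns = @(Find-Objects "CN=Sites,$configNc" "(&(objectClass=server)(cn=$OldDc))")
$findings += $serverDns
foreach ($dn in $serverDns) {
    if ([ADSI]::Exists("LDAP://CN=NTDS Settings,$dn")) { $findings += "CN=NTDS Settings,$dn" }
}

# 2. The DC's computer account.
$findings += @(Find-Objects "OU=Domain Controllers,$domainNc" "(&(objectClass=computer)(cn=$OldDc))")

# 3. FRS membership for the SYSVOL replica set.
$findings += @(Find-Objects "CN=File Replication Service,CN=System,$domainNc" "(&(objectClass=nTFRSMember)(cn=$OldDc))")

# 4. DNS: any record (A, SRV, CNAME, NS, ...) that names the old DC, including the _msdcs entries.
$pattern = [regex]::Escape($OldDc)
$dns = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_ResourceRecord -ComputerName $DnsServer |
       Where-Object { $_.TextRepresentation -match $pattern }
$findings += @($dns | ForEach-Object { "DNS ($($_.ContainerName)): " + $_.TextRepresentation })

if ($findings.Count -eq 0) {
    "No references to $OldDc found in AD or DNS."
} else {
    "References to $OldDc that still need cleaning up:"
    $findings | ForEach-Object { "  $_" }
}
```

Run it before and after the cleanup: an empty result is the confirmation that the thread's answer asked for ("completely remove all references to the old DC"). Stale SRV records are the usual leftover, because clients locate a DC and a GC through DNS first, and a record that still points at the dead DC sends them to a server that cannot answer.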
Question has a verified solution.