Solved

Windows 2003 Logon problem

Posted on 2004-10-31
172 Views
Last Modified: 2010-05-18
    My company had two DCs – one crashed and was removed from AD.  Near as I can tell all FSMO roles have been moved.  Ever since this time, when we create new users in AD they are unable to log on.  The error is the generic “System could not log you on . . . check your user name and password” message.
0
Question by:BRSage
    12 Comments
     
    LVL 104

    Expert Comment

    by:Sembee
    First thing I would do is check that all the roles have been transferred correctly.

    Install the support tools from the Windows server CD on to a domain controller.
    Then run the following command in a command prompt:

    netdom query fsmo

    This will show what server has the key roles.
    You will need to seize the ones that are still with the old server.

    Have you introduced a replacement domain controller since the first one died? Is replication between those servers working correctly?
    Any errors in the event logs of the domain controllers regarding replication or other AD related issues?

    Simon.
    0
     

    Author Comment

    by:BRSage
    Here are the results of the query:

    Schema owner                cisms04.cisinsgroup.com
    Domain role owner           cisms04.cisinsgroup.com
    PDC role                    cisms04.cisinsgroup.com
    RID pool manager            cisms04.cisinsgroup.com
    Infrastructure owner        cisms04.cisinsgroup.com

    The command completed successfully.

    No replacement has been introduced.  The event logs show no errors whatsoever.  Any other thoughts?
    0
     

    Author Comment

    by:BRSage
    Also . . . CISMS04 is the correct name for the DC
    0
     
    LVL 5

    Expert Comment

    by:map000
    The clients are Win 2000 or NT, Win 98 ...?
    0
     
    LVL 11

    Accepted Solution

    by:
    Make sure that CISMS04 is a Global Catalog server.  AD always queries a GC when logging on users.  Previous users are possibly using cached credentials.  To do this:

    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. Double-click Sites to expand it, then expand Servers.
    3. Double-click the domain controller to expand the server contents.
    4. Right-click the NTDS Settings object that is listed below the server, and then click Properties.
    5. On the General tab, click to select the Global Catalog check box to add the global catalog function to the domain controller, and then click OK to apply the changes.

    Also, when you remove a crashed DC, it's best to do a metadata cleanup.  That will completely remove all references to the old DC.  There could also be some entries in DNS for the old DC.  Here is a link that shows how to remove a DC.

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B216498
    0
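A consolidated check for the points raised by Sembee (FSMO role holders) and in the accepted answer (Global Catalog status and leftover references to the dead DC in AD metadata and DNS), as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory and DnsClient modules on a modern domain-joined host and a single-domain forest like the one described; on Windows Server 2003 the equivalents were netdom, ntdsutil and the DNS console.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module,
# DnsClient module (Resolve-DnsName) and a single-domain forest.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$forest  = Get-ADForest
$liveDCs = Get-ADDomainController -Filter *

# 1. FSMO role holders (what "netdom query fsmo" prints). A role whose holder
#    is not a live DC must be seized, not transferred.
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $state = if ($liveDCs.HostName -contains $r.Value) { 'OK' } else { 'HELD BY MISSING DC - seize' }
    '{0,-22} {1,-32} {2}' -f $r.Key, $r.Value, $state
}

# 2. At least one Global Catalog must exist; logon needs a GC for universal
#    group membership, which is why only new (uncached) users fail.
$gcs = $liveDCs | Where-Object IsGlobalCatalog
if ($gcs) { 'Global Catalogs: ' + ($gcs.HostName -join ', ') }
else      { Write-Warning 'No Global Catalog server in this domain.' }

# 3. Stale metadata: an NTDS Settings object in the configuration partition
#    whose server object does not match any live DC is what metadata cleanup
#    (ntdsutil "remove selected server") is meant to delete.
$cfg  = (Get-ADRootDSE).configurationNamingContext
$ntds = Get-ADObject -SearchBase $cfg -LDAPFilter '(objectClass=nTDSDSA)'
foreach ($n in $ntds) {
    # DN is "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..."
    $serverName = ($n.DistinguishedName -split ',')[1] -replace '^CN=', ''
    if ($liveDCs.Name -notcontains $serverName) {
        Write-Warning "Stale NTDS Settings object for '$serverName' - run metadata cleanup"
    }
}

# 4. DNS: the DC locator SRV records should only point at live DCs; a record
#    for the dead DC sends clients to a server that no longer answers.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
    Where-Object { $_.NameTarget -and ($liveDCs.HostName -notcontains $_.NameTarget.TrimEnd('.')) } |
    ForEach-Object { Write-Warning "Stale DNS SRV record points at $($_.NameTarget)" }
```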
     

    Author Comment

    by:BRSage
    Clients are Windows 2000 and XP - this is only a problem when new users are created, existing users are working just fine

    CISMS04 is a Global Catalog server and I have performed the metadata cleanup

    Other ideas?
    0
     
    LVL 5

    Expert Comment

    by:map000
    Do you have any failed logon messages in Event Viewer -> Security?
    0
     
    LVL 5

    Expert Comment

    by:map000
    You can also check the DNS records on the DNS server (you should delete the old records).
    0
     
    LVL 11

    Expert Comment

    by:cfairley
    Are the new users logging on to new PCs?  If so, I would try logging them on to a PC that an old user logs on to.  Just making sure that the machine account is not an issue as well.
    0
     

    Author Comment

    by:BRSage
    No failed logon messages in the event viewer
    All DNS references have been removed
    New user accounts are logging on to existing machines

    Any other thoughts?
    0
     
    LVL 5

    Expert Comment

    by:map000
    I was interested in your problem.
    Can you explain how cfairley's answer helped you?
    You said your DC was a GC.
    0
     

    Author Comment

    by:BRSage
    The part that was the most help was "it's best to do a metadata cleanup.  That will completely remove all references to the old DC."  After cleaning up the metadata everything worked much better!
    0
