

Cannot Log onto Windows 2000 server domain

Posted on 2007-08-11
Last Modified: 2013-12-05
I've changed my Windows 2000 (advanced) server to a domain controller. It also serves as a DNS server and an IIS server.

It has been working as a DNS and IIS server fine for months. When I used the dcpromo to create the domain server I did all my checks and adjustments and the DNS portion as far as I can tell works just fine. I should mention, this server is not serving an enterprise, just me and my one other computer so there is no danger in overloading by having IIS, DNS and AD on the same machine.

I then went to the security options and set up the security in accordance with this article (just to have a starting point since I am a newbie):  http://www.securityfocus.com/infocus/1297

When I logged off of my client computer I could not log back onto the domain. I can log onto the computer locally.

The error message I get is the following: "windows cannot connect to the domain, either because domain controller is down or otherwise unavailable, or because your computer account was not found."

The steps I have taken so far to track this down are:

1. While logged onto the workstation locally, I changed the workstation name from capio4 to ws1. I saw it update in the AD so I know they are talking.

2. Checked the computer and my login are in the AD -- they have to be as I had been logging in previously but I checked anyway.

3. Set all the security back to "undefined" as it was before I applied the security template.

4. Executed the following commands:

secedit /ENFORCE
secedit ws1 /ENFORCE
secedit reg@capio.net /ENFORCE
secedit reg /ENFORCE

...and I still get the same error message.

My domain is capio.net. I've heard that something like capio.local would perhaps be better but I have the DNS lookup in my client going straight to my DNS server and then my DNS server forwards to my Internet Gateway and as far as I can tell it's fine that way since there have been no problems in the past with it that way.

Any help at this point greatly appreciated as I am all out of ideas.
Question by:RegProctor

Assisted Solution

by:Farhan Kazi
Farhan Kazi earned 1050 total points
ID: 19677798

Author Comment

ID: 19678101
I turned the requiresignorseal off and deleted then re-added the client computer to the domain as in the links. No change.

Is there a place where I can see the logon attempt in the logs and use that to get an idea of what's happening?


Accepted Solution

Farhan Kazi earned 1050 total points
ID: 19678568

Author Comment

ID: 19678717
I already had the logging on, just wasn't sure where to look for it, as on my first look through the logs I couldn't see anything.

Anyway, I deleted all the events in the logs, rebooted the server, tried to log on with the client and still couldn't. I looked through the logs and found this:

"A certificate could not be found. Computer certificate. No L2TP protocol over IPSEC require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted."

So I did some looking around TechNet and it looks like I need some form of underlying authentication going on, with Kerberos being the default. With things going wrong I followed conventional wisdom and turned off all security so it wouldn't be a factor. Now I just re-enabled Kerberos and I can log on, so I guess conventional wisdom wasn't appropriate in this case.



Question has a verified solution.
