RegProctor asked:

Cannot Log onto Windows 2000 server domain

I've changed my Windows 2000 (advanced) server to a domain controller. It also serves as a DNS server and an IIS server.

It has been working as a DNS and IIS server fine for months. When I used the dcpromo to create the domain server I did all my checks and adjustments and the DNS portion as far as I can tell works just fine. I should mention, this server is not serving an enterprise, just me and my one other computer, so there is no danger in overloading by having IIS, DNS and AD on the same machine.

I then went to the security options and set up the security in accordance with this article (just to have a starting point since I am a newbie):  http://www.securityfocus.com/infocus/1297

When I logged off of my client computer I could not log back onto the domain. I can log onto the computer locally.

The error message I get is the following: "windows cannot connect to the domain, either because domain controller is down or otherwise unavailable, or because your computer account was not found."

The steps I have taken so far to track this down are:

1. While logged onto the workstation locally, I changed the workstation name from capio4 to ws1. I saw it update in the AD so I know they are talking.

2. Checked the computer and my login are in the AD -- they have to be as I had been logging in previously but I checked anyway.

3. Set all the security back to "undefined" as it was before I applied the security template.

4. Executed the following commands:

secedit /ENFORCE
secedit ws1 /ENFORCE
secedit reg@capio.net /ENFORCE
secedit reg /ENFORCE

...and I still get the same error message.

My domain is capio.net. I've heard that something like capio.local would perhaps be better, but I have the DNS lookup in my client going straight to my DNS server and then my DNS server forwards to my Internet Gateway, and as far as I can tell it's fine that way since there have been no problems in the past with it that way.

Any help at this point greatly appreciated as I am all out of ideas.
-Reg
SOLUTION
Farhan Kazi
This solution is only available to members.

ASKER

I turned the requiresignorseal off and deleted then re-added the client computer to the domain as in the links. No change.

Is there a place where I can see the logon attempt in the logs and use that to get an idea of what's happening?

ASKER CERTIFIED SOLUTION
This solution is only available to members.
I already had the logging on, just wasn't sure where to look for it, as on my first look through the logs I couldn't see anything.

Anyway, I deleted all the events in the logs, rebooted the server, tried to log on with the client, still couldn't. I looked through the logs and found this:

"A certificate could not be found. Computer certificate. No L2TP protocol over IPSEC require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted."

So I did some looking around TechNet, and it looks like I need some form of underlying authentication going on, with Kerberos being the default. With things going wrong I followed conventional wisdom and turned off all security so it wouldn't be a factor. Now I just re-enabled Kerberos and I can log on, so I guess conventional wisdom wasn't appropriate in this case.