Cannot Log onto Windows 2000 server domain

Posted on 2007-08-11
Last Modified: 2013-12-05
I've changed my Windows 2000 (advanced) server to a domain controller. It also serves as a DNS server and an IIS server.

It has been working as a DNS and IIS server fine for months. When I used the dcpromo to create the domain server I did all my checks and adjustments and the DNS portion as far as I can tell works just fine. I should mention, this server is not serving an enterprise, just me and my one other computer so there is no danger in overloading by having IIS, DNS and AD on the same machine.

I then went to the security options and set up the security in accordance with this article (just to have a starting point since I am a newbie):

When I logged off of my client computer I could not log back onto the domain. I can log onto the computer locally.

The error message I get is the following: "windows cannot connect to the domain, either because domain controller is down or otherwise unavailable, or because your computer account was not found."

The steps I have taken so far to track this down are:

1. While logged onto the workstation locally, I changed the workstation name from capio4 to ws1. I saw it update in the AD so I know they are talking.

2. Checked the computer and my login are in the AD -- they have to be as I had been logging in previously but I checked anyway.

3. Set all the security back to "undefined" as it was before I applied the security template.

4. Executed the following commands:

secedit /ENFORCE
secedit ws1 /ENFORCE
secedit /ENFORCE
secedit reg /ENFORCE

...and I still get the same error message.

My domain is I've heard that something like capio.local would perhaps be better, but I have the DNS lookup in my client going straight to my DNS server and then my DNS server forwards to my Internet Gateway, and as far as I can tell it's fine that way since there have been no problems in the past with it that way.

Any help at this point greatly appreciated as I am all out of ideas.
Question by:RegProctor
    Assisted Solution

    Author Comment

    I turned the requiresignorseal off and deleted then re-added the client computer to the domain as in the links. No change.

    Is there a place where I can see the logon attempt in the logs and use that to get an idea of what's happening?

    Accepted Solution

    Author Comment

    I already had the logging on, just wasn't sure where to look for it, as on my first look through the logs I couldn't see anything.

    Anyway, I deleted all the events in the logs, rebooted the server, tried to log on with the client, still couldn't. I looked through the logs and found this:

    "A certificate could not be found. Computer certificate. No L2TP protocol over IPSEC require the installation of a machine certificate, also known as a computer certificate. No L2TP calls will be accepted."

    So I did some looking around TechNet and it looks like I need some form of underlying authentication going on, with Kerberos being the default. With things going wrong I followed conventional wisdom and turned off all security so it wouldn't be a factor. Now I just re-enabled Kerberos and I can log on, so I guess conventional wisdom wasn't appropriate in this case.

