Solved

Can't join a 2003 member server to a 2000 domain, error message = "Logon failure unknown user name or bad password"

Posted on 2007-11-15
Last Modified: 2013-12-05
I have a 2000 DC (SP3, and it can't go higher due to a program on the server) and I can't join a 2003 member server to the domain.

I right click on "My Computer"
Click on "Computer Name"
Click on "Change"
click on "Domain"
type the domain name "SCADA"
type the user name "administrator" (admin account for the SCADA domain)
type the admin password "###########"

and get the following error

"The following error occurred while attempting to join the domain "SCADA" : Logon failure unknown user name or bad password"

I have tried using a static IP for the 2003 server and point the DNS to the 2000 DC.

Have also set the 2003 member server up for DHCP and let the 2000 DC (also the DHCP server) issue the IP address and DNS info.

Thanks
Question by:tjmustang

31 Comments

LVL 38

Expert Comment

by:ChiefIT
This problem may occur if you had this 2003 server on the domain prior to trying to bring it up as a member server. You may have a cached password for the domain administrator on that 2003 member server.

Go to Control Panel>>Users and Computers>>Advanced>>Passwords and remove all cached passwords.

If you have forgotten the domain administrator's password, let us know. We may be able to help you reset it.

LVL 21

Expert Comment

by:dan_blagut
Hi,
Try to use domain\username instead of username.

Dan

Author Comment

by:tjmustang
I don't have a Users and Computers under the control panel.

LVL 21

Expert Comment

by:dan_blagut
No.
When you try to add your computer to the domain, it asks for a user name and password from the domain. There, try with domain\username instead of username.

Author Comment

by:tjmustang
Hi dan....I tried that before and just tried it again.  Thanks for the suggestion.

My last post was in reply to ChiefIT

LVL 21

Expert Comment

by:dan_blagut
Sorry... Anyway, is any firewall enabled on your server? You could also try with a fresh user promoted to domain admin.

Dan

LVL 38

Expert Comment

by:ChiefIT
The following is a quote from this KB article:
http://support.microsoft.com/kb/913485

"""Windows XP Professional and Windows Server 2003 include a Stored User Names and Passwords feature that also provides credential management functionality. Depending on the type of authentication, this feature can save user credentials so they can be reused later.

Credential Manager stores user credentials securely. These credentials include passwords and X.509 certificates. Credential Manager lets both roaming and nonroaming users provide credentials only one time. For example, the first time that a user runs a program on a company's network, authentication is required. Therefore, the user is prompted to supply credentials.
--And here is the important part:--
**After the user provides these credentials, they continue to be associated with the program. """

I am not sitting at my domain, so I can't tell you where to remove Credential Manager cached credentials on a 2003 server. But, I have seen it before with changing a domain password and all of a sudden you are not able to authenticate.

There are other things you may wish to look at. Your service applets of Netlogon and anything having to do with LSA services should be started?

LVL 38

Expert Comment

by:ChiefIT
Credential Manager might be an MMC snap-in or under Administrative Tools.

Author Comment

by:tjmustang
Still no luck joining the server to the domain.

LVL 38

Expert Comment

by:ChiefIT
Try this.

First add the computer in active directory manually. Create a GUI in active directory under the Computers "CN". Then, try to join the domain.

Can you ping the domain controller by IP address and computer name? Maybe the 2003 server doesn't recognize your DC as the DC of the domain and is trying to go elsewhere for AD authentication.

Author Comment

by:tjmustang
Hi ChiefIT
I already created a computer in AD for the member server.  I can ping the DC by name or IP.  I have tried static IP & DNS addresses and also switched to DHCP.  FYI the DC is also the DHCP server.  The member server gets all the proper IP info when set up for DHCP.

Thanks

TJ

LVL 38

Expert Comment

by:ChiefIT
This is just thinking out loud:

You have a stand alone server you wish to join the domain. Upon trying to join the domain, you are getting an unknown username or password. You are getting DHCP from that AD server you are trying to replicate with.

So, it sounds like the AD server you are trying to join the domain on has an old password or a typographical error on the administrator username.  

Some people disable the administrator account because it is a generic account username. Then they create an account for individuals to be an administrator. I am sure you checked Active Directory on your AD server for the following:

The administrator user account exists
The administrator user account is a member of the Domain Administrators group
The administrator user account is a member of AD admins group.
The administrator user account doesn't have a typo in it
You reset the administrator password on a number of occasions.

We already covered domain cached passwords.

So, I am beginning to think there is a problem with a 2003 server as a stand alone server on a 2000 domain. Maybe a mixed domain problem. It shouldn't be, though.

In event viewer you should have events that error for trying to join the domain. Could you supply the events for that error? Maybe a little research on these events will provide a solution.


Author Comment

by:tjmustang
FYI......


I have a Windows 2000 member server next to the problem 2003 member server.  I joined the Windows 2000 domain without a problem with the 2000 member server.  All three servers are on the same switch.  All three servers have the same admin user name and password.

Nothing in the Event viewer after attempting to join the 2003 member server to the 2000 domain.

I now get the following error "The following error occurred attempting to join the domain "SCADA": The account is not authorized to log in from this station"

LVL 38

Expert Comment

by:ChiefIT

LVL 38

Expert Comment

by:ChiefIT
Try this:

Go to Administrative Tools or on the MMC snapin
click on the local policy for the local machine
double click Security Options
Find Send Unencrypted Password to Connect to third Party SMB Server
right click and Select Enabled
Click OK
Close all open windows
Restart your computer.

Also make sure "digitally sign client communications" is enabled.
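
The two security options named in the steps above are stored as registry values under the LanmanWorkstation service. The following is an added example, not part of the original thread, that reads them back so the client's SMB settings can be confirmed after a troubleshooting change; it assumes PowerShell 2.0 or later is installed on the member server, and the function name Get-SmbClientPolicy is hypothetical. Both "digitally sign communications" variants are reported because the post does not say which one is meant.

```powershell
# Added example (not from the thread): report the "Microsoft network client"
# security options as they are stored in the registry.
# Assumption: PowerShell 2.0+ is available on the server being checked.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Registry value name, followed by the policy name shown in Security Options.
$map = @(
    @('EnablePlainTextPassword',  'Send unencrypted password to third-party SMB servers'),
    @('EnableSecuritySignature',  'Digitally sign communications (if server agrees)'),
    @('RequireSecuritySignature', 'Digitally sign communications (always)')
)

function Get-SmbClientPolicy {
    param([string]$Path = $key)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($pair in $map) {
        $name, $policy = $pair
        $raw = $props.$name

        # A missing value means the policy was never set explicitly.
        if ($null -eq $raw) { $state = 'not set (OS default applies)' }
        elseif ($raw -eq 1) { $state = 'Enabled' }
        else                { $state = 'Disabled' }

        # Flag only the plaintext-password option when it is switched on.
        $review = ($name -eq 'EnablePlainTextPassword' -and $raw -eq 1)

        New-Object PSObject -Property @{
            Policy        = $policy
            RegistryValue = $name
            State         = $state
            Review        = $review
        }
    }
}

Get-SmbClientPolicy | Format-Table Policy, RegistryValue, State, Review -AutoSize
```

Review is True only when the plaintext-password option is enabled, in which case the SMB client will send the password unencrypted to servers that ask for it.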

LVL 21

Expert Comment

by:dan_blagut
Well, check your account in AD to see if you don't have a list of computers where you can log on. If you have, add the new server to that list. (AD Users and Computers - Your User properties - Account LogonTo button)

Dan


Author Comment

by:tjmustang
Hi ChiefIT

I tried both suggestions and still no go.  The interesting thing is I can open shares on the Windows 2000 domain controller by name (hidden shares as well) from the 2003 member server.

Author Comment

by:tjmustang
Hi Dan,

I checked and Logonto was set to all.  I changed it to allow just the 2003 member server but still no luck.

LVL 38

Expert Comment

by:ChiefIT
Do you have an HP server?

Author Comment

by:tjmustang
Hi ChiefIT,

The 2000 Domain Controller is a Dell PowerEdge server.

The 2003 member server is an IBM rack server.

LVL 38

Expert Comment

by:ChiefIT
There has to be some sort of cached passwords or remnants of AD on this 2003 server. What role do you want this to play as a member server?

To check on cached passwords, I think you will have to right click on my computer icon>>select manage>>select local for that server go to users and hit the advanced tab and delete all saved passwords or logons.

I am also beginning to think the differences in SMB may be a problem. Or the netlogon service isn't started.

Can you check on this?

Author Comment

by:tjmustang
Hi ChiefIT,

I will check on those items next time on site.

FYI.....this was a fresh load of 2003 (I think it is 2003 standard server)

The role of this server will be member server only and it will host DDE server software that other member & PDC servers will access the DDE information from.

Happy Holidays

LVL 38

Expert Comment

by:ChiefIT
Another thing you could try is to reset the server's password. When you join a domain with a computer, the computer is given its own password. If you go into Active Directory>>Computers CN and right click on it, you should be able to reset the 2003 server's password. If still not working, I am leaning more towards the SMB differences.


Author Comment

by:tjmustang
Update.........

I was able to join the new 2003 member server to a new 2003 DC with no problem.  Using the same user name and password as with the 2000 DC.  The problem is definitely in the 2000 DC.  I am able to join Vista clients, XP clients, and 2000 pro clients to the 2000 DC.  I cannot join the new 2003 member server to the 2000 DC.

Any thoughts???????

LVL 38

Expert Comment

by:ChiefIT
Yes, I do have some thoughts.

Have you ever heard of a mixed domain? This is what you have. 2003 and 2000 don't always mix. This is why most run ADprep utility. AD prep utility makes the SMB compatible with mixed domains. Let me look this up and get back with you. There are command prompt commands that can change your domain from native mode, (meaning 2003 server only), to mixed mode, (meaning 2003, 2000 and NT4). Yes, here is an example:

http://technet2.microsoft.com/windowsserver/en/library/c5dcbad2-9ca2-408e-b2c2-618c668f6b291033.mspx?mfr=true

Author Comment

by:tjmustang
Thanks for all your suggestions.........I gave up on joining the 2003 std server to a 2000 domain controller.  I was able to join the same 2003 Std server to a 2003 domain controller using the same admin account.  I think there was an issue with the 2000 DC as the 2003 Std server had no problem joining the 2003 domain.

Tom C.

Author Comment

by:tjmustang
Please close this question out.

LVL 38

Expert Comment

by:ChiefIT
There is a problem with a mixed domain. Before you close out the question, let's look into the mixed domain problem.

Author Comment

by:tjmustang
I wish I could look into it with you but the servers are now in a production environment and the 2000 DC was taken offline as I pressed a spare 2003 SBS DC into service.  All clients have been migrated to the new 2003 domain and the old 2000 DC is being loaded with 2003 Std server.

Thanks,

Tom C.

LVL 38

Expert Comment

by:ChiefIT
OK Tom:

Do you know how to request a points refund?

Accepted Solution

by:tjmustang earned 0 total points
No I don't........I have no problem giving points out for your efforts but did not want to accept it as a solution and have others bring it up in a search thinking that we found the problem.

Thanks,

Tom C