Abi_003

Logon rejected for Domain User / Windows cannot determine the user or computer name

I am getting the following errors while connecting by Remote Desktop to a server using the domain credentials, but I can log in locally:

*Logon rejected for DomainName\User. Unable to obtain Terminal Server User Configuration. Error: The specified domain either does not exist or could not be contacted.

**Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*** This computer was not able to set up a secure session with a domain controller in domain DOMAIN NAME due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***


More information:

I can ping my domain controller by IP address and by name without any problem, and I can do the same thing with the DC... I can ping this problematic server.

When I go to My Network Places from the problematic server -> Entire Network -> Microsoft Windows Network, I can see and browse other servers/computers on the domain/network.

I was trying to assign local administrative privileges to a domain user, so I went to Computer Management -> Local Users and Groups -> Groups -> Administrators. All I see is the local machine. I am not seeing my domain, just the one local machine listed there.

Please help me out, as users are starting to panic!!!
matiasojeda

Does the TS have the AD DNS servers configured correctly?
Can you log on locally to the domain?

Check Event Viewer and paste.
Reset the computer account (TS machine) in Users and Computers.
Maybe it has an out-of-sync password with Kerberos.
Abi_003

ASKER

The Terminal Server was working fine for the last two years. This issue started to happen last night; nothing got changed. I can log in to both domain controllers without any problem, and I can also log in to other servers on the same network without any issues. This is happening for this specific server.

Event Type:      Error
Event Source:      Winlogon
Event Category:      None
Event ID:      1219
Date:            2/17/2009
Time:            11:18:05 AM
User:            N/A
Computer:      PRODDB
Description:
Logon rejected for Doamin\user. Unable to obtain Terminal Server User Configuration. Error: The specified domain either does not exist or could not be contacted.
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 4b 05 00 00               K...    


_________________________________________________________________________________________________________
Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5719
Date:            2/17/2009
Time:            11:11:17 AM
User:            N/A
Computer:      PRODDB
Description:
This computer was not able to set up a secure session with a domain controller in domain DOAMINNAME due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    

Is the error only for one user?
Have you tried with other users?
Abi_003

ASKER

No - For all of our Domain Users ...

And are there messages on the domain controller?
Maybe there is an error from Kerberos or something else...
Check and paste.
Abi_003

ASKER

no.. no errors on DC..

Let me understand this:
You have a problematic server
This problematic server cannot rdp to any other server?
Other server cannot rdp to this problematic server?
You tried to add a domain user with admin right to this problematic server but only see this server and no domain?

If the above are true, you need to double check the time and make sure it's the same time and time zone as your domain controller. If it's the same, what else is in production on this box? Can it be disjoined from and rejoined to the domain quickly?
Abi_003

ASKER

You have a problematic server  - yes
This problematic server cannot rdp to any other server? no, other clients cannot rdp to this problematic server
Other server cannot rdp to this problematic server? Yes
You tried to add a domain user with admin right to this problematic server but only see this server and no domain? That is correct.

Also, I found this event entry on my DC. Any idea how to fix this?

Event Type:      Warning
Event Source:      W32Time
Event Category:      None
Event ID:      50
Date:            2/17/2009
Time:            1:03:33 AM
User:            N/A
Computer:      PDC
Description:
The time service detected a time difference of greater than 128 milliseconds  for 90 seconds. The time difference might be caused by synchronization with  low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update  the system clock. When a valid time stamp is received from a time service  provider, the time service will correct itself.  

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Abi_003

ASKER

Please see the screen shot for the error msg. thx..
error.bmp

Reset the machine account:
In AD Users and Computers -> search for the machine -> right click -> Reset Account
Important:
Sync the clock:

w32tm /resync
OR:

net time /set /y
If it does not find the domain controller:
net time \\domain_controller /set /y
Abi_003

ASKER

what does this command do:  net time \\domain_controller /set /y

net time /set /y
If it does not find the domain controller:
net time \\domain_controller /set /y
(replace \\domain_controller with the name of the domain controller)
This sets the machine clock, syncing from the domain controller.
Abi_003

ASKER


matiasojeda: net time /set /y
If it does not find the domain controller:
net time \\domain_controller /set /y
(replace \\domain_controller with the name of the domain controller)
This sets the machine clock, syncing from the domain controller.

=====
Will it set my DC's time?

That command was to configure your server to sync with the domain controller in your server registry.
Since you have a Windows Server 2003 domain and that problematic server is a member server, it synchronizes with your domain controller by default. If you don't see any time difference of more or less than 5 minutes when compared with your domain controller's time, then you don't have a time problem.

Also, before you reset the computer account, you should double check the firewall of your problematic server, just in case it is not turned on. If that's not it, resetting the computer account password is the next step. Unfortunately, resetting the computer account via ADUC does not work well, but since it's a member server and not a domain controller, you can simply disjoin it and rejoin it to the domain. As long as your problematic computer is not a CA, you should be fine doing so.
cri cri

so?
Abi_003

ASKER

The time on both the DC and the problematic server is the same, but I still can't RDC to the server.
ASKER CERTIFIED SOLUTION
Americom
This solution is only available to members.
Okay, I rechecked the W32Time messages in Event Viewer. Most (but not all) of the Winlogon 1219 and Netlogon 5719 errors have W32Time 29 errors occurring around the same time - occasionally before, occasionally after. There are also the W32Time information messages saying that the synchronization occurred successfully bracketing those errors. I don't think two computers would get out of sync by 5 minutes in 15 minutes so I would wager that the W32Time failures to synchronize aren't the cause of the Winlogon and Netlogon errors but are caused by the same connection issue. Interestingly, there are no W32Time 29 errors during that same 6/18 to 8/03 time period - there are plenty of warning and information messages during that period.
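
The comparison described in the last comment (logon failures set against W32Time 29 errors close in time), as an added example that is not part of the thread: a Python script that pairs each Winlogon 1219 / Netlogon 5719 record with the nearest W32Time 29 record and reports whether the sync error came before or after. The record layout, function names and the 5-minute window are assumptions for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta

AUTH_FAILURES = {("Winlogon", 1219), ("NETLOGON", 5719)}
TIME_FAILURE = ("W32Time", 29)

# Constructed sample export (source, event ID, timestamp); not data from the thread.
SAMPLE = [
    ("W32Time", 29, "2009-02-17 01:02:10"),
    ("NETLOGON", 5719, "2009-02-17 01:03:00"),
    ("Winlogon", 1219, "2009-02-17 01:04:30"),
    ("NETLOGON", 5719, "2009-02-17 06:30:00"),
    ("W32Time", 29, "2009-02-17 06:31:15"),
    ("Winlogon", 1219, "2009-02-17 11:18:05"),
]

def parse(records):
    """Turn (source, id, 'YYYY-MM-DD HH:MM:SS') tuples into time-sorted records."""
    out = [(s, i, datetime.strptime(t, "%Y-%m-%d %H:%M:%S")) for s, i, t in records]
    return sorted(out, key=lambda r: r[2])

def correlate(records, window=timedelta(minutes=5)):
    """For each logon failure, find the nearest W32Time 29 within the window.

    Returns (source, id, timestamp, offset_seconds or None) tuples; a negative
    offset means the time-sync error was logged before the logon failure.
    """
    events = parse(records)
    sync_errors = [t for s, i, t in events if (s, i) == TIME_FAILURE]
    results = []
    for source, event_id, when in events:
        if (source, event_id) not in AUTH_FAILURES:
            continue
        near = [t - when for t in sync_errors if abs(t - when) <= window]
        offset = min(near, key=abs).total_seconds() if near else None
        results.append((source, event_id, when, offset))
    return results

def summarize(results):
    """Count logon failures with and without a nearby time-sync error."""
    paired = sum(1 for r in results if r[3] is not None)
    return {"paired": paired, "unpaired": len(results) - paired}

if __name__ == "__main__":
    for source, event_id, when, offset in correlate(SAMPLE):
        note = "no W32Time 29 nearby" if offset is None else f"W32Time 29 at {offset:+.0f}s"
        print(f"{when}  {source} {event_id}: {note}")
    print(summarize(correlate(SAMPLE)))
```

Logon failures that stay unpaired at any reasonable window are the ones a clock problem cannot explain, which is the distinction the comment draws between a time-sync cause and a shared connectivity cause.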