Logon rejected for Domain User / Windows cannot determine the user or computer name

Posted on 2009-02-17
Last Modified: 2012-05-06
I am getting the following errors while using Remote Desktop to connect to a server with domain credentials, but I can log in locally:

*Logon rejected for DomainName\User. Unable to obtain Terminal Server User Configuration. Error: The specified domain either does not exist or could not be contacted.

**Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*** This computer was not able to set up a secure session with a domain controller in domain DOMAIN NAME due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***


More information:

I can ping my domain controller by IP address and by name without any problem, and I can do the same thing from the DC: I can ping this problematic server.

When I go to My Network Places from the problematic server -> Entire Network -> Microsoft Windows Network, I can see and browse other servers/computers on the domain/network.

I was trying to assign local administrative privileges to a domain user, so I went to Computer Management -> Local Users and Groups -> Groups -> Administrators. All I see is the local machine; I am not seeing my domain, just the one local machine listed there.

Please help me out, as users are starting to panic!!!
Question by:Abi_003
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23661499
Does the TS have the AD DNS servers configured correctly?
Can you log on locally to the domain?

Check Event Viewer and paste the events.
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23661522
Reset the computer account (the TS machine) in Users and Computers.
Maybe its password is out of sync with Kerberos.
0
 

Author Comment

by:Abi_003
ID: 23661630
The Terminal Server was working fine for the last two years. This issue started to happen last night; nothing got changed. I can log in to both domain controllers without any problem, and I can also log in to other servers on the same network without any issues. This is happening only on this specific server.

Event Type:      Error
Event Source:      Winlogon
Event Category:      None
Event ID:      1219
Date:            2/17/2009
Time:            11:18:05 AM
User:            N/A
Computer:      PRODDB
Description:
Logon rejected for Doamin\user. Unable to obtain Terminal Server User Configuration. Error: The specified domain either does not exist or could not be contacted.
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 4b 05 00 00               K...    


_________________________________________________________________________________________________________
Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5719
Date:            2/17/2009
Time:            11:11:17 AM
User:            N/A
Computer:      PRODDB
Description:
This computer was not able to set up a secure session with a domain controller in domain DOAMINNAME due to the following:
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23661662
Is the error only for one user?
Have you tried with other users?
0
 

Author Comment

by:Abi_003
ID: 23661753
No - For all of our Domain Users ...
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23661889
And are there messages on the domain controller?
Maybe there is an error from Kerberos or something else...
Check and paste.
0
 

Author Comment

by:Abi_003
ID: 23662316
no.. no errors on DC..
0
 
LVL 18

Expert Comment

by:Americom
ID: 23662485
Let me understand this:
You have a problematic server
This problematic server cannot rdp to any other server?
Other server cannot rdp to this problematic server?
You tried to add a domain user with admin right to this problematic server but only see this server and no domain?

If the above are true, you need to double check the time and make sure it's the same time and time zone as your domain controller. If it's the same, what else is in production on this box? Can it be disjoined and rejoined to the domain quickly?
0
 

Author Comment

by:Abi_003
ID: 23662671
You have a problematic server  - yes
This problematic server cannot rdp to any other server? no, other clients cannot rdp to this problematic server
Other server cannot rdp to this problematic server? Yes
You tried to add a domain user with admin right to this problematic server but only see this server and no domain? That is correct.

Also, I found this event entry on my DC. Any idea how to fix this?

Event Type:      Warning
Event Source:      W32Time
Event Category:      None
Event ID:      50
Date:            2/17/2009
Time:            1:03:33 AM
User:            N/A
Computer:      PDC
Description:
The time service detected a time difference of greater than 128 milliseconds  for 90 seconds. The time difference might be caused by synchronization with  low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update  the system clock. When a valid time stamp is received from a time service  provider, the time service will correct itself.  

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:Abi_003
ID: 23663254
Please see the screen shot for the error msg. thx..
error.bmp
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23663332
Reset the machine Account:
At AD Users and Computers ->  search the machine -> right click -> Reset Account
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23663356
Important:
sync the clock:

w32tm /resync
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23663380
OR:

net time /set /y
If it does not find the domain controller:
net time \\domain_controller /set /y
0
 

Author Comment

by:Abi_003
ID: 23663897
what does this command do:  net time \\domain_controller /set /y
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23663996
net time /set /y
If it does not find the domain controller:
net time \\domain_controller /set /y
(replace \\domain_controller with the name of the domain controller)
Set the machine clock, sync from Domain Controller.
0
 

Author Comment

by:Abi_003
ID: 23664018

matiasojeda:
net time /set /y
If it does not find the domain controller:
net time \\domain_controller /set /y
(replace \\domain_controller with the name of the domain controller)
Set the machine clock, sync from Domain Controller.

=====
Will it set my DC's time?
0
 
LVL 18

Expert Comment

by:Americom
ID: 23664072
That command was to configure your server to sync with the domain controller in your server registry.
Since you have a Windows Server 2003 domain and that problematic server is a member server, it synchronizes with your domain controller by default. If you don't see any time difference of more or less than 5 minutes when compared with your domain controller's time, then you don't have a time problem.

Also, before you reset the computer account, you should double check the firewall of your problematic server, just in case it is not turned on. If that's not it, resetting the computer account password is the next step. Unfortunately, resetting the computer account via ADUC does not work well, but since it's a member server and not a domain controller, you can simply disjoin it and rejoin it to the domain. As long as your problematic computer is not a CA, you should be fine doing so.
0
 
LVL 1

Expert Comment

by:matiasojeda
ID: 23665338
(crickets)

So?
0
 

Author Comment

by:Abi_003
ID: 23670732
The time on both the DC and the problematic server is the same, but I still can't RDC to the server.
0
 
LVL 18

Accepted Solution

by:Americom
ID: 23671306
As long as the time on the DC/servers/machines is the same (within 5 minutes or less), then even if you have a time sync problem it shouldn't prevent you from communicating with each other.

Also, you said you have no problem logging on locally, only via RDP. Can you RDP to it but provide the local Administrator account of the problematic server, and be sure to select the computer name as the domain to log on to? This way you can bypass the domain and verify whether Terminal Services is misconfigured on your problematic server or it just cannot see the domain info.

It has to be one of these possible root causes:
1. Misconfigured Terminal Services -- unlikely, but can be verified by RDP, providing the local admin account to log on to the computer (the server itself)
2. Firewall is turned on -- verify this first and make sure it is off
3. Not truly a member server -- for example, the computer account expired, or someone deleted the computer account from AD and just recreated it instead of restoring it from backup. Disjoining and rejoining the domain will fix this problem.

0
 
LVL 1

Expert Comment

by:YMartin
ID: 25251379
Okay, I rechecked the W32Time messages in Event Viewer. Most (but not all) of the Winlogon 1219 and Netlogon 5719 errors have W32Time 29 errors occurring around the same time - occasionally before, occasionally after. There are also W32Time information messages saying that the synchronization occurred successfully, bracketing those errors. I don't think two computers would get out of sync by 5 minutes in 15 minutes, so I would wager that the W32Time failures to synchronize aren't the cause of the Winlogon and Netlogon errors but are caused by the same connection issue. Interestingly, there are no W32Time 29 errors during that same 6/18 to 8/03 time period - there are plenty of warning and information messages during that period.
0
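
The check described in the last comment, whether Winlogon 1219 and Netlogon 5719 errors have W32Time events close to them, can be scripted over Event Viewer text in the layout pasted in this thread. This is an added example, not part of the original thread: the sample records are constructed (the W32Time 29 entry and its timestamp are made up), and the two-minute window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, abbreviated to the fields parsed below, in the
# "Field: value" layout of the Event Viewer text pasted in this thread.
# The W32Time 29 record and its timestamp are made up for illustration.
SAMPLE = """\
Event Source:      NETLOGON
Event ID:      5719
Date:            2/17/2009
Time:            11:11:17 AM
Computer:      PRODDB
Event Source:      W32Time
Event ID:      29
Date:            2/17/2009
Time:            11:12:40 AM
Computer:      PRODDB
Event Source:      Winlogon
Event ID:      1219
Date:            2/17/2009
Time:            11:18:05 AM
Computer:      PRODDB
"""

AUTH_FAILURES = {("netlogon", 5719), ("winlogon", 1219)}
FIELD = re.compile(r"^(Event Source|Event ID|Date|Time|Computer):[ \t]*(.+?)[ \t]*$", re.M)

def parse_events(text):
    """Return one dict per record; a record starts at its 'Event Source:' line."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Source:)", text):
        f = dict(FIELD.findall(chunk))
        if not {"Event Source", "Event ID", "Date", "Time"} <= f.keys():
            continue  # separator lines or an incomplete record
        when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append({"source": f["Event Source"].lower(), "id": int(f["Event ID"]),
                       "when": when, "computer": f.get("Computer", "")})
    return events

def correlate(events, window=timedelta(minutes=2)):
    """For each logon failure, list W32Time event IDs on the same host within the window."""
    w32 = [e for e in events if e["source"] == "w32time"]
    out = []
    for e in events:
        if (e["source"], e["id"]) in AUTH_FAILURES:
            near = [t["id"] for t in w32 if t["computer"] == e["computer"]
                    and abs(t["when"] - e["when"]) <= window]
            out.append((e["when"].isoformat(sep=" "), e["id"], near))
    return out
```

Logon failures that come back with an empty list had no W32Time event nearby, which is the "most, but not all" pattern worth separating out before treating time sync as the cause.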
