Solved

XP Workstation cannot logon to Domain

Posted on 2009-04-09
30
2,071 Views
Last Modified: 2012-05-06
Hi All,

I am having a weird problem.
I have setup a new Domain in the organisation.
I have started to move workstations from one domain to another.
If I just change the workstation to the new domain in the System - Computer Name tab, I run into problems. I'll explain the problems next.
But if I first move the workstation to a workgroup,  reboot and then add the computer to the new domain it works fine.

This is the problem I have:
The computer joins the domain successfully.
But when I attempt to logon to the domain I get the message "The domain is unavailable".
But if I logon to the local machine, and access a share in the domain using appropriate credentials, logout, I can then login as a domain user.
If I reboot the machine I can still login as the previous domain user, but if I attempt to login as a new domain user I get "Domain is unavailable".

All workstations use DHCP to get I P/ DNS and WINS.

I see various messages in the workstation Event Log:
Firstly:
#######
Event ID: 4321
The name "DOMAIN      :1d" could not be registered on the Interface with IP address 10.10.251.102. The machine with the IP address 10.10.251.103 did not allow the name to be claimed by this machine.
########
The IP 10.10.251.103 is a workstation on the domain that is operating as expected.

At about the same time:
######
Event ID: 11163
The system failed to register host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {70FF4EF4-E8CC-4C98-A3DD-1FD18360DE52}
   Host Name : vtulppc5
   Primary Domain Suffix : domain.com
   DNS server list :
           10.10.250.5
   Sent update to server : 10.1.1.1
######
I have no idea where the IP 10.1.1.1 is coming from, machine is 10.10.251.102/24

#####
Event ID: 40960
The Security System detected an attempted downgrade attack for server DNS/vtulpps2.domain.com.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
#####

#####
Event ID: 40961
The Security System could not establish a secured connection with the server DNS/vtulpps2.domain.com.  No authentication protocol was available.
#####

#####
Event ID: 5729
No Domain Controller is available for domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request. .
Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
###


Any help would be greatly appreciated.

Many thanks,
Shane
0
Comment
Question by:shakel_ie
  • 11
  • 6
  • 6
  • +3
30 Comments
 
LVL 11

Expert Comment

by:kyodai
ID: 24105911
Try to join a workgroup and then the domain again. Usually if a workstation joins a domain it writes the domain config in the registry and suses these for logon. Try re-joining the domain so these information get written again.
0
 

Author Comment

by:shakel_ie
ID: 24106012
Hi kyodai,

I have tried that already and I tried it again now.
No change.

I still see similar events in the logs but no new
Event ID: 4321
The name "DOMAIN      :1d" could not be registered on the Interface with IP address 10.10.251.102. The machine with the IP address 10.10.251.103 did not allow the name to be claimed by this machine.

I have a feeling that may be the problem.
Is there someway to force this registration?

Many thanks,
Shane
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24106434
In your DNS zone, delete the record for 10.10.251.102 then try it again.
0
 

Author Comment

by:shakel_ie
ID: 24107580
Hi,

Thanks for the suggestion.
Still the same issue.

2 points to note:
1. The DNS entry was not recreated for the workstation.
2. The workstation sits "building domain list" for a few mins at first logon.

Any other ideas?

Thanks,
Shane
0
 

Author Comment

by:shakel_ie
ID: 24156329
Hi All,

Still no progress on this issue, anybody got any ideas?

Many thanks,
Shane
0
 
LVL 51

Expert Comment

by:Netman66
ID: 24215855
Before you change the Domain name in My Computer to the new one, check the NIC settings for TCP/IP to determine what DNS server the workstation is pointing to.

Because you have 2 domains, each will have it's own DNS server.  When you change domains, it will first go to the original domain to remove itself from AD then look for the new domain to join.  It requires that the account you're using has Domain Admin rights to at least the original domain - you should be prompted for new credentials when joining the new domain.  Since the old DNS server that the client is likely using knows nothing about the new domain, then this needs to be addressed.

So what I think you could try, is setting up a Delegation record or using Conditional Forwarding on the old DNS server to point to the new DNS server for the new domain.  After that, the DHCP Scope Options need to be changed to hand out the new DNS info to the client - but this should be done AFTER all clients are migrated.  Just be sure to get the original DNS forwarding new domain requests to the new DNS server before moving forward.

0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 24216206
I would use New SID

http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

Delete the computer out of ADUC and use NEW SID as per above and go to command prompt and do

ipconfig /flushdns

then join to the new domain ( ensuring that the clients computer system time / clock is within 5 minutes of the domain controllers time ) and you should be able to re join it assuming you have the microsoft client for networking added onto the network card
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 24216232
once re joined go to command prompt and do

ipconfig /registerdns

pressing enter after each command in the command prompt
0
 

Author Comment

by:shakel_ie
ID: 24216600
Hi Guys,

Many thanks for your responses.
I have tried what you both suggested but problem still remains.
This is what I did:

1. Logged in as Admin on local PC remove PC from Domain and add to TEST Workgroup
2. Run ipconfig /flush DNS
3. Verify that PC is using NEW domain DNS settings
4. Remove PC from AD
5. Reboot
6. Logged in as Admin on local PC and run NewSID
7.Reboot
8. Logged in as Admin on local PC add PC to Domain
9. Verify that DNS entry is created correctly for PC
10. Reboot
11. Attempt to login to Domain using user account "Message - Domain is not available"

The only errors I get in the event logs are Event 15 and 1054.
Event 15:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event 1054:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

But DNS and everything look ok.
I can do \\servername etc...

I suspect this is still going back to the error:
#######
Event ID: 4321
The name "DOMAIN      :1d" could not be registered on the Interface with IP address 10.10.251.102. The machine with the IP address 10.10.251.103 did not allow the name to be claimed by this machine.
########

Many thanks,
Regards,
Shane
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 24216652
If you re image one of the machines and try again is it still the same ?

If so then that points at DNS or something else as apposed to the client machines.
0
 

Author Comment

by:shakel_ie
ID: 24216920
I haven't tried that yet, I was hoping to avoid that.
I will try using NewSID and change the hostname 1st.

If that does not work I will reinstall the machine.

Many thanks
Shane

0
 
LVL 51

Expert Comment

by:Netman66
ID: 24216954
If you do an IPCONFIG /ALL on that machine can you post the output?

0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 24217054
As per netman ( am guessing he wants to see the output to check to see if the computer is pointing to the correct DNS server.

At least thats what I think he is getting at and also to make sure its on the correct subnet ( subnet mask )
0
 

Author Comment

by:shakel_ie
ID: 24217160
AD Server:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : vtulpps2
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Ad
apter #2
   Physical Address. . . . . . . . . : 00-18-FE-FE-AC-F4
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.10.250.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.250.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1




Workstation:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : vtulppc50
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : domain.com
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connecti
on
        Physical Address. . . . . . . . . : 00-19-DB-53-49-E4
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.251.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.251.1
        DHCP Server . . . . . . . . . . . : 10.10.250.5
        DNS Servers . . . . . . . . . . . : 10.10.250.5
        Primary WINS Server . . . . . . . : 10.10.250.5
        Lease Obtained. . . . . . . . . . : 23 April 2009 17:47:25
        Lease Expires . . . . . . . . . . : 26 April 2009 17:47:25

0
 
LVL 51

Expert Comment

by:Netman66
ID: 24217480
Your DHCP addresses are wrong.

They're on another subnet than the server.  You need to create a scope for the 10.10.250.0 network, then exclude the first 10 or 20 addresses (for the server and router and switches, etc) so that DHCP doesn't give them out.

Your Gateway is consequently incorrect also.

0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 24218134
@ Netman

how can you tell the DHCP servers and the gateway are wrong and what should they be ( as an example )

Obviously missing something
0
 
LVL 51

Expert Comment

by:Netman66
ID: 24221057
The server has a static address of 10.10.250.5 with a 24-bit mask.

The workstation posted above has an address of 10.10.251.102 with a 24-bit mask.

This means the workstation and server are on two different IP networks from each other - which would normally not be an issue except the gateway is obviously a device other than the server (a router maybe?).  

Hopefully, the domain.com above is simply a scrubbed domain name.  If not, this could be an issue because Domain.com is a real domain on the Internet.

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24221336
Keep in mind, there could be a router in place passing the 251.x traffic to the 250.x subnet.....

I dont think it is a connectivity problem, as he could authenticate as a Domain User here.....

"But if I logon to the local machine, and access a share in the domain using appropriate credentials, logout, I can then login as a domain user."

This caches the profile, so even when another user didnt work, this one did as the credentials were cached....

Are you using the FQDN of the domain itself when attempting to join it?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24221343
@NetMan66

I have seen your skills around here for a long time.... I almost feel guilty to disagree with you....
0
 
LVL 23

Expert Comment

by:gecko_au2003
ID: 24222098
I am not going to agree or disagree with anyone as I would just like to see if we ( by we I mean most likely one of you ) can resolve the problem.

Just to clarify a few things

1. What is your domains FQDN ( Fully Qualified Domain Name ) ?

2. Does the client and server times synch ie are with in the 5 minute time limit and do you have an NTP server setup ?

3. Not sure if this will help but if you use something like delprof with the appropriate commands / switches or just manually delete the profiles along with the use hive profile cleanup service

Delprof can be found here

http://www.microsoft.com/downloads/details.aspx?familyid=901a9b95-6063-4462-8150-360394e98e1e&displaylang=en

hive profile clean up service can be found here

http://www.microsoft.com/downloads/details.aspx?FamilyId=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Then try and join the domain does that help with it not caching the old profiles ? ( Not sure if that will be an issue or not due to security ie permissions or anything else but just thought if you cleared the old profiles assuming its a computer you have shifted from one domain to another to see if that helps some what ? )

Also do you have routing between the 250.x and the 251.x subnets ?

Also Just out of personal curiousity how have you got the dhcp pools / reservations setup for the 250.x and the 251.x subnets ( assuming they are both coming from the same and only one dhcp server ) ?

Not sure if any of the above will help but would be nice to know
0
 

Author Comment

by:shakel_ie
ID: 24223454
Sorry Guys only back online now.
Thanks for all the comments.

First to address the DHCP issues, the workstation and servers are in different subnets.
I plan to install a firewall between them but at the moment I just have a router. 10.10.250.1 and 10.10.251.1 is the same router.
I have a dhcp relay on that router relaying DHCP requests from 251.x to the DHCP server 250.5
I do not use DHCP on 250.x, all servers with static IPs, I only have a DHCP pool for 251.x

My domain is validsoft.com which is a real domain name, but I had hoped to use split brain DNS to solve my DNS issues for internal and external addresses. Could this pose a problem? And if so why do most Workstations join the domain properly and operate normally when they have the same IP settings as the problem machines?

I am not using an NTP server currently but the times are pretty much in sync.

I will try those profile removers but one point to note, since I changed the SID and hostname the machine will not allow login with previuosly cached credentials so I doubt its a caching problem.

Is anybody familiar with WINS? Do I need it? I installed is as one of the Event IDs indicated that may be problem. But I'm not sure if it's required but I have a suspicion it may be something to do with my problem.
But the problem existed before I installed WINS.

Thanks guys,
Shane

0
 
LVL 51

Expert Comment

by:Netman66
ID: 24223719
I suspected you may have had a router in the mix between the two subnets - what make/model is it?  I'm thinking it's not a cheapo consumer model since you state that the two subnets are on the router which would mean two internal interfaces.

DNS is very likely the culprit here - I'm not certain that profiles have anything to do with it.

You should not need WINS at all.

If you have a Cisco router, make sure that you have an IP Helper address set for each internal interface - which it looks like you might.

0
 

Author Comment

by:shakel_ie
ID: 24223811
Not very expensive I'm afraid, doing the routing on a switch at the moment.
Hoping to get a firewall in so not spending on a router.
Its a 3com 4500 switch.

All traffic is routed from one network to another.
I am suspect of this being a DNS issue on the server.
If it is then why are other clients  operating normally if I go through the procedure where I remove them for the old domain by adding them to a Workgroup?
It only if I move them from on domain to another does the problem occur...

Cheers,
Shane

0
 
LVL 51

Expert Comment

by:Netman66
ID: 24224702
I thought I detailed that earlier.

When simply changing domains, the workstation needs to be able to contact both domains AND have Domain Admin rights in the original domain.

Re-read my post above and let me know if there is something I didn't explain properly.

0
 

Author Comment

by:shakel_ie
ID: 24225472
Hi Netman66,

Yes you did, thank you.
I have had forwarders going in both directions, from old DNS to new DNS for the new domain and from new DNS to old DNS for old domain.

Everything works ok if I move workstation from old domain to workgroup and then to new domain, rebooting where required and not making any IP changes.

But I get my problem when I just move from one domain directly to another.

Anyway I'm not that worried about that, I am happy to go old domain-workgroup-new domain.

I just want to solve this problem for the machines that now have it.

Regards,
Shane
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24230349
Im gonna step aside, and let you drive Netman66. This is not my specialty....

FYI, I only mentioned the profiles as to explain why the Runas/subsequent login worked, by creating a cached profile.
0
 

Author Comment

by:shakel_ie
ID: 24270088
Hi Guys,

I have reinstalled one of the XP workstations that was having this problem.
I reinstalled with Vista (needed to do this anyway sometime).
Same hostname and IP address and everything is fine, no problems.

This leads me to think this is a problem on the workstation, not on any server.
I have two more XP workstations that still have this problem which I cannot reinstall as easily.

Any ideas further ideas?

Thanks,
Shane

0
 

Accepted Solution

by:
shakel_ie earned 0 total points
ID: 24538464
Hi Guys,

I cannot find any solution so I am going to close the question.
The reinstall works but that is not a solution in this case.

Many thanks for all your help.

Shane
0

Join & Write a Comment

Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now