Troubleshooting domain logon problem

Windows 2000 Server SP4 as domain controller. Windows XP Pro SP3. New install of XP OS and programs onto several Dell PCs. Windows Update is current on both server and XP Pro PCs.
Can join all three PCs to the domain, but then cannot log onto the domain at any of the three PCs with the domain administrator account, or any other domain user account. PC says domain cannot be reached. Can log in as local administrator and ping server IP and server DNS name. I don't see anything in the event viewer of the server that seems to apply to my failed login. Not sure where to go next to resolve the problem. All help, questions and advice is much appreciated!!!
bluntTony (Head of ICT) commented:
I would agree that the new machines need to be moved out of the Computer container, but I doubt this would cause issues with users logging on, unless you had a domain-wide policy which caused problems, which seems unlikely. You can't apply policies directly to it as it is not an OU.
Do you have any machines which you can use to log in, or are these three all you have? Where is your Global Catalog - you need access to one to log in, but not necessarily to join a domain. It could be that either it's not available, or that the required SRV records are not in DNS.
Try running DCDIAG and NETDIAG tests on the DC and see if this yields anything. If this is a domain-wide problem, run the following, after making sure the DC points to itself for DNS:
ipconfig -flushdns
ipconfig -registerdns
net stop netlogon
net start netlogon
This should re-register DNS records for the DC.
Let us know how you get on...
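A way to check the SRV records mentioned in the comment above from an affected workstation, as an added example that is not part of the original thread. It assumes a single-domain forest (so the `_gc._tcp` record sits under the same DNS name) and takes the AD DNS domain name and the DNS server IP as arguments you supply; the script name is hypothetical.

```bat
@echo off
rem Added example (not from the thread): verify the DC locator SRV records
rem that Netlogon registers and that a client queries when logging on.
rem Usage: check-srv.cmd <ad-dns-domain-name> <dns-server-ip>
rem Pass the domain name without a trailing dot.
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<ad-dns-domain-name^> ^<dns-server-ip^>
    exit /b 2
)
set DOMAIN=%~1
set DNS=%~2
set MISSING=0

rem The trailing dot makes each name fully qualified, so nslookup does not
rem append the workstation's DNS suffix search list to it.
for %%R in (_ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _ldap._tcp _kerberos._tcp _gc._tcp) do call :check %%R.%DOMAIN%.

if %MISSING%==0 (echo All SRV records resolved.) else (echo %MISSING% SRV record^(s^) missing.)
exit /b %MISSING%

:check
rem nslookup's exit code is not reliable, so look for an SRV answer line.
nslookup -type=SRV %1 %DNS% 2>&1 | find /i "svr hostname" >nul
if errorlevel 1 (
    echo MISSING  %1
    set /a MISSING+=1
) else (
    echo OK       %1
)
goto :eof
```

Any line reported as MISSING points at the DNS registration step (the `ipconfig -registerdns` and Netlogon restart above) rather than at the workstation.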
This can be a routing problem. Are the servers and the PC in the same subnet?
Can you do a trace from the workstation to the AD server?
Are there any messages in the eventlog of the PC?
bluntTony (Head of ICT) commented:
When you say you've installed OS plus programs, how have you done this? Did you use an image? If you did, did you sysprep the machine before making the image? If you didn't, you've got duplicate SID and computer account problems.
It sounds like a trust link issue between the server and workstation. On an affected machine, log in locally, disjoin from the domain, delete the computer account out of AD, then re-join the machine. Then try and log in.
Let us know if this helps...
Did you rename any of the workstations?  If you did, remember that you need to take it off the domain (to Workgroup) with the new name and reboot.  Then you can add it back to the domain.  Also, double check your WINS settings. That's usually where I make a mistake.
jwulf1092 (Author) commented:
rslangen, I will check the event viewer in the PC and let you know what I find.

blunttony, I was originally imaging it, but even with sysprep I was still getting SID warning, so I abandoned imaging, and did complete clean installs on two of the three PCs (leaving the original that was used for cloning as it stood). (I am no longer getting SID errors, just domain login error.)
On an affected PC I have disjoined the domain, deleted computer account from AD on server, rejoined the domain ok, but then can not log in as a domain administrator or user.

maraoneill, the only renaming to be done was during original sysprep and cloning processes. During this round of installs I named each machine as I built it, and did not rename it after.
Please advise about my wins settings. I did not do ANYTHING with wins???
When you re-add the machine into the Domain, it will default to the Computers OU in Active Directory. This may well have a restrictive policy preventing you from logging on.

You should be able to either move the computer object via ADUC or alternatively use the netdom commandline syntax to add the computer to the domain within a specific OU.

Hope this helps..
The network I use has WINS servers, so the WINS IP must be entered as part of the NetBIOS settings. I'm not a network expert, but I know if I accidentally put a typo in the WINS settings I'll be able to ping, and get to the Internet, but will not be part of the domain.

If you don't have any WINS settings, you probably don't need them, so disregard that advice.

jwulf1092 (Author) commented:
Sorry for the long delay in responding, other issues have kept me occupied.

I am back to working on this issue for a day and here is the update. I have started one of my test workstations that I am trying to add to the domain. I left the domain, and I am now trying to rejoin the domain and now I get this error message: Multiple connections to a shared resource by the same user, using more than one username, are not allowed. Disconnect...
This seems like a licensing or permissions issue with my administrator account, which I am using to authenticate to join the domain.

rslangen: Yes the PC and server are in the same subnet. Yes I can tracert using both netbios name and ip. It is one hop to get to the server from the PC.
The only relevant message I can find in the eventlog of the PC is in the application log. Error-autoenrollment-error ID is 15-automatic certificate enrollment for local system failed to contact the active directory (0x8007054b) the specified domain either does not exist or could not be contacted.

maraoneill: I set up the AD/DC server(only server on the domain) and I did not set up wins, so I am assuming that is not my issue. Thanks tons for the help though!!!!

bluntTony: I tried the flush and register DNS and stop and start net login. No success. One of my workstations, currently on the domain still is getting the same error: The system cannot log you on  now because the domain APEXTECHLV is not available.

Another note, On my server I noticed that I spelled the domainname with mixed case "ApexTechLV" and I also noticed that I did not give it a .local, or dot anything after the domain name. I don't think this is an issue, but I thought I would bring it up.

As I am still fighting this issue, I have increased the points, in the hopes that help will continue to be forthcoming :).
Thanks all.

jwulf1092 (Author) commented:
I posted the "multiple connections to a shared..." comment without even trying to resolve the problem. I quickly found that it was because of a mapped drive I had created on the local PC to the server. Once I removed that I was able to successfully join the domain. Then I decided to try and log into the domain as the administrator. IT WAS SUCCESSFUL???? WT(#*@($#)%#
Ok so I pushed my luck. I logged off and back onto the domain, it worked again.
Ok more luck pushing, I logged off as the administrator, and logged onto the domain as a domain user, that worked too! WOOHOO..... Ok so I moved over to another PC on the domain that I have the same prob with.
I logged into the local PC, disconnected the mapped drive and then tried to log into the domain, no joy. So I left the domain and rejoined it. NOW I could log into the domain.
Sooo it appears that I have solved my own problem, and it may also be due in part to bluntTony's recommendations. I am going to award bluntTony partial credit.
jwulf1092 (Author) commented:
I couldn't split the points between you and me, so I just gave um all to you. Thanks
Question has a verified solution.
