Solved

Troubleshooting domain logon problem

Posted on 2009-04-20
Last Modified: 2013-12-05
Windows 2000 Server SP4 as domain controller. Windows XP Pro SP3. New install of XP OS and programs onto several Dell PCs. Windows Update is current on both server and XP Pro PCs.
Can join all three PCs to the domain, but then cannot log onto the domain at any of the three PCs with the domain administrator account, or other domain user account. PC says domain cannot be reached. Can log in as local administrator and ping server IP and server DNS name. I don't see anything in the event viewer of the server that seems to apply to my failed login. Not sure where to go next to resolve the problem. All help, questions and advice are much appreciated!!!
JW
Question by:jwulf1092
10 Comments
 
LVL 4

Expert Comment

by:rslangen
ID: 24183024
This can be a routing problem. Are the server and the PC in the same subnet?
Can you do a trace from the workstation to the AD server?
Are there any messages in the eventlog of the PC?
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24183842
When you say you've installed OS plus programs, how have you done this? Did you use an image? If you did, did you sysprep the machine before making the image? If you didn't, you've got duplicate SID and computer account problems.
It sounds like a trust link issue between the server and workstation. On an affected machine, log in locally, disjoin from the domain, delete the computer account out of AD, then re-join the machine. Then try and log in.
Let us know if this helps...
0
 

Expert Comment

by:maraoneill
ID: 24186306
Did you rename any of the workstations?  If you did, remember that you need to take it off the domain (to Workgroup) with the new name and reboot.  Then you can add it back to the domain.  Also, double check your WINS settings. That's usually where I make a mistake.
0
 
LVL 1

Author Comment

by:jwulf1092
ID: 24187044
rslangen, I will check the event viewer in the PC and let you know what I find.

bluntTony, I was originally imaging it, but even with sysprep I was still getting a SID warning, so I abandoned imaging and did complete clean installs on two of the three PCs (leaving the original that was used for cloning as it stood). (I am no longer getting SID errors, just the domain login error.)
On an affected PC I have disjoined the domain, deleted the computer account from AD on the server, rejoined the domain OK, but then cannot log in as a domain administrator or user.

maraoneill, the only renaming to be done was during the original sysprep and cloning processes. During this round of installs I named each machine as I built it, and did not rename it after.
Please advise about my WINS settings. I did not do ANYTHING with WINS???
0
 

Expert Comment

by:AlJames
ID: 24187099
When you re-add the machine into the Domain, it will default to the Computers OU in Active Directory. This may well have a restrictive policy preventing you from logging on.

You should be able to either move the computer object via ADUC or alternatively use the netdom commandline syntax to add the computer to the domain within a specific OU.

Hope this helps..
0
 

Expert Comment

by:maraoneill
ID: 24187973
The network I use has WINS servers, so the WINS IP must be entered as part of the NetBIOS settings. I'm not a network expert, but I know if I accidentally put a typo in the WINS settings I'll be able to ping, and get to the Internet, but will not be part of the domain.

If you don't have any WINS settings, you probably don't need them, so disregard that advice.

0
 
LVL 27

Accepted Solution

by:
bluntTony earned 1050 total points
ID: 24193785
I would agree that the new machines need to be moved out of the Computer container, but I doubt this would cause issues with users logging on, unless you had a domain-wide policy which caused problems, which seems unlikely. You can't apply policies directly to it as it is not an OU.
Do you have any machines which you can use to log in, or are these three all you have? Where is your Global Catalog - you need access to one to log in, but not necessarily to join a domain. It could be that either it's not available, or that the required SRV records are not in DNS.
Try running DCDIAG and NETDIAG tests on the DC and see if this yields anything. If this is a domain-wide problem, run the following, after making sure the DC points to itself for DNS:
ipconfig -flushdns
ipconfig -registerdns
net stop netlogon
net start netlogon
This should re-register DNS records for the DC.
Let us know how you get on...
0
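The SRV-record point in the answer above can be checked directly from an affected workstation. The following Windows batch script is an added example, not part of the original thread; it assumes a single-domain forest and takes the AD DNS domain name (and optionally the DNS server's IP) as operator-supplied arguments.

```bat
@echo off
rem Added example, not from the thread: check the DNS SRV records a
rem workstation needs to locate a domain controller and Global Catalog.
rem Usage: check-dc-srv.cmd AD-DNS-DOMAIN [DNS-SERVER-IP]
rem Assumption: single-domain forest, so the GC records live under the
rem same DNS name as the domain. Both arguments come from the operator.
setlocal
if "%~1"=="" (
  echo Usage: %~nx0 AD-DNS-DOMAIN [DNS-SERVER-IP]
  exit /b 2
)
set "DOMAIN=%~1"
set "DNSSERVER=%~2"
set FAIL=0

rem Records the DC registers when Netlogon starts.
call :check _ldap._tcp.dc._msdcs.%DOMAIN%
call :check _kerberos._tcp.dc._msdcs.%DOMAIN%
call :check _ldap._tcp.gc._msdcs.%DOMAIN%
call :check _gc._tcp.%DOMAIN%

if %FAIL%==0 (
  echo All locator SRV records resolved.
) else (
  echo %FAIL% locator SRV records did not resolve.
)
exit /b %FAIL%

:check
rem nslookup prints "svr hostname = target" for every SRV answer;
rem no such line means the record is absent or the DNS server is wrong.
nslookup -type=SRV %1 %DNSSERVER% 2>nul | find /i "svr hostname" >nul
if errorlevel 1 (
  echo [MISSING] %1
  set /a FAIL+=1
) else (
  echo [OK]      %1
)
goto :eof
```

A missing record on the client but not on the DC itself usually means the workstation is pointed at a DNS server that does not host the AD zone.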
 
LVL 1

Author Comment

by:jwulf1092
ID: 24292668
Sorry for the long delay in responding, other issues have kept me occupied.

I am back to working on this issue for a day and here is the update. I have started one of my test workstations that I am trying to add to the domain. I left the domain, and I am now trying to rejoin the domain and now I get this error message: Multiple connections to a shared resource by the same user, using more than one username, are not allowed. Disconnect...
This seems like a licensing or permissions issue with my administrator account, which I am using to authenticate to join the domain.


rslangen: Yes the PC and server are in the same subnet. Yes I can tracert using both netbios name and ip. It is one hop to get to the server from the PC.
The only relevant message I can find in the eventlog of the PC is in the application log. Error-autoenrollment-error ID is 15-automatic certificate enrollment for local system failed to contact the active directory (0x8007054b) the specified domain either does not exist or could not be contacted.

maraoneill: I set up the AD/DC server(only server on the domain) and I did not set up wins, so I am assuming that is not my issue. Thanks tons for the help though!!!!

bluntTony: I tried the flush and register DNS and stop and start net login. No success. One of my workstations, currently on the domain, is still getting the same error: The system cannot log you on now because the domain APEXTECHLV is not available.

Another note: on my server I noticed that I spelled the domain name with mixed case "ApexTechLV" and I also noticed that I did not give it a .local, or dot anything after the domain name. I don't think this is an issue, but I thought I would bring it up.

As I am still fighting this issue, I have increased the points, in the hopes that help will continue to be forthcoming :).
Thanks all.
Sincerely,
JW



0
 
LVL 1

Author Comment

by:jwulf1092
ID: 24292938
UPDATE:
I posted the "multiple connections to a shared..." comment without even trying to resolve the problem. I quickly found that it was because of a mapped drive I had created on the local PC to the server. Once I removed that I was able to successfully join the domain. Then I decided to try and log into the domain as the administrator. IT WAS SUCCESSFUL???? WT(#*@($#)%#
OK so I pushed my luck. I logged off and back onto the domain, it worked again.
OK more luck pushing, I logged off as the administrator, and logged onto the domain as a domain user, that worked too! WOOHOO..... OK so I moved over to another PC on the domain that I have the same prob with.
I logged into the local PC, disconnected the mapped drive and then tried to log into the domain, no joy. So I left the domain and rejoined it. NOW I could log into the domain.
Sooo it appears that I have solved my own problem, and it may also be due in part to bluntTony's recommendations. I am going to award bluntTony partial credit.
Sincerely,
JW
0
 
LVL 1

Author Closing Comment

by:jwulf1092
ID: 31572141
I couldn't split the points between you and me, so I just gave um all to you. Thanks
JW
0
