Robox1

System cannot log you in because <domain> is not available

We are looking after a Server running SBS 2008 with 9 client PCs running XP Pro and 7 users (plus an admin account). All of a sudden, we seem to have a problem getting users logged on. If the users have logged in using a client PC they have used before, they get an error that starts 'Windows cannot locate the server copy of your roaming profile and is attempting to log in with your local profile' and ends 'The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.'.

If users try to login using a client PC they have never used before, they get the error 'The system cannot log you in now because the domain <domain> is not available'.

I have tried creating a new user in SBS 2008, but get the same error (2nd error) when trying to login with any of the client PCs using the new user account. I have also removed the roaming profile link from each user account in the Server Manager but still get the first error when trying to login using any existing user on a PC they have previously used. It's as if the client PCs can no longer see the server. However, when you are logged in to any of the client PCs (using a local profile), you are able to browse the shared folders on the server and print to any shared printer attached to the server. Any ideas?
mds-cos

First thing to check is your DNS.  If it is not working you will get these symptoms.

ASKER

Already checked, DNS address is pointing to the server, DNS suffix set to <domain>.
jasin00

Can you log on locally and ping the server? Are you using DHCP? Have you tried removing and re-adding a machine to your network? You're using SBS; how many machines do you have on your network?

ASKER

Yep, server is ping-able. As stated in my original post, you can browse the folder shares on the server and print to a shared printer attached to the server when logged in locally. Using DHCP. I've added two new machines to the network, one went on fine but then displayed the same symptoms. The second wouldn't get past the reboot stage when using 'http://connect/', displaying an error when connecting to the network (although http://connect/ displayed the correct web page and it pulled all user accounts from the server?!). There are 9 machines attached to the network (10 if you include the server).

ASKER

Also, I should add that when logging in to a client PC using a user account that previously used that client PC (using the cached local profile as we get the first error), you can open Outlook and Exchange is working as normal.

But what about the DNS server itself. Go into the admin tools and into DNS. Does everything look right there? While you are in, run a simple and recursive test to be sure they both pass.

Do you have any software firewalls running?  If so, turn them off.

Can we assume that you have 10 SBS client licenses?

ASKER

Ok, DNS server itself looks ok, no errors in event viewer. Simple and recursive tests pass.

Was using Endpoint, but have now turned it off, still same problem.

Yes, we have 10 device licences and 8 user licences.

Sounds like it may be time to start running some test tools to find the underlying AD or network problems. I don't have much time right now, so am sending you to a link that will point to what test tools you should start running through.

This link does not give you the "how's" behind each tool...but just knowing the tool to use should get you off to a good start. A quick web search on any of the tools (like DCDiag) will come up with plenty of results.

http://technet.microsoft.com/en-us/library/cc961826.aspx



You said you are running SBS, so I am ignoring this...but probably should ask just in case. Are there any other domain controllers, or were there ever other domain controllers? If other domain controllers, be sure they are all OK. If a controller was removed, be sure it was actually decommissioned properly (manually clean up AD if not).

ASKER

Thanks again for the info, I feel I'm now getting somewhere! Ok, I've run dcdiag /test:DNS and had lots of failures. Problem is, I don't really understand the results nor how to fix them. When looking at the DNS server itself in Server Manager, to me it seemed as if nothing was wrong but something obviously is!

Now, the Server, DNS and Domain Controller has been working fine and I don't really know what's changed. What I don't understand is that http://companyweb and http://connect are working from the client PCs, so it appears that DNS name resolution is working OK. I cannot add a new PC using http://connect, although it goes through the motions and pulls down user accounts it ultimately fails with an error stating it cannot connect to the network.

Here are some of the errors from dcdiag:-

TEST: Basic (Basc)
Error: No LDAP connectivity
Warning: adapter [00000006] Broadcom NetXtreme Gigabit Ethernet has invalid DNS server: 192.168.15.1
(sbs2k8.<domain>.local.)
Error: all DNS servers are invalid
No host records (A or AAAA) were found for this DC

TEST: Forwarders/Root hints (Forw)
Error: Root hints list has invalid root hint server: a.root-servers.net. (2001:503:ba3e::2:30)
Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
Error: Root hints list has invalid root hint server: f.root-servers.net. (2001:500:2f::f)
Error: Root hints list has invalid root hint server: h.root-servers.net. (2001:500:1::803f:235)
Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)

TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record _dcdiag_test_record in zone <domain>.local

TEST: Records registration (RReg)
Error: Record registrations cannot be found for all the network adapters

OK, so you have a DNS problem that we need to start with. When I've seen this it is because the systems are pointing to the wrong DNS server, or the DNS records got corrupted. So let's start with these basic checks.

1)  From an architecture perspective, I need to verify that you have a single AD server on your network. The SBS server that is running both DNS and AD DC. The server has a single IP address configured as 192.168.15.1 -- and in the IP configuration of the server DNS is pointing to itself...and nowhere else (i.e. there should not be any secondary or tertiary DNS servers specified).

2)  If you go into the DNS administration console, do you see your domain in there?  Open it up and verify that the server appears as a host record.  You also should have a bunch of other stuff that defines the AD domain itself.

3)  Microsoft being what it is, have you rebooted the server lately?  If not, do a reboot just for kicks and giggles.

ASKER

Thanks for your help so far, it is very much appreciated.

1. Yes, we have a single AD server on the network and it is the SBS server that is running both DNS and AD DC. The server does have a single IP address - 192.168.15.1 and the IP configuration has one DNS server specified and points to itself (192.168.15.1).

2. In the DNS admin console (start > admin tools > DNS), all I can see is the server name (SBS2K8). If I open that up, a few directories open but, to be honest, I'm lost from there. I don't see the domain listed anywhere in this console. If I'm looking in the wrong place, please forgive my ignorance and point me in the right direction!

3. The server has been rebooted several times. Twice today!

ASKER

Hi,

We're still suffering with this problem so if anyone can add anything else it'd be much appreciated.

Sorry. I am in the middle of a project and time is getting squeezed. When you look in the DNS admin console, do the folders you see look something like the attached file (captured from Windows 2003 server)? Drill down into the folders, and you should find your SBS server as an entry in the "_tcp" folder for virtually all of your directories. And of course you should see a whole list of "host" records in the top folder -- which should be named the same as your domain.
AD-DNS.pdf

ASKER

Hi, sorry it took so long to reply. We hired a Server expert to look at the Server and it turns out that half of the DNS structure was missing. Thanks for your help.

That makes sense, which is why I was trying to take you down the path of examining your DNS structure. This can get into fairly deep water though, so certainly faster to hire somebody who can look at your DNS and fix things right there. Any good Systems Engineer should be able to get your DNS back in shape fairly quickly.
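
An added example, not part of the original thread and not code from any poster: it compares the locator records a domain controller expects to have registered (written in the format of its netlogon.dns file) against what the zone actually holds, which is the kind of gap the thread ends on. The domain example.local and both record lists are constructed for illustration; the server name and address are the ones quoted in the thread.

```python
import re

# Constructed sample in the format of %SystemRoot%\System32\config\netlogon.dns,
# the file where Netlogon lists the records a DC tries to register.
# "example.local" stands in for the thread's redacted <domain>.local.
NETLOGON_DNS = """\
example.local. 600 IN A 192.168.15.1
_ldap._tcp.example.local. 600 IN SRV 0 100 389 sbs2k8.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 sbs2k8.example.local.
_ldap._tcp.pdc._msdcs.example.local. 600 IN SRV 0 100 389 sbs2k8.example.local.
_kerberos._tcp.example.local. 600 IN SRV 0 100 88 sbs2k8.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 88 sbs2k8.example.local.
_gc._tcp.example.local. 600 IN SRV 0 100 3268 sbs2k8.example.local.
"""

# Constructed stand-in for what the zone really answers (gathered, for
# instance, by hand with "nslookup -type=SRV <name>"): most SRV records gone.
ZONE_ANSWERS = """\
example.local. 600 IN A 192.168.15.1
_ldap._tcp.example.local. 600 IN SRV 0 100 389 sbs2k8.example.local.
"""

RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME|SRV)\s+(.+)$", re.I)

def parse_records(text):
    """Return a set of (owner, type, rdata) tuples, case-normalised."""
    records = set()
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip blanks and anything that is not a record line
        owner, rtype, rdata = m.groups()
        records.add((owner.lower().rstrip("."), rtype.upper(),
                     " ".join(rdata.lower().split()).rstrip(".")))
    return records

def missing_records(expected_text, actual_text):
    """Records Netlogon expects that the zone does not contain, sorted."""
    return sorted(parse_records(expected_text) - parse_records(actual_text))

def summarize(missing):
    """Label each missing record with the service it advertises."""
    service = {"389": "LDAP (DC locator)", "88": "Kerberos",
               "3268": "global catalog"}
    out = []
    for owner, rtype, rdata in missing:
        port = rdata.split()[2] if rtype == "SRV" else ""
        out.append(f"{rtype:5} {owner} -> {service.get(port, 'host lookup')}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(missing_records(NETLOGON_DNS, ZONE_ANSWERS))))
```

With the constructed data the host record and one LDAP record are present, so a ping or a name lookup succeeds, while the Kerberos, DC-specific LDAP and global catalog records are reported missing.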