windows log in disaster

Posted on 2011-03-16
Medium Priority
Last Modified: 2012-05-11
Hi, I need some help.

At the beginning of the year I took a ghost image of the hard drive in a server because it started to get temperamental. At the beginning of the week, it finally decided to pack up.

I've restored the image to a new hard disk, and the server now boots up, but the workstations can't log in using the accounts in Active Directory. If someone tries to log in, they are prompted with the following message:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again. if this message continues, please contact your administrator."

I've tried logging in with several different admin accounts, and all fail, but logging into the server directly is fine.

Another thing that strikes me as a bit odd is that I can use domain credentials to access network resources.
For instance, I can log into the local account on the workstations, and if I type in the IP address of the server in the Run command box, I'm prompted with a log in box. I enter my domain credentials, and I can see and access all the resources (as far as I can tell).

Has anyone got any ideas as to why I can't use the domain credentials to log into the workstations? I'm getting the impression it's something to do with the domain name, but I'm completely lost.

Thanks in advance
Question by:jack-lindsay

Accepted Solution

Ernie Beek earned 400 total points
ID: 35148295
In AD you also have the computer objects. Are they still there? If so, try to remove one, add the workstation to a workgroup and add it back to the domain after that. Let's see if that helps.

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 200 total points
ID: 35148553
Erniebeek is on the right track, but by way of a more complete description, here goes:

As you may know, Windows networks use Active Directory to process logins, enforce policies via group policy, and perform a myriad of other things. When you first turn on a domain-joined computer, it must talk to a domain controller to get any updated group policies, for example.

For this to work, even when a user isn't logged in, the servers need some way of identifying legitimate access by computers. In AD, each computer has an account, just like each user does. And each account has a password.

When you first join a computer to the domain, part of the process behind the scenes is that a random password for that computer account is generated and saved on the computer as well as in AD. Then, just like you can set password expiration policies for users requiring them to change their password every 30 days, the computers will change their passwords regularly behind the scenes as well.

Usually this is all transparent, but it all falls apart when you try to use an old backup on a network that has only one domain controller. It is expected that your backup still has old passwords for users, would be missing users created since the last backup, and similar stale info. But what is commonly overlooked is that your backup also has old passwords for computers and the computers themselves changed their passwords since the backup, and are trying to talk to the server using those new passwords.

Since the computers can't log on to the server with their passwords, they can't use the netlogon service to authenticate domain logins and you see the problems you are seeing.

By putting each computer in a workgroup, you are clearing the domain password it saved. Then by rejoining the computer to the domain, you are forcing the computer and server to generate a new password that they agree upon, and save it on the computer and in AD, thus fixing the problem.

This is the only way to fix stale computer accounts from an authoritative AD restore from an old backup.


Author Comment

ID: 35148983
Someone will be trying this a little bit later, as I'm now away from the office unfortunately, but that explanation actually makes a lot of sense.
I just logged into the server remotely and in AD U&C under the computers, when I right click on an entry I see an option to Reset Account.
Any ideas what this does, just for my future reference?


Assisted Solution

by:Alan Gunn
Alan Gunn earned 400 total points
ID: 35149222

I believe "reset account" is similar to removing the computer account and re-creating it with the same name.

It leaves the computer account in the same state as one created in readiness for the connection of a computer (sometimes referred to as "pre-staged").

The computer would still have to be moved to a workgroup and then connected back to the domain.
Resetting the account or pre-staging it ensures that the machine account ends up in the correct OU.


Expert Comment

by:Cliff Galiher
ID: 35152124
Choosing "reset account" will reset the password on the server and attempt to sync that with the client. For the sync to work, an existing trust must exist. In this case, that trust is already broken so resetting will do no good.

Expert Comment

ID: 35163914

I would try resetting the computer account password using netdom reset. The only issue with removing the computer and rejoining it to the domain is that the computer name is maintained but the SID will be different.
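An added PowerShell example (not from any poster in this thread) that puts the machine-password explanation above and the netdom reset suggestion into a check-then-repair procedure: the first part runs on an affected workstation and tests whether its secure channel to the restored DC still works before resetting the password in place; the second runs on the DC and lists computer objects whose stored password is older than the default 30-day rotation interval and so are likely to have rotated on the live machine since the image was taken. The domain name `example.local` and the DC name `DC01` are placeholders.

```powershell
# Added example, not from the thread. Part 1 runs on a workstation that shows the
# "Windows cannot connect to the domain" error; part 2 runs on the restored DC.
# Placeholders: DC01 (the restored domain controller) and example.local.

$domain = 'example.local'   # placeholder domain name
$dc     = 'DC01'            # placeholder: the DC restored from the ghost image

# ---- Part 1 (workstation): is the machine-account trust still intact? ----
# Test-ComputerSecureChannel returns $true only when this machine can authenticate
# to the DC with the machine-account password it has stored locally.
if (Test-ComputerSecureChannel -Server $dc) {
    Write-Host "Secure channel to $dc is healthy; a stale machine password is not the cause."
}
else {
    Write-Host "Secure channel is broken: AD on $dc holds an older machine password than this workstation."
    # -Repair generates a new machine password and writes it to both the workstation
    # and the computer object in AD, using a domain account that may reset that object,
    # so the workgroup leave-and-rejoin from the accepted answer is not required.
    $cred = Get-Credential -Message "Domain account permitted to reset computer objects"
    Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred
    # Command-line equivalents, for reference:
    #   nltest /sc_verify:$domain                                  (check)
    #   netdom reset $env:COMPUTERNAME /domain:$domain /server:$dc (repair)
}

# ---- Part 2 (restored DC): which computer objects are likely out of sync? ----
Import-Module ActiveDirectory
# Machine accounts rotate their password every 30 days by default; an object whose
# PasswordLastSet in the restored directory is older than that has almost certainly
# been rotated on the live workstation since the image, so its trust will be broken.
$cutoff = (Get-Date).AddDays(-30)
Get-ADComputer -Filter * -Properties PasswordLastSet, LastLogonDate |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Part 1 must run in an elevated session on the workstation itself, since the repair rewrites the local machine-account secret.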

Author Closing Comment

ID: 35163941
Sorted, thanks guys. Useful to know how this process actually works.
