windows log in disaster

Posted on 2011-03-16
Last Modified: 2012-05-11
hi, i need some help.

at the beginning of the year i took a ghost image of the harddrive in a server because its started to get temperamental. at the beginning of the week, it finally decided to pack up.  

i've restored the image to a new hard disk, and the server now boots up, but the workstations cant log in using the accounts in Active Directory.  if someone tries to log in, they are prompted with the following message:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again. if this message continues, please contact your administrator."

i've tried logging in with several different admin accounts, and all fail, but logging into the server directly is fine.

another thing that strikes me as a bit odd, is that i can use domain credentials to access network resources.
for instance. i can log into the local account on the workstations.  and if i type in the ip address of the server in the run command box, im prompted with a log in box.  i enter my domain  credentials, and i can see and access all the resources ( as far as i can tel ).

has any one got any ideas as to why i cant use the domain credentials to log into the workstations?  im getting the impression its something to do with the domain name, but im completely lost?

thanks in advance
Question by:jack-lindsay
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 35

Accepted Solution

Ernie Beek earned 100 total points
ID: 35148295
In AD you also have the computer objects. Are they still there? If so, try to remove one, add the workstation to a workgroup and add it back to the domain after that. Let's see if that helps.
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 50 total points
ID: 35148553
Erniebeek is on the right track, but by way of a more compkete description, here goes:

As you may know, windows networks use active directory to process logins, enforce policies via group policy, and perform a myriad of other things. When you first turn on a domain-joined computer, it must talk to a domain controller to get any updated group policies, for example.

For this to work, even when a user isn't logged in, the servers need some way of identifying legitimate access by computers. In AD, each computer has an account, just like each user does. And each account has a password.

When you first join a computer to the domain, part of the process behind tge scenes is that a random password for that computer account is generated and saved on the computer as well as in AD. Then, just like you can set password expiration polices for users requiring them to change their password every 30 days, the computers will changed their passwords regularly behind the scenes as well.

Usually this is all transparent, but it all falls apart when you try to use an old backup on a network that has only one domain controller. It us expected that your backup still has old passwords for users, would be missing users created since the last backup, and similar stale info. But what is commonly overlooked is that your backup also has old passwords for computers and the computers themselves changed their passwords since the backup, and are trying to talk to tge server using those new passwords.

Since the computers can't log on to the server with their passwords, they can't use the netlogon service to authenticate domain logins and you see the problems you are seeing.

By putting each computer in a workgroup, you are clearing the domain password it saved. Then by rejoining the computer to the domain, you are forcing the computer and server to generate a new password that they agree upon, and save it on the computer and in AD, thus fixing the problem.

This is the only way to fix stale computer accounts from an authoritative AD restore from an old backup.


Author Comment

ID: 35148983
someone will be trying this a little bit later ,as i'm now away from the office unfortunately, but that explanation actually makes a lot of sence.
I just logged into the server remotely and in AD U&C under the computers, when i right click on an entry i see an option to Reset Account.
any ideas what this does, just for my future reference?

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.


Assisted Solution

by:Alan Gunn
Alan Gunn earned 100 total points
ID: 35149222

I believe "reset account" is similar to removing the computer account and re-creating it withthe same name.

It leaves the computer account in the same state as one created in readiness for the connection of a computer (sometimes referred to as "pre-staged")

The computer would still have to be moved to a workgroup and then connected back to the domain.
Resetting the account or pre-staging it ensures that the machine account ends up in the correct OU.

LVL 58

Expert Comment

by:Cliff Galiher
ID: 35152124
Choosing "reset account" will reset the password on the server and attempt to sync that with the client. For the sync to work, an existing trust must exist. In this case, that trust is already broken so resetting will do no good.

Expert Comment

ID: 35163914

I would try reseting the computer account password using netdom reset. the only issue with removing the computer and rejoining it to the domain is that the computer name is maintained but the SID will be different.  

Author Closing Comment

ID: 35163941
sorted, thanks guys. useful to know how this process actually works

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question