Solved

windows log in disaster

Posted on 2011-03-16
7
478 Views
Last Modified: 2012-05-11
hi, i need some help.

at the beginning of the year i took a ghost image of the harddrive in a server because its started to get temperamental. at the beginning of the week, it finally decided to pack up.  

i've restored the image to a new hard disk, and the server now boots up, but the workstations cant log in using the accounts in Active Directory.  if someone tries to log in, they are prompted with the following message:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again. if this message continues, please contact your administrator."

i've tried logging in with several different admin accounts, and all fail, but logging into the server directly is fine.

another thing that strikes me as a bit odd, is that i can use domain credentials to access network resources.
for instance. i can log into the local account on the workstations.  and if i type in the ip address of the server in the run command box, im prompted with a log in box.  i enter my domain  credentials, and i can see and access all the resources ( as far as i can tel ).

has any one got any ideas as to why i cant use the domain credentials to log into the workstations?  im getting the impression its something to do with the domain name, but im completely lost?

thanks in advance
jack
0
Comment
Question by:jack-lindsay
7 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 100 total points
Comment Utility
In AD you also have the computer objects. Are they still there? If so, try to remove one, add the workstation to a workgroup and add it back to the domain after that. Let's see if that helps.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 50 total points
Comment Utility
Erniebeek is on the right track, but by way of a more compkete description, here goes:

As you may know, windows networks use active directory to process logins, enforce policies via group policy, and perform a myriad of other things. When you first turn on a domain-joined computer, it must talk to a domain controller to get any updated group policies, for example.

For this to work, even when a user isn't logged in, the servers need some way of identifying legitimate access by computers. In AD, each computer has an account, just like each user does. And each account has a password.

When you first join a computer to the domain, part of the process behind tge scenes is that a random password for that computer account is generated and saved on the computer as well as in AD. Then, just like you can set password expiration polices for users requiring them to change their password every 30 days, the computers will changed their passwords regularly behind the scenes as well.

Usually this is all transparent, but it all falls apart when you try to use an old backup on a network that has only one domain controller. It us expected that your backup still has old passwords for users, would be missing users created since the last backup, and similar stale info. But what is commonly overlooked is that your backup also has old passwords for computers and the computers themselves changed their passwords since the backup, and are trying to talk to tge server using those new passwords.

Since the computers can't log on to the server with their passwords, they can't use the netlogon service to authenticate domain logins and you see the problems you are seeing.

By putting each computer in a workgroup, you are clearing the domain password it saved. Then by rejoining the computer to the domain, you are forcing the computer and server to generate a new password that they agree upon, and save it on the computer and in AD, thus fixing the problem.

This is the only way to fix stale computer accounts from an authoritative AD restore from an old backup.

-Cliff
0
 

Author Comment

by:jack-lindsay
Comment Utility
someone will be trying this a little bit later ,as i'm now away from the office unfortunately, but that explanation actually makes a lot of sence.
I just logged into the server remotely and in AD U&C under the computers, when i right click on an entry i see an option to Reset Account.
any ideas what this does, just for my future reference?

thanks
jack
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 6

Assisted Solution

by:Alan Gunn
Alan Gunn earned 100 total points
Comment Utility
Hi!

I believe "reset account" is similar to removing the computer account and re-creating it withthe same name.

It leaves the computer account in the same state as one created in readiness for the connection of a computer (sometimes referred to as "pre-staged")

The computer would still have to be moved to a workgroup and then connected back to the domain.
Resetting the account or pre-staging it ensures that the machine account ends up in the correct OU.

TRM
0
 
LVL 56

Expert Comment

by:Cliff Galiher
Comment Utility
Choosing "reset account" will reset the password on the server and attempt to sync that with the client. For the sync to work, an existing trust must exist. In this case, that trust is already broken so resetting will do no good.
0
 
LVL 8

Expert Comment

by:ActiveDirectoryman
Comment Utility

I would try reseting the computer account password using netdom reset. the only issue with removing the computer and rejoining it to the domain is that the computer name is maintained but the SID will be different.  
0
 

Author Closing Comment

by:jack-lindsay
Comment Utility
sorted, thanks guys. useful to know how this process actually works
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now