Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 486
  • Last Modified:

windows log in disaster

hi, i need some help.

at the beginning of the year i took a ghost image of the harddrive in a server because its started to get temperamental. at the beginning of the week, it finally decided to pack up.  

i've restored the image to a new hard disk, and the server now boots up, but the workstations cant log in using the accounts in Active Directory.  if someone tries to log in, they are prompted with the following message:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again. if this message continues, please contact your administrator."

i've tried logging in with several different admin accounts, and all fail, but logging into the server directly is fine.

another thing that strikes me as a bit odd, is that i can use domain credentials to access network resources.
for instance. i can log into the local account on the workstations.  and if i type in the ip address of the server in the run command box, im prompted with a log in box.  i enter my domain  credentials, and i can see and access all the resources ( as far as i can tel ).

has any one got any ideas as to why i cant use the domain credentials to log into the workstations?  im getting the impression its something to do with the domain name, but im completely lost?

thanks in advance
jack
0
jack-lindsay
Asked:
jack-lindsay
3 Solutions
 
Ernie BeekCommented:
In AD you also have the computer objects. Are they still there? If so, try to remove one, add the workstation to a workgroup and add it back to the domain after that. Let's see if that helps.
0
 
Cliff GaliherCommented:
Erniebeek is on the right track, but by way of a more compkete description, here goes:

As you may know, windows networks use active directory to process logins, enforce policies via group policy, and perform a myriad of other things. When you first turn on a domain-joined computer, it must talk to a domain controller to get any updated group policies, for example.

For this to work, even when a user isn't logged in, the servers need some way of identifying legitimate access by computers. In AD, each computer has an account, just like each user does. And each account has a password.

When you first join a computer to the domain, part of the process behind tge scenes is that a random password for that computer account is generated and saved on the computer as well as in AD. Then, just like you can set password expiration polices for users requiring them to change their password every 30 days, the computers will changed their passwords regularly behind the scenes as well.

Usually this is all transparent, but it all falls apart when you try to use an old backup on a network that has only one domain controller. It us expected that your backup still has old passwords for users, would be missing users created since the last backup, and similar stale info. But what is commonly overlooked is that your backup also has old passwords for computers and the computers themselves changed their passwords since the backup, and are trying to talk to tge server using those new passwords.

Since the computers can't log on to the server with their passwords, they can't use the netlogon service to authenticate domain logins and you see the problems you are seeing.

By putting each computer in a workgroup, you are clearing the domain password it saved. Then by rejoining the computer to the domain, you are forcing the computer and server to generate a new password that they agree upon, and save it on the computer and in AD, thus fixing the problem.

This is the only way to fix stale computer accounts from an authoritative AD restore from an old backup.

-Cliff
0
 
jack-lindsayAuthor Commented:
someone will be trying this a little bit later ,as i'm now away from the office unfortunately, but that explanation actually makes a lot of sence.
I just logged into the server remotely and in AD U&C under the computers, when i right click on an entry i see an option to Reset Account.
any ideas what this does, just for my future reference?

thanks
jack
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
Alan GunnCommented:
Hi!

I believe "reset account" is similar to removing the computer account and re-creating it withthe same name.

It leaves the computer account in the same state as one created in readiness for the connection of a computer (sometimes referred to as "pre-staged")

The computer would still have to be moved to a workgroup and then connected back to the domain.
Resetting the account or pre-staging it ensures that the machine account ends up in the correct OU.

TRM
0
 
Cliff GaliherCommented:
Choosing "reset account" will reset the password on the server and attempt to sync that with the client. For the sync to work, an existing trust must exist. In this case, that trust is already broken so resetting will do no good.
0
 
ActiveDirectorymanCommented:

I would try reseting the computer account password using netdom reset. the only issue with removing the computer and rejoining it to the domain is that the computer name is maintained but the SID will be different.  
0
 
jack-lindsayAuthor Commented:
sorted, thanks guys. useful to know how this process actually works
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now