Solved

windows log in disaster

Posted on 2011-03-16
7
480 Views
Last Modified: 2012-05-11
hi, i need some help.

at the beginning of the year i took a ghost image of the harddrive in a server because its started to get temperamental. at the beginning of the week, it finally decided to pack up.  

i've restored the image to a new hard disk, and the server now boots up, but the workstations cant log in using the accounts in Active Directory.  if someone tries to log in, they are prompted with the following message:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again. if this message continues, please contact your administrator."

i've tried logging in with several different admin accounts, and all fail, but logging into the server directly is fine.

another thing that strikes me as a bit odd, is that i can use domain credentials to access network resources.
for instance. i can log into the local account on the workstations.  and if i type in the ip address of the server in the run command box, im prompted with a log in box.  i enter my domain  credentials, and i can see and access all the resources ( as far as i can tel ).

has any one got any ideas as to why i cant use the domain credentials to log into the workstations?  im getting the impression its something to do with the domain name, but im completely lost?

thanks in advance
jack
0
Comment
Question by:jack-lindsay
7 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 100 total points
ID: 35148295
In AD you also have the computer objects. Are they still there? If so, try to remove one, add the workstation to a workgroup and add it back to the domain after that. Let's see if that helps.
0
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 50 total points
ID: 35148553
Erniebeek is on the right track, but by way of a more compkete description, here goes:

As you may know, windows networks use active directory to process logins, enforce policies via group policy, and perform a myriad of other things. When you first turn on a domain-joined computer, it must talk to a domain controller to get any updated group policies, for example.

For this to work, even when a user isn't logged in, the servers need some way of identifying legitimate access by computers. In AD, each computer has an account, just like each user does. And each account has a password.

When you first join a computer to the domain, part of the process behind tge scenes is that a random password for that computer account is generated and saved on the computer as well as in AD. Then, just like you can set password expiration polices for users requiring them to change their password every 30 days, the computers will changed their passwords regularly behind the scenes as well.

Usually this is all transparent, but it all falls apart when you try to use an old backup on a network that has only one domain controller. It us expected that your backup still has old passwords for users, would be missing users created since the last backup, and similar stale info. But what is commonly overlooked is that your backup also has old passwords for computers and the computers themselves changed their passwords since the backup, and are trying to talk to tge server using those new passwords.

Since the computers can't log on to the server with their passwords, they can't use the netlogon service to authenticate domain logins and you see the problems you are seeing.

By putting each computer in a workgroup, you are clearing the domain password it saved. Then by rejoining the computer to the domain, you are forcing the computer and server to generate a new password that they agree upon, and save it on the computer and in AD, thus fixing the problem.

This is the only way to fix stale computer accounts from an authoritative AD restore from an old backup.

-Cliff
0
 

Author Comment

by:jack-lindsay
ID: 35148983
someone will be trying this a little bit later ,as i'm now away from the office unfortunately, but that explanation actually makes a lot of sence.
I just logged into the server remotely and in AD U&C under the computers, when i right click on an entry i see an option to Reset Account.
any ideas what this does, just for my future reference?

thanks
jack
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 6

Assisted Solution

by:Alan Gunn
Alan Gunn earned 100 total points
ID: 35149222
Hi!

I believe "reset account" is similar to removing the computer account and re-creating it withthe same name.

It leaves the computer account in the same state as one created in readiness for the connection of a computer (sometimes referred to as "pre-staged")

The computer would still have to be moved to a workgroup and then connected back to the domain.
Resetting the account or pre-staging it ensures that the machine account ends up in the correct OU.

TRM
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 35152124
Choosing "reset account" will reset the password on the server and attempt to sync that with the client. For the sync to work, an existing trust must exist. In this case, that trust is already broken so resetting will do no good.
0
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35163914

I would try reseting the computer account password using netdom reset. the only issue with removing the computer and rejoining it to the domain is that the computer name is maintained but the SID will be different.  
0
 

Author Closing Comment

by:jack-lindsay
ID: 35163941
sorted, thanks guys. useful to know how this process actually works
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now