Windows 7 64 bit Pro as a client of a 2000 domain

afrend asked:
We just added a Windows 7 Pro 64 bit system to the Windows 2000 domain. The Windows 2000 user is in the Local Administrator group on the Windows 7 machine. Each user of the domain has a small batch file that mounts a couple of shares:

@echo off
net use I: \\server\share
net use H: \\server\usershare$

When the user logs in, nothing but the sky blue background comes up, no task bar, no start menu, no desktop icons, just the mouse cursor. The machine has not crashed as it does respond to <control><alt><delete> to switch user and/or log off. Local admin profiles no longer come up either.

This is a brand new Z200 HP, so I'm pretty sure there is not a hardware issue. I was able to load all the needed software both on-line and from unc paths from the server shares. Everything behaved normally as it would with a similar machine running XP Pro, so I'm at a loss as to how to get this machine to behave on the network. I have tried removing the login script from the user account profile with no result. Any ideas?

Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
Do the symptoms change if the machine is disconnected from the network?  What happens if you boot into Safe Mode?

Author

Commented:
I have not tried that yet. Will now. Safe mode with or without networking?

Author

Commented:
Same result. Domain User gives empty blue screen and local admin gives empty black screen. Switch to safe mode...

Author

Commented:
OK, I get a desktop back with the Local Admin account in Safe Mode. Will try with networking  next.

Author

Commented:
Safe Mode with Networking gets me a domain user desktop now. Will try and restart in normal mode and see what happens. Note: I can browse the network now. Login scripts have been removed.

Author

Commented:
and we are back to square one with the original problem. Is there a Windows Firewall setting preventing the profiles from mounting? So for review, I can access the domain only in Safe Mode with networking...
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
That it works in Safe Mode implies a driver issue (though it could also be something coming down from the domain that acts on hardware).  Very odd.

How about removing the machine from the domain via ADUC, remove the machine from the domain locally (in Safe Mode), reboot and try adding it back to the domain?  Maybe with a different name initially.

Author

Commented:
So the last thing I did today was remove the computer from the domain. Now the only entry to the machine is the Local admin account in Safe Mode with or without networking. Looking like a complete do over unless there are any further ideas here. Pretty horrible first Win 7 experience...Thanks.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
So you can't log in to the machine locally unless you're in Safe Mode?  There's almost certainly a driver issue somewhere - maybe the video subsystem, given the display issues you report.

FWIW, I've deployed several Win7 machines with no trouble at all and really enjoy working with it.  The one time I had a problem with Windows 7 on a boot error, it trapped the error, rebooted, fixed the problem itself (after an admittedly very long repair process) and hasn't had an issue since.  So I guess I encourage you to not give up.  Re-install if you think that's best (or your only option) and keep an eye on any patches it pulls down to make sure you don't have the problem again.

Author

Commented:
I did assign the computer a name with an underscore in it, but I would be very surprised if that would cause this failure. As it sits now, the machine can only boot to any desktop in safe mode. I'll try that (name change) tomorrow and give it a vanilla DNS friendly name. I also noticed in one of the many boots into safe mode that the time zone didn't match the domain (duh how did I miss that?) which can really PO Windows as I have learned from past experience, but still nada. Still the fact that I can't get anywhere now except in safe mode kind of points to hardware...

Author

Commented:
I ran the repair option in the Windows 7 recovery console and it found no errors.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
Hmm.  I'm running out of ideas, but one more thing you can try would be to go into Device Manager and uninstall your display adapter, then reboot.  See if letting it re-install the driver helps.

Author

Commented:
Yes, I called HP support, and that's what we ran through. BSOD. Now they have me swapping out the drive from this machine to the other one I bought with it to determine if it's the video card. So far, that booted OK, so the first thing I will do is join the domain and see if that's the linchpin. If so, then I guess Win 7 on our 2000 domain control just won't work. It should, and part of me just thinks the Windows installation on the "bad" hard drive is corrupt.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
Good luck!

Author

Commented:
Thanks for the help. I'll give you the points, but I want to leave this open until resolved in case others run into this problem too.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
I agree.  I want to see this through to the end.  

I'd be surprised if it's a true hardware error since everything seems to work in Safe Mode, but stranger things have happened.

Author

Commented:
Un-flipping believable! I put the hard drive from the sister machine in the questionable box and it took off as expected. I installed Windows Updates, rebooted, joined the domain, rebooted, logged in as the domain admin this time, no problem! Then I went into the Local Groups to add the CAD user, (single user and not a group), and removed domain users from the Users group. I have done this since back in the NT 4 server days here to allow only certain users to log on to certain machines, and due to legacy apps we run, local users must also be local admins.

I logged off as domain admin and logged back on as the CAD user. Sky blue screen, no icons, no taskbar. Logged off and logged back in as domain admin, no problem. Logged off and logged in as local admin. No icons, or taskbar, just a black desktop. Logged back in as domain admin, no problem. Rebooted and logged back in as domain admin, no problem. So now, the domain admin is the only normally working account on the machine.

I also notice that in Local Groups on the Windows 7 box, the added domain users are not identifiable by name as I am used to with Win 2K and XP. Instead, I get the unique S-1-5-21-xxxxx etc number. So now I am wondering if there is some security setting in Windows 7 causing this behavior. Note that after joining the domain, I did NOT have to add the domain admins to the Local User Group to be able to login as domain admin. I also tried logging in as another domain admin account with adding the user to the Local admin group, and that account too returns a sky blue screen, no icons, no taskbar. So as stated, only the first domain admin account works as expected now all local and other domain accounts produce the result of no icons or taskbar.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
Hmm.  In my Win7 machines Domain Users show up as Domain Users - not SIDs.  Did you mean to remove Domain Users from all local groups or did you intend to add them back in as local administrators?

Joining the machine to the domain would have added Domain Admins to the local administrators group.

It may very well be there's some dysfunction between a Windows 2000 domain and Windows 7.  Why it would express itself when you move user accounts around is unclear.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
Here's someone who had a similar issue:
http://forums.anandtech.com/showthread.php?t=2039685
He seems to imply there's a DNS issue when trying to activate.   That doesn't make sense to me, but...

Author

Commented:
Well, I didn't/don't have an activation issue. I guess I'll have to pony up some money to M$ on this one...This reminds me of back when I had 9x machines running Office 2000 where Office would only run on the account that installed the Office upgrade. 6 hours later, the solution was an O/S upgrade. That can't happen here as the boss won't pony up for a server makeover. The further problem is that since 2000 Server is no longer a "supported" product, they probably won't even entertain the question, or just take my money and 2 hours and 20 regedits later tell me the two platforms can't have a trust relationship.

I did remove the domain users SID and the two NT Authority SIDs in the Local Users group. I've had to do that as when I didn't, many users just logged right into machines they should not with a generic house account. But even before I removed those from the Users group, any group or user associated with the domain came up with a SID and not a name. So it's definitely tied to the trust relationship, or lack thereof, between the 2000 DC and the Win 7 platform. It's kind of ridiculous if you ask me, kind of like saying you can't tow a 2011 trailer with a 1999 truck, y'know?

Author

Commented:
Update: Working with HP on this one now, and they thought the problem was hardware at the video card level. They had me boot into safe mode, remove the driver, reinstall, then reboot. BSOD. Went to reload the O/S on the sister machine figuring it's not going to work with 2000 DC, so I'll just build it a la carte from the network and mount UNC shares by hand. Didn't get that far. Restore program on Box 1 would not load and Restore program on Box 2 BSOD immediately upon booting to the DVD media. So....2 identical machines, factory image behaves the same way on the 2K domain, and neither will accept an image refresh from the Restore DVDs. Think I have me a couple of made on Friday after night shift lunch break made machines...love it when hardware trouble LOOKS like software/configuration issues!
Stay tuned.
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
A manufacturing defect is possible.  If their serial numbers are similar, the video cards or motherboards may have come from the same (faulty) batch.  Or the drivers on the supplied restore DVDs may be bad.

Author

Commented:
Well, I will try the other DVD set, but the P/Ns on the two boxes are almost sequential...I gotta a funny feeling about this...Sure hope I still have a job by the time I get done jumping through HP support hoops just to get handed off to entitlement. Can't wait...
Director, Information Systems
CERTIFIED EXPERT
Commented:
Ha!  But this isn't your fault - all signs point to HP...

Author

Commented:
All signs point to the installation media having issues. It took booting to a Win 98 boot disk via USB floppy and a vanilla copy of XPP, (which went together in about ten minutes), to prove out the hardware. So now I await replacement media from entitlement...

But thanks for chiming in. Generally, I get vilified  in this forum for running a Win 2K server, apparently a crime against the state of Redmond to most. Christ, it's computers, not religion! And it's not my name on the building either.

Thanks. Have 500 points, if nothing else, for being a decent person. Adios...
Paul MacDonald, Director, Information Systems
CERTIFIED EXPERT

Commented:
Hahaha!  If there's anything bad to be said about Win2k it's that it's no longer supported.  You'll have to move off it at some point, but there's nothing wrong with getting your money's worth.

Thanks for the points and best of luck!

Author

Commented:
Thanks. Like I said, not my name on the building, so I can make only recommendations, but ultimately, pulling the trigger is above my paygrade.

Author

Commented:
Update: Received the new restoration media from HP and was able to put the system back to standard 64 bit Win 7 no problem. What I did find out, and was able to replicate, was the same problem networking it to a 2000 domain. Because we have legacy applications, the users have to be in the Local Admin Group to run them. To prevent anyone from logging on to the machines, I remove all the pre-installed NT authority groups from the Users folder in Computer Management, and that's never been a problem with 2000 and XPP clients. With Win 7, you can't do that. Even if the domain user is assigned to the Local Admin Group, they still need to be in the User Group as well or the profile comes up empty. Once networked, only the Domain Admins can bring up a profile without being added to any local computer user group. I have no idea if this would be the case above the Server 2000 level or not.
Paul MacDonald, Director, Information Systems
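
An added example, not part of the original thread: a PowerShell audit of the two local groups discussed above, reporting accounts that sit in Administrators without also being in Users, along with entries that show only as SIDs. It assumes English group names and uses the ADSI WinNT provider so that it runs on the PowerShell 2.0 shipped with Windows 7; the function name is hypothetical.

```powershell
# Added example. Lists DIRECT members only; nested domain groups are not expanded.
# Assumes the English group names 'Users' and 'Administrators'.

function Get-LocalGroupMemberPath {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are COM objects, so read ADsPath through late binding.
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

$users  = @(Get-LocalGroupMemberPath -GroupName 'Users')
$admins = @(Get-LocalGroupMemberPath -GroupName 'Administrators')

# Entries the machine cannot translate to a name come back as a bare SID path.
$unresolved = @(($users + $admins) | Where-Object { $_ -match '^WinNT://S-1-' })

# Default broad principals that the thread's author removes from Users.
$broad = @($users | Where-Object {
    $_ -match '/(Authenticated Users|INTERACTIVE|Domain Users)$'
})

# Administrators members that are not also listed directly in Users.
$adminOnly = @($admins | Where-Object { $users -notcontains $_ })

Write-Output "Direct members of Users:          $($users.Count)"
Write-Output "Direct members of Administrators: $($admins.Count)"

if ($unresolved.Count -gt 0) {
    Write-Warning "Members shown as SIDs only (name lookup against the domain failed):"
    $unresolved | Sort-Object -Unique | ForEach-Object { Write-Output "  $_" }
}

if ($broad.Count -eq 0 -and $adminOnly.Count -gt 0) {
    # The condition the author reports as producing an empty desktop on Windows 7.
    Write-Warning "No broad principal left in Users; these admins are not in Users:"
    $adminOnly | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt on the client. Because only direct membership is read, an account that reaches Users through a nested domain group will still be listed and needs a manual check.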
CERTIFIED EXPERT

Commented:
Very interesting.  I'd guess it's a problem on the client (Windows 7) side, not the server side.  

Thanks for sharing the solution. I guarantee someone else will benefit from it.
