Ad-Apex asked:

Windows cannot bind to domain (extended error)

Background Information:
We have 8 different buildings: 7 branch offices and our headquarters. Each location is an AD site on the same domain with its own subnet and DC. Each DC in each site handles DNS and DHCP for the clients in the building. Some of the users at the site have their Desktop and My Docs folders redirected via Group Policy to a file server at our main headquarters (all sites are connected by 1GB fiber WAN).

The Issue:
I started to see errors on two computers at two different sites. When the user logged in first thing in the morning they received error messages saying "An Extended Error Has Occurred." Their "My Docs" and Desktops were not being redirected as usual. When trying to access networked resources such as mapped drives or shares the connection fails saying "\\server is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have permission to access." In the event logs for the computer, I see Events 1006 USERENV (Windows cannot bind to domain (invalid credentials)) as well as Events 1030 USERENV (cannot query group policy objects).

When the user logs on from a different computer everything works fine, so it is not a problem with the user account. And when I log in with my domain administrator account from the affected computers it also works without any trouble. We tried deleting the user profile and recreating it again from scratch and that did not work. We rejoined the computer to the domain as well and that did not fix it. We checked for cached credentials and there are none. The only way we've found to fix the problem is to completely re-image / rebuild the computer from scratch. The Domain Controllers at each site have no peculiar events in their logs indicating any problems.

Recent Changes:
We did make some changes to the domain recently right before we saw these errors start cropping up. At our main site, we had a 2003 DC that held all our FSMO roles. I installed a brand new 2008 R2 DC (after prepping the domain and forest) and after 2-3 weeks of it being in service, I moved all the FSMO roles to it. They moved successfully and we're still running on the 2003 forest / domain functional level. Also, there do not seem to be any errors in the new DC's event logs that would indicate any issues.

Any thoughts on what is happening and what can be done to fix it (aside from rebuilding machines from scratch)?
Zaheer Iqbal:

Things you can try - does the user have any cached credentials on the computer?
What happens if another user logs on to that computer ?
Reset the TCP/IP Stack.
Ad-Apex (ASKER):

I have Googled the events and come across those two links; neither of them seemed to give me any leads, unfortunately. As mentioned I did check for cached credentials and have logged in with other users and they work fine.
So DCDiag and Netdiag do not return any issues on the DCs then?
How about a disjoin and re-join to the domain also?
Also recreating the user's local profile on the computer?
Ad-Apex (ASKER):

2 additional errors that may be of help: Events 40961 SPNEGO (Negotiator)

"The Security System could not establish a secured connection with the server LDAP/server.DOMAIN.local. No authentication protocol was available." AND "The Security System could not establish a secured connection with the server ldap/server.DOMAIN.local/DOMAIN.local@DOMAIN.LOCAL. No authentication protocol was available."
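A read-only triage script for the three event IDs named in this thread (USERENV 1006/1030 and SPNEGO 40961), added here as an example and not code from the thread or from Microsoft. It assumes Get-EventLog can reach the classic Application and System logs on the named computers; the computer names are placeholders.

```powershell
# Added triage script (example; not from the thread or from Microsoft).
# Assumes PowerShell 2.0+ and that Get-EventLog can read the classic
# Application/System logs on the named computers (remote event log RPC open).
# Event IDs and sources are the ones reported in the thread above.
param(
    [string[]]$ComputerName = @('AFFECTED-PC-1', 'AFFECTED-PC-2'),  # placeholder names
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)

foreach ($pc in $ComputerName) {
    # USERENV 1006 (cannot bind to domain) / 1030 (cannot query GPOs): Application log
    $userenv = Get-EventLog -ComputerName $pc -LogName Application -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -eq 'Userenv' -and (1006, 1030) -contains $_.EventID }

    # SPNEGO 40961 (no authentication protocol available): System log.
    # Matched on ID plus message text so the exact provider name does not matter.
    $spnego = Get-EventLog -ComputerName $pc -LogName System -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 40961 -and $_.Message -match 'No authentication protocol was available' }

    # Pull the LDAP SPN target out of each 40961 message, e.g. ldap/server.DOMAIN.local
    $targets = $spnego | ForEach-Object {
        if ($_.Message -match '(?i)with the server\s+(\S+?)\.?\s') { $Matches[1] }
    } | Sort-Object -Unique

    # Which accounts the USERENV failures were logged under (thread: one user per box)
    $users = $userenv | ForEach-Object { $_.UserName } | Where-Object { $_ } | Sort-Object -Unique

    $all = @($userenv) + @($spnego)
    New-Object PSObject -Property @{
        Computer    = $pc
        Userenv1006 = @($userenv | Where-Object { $_.EventID -eq 1006 }).Count
        Userenv1030 = @($userenv | Where-Object { $_.EventID -eq 1030 }).Count
        Spnego40961 = @($spnego).Count
        Users       = ($users -join ', ')
        LdapTargets = ($targets -join ', ')
        FirstSeen   = ($all | Sort-Object TimeGenerated | Select-Object -First 1).TimeGenerated
    }
}
```

Running it against both affected machines side by side shows whether the failures are tied to one account and one DC per site, which is the pattern the thread describes.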
Ad-Apex (ASKER):

As mentioned above we recreated the profile and rejoined the domain with no effect.
Ad-Apex (ASKER):

I ran dcdiag and netdiag and both are fine.
What model computers are these?

NIC card driver: please try updating it.

Uninstall TCP/IP and re-install.
When you say you have joined to the domain, did you delete from AD and then join again?

Did you join them with the same name?

How about naming them with a new name?
Ad-Apex (ASKER):

Both are HP computers but different models. Both have Broadcom NICs. Both have the most recent driver (I updated it when trying to troubleshoot these issues). When we removed the computer from the domain we completely deleted it and rejoined.

The computer account in AD doesn't seem to be the issue since any other user logging into it has no problem. The user account in AD also works on any other computer. The user profile was deleted and it worked for the first login, but on the very next log in the same problems started again, still with just that one user account. Same situation at the other building with a different user.
What OS SP are they?

Do they have the latest Windows updates?
Ad-Apex (ASKER):

XP SP3, all latest updates and patches.
ASKER CERTIFIED SOLUTION (Ad-Apex)

Ad-Apex (ASKER):

I worked with Microsoft and we were not able to solve the issue. There was no real solution except to rebuild the affected system from scratch.