SBS2003 domain login problem

We have a single SBS2003 running Exchange, and just recently we are having problems with clients logging in to the domain. It seems to be worse on the older XP machines, but has occasionally affected V7 pro workstations too.

If we remove the workstation from the domain, and rejoin it, we can log in OK, but when we restart the workstation, the problem returns.

At the moment, all but one are logged in OK, but I wanted to know if there is anything we should look for, and how to resolve the issue.

Any advice would be appreciated.

What error are you getting when they try to login?
nigelbeatson (MD, Author) Commented:
We just get the message that we have used an incorrect username or password.
Brian Harrington (IT Manager) Commented:
Dumb question, is the time set correctly on both the client and the server?  Kerberos is time dependent.
nigelbeatson (MD, Author) Commented:
Yes, I can confirm that the workstation and server are set to the correct time.

The current problem workstation, I have found, allows one user to log in, but not the other??

Brian Harrington (IT Manager) Commented:
Have you run dcdiag on the DC?  It may be a domain controller issue.
nigelbeatson (MD, Author) Commented:
No, I will give it a try and post the results. Thanks.
Brian Harrington (IT Manager) Commented:
No problem.  If the dcdiag doesn't report errors, have you tried reinstalling the OS on the clients and rejoining them to the domain? You may have some stuff in the registry causing the issue, such as HKU records for identical names, which would have different identifiers.
First step: check the Event Viewer on the PC. It may have problems connecting or updating with the DC. If this doesn't help, check the security log on the DC. If this shows the corresponding user login failure, you know it's not the PC's fault but the DC's.

Let us know what you find and we can go from there,
nigelbeatson (MD, Author) Commented:
I will check the event log. Where is the DC security log??

Here is the DCDIAG report. A couple of errors which are beyond me, I am afraid. Any help in assessing this would be appreciated.

Many thanks.
Brian Harrington (IT Manager) Commented:
One of them is a pretty big issue, but unrelated. The bad block on the hard drive should be addressed as soon as possible.  The SYSVOL may be the culprit but I doubt it.  Have you tried a clean install on the client?  Also, is the client current on its updates?
nigelbeatson (MD, Author) Commented:
Thank you. Yes, we are aware of the bad block, but presumed the OS would mark it so, relocate the data and mark it "don't use".

We have not tried a clean install of the client OS, if that is what you mean, due to the amount of programs and data on the workstation in question. We will of course have to do this if essential.

Due to the amount of work involved in doing this, we thought we should try further investigations first, particularly as it has affected other workstations too.

Updates are enabled on each of our servers and client workstations.
The security log in the Event Viewer on the Domain Controller should show any failed attempts for users to log on. The failures (or lack of them) can help work out where the issue is.
You also need the events from the application and system logs on the PC though.
WORKS2011 (Managed IT Services, Cyber Security, Backup) Commented:
It's not a workstation, the probability of more than one workstation needing an OS rebuild is "Zero", yes null so don't bother doing the work.

I would definitely be worried about the SYSVOL being affected; you need to address this ASAP.

Run dcdiag /test:dns (I know it's part of dcdiag) and post the results.

We need to start by fixing the following from dcdiag:

      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SWWSERVER failed test frsevent
      Starting test: kccevent
         ......................... SWWSERVER passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0001B77
            Time Generated: 03/15/2012   11:07:55
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B77
            Time Generated: 03/15/2012   11:24:40
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0001B77

WORKS2011 (Managed IT Services, Cyber Security, Backup) Commented:
1. Has anything changed with your DHCP scope options?

2. Run ipconfig /flushdns on the server.

3. On workstations run ipconfig /flushdns then ipconfig /registerdns.

4. Run the Connect to the Internet wizard on the SBS; it's a good place to start. SBS loves the built-in wizards.
nigelbeatson (MD, Author) Commented:
Many thanks to all.

I have carried out the dcdiag test for DNS and the results are as follows :-

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\SWWSERVER
      Starting test: Connectivity
         ......................... SWWSERVER passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\SWWSERVER

DNS Tests are running and not hung. Please wait a few minutes...
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : swdom
   Running enterprise tests on : swdom.local
      Starting test: DNS
         Test results for domain controllers:
            DC: swwserver.swdom.local
            Domain: swdom.local

               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: (<name unavailable>)
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the failed on the DNS server
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext  
            Domain: swdom.local
               swwserver                    PASS PASS FAIL PASS PASS PASS n/a  
         ......................... swdom.local failed test DNS

The strange thing is, I changed the DNS forwarders to and also one other that I often use, but the error persists. Very strange.

Any suggestions?

I can also confirm that the problem workstation from yesterday (XP Pro client) is now working fine, but one of our Windows V7 workstations failed to log in (again incorrect username / password).

The user tried to log on as a different user at a different V7 workstation, and this logged in fine. After doing this, they could then log in OK on their workstation too.

I checked the Security event log, and it showed :--

Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:
       Source Port:      3911

All are working OK at the moment, but there must be an underlying issue, as it has been like this for a few weeks now, and I need to get to the bottom of it.

Any further help would be appreciated.
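
As an added example (not part of the thread and not posted by any participant), the dcdiag text output quoted above can be reduced to its failing tests, including the failing column of the DNS summary table, with a short Python parser. The function names are hypothetical and the sample input is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: lines copied from the dcdiag output quoted in this thread.
SAMPLE = """\
      Starting test: frsevent
         ......................... SWWSERVER failed test frsevent
      Starting test: kccevent
         ......................... SWWSERVER passed test kccevent
         Summary of DNS test results:
                                            Auth Basc Forw Del  Dyn  RReg Ext  
            Domain: swdom.local
               swwserver                    PASS PASS FAIL PASS PASS PASS n/a  
         ......................... swdom.local failed test DNS
"""

VERDICT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
DNS_COLUMNS = ("Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext")
DNS_VALUES = {"PASS", "FAIL", "WARN", "n/a"}

def parse_verdicts(text):
    """Return [(target, test, passed)] for every dcdiag verdict line."""
    return [(m.group(1), m.group(3), m.group(2) == "passed")
            for m in VERDICT.finditer(text)]


def parse_dns_matrix(text):
    """Return {server: {column: result}} from the DNS summary table."""
    matrix, in_table = {}, False
    for line in text.splitlines():
        fields = line.split()
        if tuple(fields) == DNS_COLUMNS:
            in_table = True          # header row found; data rows follow
            continue
        if not in_table or not fields:
            continue
        if line.lstrip().startswith("."):
            break                    # the dotted verdict line ends the table
        if len(fields) == len(DNS_COLUMNS) + 1 and set(fields[1:]) <= DNS_VALUES:
            matrix[fields[0]] = dict(zip(DNS_COLUMNS, fields[1:]))
    return matrix


def failures(text):
    """Failed tests plus, for DNS, the failing sub-test columns per server."""
    failed = [(target, test) for target, test, ok in parse_verdicts(text) if not ok]
    dns = {srv: [c for c, r in row.items() if r == "FAIL"]
           for srv, row in parse_dns_matrix(text).items()}
    return failed, {srv: cols for srv, cols in dns.items() if cols}
```

Saving each day's dcdiag run to a file and comparing the `failures()` result between days shows whether the frsevent and Forw failures are constant or come and go with the login problem.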

nigelbeatson (MD, Author) Commented:
Not changed anything on the DHCP service at all.

I think it is a server based problem, as the workstations do connect sometimes, first time. They are all working now, but I know come Monday, we will get this issue somewhere on the network.

Many thanks.
WORKS2011 (Managed IT Services, Cyber Security, Backup) Commented:
1. Reset your switch since it's a single point of failure; if it's managed, check the logs. Could be a port intermittently broadcasting bad info or something like this.
Could you explain the following details from your post:

"Source Network Address:
       Source Port:      3911"

How come your IP has come out as an external IP instead of an internal one?
Also, port 3911 is a little odd for workstation login.

Are there any details you've missed here?
nigelbeatson (MD, Author) Commented:
Sorry for the delay in replying.

No, I cannot explain the IP address?? The workstation is a local device and is connected via ethernet to our server.
