Solved

Logon Failure, bad username or password when attempting to join new pc to domain

Posted on 2012-04-09
28
734 Views
Last Modified: 2012-06-25
Recently I have been experiencing some weird problems which all seem to point back to a central problem. I have a Windows 2003 server set up as a domain controller and a DNS server; I also have a second Windows 2003 server set up as a terminal server. I have about 50 workstations that join to my domain. Recently I have been experiencing a problem where users are not being handed IP addresses when connecting to the network. This was resolved by inserting a static IP on the offending workstation. Only a few machines were experiencing this, so I really didn't know what to blame it on; I just gave the static and moved on. Then, when adding a new workstation, I cannot join it to the domain. A new Windows 7 and Windows XP workstation were just added and neither machine can join to the domain. They can ping the server and have correct IP and DNS information; although the information was not given automatically, they can still get online and ping the server. The error I get when joining says Logon Failure: Bad Username or Password. I'm using the domain controller's administrator account to join them and have verified this password is working successfully by logging into the domain controller. I'm starting to suspect DNS as a problem but really don't know where to go from here. Please assist.
0
Question by:xpresscomp
28 Comments
 
LVL 9

Expert Comment

by:Geodash
ID: 37825166
Can they ping the server via both IP and hostname? What is your DHCP reservation set in your scope? Do you have scavenging turned on?
0
 
LVL 9

Expert Comment

by:meko72
ID: 37825180
When it prompts for the password, try putting in domainname (the name of your domain)\administrator, then the password.

Also, can you ping using the server name and resolve back to it via IP?
0
 

Author Comment

by:xpresscomp
ID: 37825226
A quick clarification on the error: it actually says "unknown username or bad password".

I can ping the server both by name and number successfully from the workstation which can't be joined.

I'll have to check on the DHCP reservations, and I don't know what scavenging is; please clarify.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37825231
Check your hosts file for any "weird" entries. I have seen spyware cause similar issues. It is located at

%SystemRoot%\system32\drivers\etc\hosts
0
 

Author Comment

by:xpresscomp
ID: 37825238
How will I know what's weird?
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37825245
Open the file in Notepad, copy and paste it here. We will know if it's weird. Or look here; a normal hosts file will look like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost


If there are more, it may be bad!
0
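As an added illustration of what "more entries" means in practice (this is my own example, not code posted by Geodash or anyone else in the thread), the following Python script parses a hosts file, ignores the comment block that ships with Windows, and reports every active mapping that is not the standard loopback line. It also flags an active entry whose address lies outside the LAN, which is the pattern where a name such as the domain controller's is quietly redirected to a host the admin never chose. The sample hosts text, the LAN range 192.168.0.0/24, and the names dc01 / example.local are constructed for the example.

```python
"""Report non-default entries in a Windows hosts file (added example)."""
import ipaddress

# Constructed sample: the stock Microsoft comment block followed by three
# active lines.  Only the first of the three is a stock entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
#      127.0.0.1       localhost
127.0.0.1       localhost
192.168.0.5     dc01 dc01.example.local   # constructed: DC pinned by hand
203.0.113.77    dc01.example.local        # constructed: DC name sent off-LAN
"""

# Mappings a stock Windows hosts file may legitimately carry.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return [(ip, [hostnames]), ...] for every active (non-comment) line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, full-line or trailing
        fields = line.split()
        if len(fields) >= 2:                 # an address followed by >= 1 names
            entries.append((fields[0], fields[1:]))
    return entries


def suspicious_entries(text, lan_networks=()):
    """Return (ip, names, reason) for every entry that is not a stock loopback
    mapping.  When lan_networks (CIDR strings) is given, an entry whose address
    lies outside those networks is flagged as pointing off-LAN."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, names, "unparseable address"))
            continue
        if all((ip, name) in DEFAULT_ENTRIES for name in names):
            continue  # stock loopback line, nothing to report
        reason = "non-default mapping"
        if nets and not addr.is_loopback and not any(addr in n for n in nets):
            reason = "points outside LAN"
        findings.append((ip, names, reason))
    return findings


if __name__ == "__main__":
    for ip, names, reason in suspicious_entries(SAMPLE_HOSTS, ["192.168.0.0/24"]):
        print(f"{reason:22} {ip:16} {' '.join(names)}")
```

Run it against a file read from %SystemRoot%\system32\drivers\etc\hosts on the client in question; an empty result means the file carries nothing beyond the stock loopback line, and any "points outside LAN" finding deserves attention before anything else on the machine is trusted.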
 
LVL 9

Expert Comment

by:Geodash
ID: 37825247
Same with your lmhosts file, same location. This is where domain info can be added for talking to DCs.
0
 

Author Comment

by:xpresscomp
ID: 37825255
Do you want the hosts file from the server or from the workstation? The problem has to be with the server, because the workstations are brand new and unused.
0
 
LVL 9

Expert Comment

by:meko72
ID: 37825256
You will know because there should only be maybe one entry in it, like localhost 127.0.0.1; anything else needs to be deleted. Afterwards, reboot the computer.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37825260
From the clients, not the server. Are all clients having the same issue?
0
 
LVL 9

Expert Comment

by:meko72
ID: 37825262
I would check your DHCP scope and make sure you have the correct DNS and gateway for clients.
0
 
LVL 9

Expert Comment

by:meko72
ID: 37825269
Make sure that the domain controller is pointing to itself for DNS (if DNS is also on the same server).
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37825272
Are these clients all connecting to your network through the terminal server? Or are they physically on your network?
0
 

Author Comment

by:xpresscomp
ID: 37825399
It appears the hosts file looks fine. Also, all these computers are connected physically to the domain and are not logging in via terminal services. I'll check on the DHCP scope.
0

 

Author Comment

by:xpresscomp
ID: 37825461
DHCP scope appears fine; it's giving the correct DNS, and the DHCP pool is set to start at 192.168.0.30 and go up to .100.
0
 

Author Comment

by:xpresscomp
ID: 37825471
Could this be a licensing issue? I thought the way it worked was you had 20 user licenses, which meant you could join as many computers as you wanted to the domain but only 20 could be logged on at any given time. Let me know if that is correct.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37825484
I don't think licensing would produce errors like this.

Do these from a client that is having issues, from the command prompt, in this order:

netsh int ip reset c:\resetlog.txt

ipconfig /flushdns
ipconfig /release
ipconfig /renew
ipconfig /registerdns

all in a row, then reboot and see what happens. I want to see if something is holding up in TCP/IP.
0
 

Author Comment

by:xpresscomp
ID: 37825560
I ran all these commands on the workstation which cannot join to the domain. What happens is the machine will not get an IP on its own; it gets a 169.254 number, the generic Windows default, and it has nothing listed under gateway. This happens on the other workstation as well. I don't believe the workstations are the issue here; it has to be on the server somewhere.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37825567
Have you stopped and restarted the DHCP Server service on the server? Have you rebooted the server? Did clients pull from this server in the past without error?
0
 

Author Comment

by:xpresscomp
ID: 37825570
I can access the internet and such by giving the machine a static IP and DNS, and I can ping the server by name or number from the workstation, but if I try to do a Remote Desktop session to the server from the workstation, I can make it to the logon prompt and when I type the correct user/pass I get the same error.
0
 

Author Comment

by:xpresscomp
ID: 37825666
I have rebooted the server, and clients did pull from the server successfully before. I'll have to stop and restart the service and try that.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37825675
What is your setup like?
Do you have GPOs that are supposed to have each newly added system auto-enroll to get a certificate, but new systems are unable to do that because of issues with the CA or subordinate CAs?
Use GPMC on the server and RSoP on the client to check for any GPO errors.
0
 

Author Comment

by:xpresscomp
ID: 37825688
I'm not too familiar with how the server is set up in that respect; I just got this mess handed to me today. Please explain what you want me to check more specifically, as I don't know all of the acronyms you've used there. Also, you might wanna include where and how to check those for the ones I don't know.
0
 
LVL 76

Expert Comment

by:arnold
ID: 37825763
On the server, in the administrative tools, is there a Group Policy Management option?
Or you can download it from http://www.microsoft.com/download/en/details.aspx?id=21895 and install it. It does not require a reboot.

Within GPMC there is a Group Policy Results option where you can run the wizard and specify the system to test how the GPOs apply.
Using the administrative tool Active Directory Users and Computers, see whether the location where the currently working workstations are located is not the location where the newly added ones are. Moving the new ones into the same location may help.

The allocation of an IP in the 169.254.x.x range suggests that there is something wrong with the DHCP server.

On another currently working workstation, run the command
ipconfig /all, or get the properties for the network connection and look at the details.

The information you are looking for is whether this system gets a dynamically allocated IP and, if so, the DHCP server that allocated the IP will be listed.

On another check: are there any other systems that are working connected to the same network switch that these two are?

The switch may be configured to authenticate systems prior to granting them network access.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 37826063
There are a number of possibilities that can cause your problems:

You're getting an APIPA IP address (169....).

This means DHCP is down or your DHCP is not getting to the client. Go to a working client that you can test the DHCP server with and don't need on the network, and renew the IP address (command prompt, type: ipconfig /renew).

If it renews, you have 802.1x settings configured on the network and that one problem child computer is failing 802.1x because it's not an AD computer and it's trying to authenticate the machine credentials prior to getting an IP. So, you need to configure a port that doesn't participate in 802.1x authentication in order to join the domain, so the problem child computer is able to authenticate and get an IP through Network Access Protection (NAP client DHCP quarantine client-side service). Check the switch logs for 802.1x failures. Here's how 802.1x works: Client >> Supplicant/RADIUS server >> Domain controller authenticates client; if authenticated, the domain controller sends back an IP address.


NOTE: (THESE ARE NOT YOUR PROBLEM IF YOU CONFIGURE A FIXED IP AND GET TO THE INTERNET)
If you don't have 802.1x with RADIUS servers set up, then your computer is blocked by MAC address on the switch. This is done through sticky ports (AKA port security). Depending upon how it's configured, a sticky port will accept the first MAC address that is plugged into the switch; any of the next MAC addresses that plug into that switch will be denied an IP. IT COULD ALSO MEAN THE PORT IS MANUALLY SHUT DOWN TO DENY ANYONE FROM PLUGGING A COMPUTER INTO THAT PORT FOR ACCESS TO THE BROADCAST DOMAIN. For either a shut-down port or port security, you have to check the switch configuration of the port and the switch logs.


*** Since you are able to configure a manual IP and get outside network services, this is most likely your problem:
There is also the possibility that you have configured VLANs and are not getting an IP through the router to the client's VLAN because IP helper is not enabled on the client machine to get DHCP requests through the router to the DHCP server. So, if you have VLANs, then on the client machine configure IP helper as started and enabled.

Once you get an IP, let's talk about DNS configuration. NOWHERE on the entire LAN should you configure an outside DNS server for DNS services, except on the DNS server itself. So, that client may get outside domain service, but not communicate with the domain controller, because you are accessing outside DNS servers on the network for domain services. Those outside DNS servers will not have your domain service records (SRV records). The only place a domain should have external DNS servers is within DNS forwarders or root hints (root hints come out of the box already configured). It sounds like these are already configured, or your clients that use DHCP would have problems like the manually configured computers do. Compare a working client's DNS servers listed to your manually configured problem child computers by running ipconfig /all at the command prompt for both client computers.

Your problems are twofold: they start with a switch/router blocking DHCP. Then, it may involve DNS misconfigurations because you manually set it.
0
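Both arnold's suggestion (compare ipconfig /all on a working and a failing client and see whether a DHCP server is listed) and ChiefIT's point (an APIPA address means no lease was obtained, and a client pointed at external DNS servers cannot find the domain's SRV records) can be checked mechanically. The following Python script is an added example, not code from anyone in the thread: it parses constructed ipconfig /all output for the two client profiles described in the thread and returns the findings a practitioner would want to see. The addresses in the sample output and the internal range 192.168.0.0/24 are constructed for the example.

```python
"""Check ipconfig /all output for the DHCP and DNS failure modes above (added example)."""
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed output in the shape ipconfig /all prints; addresses are made up.
FAILING_CLIENT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-NEW01

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.12.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 8.8.8.8
"""

WORKING_CLIENT = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.2
   DNS Servers . . . . . . . . . . . : 192.168.0.2
                                       192.168.0.3
"""


def parse_ipconfig(text):
    """Map 'Key . . . : value' lines to {key: [values]}.  Indented lines with no
    key continue the previous field (ipconfig lists extra DNS servers that way)."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if sep and "." in key:                        # dotted leader => field line
            key = re.sub(r"[\s.]+$", "", key.strip())
            last_key = key
            fields.setdefault(key, [])
            if value.strip():
                fields[key].append(value.strip())
        elif last_key and raw.startswith("   ") and raw.strip():
            fields[last_key].append(raw.strip())      # continuation value
        else:
            last_key = None                           # blank line or adapter header
    return fields


def _addr(value):
    """Strip ipconfig's '(Preferred)' style suffix and parse the address."""
    return ipaddress.ip_address(re.sub(r"\(.*?\)", "", value).strip())


def check_client(text, internal_networks):
    """Return human-readable findings for one client's ipconfig /all output."""
    f = parse_ipconfig(text)
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    findings = []
    for key in ("IPv4 Address", "Autoconfiguration IPv4 Address", "IP Address"):
        for value in f.get(key, []):
            if _addr(value) in APIPA:
                findings.append(f"APIPA address {value}: no DHCP lease was obtained")
    if f.get("DHCP Enabled") == ["Yes"] and not f.get("DHCP Server"):
        findings.append("DHCP enabled but no DHCP server answered")
    if not f.get("Default Gateway"):
        findings.append("no default gateway configured")
    for server in f.get("DNS Servers", []):
        if not any(_addr(server) in n for n in nets):
            findings.append(f"external DNS server {server}: it cannot hold the domain's SRV records")
    return findings


if __name__ == "__main__":
    for name, text in (("failing", FAILING_CLIENT), ("working", WORKING_CLIENT)):
        print(name, check_client(text, ["192.168.0.0/24"]) or ["no findings"])
```

Paste the real ipconfig /all output of each client into the two strings (or read it from a file) and pass the LAN ranges the DHCP scope actually serves; the working client should come back clean, and the failing client's list says which of the two layers, DHCP delivery or DNS server choice, to look at first.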
 

Author Comment

by:xpresscomp
ID: 37827455
Thank you for all your wonderful suggestions. I'll be working on this problem this afternoon and will post an update later.
0
 

Accepted Solution

by:
xpresscomp earned 0 total points
ID: 37852181
The problem turned out to be that someone actually did change the password on me. Silly as it sounds, I don't wanna award the solution for an incorrect answer, as it may throw off people that are looking for actual solutions. Thanks for all your help.
0
 

Author Closing Comment

by:xpresscomp
ID: 38119674
The problem turned out to be that someone actually did change the password on me. Silly as it sounds, I don't wanna award the solution for an incorrect answer, as it may throw off people that are looking for actual solutions. Thanks for all your help.
0
