Win2k client cannot find domain controller name after domain upgrade

Status
Not open for further replies.

dmandell

MIS
Sep 26, 2002
342
0
0
US
Situation:
recently upgraded from NT domain to AD domain.
All computers and users in the same domain, site, etc.
Using Win2k DNS as primary (non AD integrated)
Using Win2k WINS servers.

Almost all clients working correctly. A few remote clients are having issues.

1. Remote Win2k computer connected to main office through 3DES firewall to firewall VPN.

Boot up computer and user logs in. There is a hang on loading the user's personal settings for 30 sec. or so. The following error shows in the client's event log.

Windows cannot obtain the domain controller name for your computer network. Return value (59).

This error presents itself in the log twice, once when the computer boots up and tries to reach the domain and also when the user tries to log in.

What works:
Access to file servers, shared directories, windows browsing, Exchange server access, internal DNS resolution, internal WINS resolution.

What I have checked.
DNS correctly registers on the server for this client in both forward and reverse zones.
WINS registers correctly for this client in WINS database.

What I have tried:
Checked DNS and WINS settings for correctness.
Setup lmhosts file with (domain and server settings)
(reset DNS and WINS cache on client)
remove and reinstall net card drivers
remove and reinstall TCP/IP
Refreshed service packs

This seems trivial, but there is a second client computer (laptop) that is exhibiting the same issue, but it will hang indefinitely while trying to load the user's "personal settings" (instead of just 30 seconds). If the network cable is unplugged, the user login process completes (with the same error in the logs). After plugging the cable back in, the user then has access to the LAN, but not most Microsoft services. Here's the odd thing: if the user then starts a Microsoft PPTP VPN to our VPN server, access to all services is available.

If this user plugs directly into the main office LAN with his laptop (comes in to the office), the computer and access work correctly without error. These errors only started happening after the in-place AD domain upgrade.

Anyone seen this kind of error before?
Thanks, Dana
 
That's an interesting thought, but if there were a conflict, when starting the Directory service on the exchange 5.5 server I would expect to see the following error, and I have not.

Event ID: 1306
Type: Error
Source: MSExchangeDS
Description: Register LDAP protocol failed with error 10048. If port number 389 is used by another application, change to an unused port, then shut down and restart Microsoft Exchange Directory Services. Contact Microsoft Support Service if condition persists.

-Dana
 
We had a very similar problem. Try this to force Kerberos to use TCP instead of UDP. This solved our Netscreen problems. You may have to do it on the Domain Controllers as well as the clients, but I'm not positive. I did it on both myself.

Start Registry Editor.
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

If the Parameters key does not exist, you can create it now.
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: MaxPacketSize
Data Type: REG_DWORD
Value: 1

Quit Registry Editor.
Restart your computer.
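
The registry change from the post above, as an added PowerShell example that is not part of the original post: it reports the current MaxPacketSize value and can set it to 1 idempotently. The function names are hypothetical, the key is the one Microsoft documents (`Control\Lsa\Kerberos\Parameters`), and it assumes a Windows version that ships PowerShell and an elevated session.

```powershell
# Added example: audit, and optionally set, the Kerberos MaxPacketSize value.
# Function names are hypothetical; run elevated to apply the change.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the configured value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosForceTcp {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Create the Parameters key only if it is missing, as the post describes.
    if (-not (Test-Path $KerbParams)) {
        if ($PSCmdlet.ShouldProcess($KerbParams, 'Create key')) {
            New-Item -Path $KerbParams -Force | Out-Null
        }
    }
    # REG_DWORD MaxPacketSize = 1, the value given in the post.
    if ($PSCmdlet.ShouldProcess("$KerbParams\MaxPacketSize", 'Set to 1 (REG_DWORD)')) {
        New-ItemProperty -Path $KerbParams -Name MaxPacketSize `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report the current state before changing anything.
$current = Get-KerberosMaxPacketSize
if ($null -eq $current) {
    'MaxPacketSize is not set: the operating system default applies.'
} elseif ($current -eq 1) {
    'MaxPacketSize = 1: matches the value from the post (Kerberos forced to TCP).'
} else {
    "MaxPacketSize = ${current}: differs from the value 1 given in the post."
}

# Preview the change; remove -WhatIf to apply it, then restart the computer.
Set-KerberosForceTcp -WhatIf
```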
 
Cool

With SBS I don't have this problem but I will put it in my memory banks somewhere for the next win2k installation.

Michael
 
HERE'S THE SCENARIO, HOPE IT HELPS!!!!

1. With a Windows NT client operating system you must log on and authenticate with the AD or DC.

2. When your network adapter is enabled and has an IP address it will try to find the AD or Domain server; this is why your users take time and login until it times out.

NOTE: If your users disconnect the network cable from the network adapter card prior to logging on and connect it back after they have, you won't have this problem.

Solution:

"Logon to the VPN prior to logging on to the system"

Change the settings on the VPN Client to prompt you to logon to the VPN prior to logging onto windows.

1. Open the Cisco VPN dialer, click Options --> Windows Logon Properties --> select Enable Start Before Logon --> click OK.
2. Go to Options --> Properties --> Connections --> select "Connect to the internet via dialup networking" and choose the DSL connection you are using. Click OK and close.

If you restart your machine and go to Ctrl-Alt-Del you will receive the VPN dialer prompt to log on to the VPN. Go ahead and connect; at the same time the dialer will connect to the DSL provider and establish a VPN session with the network, then you will be able to log in without a problem.
 
Additional note to Maverick22's post. This applies specifically to those using Cisco VPN.
 