Windows 2000/XP Clients Can't Log On!

Status
Not open for further replies.

Frank668

Technical User
Oct 21, 2002
40
CA
Hi, I got a problem here... I had a Windows NT 4.0 domain (PDC and BDC working correctly (Domain was TEXDURE)). We have upgraded the domain to a Windows 2000 Domain but the users are only able to log onto the old WinNT domain. What I have seen in the W2k config is that its domain is "DU-RE.com". So it was changed during the update. Windows 2000 has been put OVER Windows NT 4.0. I have tried today to log on that Windows 2000 domain with a Windows XP Pro computer but it can't find the domain. A Windows 2000 Client gets that error: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect." We have set the W2k to work in NATIVE mode but it didn't correct the problem.

If you have any ideas, thank you.

-Frank
 
Sorry, I forgot to say that the Windows 98/2000 computers are still able to log onto the TEXDURE (the old BDC) domain. Both BDC (TEXDURE) and AC (DU-RE.COM) domains are up, but only the TEXDURE domain is responding.

Thanks, Frank.
 
Have you changed the domain on clients checking the box "create computer account on server" ?
 
I haven't found that option yet... note that the server has been upgraded.

Please give me more details.

Thank you, Frank.
 
If the domain name is changed during the upgrade you should proceed like a new domain installation, so you should change the Net-Id, leaving the old domain and joining the new one. You find the wizard from right-clicking on My Computer then Property then the button "Network ID".
 
I did that, but the clients don't communicate with the new domain controller!! Here is the error it gives me with a Windows 2000 Pro computer when I try to change the domain of the client to DU-RE.COM:

"Windows cannot find an account on the DU-RE.COM Domain."

Then it asks me to put in the COMPUTER NAME and the DOMAIN. The computer name by the way does exist on the W2k domain.

"The domain name "DU-RE.COM" is either invalid or does not exist."

Thank you, Frank.
 
Ok, I've understood: the correct domain name you must type in the w2k clients is DU-RE (the NetBIOS name) and not the full AD domain DU-RE.COM. In XP clients the domain is asked 2 times: the first one you must type the AD domain name, the second the NetBIOS name. Try this... should be your solution.

Pino
 
Sorry, I have tried that. The Windows 2000 Pro Client is unable to connect to the domain (DU-RE, and DU-RE.com I have tried them all)... :/

The XP client can't by the way.

-Frank
 
This is really a strange issue... have you tried to add (if it is not installed) IPX protocol? If also with IPX installed both on server and clients nothing changes you should provide the standard diagnostic files to understand the problem.
 
IPX was not installed, I installed it and I have just retried... nothing new! It still doesn't work. The computers don't find the DU-RE or DU-RE.COM domain.

They still find the TEXDURE (NT4 BDC) domain though, if I close that computer (BDC) then nobody can log on...!

-Frank
 
Uhm... in my memory I've found just one similar issue, and the problem was that on the clients was present IE with Hi Encryption. Are both (clients and server) at the same Encryption level?
 
The server is a Windows 2000 Professional with Internet Explorer 5.00.3502.1000 With 128-bit Encryption. It also has Service Pack 3 installed. Do you think that I will need to install Internet Explorer 6.0 Service Pack 1 in order to have my Windows 2000 SP3 + IE55 clients to log on?

Note that also the Windows 95 and XP computers are NOT able to log on!

Thanks, Frank.
 
have you looked into your dns setup? check that srv records were created for your upgraded pdc-now dc.
scottie
 
Ok, the 128bit is installed both on clients AND server? If not, you must do it. Also binkin's tip can help.
Surely you should apply also IE6 upgrade to be sure that all systems are up to date... but be careful to work at the same encryption level.
 
Well for the DNS problem, could you give me more details about it? Maybe it's not a bad idea at all!

And about the 128-bit Encryption, yes, they are both 128-bit. The other computer is using IE6.0 SP1 and the server is using IE5.0.

I can't install IE6 now because the server may not go down.

Any other ideas?

Thanks, Frank.
 
Ok, from the server session are you able to do nslookup to the fully qualified name of the server itself? And nslookup using the IP address? Does the server respond correctly?

Pino
 
about your dns question..

Log on to a client with the local admin account. See if you can ping your FQDN of your domain. (du-re.com) IF not then go to the properties of the TCP/IP protocol and change the DNS ip address to the IP of your Domain Controller. Then see if you can ping your domain, du-re.com.

Things to remember, NT/98/95 use NetBIOS for name resolution. 2k/XP use DNS for name resolution, and fall back on NetBIOS if DNS is not working but I believe since you're in native mode NetBIOS won't work with AD for login sessions.



Also I believe someone has mentioned this but log on the Domain controller and double check for the computer accounts in AD users and computers.
 
Here's what it gives me:

C:\WTSRV\Profiles\Administrator>nslookup du-re.com
Server: galilee1.sogetel.net
Address: 205.236.148.130

Non-authoritative answer:
Name: du-re.com
Address: 207.253.100.82

-Frank
 
OK, so then your domain is not so clear to me... your server name is galilee1.sogetel.net? Not think.... here a normal response for a server named serverw2k.renord-mi.locale having the IP Address 172.18.76.195:

C:\>nslookup serverw2k.renord-mi.locale
Server: serverw2k.renord-mi.locale
Address: 172.18.76.195

Name: serverw2k.renord-mi.locale
Address: 172.18.76.195


C:\>nslookup 172.18.76.195
Server: serverw2k.renord-mi.locale
Address: 172.18.76.195

Name: serverw2k.renord-mi.locale
Address: 172.18.76.195

Can you paste an IPCONFIG /ALL in this thread?

Pino
 
fire up the dns mmc. open up your domain's forward lookup zone. if you haven't used this console before, choose view --> advanced... now expand the du-re.com node --> dc --> sites --> default-1st-site --> _tcp. got srv records there? the same for the _sites node. as for the du-re.com forward lookup zone, do the A records look correct ? and you have a NS and SOA record for the servername.du-re.com..
w2k clients need to locate the dc via dns srv records. you might check that the 1st dc you built is still a global catalog. active directory sites & services, expand the sites --> default-1st-site --> servers --> servername --> right click the NTDS settings. i would also run dcdiag and netdiag from the command prompt. this will give you valuable info for troubleshooting.
scottie
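
The nslookup output Frank posted above is answered by an ISP resolver, not by the domain controller, which would explain why the SRV records scottie describes are never found. The Python below is an added example, not part of the original thread: it parses the two nslookup outputs from the posts above and flags a resolver that is unlikely to serve the Active Directory zone. The function names and the three heuristics are assumptions of this example.

```python
import ipaddress
import re

# nslookup output as posted in the thread (Frank's server, then Pino's reference server).
FRANK = """\
Server: galilee1.sogetel.net
Address: 205.236.148.130

Non-authoritative answer:
Name: du-re.com
Address: 207.253.100.82
"""
PINO = """\
Server: serverw2k.renord-mi.locale
Address: 172.18.76.195

Name: serverw2k.renord-mi.locale
Address: 172.18.76.195
"""

def parse_nslookup(text):
    """Split nslookup output into the resolver block and the answer block."""
    r = {"server": None, "server_addr": None, "name": None, "addresses": [],
         "authoritative": "non-authoritative answer" not in text.lower()}
    for key, value in re.findall(r"^\s*(Server|Name|Address):\s*(\S+)", text, re.M):
        if key == "Server":
            r["server"] = value
        elif key == "Name":
            r["name"] = value
        elif r["name"] is None:   # an Address seen before any Name is the resolver's own
            r["server_addr"] = value
        else:
            r["addresses"].append(value)
    return r

def diagnose(text, ad_domain):
    """Heuristic reasons the resolver is not serving the AD zone (empty list = none found)."""
    r = parse_nslookup(text)
    checks = [
        (not (r["server"] or "").lower().endswith("." + ad_domain.lower()),
         "resolver is outside the AD domain"),
        (not r["authoritative"], "answer is non-authoritative"),
        (any(not ipaddress.ip_address(a).is_private for a in r["addresses"]), "public answer"),
    ]
    return [msg for failed, msg in checks if failed]

def srv_names(ad_domain):
    """SRV names a client uses to locate a DC; check each with nslookup -type=SRV <name>."""
    return [f"_ldap._tcp.dc._msdcs.{ad_domain}", f"_kerberos._tcp.{ad_domain}"]
```

Calling `diagnose(FRANK, "du-re.com")` returns all three findings, while `diagnose(PINO, "renord-mi.locale")` returns an empty list.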
 