RE: dr testing but cannot logon
From: S.J.Haribabu (sjhari_at_microsoft.com)
Date: 07/19/04
- Next message: Simon Geary: "Re: Windows 2003 - 64bit - Confusion"
- Previous message: Simon Geary: "Re: Active Directory with clustering file server"
- In reply to: Andrew: "dr testing but cannot logon"
- Next in thread: Andrew: "RE: dr testing but cannot logon"
- Reply: Andrew: "RE: dr testing but cannot logon"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 19 Jul 2004 17:15:19 GMT
Hi,
I did some research and found KB article for "The system cannot log you on
to this domain because the system's computer account in its primary domain
is missing or the password on that account is incorrect."
CAUSE
========
This behavior may occur if the password for the computer account and the
local security authority (LSA) secret are not synchronized.
RESOLUTION
=============
To troubleshoot and resolve this behavior, use the following procedures, as
appropriate for your situation:
Reset the secure channel between the Windows XP-based client computer and
the domain controller.
You can use either the Nltest.exe or Netdom.exe command-line utilities to
reset the secure channel. Both these tools are located in the
Support\Tools folder of the Windows XP CD-ROM. To install these tools, run
Setup.exe or extract the files from the Support.cab file.
To use the Nltest.exe command-line utility to query and reset the secure
channel, type the following lines at the command prompt, pressing
ENTER after each line:
nltest /sc_query
nltest /sc_reset
For additional information about how to use Nltest.exe to force a new
secure channel, click the following article number to view the article in
the Microsoft Knowledge Base:
156684 How to Use NLTEST to Force a New Secure Channel
To use the Netdom.exe command-line utility to reset the secure channel,
type the following lines at the command prompt, pressing ENTER after
each line:
netdom reset ComputerName /domain:DomainName
Note: Make sure that you use the version of Netdom.exe that is included with
Windows XP. For additional information about how to use Netdom.exe to reset
the secure channel, click the following article number to view the article
in the Microsoft Knowledge Base:
216393 Resetting Computer Accounts in Windows 2000 and Windows XP
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.
Check the event logs on both the PDC and Windows XP client computer.
For example, you may see the event messages similar to the following event
message in Event Viewer:
Event ID 5721
The session setup to the Windows NT Domain Controller <Unknown> for the
domain <DomainName> failed because the Windows NT Domain Controller does
not have an account for the computer <ComputerName>
Event ID 5722
The session setup from the computer DOMAINBDC failed to authenticate. The
name of the account referenced in the security database is DOMAINBDC$. The
following error occurred:
Access is denied.
For additional information, click the following article numbers to view the
articles in the Microsoft Knowledge Base:
160324 Event ID 5721 after Deleting Computer Account
150518 NetLogon Service Fails When Secure Channel Not Functioning
Verify that the computer account exists in the domain. To do so:
Click Start, point to Programs, point to Administrative Tools, and then
click Server Manager.
On the View menu, click Show Domain Members.
If the computer is not listed, either manually add the computer account on
the PDC, or join the domain from the client computer.
Make sure that NetBIOS over TCP/IP (NetBT) is enabled on the client
computer. For additional information, click the following article number to
view the article in the Microsoft Knowledge Base:
314366 Cannot Join Windows XP Client to a Windows NT Domain
If the following registry entries are configured on the Windows XP client
and on the domain controller, make sure that their values are set to 0
(zero):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilitylevel
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous
For additional information, click the following article number to view the
article in the Microsoft Knowledge Base:
239869 How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT
On the Windows XP client computer, verify that the Network Security: LAN
Manager Authentication level Group Policy setting is configured to use the
Send LM & NTLM responses option. To do so:
Click Start, and then click Run.
In the Open box, type gpedit.msc, and then click OK.
Expand Local Computer Policy, expand Computer Configuration, expand Windows
Settings, expand Security Settings, expand Local Policies, and then click
Security Options.
In the right pane, double-click Network Security: LAN Manager
Authentication level.
Make sure that the Send LM & NTLM responses option is set, and then click
OK.
Investigate possible name resolution issues.
Investigate possible trust relationship issues by using the Netdiag.exe
command-line utility.
Re-create the computer account, join a workgroup, and then rejoin the
domain.
On the Windows XP client computer, turn on logging for the Netlogon service
to capture and view NTLM logon events. For additional information about how
to do so, click the following article number to view the article in the
Microsoft Knowledge Base:
109626 Enabling Debug Logging for the Netlogon Service
Use Network Monitor to perform a network trace and analyze Remote Procedure
Call (RPC) traffic.
For more information, look into
http://support.microsoft.com/default.aspx?scid=kb;en-us;810497
Thanks,
sjhari@online.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
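
The read-only checks from the message above (secure channel query, the two LSA registry values, and Netlogon events 5721/5722), collected into one script. This is an added example, not part of the original posting or of the KB article it quotes; it assumes Windows PowerShell 3.0 or later, nltest.exe on the PATH, and an arbitrary 7-day event window.

```powershell
# Added example: read-only diagnostics for the steps listed in the message.
# Run in an elevated session on the domain-joined client (and, for event 5722,
# on the domain controller as well). Nothing here changes system state.

$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$report = [ordered]@{}
$report['Computer'] = $env:COMPUTERNAME
$report['Domain']   = $domain

# 1. Secure channel: the "nltest /sc_query" step, with the domain name supplied.
#    nltest returns a non-zero exit code when the channel cannot be verified.
$scOutput = & nltest.exe "/sc_query:$domain" 2>&1
$report['SecureChannelOk']     = ($LASTEXITCODE -eq 0)
$report['SecureChannelDetail'] = ($scOutput | Out-String).Trim()

# 2. The two LSA values the message names. A missing value is reported as
#    'not configured' rather than as 0, because the two are not the same thing.
#    LmCompatibilityLevel 0 corresponds to "Send LM & NTLM responses".
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'LmCompatibilityLevel', 'RestrictAnonymous') {
    $item = Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $report[$name] = $item.$name }
    else                 { $report[$name] = 'not configured' }
}

# 3. Netlogon session-setup failures (event IDs 5721 and 5722) in the System log.
#    @(...) keeps the result an array, so Count is 0 when nothing matches.
$since  = (Get-Date).AddDays(-7)   # constructed window, adjust as needed
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5721, 5722
        StartTime    = $since
    } -ErrorAction SilentlyContinue)
$report['NetlogonFailures'] = $events.Count

# Summary first, then the matching events (if any) for review.
[pscustomobject]$report | Format-List
$events | Select-Object TimeCreated, Id, MachineName, Message | Format-List
```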