Re: Some users unable to log into domain.




Hi

Check this, for DNS configuration:
- Make sure that every domain controller has its DNS properties under NIC
configuration pointing to itself. (If the DC IP address is 10.0.0.1 then DNS
should be 10.0.0.1).

- Make sure that every DNS server can resolve all domains in the forest.
(Use Forwarding, Stub Zones or Secondary Zones).

- Make sure that all clients use only the local DNS server(s).



How Domain Controllers Are Located in Windows

http://support.microsoft.com/kb/247811/

DNS Conditional Forwarding in Windows Server 2003

http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

DNS Stub Zones in Windows Server 2003

http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain

http://support.microsoft.com/kb/255248/


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
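
The first and third checks in the reply above can be run against saved `ipconfig /all` output. The following Python is an added example, not part of the original post; the sample output, the host name desk01, the 203.0.113.53 resolver and the function names are constructed for illustration.

```python
import re

# Constructed `ipconfig /all` output for a workstation (not taken from the thread).
# 10.0.0.1 is the DC/DNS address from the post's example; 203.0.113.53 stands in
# for an ISP resolver set as secondary DNS.
SAMPLE_CLIENT = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : desk01
   Primary Dns Suffix  . . . . . . . : celerant.local

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.0.0.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.254
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       203.0.113.53
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FIELDS = {"ip address": "ip", "ipv4 address": "ip", "dns servers": "dns"}

def parse_ipconfig(text):
    """Collect adapter addresses and DNS servers, including continuation lines."""
    found, current = {"ip": [], "dns": []}, None
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z][A-Za-z0-9 ]*?)[ .]*: ?(.*)$", line)
        if m:  # "Label . . . : value" starts a new field
            current, value = FIELDS.get(m.group(1).strip().lower()), m.group(2)
        elif current and re.fullmatch(r"\s+" + IPV4 + r"\s*", line):
            value = line  # indented bare address continues the previous field
        else:
            current = None
            continue
        if current:
            found[current] += re.findall(IPV4, value)
    return found

def audit(text, internal_dns, is_dc=False):
    """Return findings for the DNS settings in one host's ipconfig output."""
    cfg, issues = parse_ipconfig(text), []
    if not cfg["dns"]:
        issues.append("no DNS servers configured")
    for server in cfg["dns"]:
        if server not in internal_dns:  # clients must use only internal DNS
            issues.append(f"non-internal DNS server configured: {server}")
    if is_dc and not set(cfg["dns"]) & set(cfg["ip"]):  # DC must point to itself
        issues.append("domain controller does not list its own address as DNS")
    return issues
```

Calling `audit(SAMPLE_CLIENT, {"10.0.0.1"})` flags the 203.0.113.53 entry; pass `is_dc=True` for output collected on a domain controller.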

"Steven Platt" <me@xxxxxxxxxxx> wrote in message
news:O%23uHEOBlGHA.3720@xxxxxxxxxxxxxxxxxxxxxxx
I will try to find the docs that I followed when I was having major DNS
problems... I guarantee that is your problem. I highly doubt routing has
anything to do with it. What version of Windows Server are you running?

-Steven-
"quilty" <gtouss@xxxxxxxxx> wrote in message
news:1150745679.182268.189430@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
At the risk of spamming, here's another potential clue:

FROM THE LOCAL MACHINE:
I can ping localmachine.domain (name.celerant.local)
however, I cannot ping server.domain

FROM THE SERVER
I can ping server.domain
I cannot ping localmachine.domain

So it seems that name interpretation is ok, but perhaps a problem with
the routing.


Could this then be a problem with the DNS/static IPs I have assigned on
the terminals?
Forget the static IPs.. however, I now have the internal address of the
DNS server as the primary DNS at both stations, and our internet DNS as
the secondary DNS for both stations. Still no luck.

Argh.

quilty wrote:
I think you might be onto something, as I realized that I can ping the
internal address of the domain, however, I could not ping the name of
the domain from a command prompt.

I'm a little iffy as to how the DNS was supposed to be set up. (It did
pass all of the tests you suggested, but the DNS is the same server as
the PDC, so I don't see how it could really fail them.)

I have a forward lookup zone (I simply called it celzone) created. I
figured I would try now to make a new 'host' because I could not ping
the name of the domain server. I made the new host (celerant.local,
which shows that it creates celerant.local.celzone) and entered the
appropriate IP, but as it stands, I still cannot ping celerant.local,
celerant.local.celzone, OR <machine_name>.celerant.local



Was I supposed to right click and make a "New Domain" to put this host
in?


Steven Platt wrote:
It may have been working in the past and now it isn't. I would really
suggest you look into your DNS integrity. For some reason that computer
cannot contact your domain controller upon login. In MMC (the DNS snap-in)
right-click on your server then choose properties-->Monitoring Tab-->run
those tests. I would also direct you to check the MS site for some DNS
troubleshooting docs. There are tons of them (I had to fix mine a while
back).

-Steven-
"quilty" <gtouss@xxxxxxxxx> wrote in message
news:1150736922.263189.208110@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Actually, it is not. As of now, this is the only desktop which has
joined the domain, which I am using to test. As it stands now (through
some more investigation), only one account login is able to currently
access the domain, and all other accounts receive the same error
message.

If one login was able to contact the domain, why wouldn't another be
able to from the same rig?

Thanks,
Gerard
Steven Platt wrote:
It just means that it can't contact the domain controller to authenticate.
The reason you can login with that other user is probably because at one
point the computer could contact the domain controller and authenticate.
When you authenticate for the first time, by default, Windows will cache
the login information. Hence, even if the computer cannot contact the
domain controller it will still login. Is this computer in question
perhaps a wireless computer?

-Steven-
"quilty" <gtouss@xxxxxxxxx> wrote in message
news:1150734401.323372.243320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Testing to slowly move over 40-50 computers to a domain.. but only
dealing with one XP box other than the server for now.

Anyway, I am able to log into the domain on my PC, using one username.
(No roaming or managed profiles), and experience no problems. The
security is just as it should be.

Now, I want to log into this same PC with one of the higher-access
accounts (as well as the domain's admin account itself), and it fails
under the error message

'Cannot log you in now because the domain <DOMAIN NAME> is not
available'

This is strange for a few reasons, mainly:
1) I can switch back to the reduced access account and it does work
fine.
2) I've tried two logins featured under the domain admins group, as well
as added these individual user accounts to the access of this computer
[I did create an entry for this PC in an OU titled desktops] just
in case there was a problem with the domain admins group, and to no
avail.
3) I removed these users from alternate groups, on the chance that
another group which they were in would diminish their status as a
domain admin for some reason.
4) I confirmed that this user has full logon times, and 'Log On To...'
is set to allow connections to all computers.

I'm completely lost at this point. The only other security option I
attempted to enable was "deny log on locally" which I disabled. Any help
is appreciated....






