Re: Windows cannot connect to the domain & Event ID 3210 5722 - Lots of Details!



Should be:

Dsquery computer /stalepwd <numdays> | dsmod computer /disabled yes
Or
Dsquery computer /inactive <numweeks> | dsmod computer /disabled yes

Latter relies on w2k3 domain mode.



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
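An added PowerShell equivalent of the audit above (example code, not from this thread or from the poster): it assumes the ActiveDirectory RSAT module, a 90-day threshold, and an optional OU to scope the query; it reports first and only previews the disable with -WhatIf.

```powershell
# Added example, not from the thread: PowerShell equivalent of
#   dsquery computer /stalepwd <numdays> | dsmod computer /disabled yes
# Assumes the ActiveDirectory RSAT module and rights to read/modify computer objects.
Import-Module ActiveDirectory

function Find-StaleComputerAccount {
    param(
        [int]$StaleDays = 90,   # well past the 30-day Netlogon rotation
        [string]$SearchBase     # optional OU distinguished name to scope the query
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # pwdLastSet is replicated, so any DC can answer. lastLogonTimestamp is
    # replicated too but lags by up to 14 days, so treat it as a cross-check only.
    $query = @{
        Filter     = { PasswordLastSet -lt $cutoff -and Enabled -eq $true }
        Properties = 'PasswordLastSet', 'LastLogonTimestamp', 'OperatingSystem'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query | ForEach-Object {
        $lastLogon = if ($_.LastLogonTimestamp) {
            [DateTime]::FromFileTime($_.LastLogonTimestamp)
        } else { $null }
        $daysSincePwd = if ($_.PasswordLastSet) {
            [int]((Get-Date) - $_.PasswordLastSet).TotalDays
        } else { $null }   # pwdLastSet of 0: account never set a password
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            PasswordLastSet = $_.PasswordLastSet
            LastLogon       = $lastLogon
            DaysSincePwd    = $daysSincePwd
            ADObject        = $_
        }
    }
}

# Report first; disabling stays a separate, explicit step.
$stale = Find-StaleComputerAccount -StaleDays 90
$stale | Sort-Object PasswordLastSet |
    Format-Table Name, OperatingSystem, PasswordLastSet, LastLogon, DaysSincePwd -AutoSize

# Equivalent of "| dsmod computer /disabled yes". -WhatIf only previews the change;
# drop it (and pass -Confirm:$false) once the list has been reviewed.
$stale | ForEach-Object { $_.ADObject } | Disable-ADAccount -WhatIf
```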

"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:uPJsZNLQIHA.4684@xxxxxxxxxxxxxxxxxxxxxxx
Here is some info I will pass along from someone I know; I don't want to
put down the name or take credit for the response.

Machine accounts do expire after 30 days by default. If the workstation
has been off for 45 days, for example, then it will change its password a
few minutes after its first reboot (basically after the Net Logon service
starts, as the Net Logon service initiates the password change process).


A test that can be run is to look for workstations that have not logged on
for this duration, the command to use is:

Dsquery user /stalepwd <numdays> | dsmod user /disabled yes

Or

Dsquery user /inactive <numweeks> | dsmod user /disabled yes

Latter relies on w2k3 domain mode.




So in a nutshell, the main reasons for people getting this issue are
things like duplicate SPNs/UPNs, deleted computer accounts, the computer
account not being replicated to all domain controllers, and time not in sync
during the password change process between the DC and the client.


As for fixing this issue, it's all about resetting the secure channel,
resetting the computer password on the AD object or, in an extreme case, disjoining
and rejoining the domain.



"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23LVRh2YPIHA.3516@xxxxxxxxxxxxxxxxxxxxxxx
I have got some info but not all yet, but my details previously provided
are incorrect. I am waiting on some additional details; when I get them, I
will post them.


"JayDee" <dopamine@xxxxxxxx> wrote in message
news:e04977a1-7221-4bbd-970f-854ada470187@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Dec 12, 11:19 am, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
The way I understand it, it isn't the number of days off but if the machine
is turned on when the change takes place. So if you turn it off on day 28
and it is off for 3 days then it was off over the 30 day change.

I will run this by some other folks and get back to you in the next day or
so. I will have to wait for an answer.


"JayDee" <dopam...@xxxxxxxx> wrote in message

news:1c9acc4a-733f-43a1-9d83-2fd9190b0d06@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



On Dec 12, 6:04 am, "Paul Bergson [MVP-DS]"
<pbergson@xxxxxxxxxxxxxxxxx> wrote:
When a machine joins the domain (Domain Controllers are included in this) it
is assigned a password. When you reboot it, when the machine is starting
back up it is required to log onto the domain, just like a user account. By
default the password is changed every 30 days; if your machine has been
turned off over the change, the machine is unable to log back on until you
either remove and re-add the machine to the domain -or- use nltest or
netdom to reset the machine account.

http://support.microsoft.com/kb/216393/en-us

http://support.microsoft.com/default.aspx?scid=kb;en-us;154501


"JayDee" <dopam...@xxxxxxxx> wrote in message

news:689dae55-eadd-4cf2-b449-004be24fb81b@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

There have been numerous posts regarding this over the past year, but
virtually all of them offer the suggestion of removing the computer
from the domain, adding it to a workgroup, then without rebooting
adding it back to the domain. My concern, however, is that we're
starting to see this on a number of computers and I need to understand
why.

The problem is as follows:

We have some Windows XP devices that were removed from the network for
a week or two then powered back on. They now receive the following
error when powered back up and as a result, my only choice is to log
on with the administrator ID:

"Windows cannot connect to the domain, either because the domain
controller is down or otherwise unavailable, or because your computer
account was not found."

1) Once logged on, the System Event Log on the XP workstation had the
following message:

Event ID: 3210
"This computer could not authenticate with \\dc.domain.com, a Windows
domain controller for domain DOMAIN, and therefore this computer might
deny logon requests. This inability to authenticate might be caused by
another computer on the same network using the same name or the
password for this computer account is not recognized. If this message
appears again, contact your system administrator."

2) The domain controller which attempted to authenticate the computer had
this error:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description: The session setup from the computer ComputerName failed
to authenticate. The name of the account referenced in the security
database is AccountName$.
The following error occurred:
Access is denied.

3) I discovered that the computer is still registering with WINS (yes,
we still have it around) but NOT registering with Dynamic DNS for the
Active Directory domain it is a part of. I tried rebooting and also
doing an "IPCONFIG /registerdns" to no avail. I also confirmed correct
DNS addresses and there is only one network card in the computer. I
also confirmed that the workstation can, in fact, PING all DCs in
its site including the one in #2 above.

I tried adding a record for this computer into DNS manually just to
see what would happen - no change.

So again, I know it will probably work to add it to a workgroup and
then back to the domain, but I need to understand why this is
happening.

Here are some of the things I ruled out:

* I have confirmed that the computer has been off-line for less than
the number of days in the "HKLM\System\CurrentControlSet\Services
\Netlogon\Parameters\maximumpasswordage" key.

* The computer has not been rebuilt using the same name without first
deleting the old name in the domain

* The computer name does not exist in any other DNS domains

I'm at a loss, please help!!

Thank you very much!!

- JayDee

Paul, thanks - but I covered that in my original email - excerpt
below. Any other ideas?

* I have confirmed that the computer has been off-line for less than
the number of days in the "HKLM\System\CurrentControlSet\Services
\Netlogon\Parameters\maximumpasswordage" key.

- JayDee

That would mean that in a large company that is environmentally
conscious and makes all the employees turn their computers off over
the weekend would have many, many problems every Monday morning. That
doesn't sound right.

Thanks for looking into this and any other reason why this issue may
be occurring in our environment. It seems affected machines have been
recently moved to a different subnet (which should not matter) and
they all share a common OU (which has not recently been restored - and
not all the computers in the OU are affected). And just as a reminder,
the affected computers do not have an entry in DNS, but that entry is
properly added back when the machine is removed and re-added to the
domain.

- JayDee
