Joining NT4 to a Windows 2000 domain; secure channel prob?



Hi,

I have a single-server Windows 2000 domain with about 20 client
machines that's worked perfectly for over a year.
Today, for no reason I can discern, the 4 legacy NT4 workstations we
run have lost the ability to log on to the domain.

All the remaining Windows 2000/2003/XP clients are fine.

Trying to log on with a domain account pops up the error:

code:The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password is incorrect.

The following is in the NT4 event log:

code:NETLOGON: Failed to authenticate with \\MYPDC, a Windows NT domain controller for domain MYDOMAIN.

Logging in with a local account and browsing to \\MYPDC prompts for a
user/password, which if entered gives me access to network resources.

Attempting to browse one of the workstations via \\MYNT4WORKSTATION on
the DC pops up:

code:\\MYNT4WORKSTATION is not accessible.
The trust relationship between this workstation and the primary domain failed.

I've tried the recommended method for fixing the secure channel;
disjoining the workstation by giving it a workgroup name, deleting the
computer account from the DC, rebooting and rejoining; but this does
not work.
(If I provide a domain admin account to create the computer account I
receive a "Welcome to the MYDOMAIN domain!" message & the
MYNT4WORKSTATION is visible in "Computers" on the DC)

On the NT4 workstation I have also tried:

code:>netdom /domain:MYDOMAIN member MYNT4WORKSTATION /joindomain
Searching PDC for domain MYDOMAIN ...
Found PDC \\MYPDC
Connecting to \\MYPDC ...
Querying domain information on PDC \\MYPDC ...
Querying domain information on computer \\MYNT4WORKSTATION ...
Computer \\MYNT4WORKSTATION is already a member of domain MYDOMAIN.
Verifying secure channel on \\MYNT4WORKSTATION ...

Secure channel failed. Access is denied.

Either the DC used for the secure channel is not synchronized with
the PDC, or the computer account's password is incorrect.

Connecting to \\MYPDC ...
Resetting secure channel ...
Changing computer account on PDC \\MYPDC ...
Updating trusted domain ...
Changing startup of service NETLOGON on \\MYNT4WORKSTATION.
Stopping service NETLOGON on \\MYNT4WORKSTATION ... stopped.
Starting service NETLOGON on \\MYNT4WORKSTATION .... started.
Querying user groups of \\MYNT4WORKSTATION ...
Adding MYDOMAIN domain groups on \\MYNT4WORKSTATION ...
The computer \\MYNT4WORKSTATION joined the domain MYDOMAIN successfully.
Logoff/Logon \\MYNT4WORKSTATION to take modifications into effect.

(The above doesn't allow me to log on)

>nltest /sc_query:MYDOMAIN
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully

>nltest /dctrust:MYDOMAIN
NetGetAnyDCName failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

On the DC:

code:>netdom reset MYNT4WORKSTATION /domain:MYPDC.MYDOMAIN
The trust relationship between this workstation and the primary domain failed.

Nothing is logged in the DC's event log.
DNS seems to be ok; NSLOOKUP on the workstations lists my PDC & can
resolve local & internet names.
DCDIAG/NETDIAG/REPADMIN report no problems.

Any suggestions as to what else I can try?