Re: Cannot locate Domain after migrate from NT to Win2K3



Thanks Vincent.

I don't think the "Log on locally" permission has been revoked from the
local administrators. If the permission were set to deny "log on locally",
I could not use the domain admin (and/or the general domain user accounts)
to log on to those PCs and see the Windows NT Workstation desktop. Please
correct me if I'm wrong.

P.S.: If I use the same Domain Admin and/or Domain User account to log on
to the Windows NT Workstations that have *NO* problem, it works fine.



"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:1dMxPcnmGHA.132@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Tony,

From the error message, it seems that the "Log on locally" permission has
been revoked from the local administrators, so they cannot log on. In
addition, there are some problems with the security channel between the
server and the domain controller. I understand that this server is
important to the client, and we will be more cautious in troubleshooting.
Considering the current situation, let us perform the following
suggestions to give local administrators the "Log on locally" right:

Step 1: Grant "Log on locally right"
---------------------------------
Let us use the NTRights tool included in the Windows 2000 Resource Kit to
grant the local administrator the "Log on locally" right. For example, you
can log on as a user who has administrator rights and run the following
command on another computer (the right name is case-sensitive):

ntrights +r SeInteractiveLogonRight -u "<ServerName>\administrator" -m \\<ServerName>

Please replace <ServerName> with the name of the problematic server. For
more information, please refer to the following Microsoft Knowledge Base
article:

279664 How to Set Logon User Rights with the Ntrights.exe Utility
http://support.microsoft.com/?id=279664

Check whether you can log on to the server as local administrator now.

Step 2: Check domain group policies
-----------------------------------
It is possible that the "Log on locally" group policy was defined by some
domain group policies. Please check the "Default domain policy" and any
other policies that may apply to the problematic server to ensure that the
"Log on locally" and "Deny log on locally" group policy is set to
"Not defined".

After that, please refresh the group policy on the domain controller and
the problematic server. If you do not want to reboot the Windows 2000
server, you can telnet to the server and run the secedit command:

1. On Computer B, click Start -> Run, type "cmd" in the text box, and
   click OK.
2. Type the "telnet <IP of computer A> 23" command, and press Enter.
   Please replace "<IP of computer A>" with the IP address of computer A.
3. In the Command window, run the following command:

Secedit /refreshpolicy machine_policy /enforce

We can use the Netdom tool to reset the security channel between the
server and the domain controller. To do so, please refer to the following
Microsoft Knowledge Base article:

216393 Resetting computer accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?id=216393

If this problem continues and you can log on as local administrator,
please refer to the following Microsoft Knowledge Base article to perform
further troubleshooting:

810497 "System Cannot Log You On to This Domain" Error Message When You Try to
http://support.microsoft.com/?id=810497

Hope this helps.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================



--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
Subject: Re: Cannot locate Domain after migrate from NT to Win2K3
Date: Wed, 28 Jun 2006 10:01:22 +0800
Newsgroups: microsoft.public.windows.server.migration

Yes, all those 6 workstations' DNS and WINS point to DC2 (operations master).


"Don Wilwol" <donWilwol@(EMAIL)yahoo.com> wrote in message
news:OtKbzZemGHA.3732@xxxxxxxxxxxxxxxxxxxxxxx
Next thing to check would be DNS. Is the workstation pointed to the right
DNS server?

--
--------
Hope It Helps!

dw
_______________________________
Don Wilwol
Distributed Application Technologies.
dwilwol(DELETE)@datbusiness.com
www.AtTheDataCenter.com (personal website)
www.skysphere.com (hosting available)


"tony@i-cable" <tony@xxxxxxxxxxxx> wrote in message
news:e$rjpRdmGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
I did. I followed this http://support.microsoft.com/kb/255504/en-use to
transfer FSMO roles.


"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:bGqpygcmGHA.4528@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I'd like to suggest you transfer FSMO to the Windows server 2003 DC to see
the results.


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
Subject: Re: Cannot locate Domain after migrate from NT to Win2K3
Date: Mon, 26 Jun 2006 18:56:08 +0800
Newsgroups: microsoft.public.windows.server.migration

Finally I demoted all Win2K3 servers and turned on my backup BDC.
Everything seems OK now.


"tony@i-cable" <tony@xxxxxxxxxxxx> wrote in message
news:eSWwIyOmGHA.4100@xxxxxxxxxxxxxxxxxxxxxxx
I found it.

I have 2 domain controllers; the computer names are DC1 and DC2.

Both Operations masters are DC2.aa.bbb.com.

Now I have a few Win2K users who also have a logon problem; they get the
"The system cannot log you on to this domain because the system's computer
account in its primary domain is missing or the password on the account is
incorrect." error message.


"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:A72yXkOmGHA.4928@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,

To identify the PDC emulator

1. Open Active Directory Users and Computers.
2. Right-click Active Directory Users and Computers and click Operations
   Masters.
3. On the PDC tab, the name of the current PDC emulator appears in
   Operations master.

Check if PDC is assigned.

Thanks.


Best regards,

Vincent Xu
Microsoft Online Partner Support




--------------------
From: "tony@i-cable" <tony@xxxxxxxxxxxx>
Subject: Cannot locate Domain after migrate from NT to Win2K3
Date: Mon, 26 Jun 2006 12:40:09 +0800
Newsgroups: microsoft.public.windows.server.migration

After migrating the PDC from NT Server to Windows 2003 Standard, I have a
number of users who cannot locate the domain controller, even though I did
a clean install of the Win NT Workstations. Any idea?
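
Added example, not part of the thread or of any poster's reply: Steps 1 and 2 of Vincent Xu's reply turn on whether "Log on locally" is granted and whether "Deny log on locally" overrides it. The Python sketch below audits those two rights in a security-template export of the kind `secedit /export /cfg` writes; the sample INF text and the function names are constructed for illustration, and the caller is assumed to pass the account name together with the SIDs or names of the groups it belongs to.

```python
# Added example: audit "Log on locally" rights in a security-template (INF) export.
ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

# Constructed sample, shaped like the [Privilege Rights] section of an export.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = Guest,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def _norm(principal):
    # Exports prefix SIDs with '*'; compare names and SIDs case-insensitively.
    return principal.strip().lstrip("*").lower()

def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                        # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()    # entering a new section
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {_norm(p) for p in value.split(",") if p.strip()}
    return rights

def logon_locally_status(inf_text, identities):
    """Classify an account given its own name plus its group SIDs/names.

    A deny entry wins over an allow entry, so it is checked first.
    """
    ids = {_norm(i) for i in identities}
    rights = parse_privilege_rights(inf_text)
    if ids & rights.get(DENY, set()):
        return "denied"
    if ids & rights.get(ALLOW, set()):
        return "allowed"
    return "not granted"
```

In the constructed sample, BUILTIN\Administrators (S-1-5-32-544) appears under both rights, so an administrator account is reported as denied even though the allow right lists it.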