RE: Certain clients not able to bind to domain or receive group policy

Hi Bill,

Thank you for posting in SBS newsgroup.

From the description, I understand the issue to be: Certain users can not
logon to domain and get errors when they logon to client computer. If I
have misunderstood your concerns, please do not hesitate to let me know.

Actually this issue can occur if the user accounts or computer accounts are
corrupted. To narrow down the problem, would you please help me collect the
following information?

1. Have you made any changes on these problematic users or computers?
2. When does the situation occur?
3. Do you have sufficient CALs on SBS?
4. Does the situation occur when the problematic users logon to all
computers?
5. Are there any related error in event log on SBS?

Currently please try the following steps:

For problematic users:

1. Open the Server Management console.
2. Click Change User permission properties in the task pad.
3. In the template selection page of the wizard, please choose User
Template.
4. In the same page, please click "Add permissions to any previous
permissions granted to the users".
5. In the User Selection page, please click the problematic users in the
users list and click Add to add them.
6. Finish the wizard and test your issue again.
7. If it does not help, please try to remove the account and recreate the
user account to see how thing goes.

For problematic computers:

Please disjoin and rejoin the computers to the domain:

1. In client computer, right-click My Computer and then select Properties.
2. In Computer Name tab, click Change and the change the computer from
Domain to Workgroup.
3. Reboot the machine.
4. Log on as a local administrator account
5. In client computer, open IE and run http://servername/connectcomputer
6. Follow the wizard to finish.
7. If it does not help, you may need to open the Computers or My
Business\Computers\SBSComputers container. Right click on a computer
account and choose Delete.
8. Please try to join the clients into the domain again.

Also please make sure all clients point to the SBS server's internal IP
address as their ONLY DNS server. Also both network adapters on the SBS
server are pointing to the SBS internal IP address of the only DNS server.
In DNS, use forwarder to forward all name resolution requests to the ISP's
DNS server. For more information, please refer to the following Microsoft
Knowledge Base article:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

More information:

823712 Event IDs 40960 and 40961 in the System Event Log When You Restart
http://support.microsoft.com/?id=823712

824217 LSASRV Event IDs 40960 and 40961 When You Promote a Server to a
Domain
http://support.microsoft.com/?id=824217

826819 The Server Stops Responding and an Access Violation Occurs in
Lsass.exe
http://support.microsoft.com/?id=826819

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Certain clients not able to bind to domain or receive group
policy
| | From: =?Utf-8?B?QmlsbCBB?= <BillA@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Certain clients not able to bind to domain or receive group
policy
| Date: Mon, 13 Mar 2006 22:08:26 -0800
| | Newsgroups: microsoft.public.windows.server.sbs
||
| I have an SBS 2003 Server and certain clients are getting problems with
it.
| They cannot log in for a long time, and when they do, it comes up with
errors
| like:
| (these errors come up on the workstation, not the server):
|
| Event 40961
| LSASRV
| The security system could not establish a secured connection with the
| server. No authentication protocol was available.
|
| Event 40960
| SPNEGO
| The Security System detected an attempted downgrade attack for server
| ldap/sbs.mydomain.com/mydomain.com@xxxxxxxxxxxxx The failure code from
| authentication protocol Kerberos was "There are currently no logon
servers
| available to service the logon request.
| (0xc000005e)".
|
| Event 1006
| Windows cannot bind to mydomain.com domain (local error). Group policy
| processing aborted.
|
| Event 1030
| UserENV
| Windows cannot query for the list of Group policy objects. A message
that
| describes the reason for this was previously logged by the policy engine
|
|
| When the server is rebooted, these problems do not come up for several
| hours. When they do come up, it is with certain users on certain
| workstations. If user "a" logs into a workstation, they may do so with
no
| problem. However, if user "b" logs into the very same problem, these
issues
| will come up.
|
| The DNS tests all check out. I can connect to the sysvol share on the DC.
|
| Any ideas?
|
| Thank you.
|
|
|
|
|
|
|
|
|

.

Relevant Pages

  • RE: Cant set Local Security policies. They fail to save
    ... predefined Security Template on SBS 2003 to restore security groups ... run "gpupdate.exe /force" under command prompt to force the policy ... reboot the Server to test. ... and then logon to client computer to test if user can save system logs. ...
    (microsoft.public.windows.server.sbs)
  • RE: Lost TS to SBS2003 Server
    ... I found my issue - the Default Domain Controller Group Policy did not have ... Paul Bockmann ... To log on to this remote computer, you must have Terminal Server User ... However when you logon locally, the error "The local policy of this system ...
    (microsoft.public.windows.server.sbs)
  • Re: Prevented from adding users
    ... but disabling will allow the clients to make a ... connection without the (there is a policy in affect...) message. ... setting I should configure my print server name? ... This policy setting restricts the servers that a client can ...
    (microsoft.public.windowsxp.print_fax)
  • RE: HELP!!!!
    ... I understand that users can not logon to the SBS ... server computer side) or when users logon the server using Remote Desktop ... The error "The local policy of this system does not permit you to log on ...
    (microsoft.public.windows.server.sbs)
  • RE: remote desktop problem (server to client machine)
    ... I understand that cannot RDP from SBS Server to client workstation. ... Double click the "Access this computer from the network" policy and make ... Double click the "Allow logon through Terminal Services" policy and make ...
    (microsoft.public.windows.server.sbs)
Loading