Domain Users can't Logon - Windows Server 2003


  • Domain Users can't Logon - Windows Server 2003

    We've had Windows Server 2003 set up for about two years now and haven't had too many issues with it up until this point. Here is an outline of the problem:

    A select (and growing) list of users can only log into the domain about 20% of the time. They are spread out between two adjacent buildings. On logon it will either say the domain can't be accessed or the user account doesn't exist. However, when I log on with the local administrator account I can access the network. It even accepts the same username/password to access the various network folders. It may also be important to note that we're running a static IP setup.

    About 50% of the time this problem can be resolved for the day if I unplug the computer from the router, restart and then plug the LAN cable back in. I've tried swapping out routers, but it hasn't affected the results. I can't find any related events in the event log.

    I'm open to any and all suggestions on why it randomly decides not to recognize domain accounts on the main logon screen, but will accept them when accessing folders on the network from the local administrator account.

    I'm not exactly sure which direction to go with this problem, because I've yet to find a solid pattern in this failure.

  • #2
    Re: Domain Users can't Logon - Windows Server 2003

    How many licenses do you have / is License Service running?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Domain Users can't Logon - Windows Server 2003

      You are probably going to get more questions than answers at this point.

      Can you ping the client computer when the problem happens?
      Does it happen on all or on specific computers ?
      Have you got any time restriction applied to users Logon Hours?
      Do you use GPOs?

      Ta
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR



      • #4
        Re: Domain Users can't Logon - Windows Server 2003

        Thanks for the quick replies!

        Yes, I can still ping the client computers when the problem is occurring. It really only appears to be affecting the logon to the domain and refuses to recognize any active directory user accounts. I just had a user today that had this problem happen every morning for a week be able to logon with no problem.

        The licensing is running properly and we have more than enough licenses for the actual number of users that would be logged in at the same time.

        We don't have any GPOs set up at this time and there are no restricted hours set up on any users.



        • #5
          Re: Domain Users can't Logon - Windows Server 2003

          A licensing problem/deficiency would not prohibit clients from logging on to the domain. This sounds like a DNS or network problem. Have you run dcdiag and netdiag? Also, a GPO setting or a logon hour restriction would be a very distinct, regular occurrence. It would not cause random problems like you have.



          • #6
            Re: Domain Users can't Logon - Windows Server 2003

            Originally posted by joeqwerty:
            A licensing problem/deficiency would not prohibit clients from logging on to the domain. This sounds like a DNS or network problem. Have you run dcdiag and netdiag? Also, a GPO setting or a logon hour restriction would be a very distinct, regular occurrence. It would not cause random problems like you have.
            No, I've yet to use dcdiag or netdiag. If you wouldn't mind telling me the best uses of these tools to help resolve my problem, that would be very helpful to me. I'm ashamed to admit it, but I'm still just a student. I have basic Windows Server knowledge, but I'm not yet accustomed to troubleshooting other people's configurations (especially when the OS is in Japanese haha).



            • #7
              Re: Domain Users can't Logon - Windows Server 2003

              Nothing to be ashamed of. We all start out the same. Here's everything you ever wanted to know about dcdiag and netdiag:

              http://technet.microsoft.com/en-us/l.../cc776854.aspx

              http://www.microsoft.com/technet/pro....mspx?mfr=true



              • #8
                Re: Domain Users can't Logon - Windows Server 2003

                I've noticed a large number of replication errors between two of the domain controllers. This network was set up by an external vendor about two years ago and I've noticed that in some cases it hasn't replicated properly since 2006. Could a replication problem affect domain logon? The replication problem seems to have been around for a while, so I'd assume that isn't the case.

                Here are some of the errors I've gotten (replaced some things with *** for privacy):

                DCDIAG:


                DC=DomainDnsZones,DC=**,DC=co,DC=jp
                Last replication recieved from SVR4 at 2006-06-18 10:59:25.
                WARNING: This latency is over the Tombstone Lifetime of 60 days!
                DC=ForestDnsZones,DC=**,DC=co,DC=jp
                Last replication recieved from SVR4 at 2006-06-18 11:36:33.
                WARNING: This latency is over the Tombstone Lifetime of 60 days!
                CN=Schema,CN=Configuration,DC=**,DC=co,DC=jp
                Last replication recieved from SVR4 at 2006-06-18 11:57:28.
                WARNING: This latency is over the Tombstone Lifetime of 60 days!
                CN=Configuration,DC=**,DC=co,DC=jp
                Last replication recieved from SVR4 at 2006-06-18 10:59:20.
                WARNING: This latency is over the Tombstone Lifetime of 60 days!
                DC=**,DC=co,DC=jp
                Last replication recieved from SVR4 at 2006-06-18 11:44:32.
                WARNING: This latency is over the Tombstone Lifetime of 60 days!

                Starting test: FsmoCheck
                Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
                A Global Catalog Server could not be located - All GC's are down.
                ......................... ****.co.jp failed test FsmoCheck

                NetDiag:

                PASS - All the DNS entries for DC are registered on DNS server '***.117.186.4' and other DCs also have some of the names registered.
                [WARNING] The DNS entries for this DC are not registered correctly on DNS server '***.117.186.217'. Please wait for 30 minutes for DNS server replication.
                [WARNING] The DNS entries for this DC are not registered correctly on DNS server '***.117.203.203'. Please wait for 30 minutes for DNS server replication.
                [WARNING] The DNS entries for this DC are not registered correctly on DNS server '***.117.203.3'. Please wait for 30 minutes for DNS server replication.
                [WARNING] The DNS entries for this DC are not registered correctly on DNS server '***.199.160.67'. Please wait for 30 minutes for DNS server replication.
                [WARNING] The DNS entries for this DC are not registered correctly on DNS server '***.199.192.116'. Please wait for 30 minutes for DNS server replication.

                If you can think of any other information I could pull using these tools let me know. I'm fairly confident now that this is a DNS, Active Directory or replication error of sorts.

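One way to triage saved dcdiag output like the excerpt in post #8, as an added example that is not code from the thread: it recomputes the age of each inbound replication link against the tombstone lifetime and lists the tests that failed. The sample text, host names, domain and reference date are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample modelled on the dcdiag excerpt in post #8; names and dates are invented.
SAMPLE = """\
DC=DomainDnsZones,DC=example,DC=test
Last replication recieved from DC02 at 2006-06-18 10:59:25.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Configuration,DC=example,DC=test
Last replication recieved from DC02 at 2008-05-30 09:15:00.
DC=example,DC=test
Last replication recieved from DC03 at 2008-03-01 08:00:00.
Starting test: FsmoCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
......................... example.test failed test FsmoCheck
"""
REFERENCE_NOW = datetime(2008, 6, 10)  # constructed "time of the report"

# A naming-context line is a bare distinguished name such as DC=...,DC=...
DN_RE = re.compile(r"^\s*((?:CN|DC)=\S+)\s*$")
# The output quoted above spells it "recieved"; accept the correct spelling too.
REPL_RE = re.compile(
    r"Last replication rec(?:ie|ei)ved from (\S+) at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
FAILED_RE = re.compile(r"failed test (\w+)")

def stale_partitions(text, now, tombstone_days=60):
    """Return (partition, source DC, age in days) for links older than the tombstone lifetime."""
    stale, partition = [], None
    for line in text.splitlines():
        dn = DN_RE.match(line)
        if dn:
            partition = dn.group(1)  # remember which naming context follows
            continue
        repl = REPL_RE.search(line)
        if repl and partition:
            last = datetime.strptime(repl.group(2), "%Y-%m-%d %H:%M:%S")
            age = (now - last).days
            if age > tombstone_days:
                stale.append((partition, repl.group(1), age))
    return stale

def failed_tests(text):
    """Return the names of dcdiag tests reported as failed."""
    return FAILED_RE.findall(text)

if __name__ == "__main__":
    for part, dc, age in stale_partitions(SAMPLE, REFERENCE_NOW):
        print(f"STALE {age:>4}d  {part}  (last inbound from {dc})")
    print("Failed tests:", ", ".join(failed_tests(SAMPLE)) or "none")
```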


                • #9
                  Re: Domain Users can't Logon - Windows Server 2003

                  These domains are in different physical locations, right? If so, how are they connected: WAN, VPN?

                  You probably have two problems:

                  1. A network problem that causes AD communication and replication problems. This will also cause DNS communication and replication problems.

                  2. An inconsistent AD/DNS database because of the network problem.

                  Open up ADUC and connect to each DC in turn and see if you see the same objects.

                  Can you bring the DC from the secondary office over to the primary office? If so, you could change its IP address to fit on the primary office LAN and see if replication heals itself. Also, make both DCs also GCs. In a single forest there's no reason not to.



                  • #10
                    Re: Domain Users can't Logon - Windows Server 2003

                    Alternatively you could dcpromo and demote the DC at the secondary office, let AD on the primary office DC quiesce and re-dcpromo the secondary office DC. Check to see which DC holds all FSMO roles and dcpromo the OTHER DC.



                    • #11
                      Re: Domain Users can't Logon - Windows Server 2003

                      Originally posted by joeqwerty:
                      Alternatively you could dcpromo and demote the DC at the secondary office, let AD on the primary office DC quiesce and re-dcpromo the secondary office DC. Check to see which DC holds all FSMO roles and dcpromo the OTHER DC.
                      Thanks for shedding some light on a direction to take. I'll let you know tomorrow how some of the changes I've made have turned out. Have to wait until the users log in tomorrow morning to see if it made any impact. In the meantime I have greatly expanded my knowledge of netdiag, dcdiag and repadmin.
