A computer account problem ?

This is really annoying. One of our customers has a 2003 server and about 35
users running a mix of xp and 2000 clients. Two of them repeatedly are unable
to log on with the classic ‘domain server not found or wrong username or
password’ message whoever they try and log on as (and the client dns settings
are pointing to the server and they exist in the forward lookup zone) the
only way to log these clients on is to kcik them out of the domain into a
workgroup and back into the domain and then they can log on, until the next
day or the day after when exactly the same thing happens. Both the iffy
clients are running xp pro sp2.
I do not know what computer account information is held on a client pc and I
suspect that if I did then then I would be a good deal nearer fixing this
than I currently am. If it were one pc then I might just rebuild it but two?
Any ideas?

Hi Andy,

Login using
domain\user

Not just:
user

Hope this helps.

--
Jabez Gan [MVP]
Microsoft MVP: Windows Server
http://www.blizhosting.com
MSBLOG: http://msblog.resdev.net


"Andy" <(E-Mail Removed)> wrote in message
news5368E4F-CA93-4B26-AC1F-(E-Mail Removed)...
> This is really annoying. One of our customers has a 2003 server and about
> 35
> users running a mix of xp and 2000 clients. Two of them repeatedly are
> unable
> to log on with the classic 'domain server not found or wrong username or
> password' message whoever they try and log on as (and the client dns
> settings
> are pointing to the server and they exist in the forward lookup zone) the
> only way to log these clients on is to kcik them out of the domain into a
> workgroup and back into the domain and then they can log on, until the
> next
> day or the day after when exactly the same thing happens. Both the iffy
> clients are running xp pro sp2.
> I do not know what computer account information is held on a client pc and
> I
> suspect that if I did then then I would be a good deal nearer fixing this
> than I currently am. If it were one pc then I might just rebuild it but
> two?
> Any ideas?
>

In news:(E-Mail Removed),
Jabez Gan [MVP] <(E-Mail Removed)> stated, which I commented
on below:
> Hi Andy,
>
> Login using
> domain\user
>
> Not just:
> user
>
> Hope this helps.

I noticed Andy posted this 3 times. I replied to one of the others before I
saw yours.

Now you mentioned this, I'm curious if they can logon using the UPN as
(E-Mail Removed) then the password.

I'm also curious if the AD domain is a single label name.

Ace

Have to admit that I have not tried either, I will next tine they break, but
my suspicion is that it will not work. What I don’t get is what has changed
between the first time when it can’t log in and the second when it has been
booted out and rejoined into the domain. I do not need to delete and recreate
the computer account, no changes need to be made on the server to allow the
user back in. Presumably it can find the domain and server (there is only one
server) or it would kick up a fuss when being disjoined from the domain. As
far as I can tell the only reason you would ever need to log in as
(E-Mail Removed) or def\abc would be if there were some ambiguity as to which
domain we are trying to attach to.

"Ace Fekay [MVP]" wrote:

> In news:(E-Mail Removed),
> Jabez Gan [MVP] <(E-Mail Removed)> stated, which I commented
> on below:
> > Hi Andy,
> >
> > Login using
> > domain\user
> >
> > Not just:
> > user
> >
> > Hope this helps.
>
> I noticed Andy posted this 3 times. I replied to one of the others before I
> saw yours.
>
> Now you mentioned this, I'm curious if they can logon using the UPN as
> (E-Mail Removed) then the password.
>
> I'm also curious if the AD domain is a single label name.
>
> Ace
>
>
>

In news:4F69A821-99D2-4C3A-86D2-(E-Mail Removed),
Andy <(E-Mail Removed)> stated, which I commented on below:
> Have to admit that I have not tried either, I will next tine they
> break, but my suspicion is that it will not work. What I don't get is
> what has changed between the first time when it can't log in and the
> second when it has been booted out and rejoined into the domain. I do
> not need to delete and recreate the computer account, no changes need
> to be made on the server to allow the user back in. Presumably it can
> find the domain and server (there is only one server) or it would
> kick up a fuss when being disjoined from the domain. As far as I can
> tell the only reason you would ever need to log in as (E-Mail Removed) or
> def\abc would be if there were some ambiguity as to which domain we
> are trying to attach to.
>
> "Ace Fekay [MVP]" wrote:

That would depend on if DNS is configured correctly, meaning if the zone and
SRV records for the domain exist, the clients and DCs are only using the
internal DNS (no ISPs' DNS).

Would you be able to provide that info I asked in the other thread? Here it
is again:
"Can we see an ipconfig /all from this client and from your DC please? Can
you also provide any Event log errors and anything you may have running on
the DC or the client."

Thanks
Ace

Sure

There is a 3210 error in the sys log at about the right time that says

This computer could not authenticate with \\NT1, a Windows domain controller
for domain PRISMNT, and therefore this computer might deny logon requests.
This inability to authenticate might be caused by another computer on the
same network using the same name or the password for this computer account is
not recognized. If this message appears again, contact your system
administrator.

I have run angry IP scan on both sites and if there is another computer with
the same name on eityher site then ill be damned if i can find it.
Ipconfig gives:

Windows IP Configuration
Host Name . . . . . . . . . . . . : PC26
Primary Dns Suffix . . . . . . . : prismnt.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : prismnt.local

Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5005G Wireless Network
Adapter
Physical Address. . . . . . . . . : 00-11-F5-7D-82-C5
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.10.105
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DHCP Server . . . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 4.2.2.1
4.2.2.2
Lease Obtained. . . . . . . . . . : 18 January 2006 09:12:48
Lease Expires . . . . . . . . . . : 21 January 2006 09:12:48


Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Marvell Yukon 88E8036 PCI-E Fast
Ethernet Controller
Physical Address. . . . . . . . . : 00-0F-B0-90-EF-DA


As can be clearly seen there is a wireless card and a normal ethernet one,
the ethernet one not being plugged in. I am starting to wonder if for some
daft reason it is trying to use the disconnected LAN connection to
authenticate ?


"Ace Fekay [MVP]" wrote:

> In news:4F69A821-99D2-4C3A-86D2-(E-Mail Removed),
> Andy <(E-Mail Removed)> stated, which I commented on below:
> > Have to admit that I have not tried either, I will next tine they
> > break, but my suspicion is that it will not work. What I don't get is
> > what has changed between the first time when it can't log in and the
> > second when it has been booted out and rejoined into the domain. I do
> > not need to delete and recreate the computer account, no changes need
> > to be made on the server to allow the user back in. Presumably it can
> > find the domain and server (there is only one server) or it would
> > kick up a fuss when being disjoined from the domain. As far as I can
> > tell the only reason you would ever need to log in as (E-Mail Removed) or
> > def\abc would be if there were some ambiguity as to which domain we
> > are trying to attach to.
> >
> > "Ace Fekay [MVP]" wrote:
>
> That would depend on if DNS is configured correctly, meaning if the zone and
> SRV records for the domain exist, the clients and DCs are only using the
> internal DNS (no ISPs' DNS).
>
> Would you be able to provide that info I asked in the other thread? Here it
> is again:
> "Can we see an ipconfig /all from this client and from your DC please? Can
> you also provide any Event log errors and anything you may have running on
> the DC or the client."
>
> Thanks
> Ace
>
>
>

The swine !

There was another pc26 on the network but it was on a salesman's laptop
which it why i did not find it earlier. He VPNs into the network at night and
thats why the other computer strugles only first thing in the morning. I have
spoken to him and made him change his computer name and i am confident that
that will be an end to the matter. Thanks all for your help

Andy

Great to hear that! Thanks for the update!

--
Jabez Gan [MVP]
Microsoft MVP: Windows Server
http://www.blizhosting.com
MSBLOG: http://msblog.resdev.net


"Andy" <(E-Mail Removed)> wrote in message
news:EA3CD6AF-63FB-4EB9-A518-(E-Mail Removed)...
> The swine !
>
> There was another pc26 on the network but it was on a salesman's laptop
> which it why i did not find it earlier. He VPNs into the network at night
> and
> thats why the other computer strugles only first thing in the morning. I
> have
> spoken to him and made him change his computer name and i am confident
> that
> that will be an end to the matter. Thanks all for your help
>
> Andy

In news:EA3CD6AF-63FB-4EB9-A518-(E-Mail Removed),
Andy <(E-Mail Removed)> stated, which I commented on below:
> The swine !
>
> There was another pc26 on the network but it was on a salesman's
> laptop which it why i did not find it earlier. He VPNs into the
> network at night and thats why the other computer strugles only first
> thing in the morning. I have spoken to him and made him change his
> computer name and i am confident that that will be an end to the
> matter. Thanks all for your help
>
> Andy

Thanks for the update!

One thing that concerns me, however, and I would like to point out, is that
your ipconfig shows 4.2.2.1 and 4.2.2.2 as your DNS servers. They are
gtei.net's servers. I'm sure they don't have info about your domain, which
will cause further AD issues.

Keep in mind, DNS stores service and resource locations an are dynamically
updated by DCs, for the domain in the form of SRV folders (_msdcs, _sites,
_udp, _tcp). If they do not exist, or the DNS server you are using do not
exist, *numerous* errors can occur. You should only point all machines in an
AD domain to your internal only and configure a forwarder (optional) to your
ISP for efficient internet resolution.

Ace