Primary domain was down- but I couldn't log in to test domain!

Hello all! I just noticed something strange, can anyone help me?

Our main servers (Win2k server) were down one day last week for wiring work
in the computer room. I figured I could still use my Win2kPro workstation
to connect to my test server (also Win2k server), and that I could work on
that while I waited.

The initial login to my pc (Win2kPro) was fine, it told me there was no
domain controller available, and it was using cached profile settings. Then
it prompted me (as it always has) to log in to my test domain, to reconnect
my file shares. When I gave the computer my password for the test domain,
it
failed, and told me "incorrect password or unknown user name for
\\MainTest1\source". (MainTest1 being my server, source being my file
share.) It said that I had last connected as "ttest03@maintest" , which has
always worked in the past. What's strange is that nothing appeared on the
test server's event log! When the wiring work was done, and I brought up
our main servers, I could log into the test server again. Any idea what
might be causing this?

I've also noticed a problem with my laptop and the test server. I can
connect to our production servers using my laptop (XP Pro) by typing the
server's IP address into the Start/Run dialog box. (Ex: "\\192.168.0.1" )
But, when I try that with the test server's IP address, it repeatedly asks
me for a correct username or password. The test server's event log will
show a failure for "unknown user name or bad password". After today's
problem with my workstation, I think the two problems are related. It
doesn't matter if I'm using my laptop from home, or plugged directly into my
office jack- it still won't connect. (And I've tried every variation of
doman & username to log on!)

In fact- something else strange! I just typed start/run/ip address from my
workstation. It prompted for a username and password and didn't connect-
just like my laptop!! But remember that my laptop won't connect either way-
by start/run/ip address, OR by browsing the network. (I can double-click the
test domain from the laptop, but can't login to the server.)

Has anyone seen anything like this?? Any ideas?

And as far as the laptop goes with a domain, I never joined it to any
domain- main or test. It's still set on a workgroup named "workgroup", with
no full computer name. I don't think this is the problem, since I can get
to my main server & domain okay, I just can't get to the test one.

I have a feeling if I can figure out why my regular PC (Win2k) wouldn't
connect to the test domain when the real domain was down, then that's the
same answer for my laptop (WinXP).

Sorry this is so long, but I figure the more information I can throw out,
the better of an answer you guys can give me. Thanks!

-TH

Is your test server a DC or just a member server?

To access resources on a member server, you must use credentials which
are acceptable to that machine. If the user is logged into the domain, the
server will accept domain credentials. If the client is not a domain member
(or if no domain controllers are available) you will need credentials which
are valid on the server itself and can be validated by its local SAM
database.

"Thomas H" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello all! I just noticed something strange, can anyone help me?
>
> Our main servers (Win2k server) were down one day last week for wiring
work
> in the computer room. I figured I could still use my Win2kPro workstation
> to connect to my test server (also Win2k server), and that I could work on
> that while I waited.
>
> The initial login to my pc (Win2kPro) was fine, it told me there was no
> domain controller available, and it was using cached profile settings.
Then
> it prompted me (as it always has) to log in to my test domain, to
reconnect
> my file shares. When I gave the computer my password for the test domain,
> it
> failed, and told me "incorrect password or unknown user name for
> \\MainTest1\source". (MainTest1 being my server, source being my file
> share.) It said that I had last connected as "ttest03@maintest" , which
has
> always worked in the past. What's strange is that nothing appeared on the
> test server's event log! When the wiring work was done, and I brought up
> our main servers, I could log into the test server again. Any idea what
> might be causing this?
>
> I've also noticed a problem with my laptop and the test server. I can
> connect to our production servers using my laptop (XP Pro) by typing the
> server's IP address into the Start/Run dialog box. (Ex: "\\192.168.0.1" )
> But, when I try that with the test server's IP address, it repeatedly asks
> me for a correct username or password. The test server's event log will
> show a failure for "unknown user name or bad password". After today's
> problem with my workstation, I think the two problems are related. It
> doesn't matter if I'm using my laptop from home, or plugged directly into
my
> office jack- it still won't connect. (And I've tried every variation of
> doman & username to log on!)
>
> In fact- something else strange! I just typed start/run/ip address from
my
> workstation. It prompted for a username and password and didn't connect-
> just like my laptop!! But remember that my laptop won't connect either
way-
> by start/run/ip address, OR by browsing the network. (I can double-click
the
> test domain from the laptop, but can't login to the server.)
>
> Has anyone seen anything like this?? Any ideas?
>
> And as far as the laptop goes with a domain, I never joined it to any
> domain- main or test. It's still set on a workgroup named "workgroup",
with
> no full computer name. I don't think this is the problem, since I can get
> to my main server & domain okay, I just can't get to the test one.
>
> I have a feeling if I can figure out why my regular PC (Win2k) wouldn't
> connect to the test domain when the real domain was down, then that's the
> same answer for my laptop (WinXP).
>
> Sorry this is so long, but I figure the more information I can throw out,
> the better of an answer you guys can give me. Thanks!
>
> -TH
>
>

Bill, thanks for responding! It's a domain controller, on it's own domain,
running it's own DNS and it's own active directory and etc. That's why I
have no idea about the dependency. Both domains have their own DC's; I
don't understand why if the main domain was down, I can't log in to that
second domain (with it's own dc).

In fact, I even went to the main dc server of the main domain, and tried to
connect to the test domain- and the main server could!

I did some more probing on that main dc of the main domain, and found that I
had an entry under the DNS, in the subnet, in the reverse lookup- there was
a pointer with the IP address of my test server/dc, and the DNS name of my
test server/dc. Could that be the link between the two? I never set up a
forest or anything. I wanted to keep the test server/dc/domain completely
isolated from the real domain.

I have my installation notes from the installation of the test server/dc;
I'm thinking of grabbing another old PC, doing the installation notes
exactly, and see what happens.

Even still, shouldn't I be able to do a start / run / \\ipaddress to get to
the test server/domain, on both my PC and my notebook? I don't understand
why that part fails. It works for the real servers/domain. I searched the
microsoft site but can't find any doc that describes this problem.

I did some more hunting in my notes- seems that I had added an entry into my
pc workstation's HOSTS file, with the IP of the test server, and the DNS
name of the test server. I took that entry out of my hosts file (actually
that was the only entry!), rebooted, and tried a start / run / \\server.fqdn
from my pc. It couldn't find the server. I put the entry back into my
hosts file, rebooted, and then the start / run / \\server.fqdn worked.

Although- hey, speaking of credentials, every time I can't log in to the
test domain from my laptop, the event log on the test server/dc gives the
code for "incorrect password". Now, I'm typing the password correctly- for
testing, I even changed it to something incredibly simple- but not blank- so
it's just about impossible to mis-type. It doesn't give the code for
"unknown user"- which tells me my login of ttest03@maintest is a valid
username. But why the invalid password? Is that related to credentials
too? Both my laptop, pc, and test domain all sync their time from the same
NTP server...

Thanks!

-TH

"Bill Grant" <bill_grant at bigpond dot com> wrote in message
news:%(E-Mail Removed)...
> Is your test server a DC or just a member server?
>
> To access resources on a member server, you must use credentials which
> are acceptable to that machine. If the user is logged into the domain, the
> server will accept domain credentials. If the client is not a domain
member
> (or if no domain controllers are available) you will need credentials
which
> are valid on the server itself and can be validated by its local SAM
> database.
>
> "Thomas H" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hello all! I just noticed something strange, can anyone help me?
> >
> > Our main servers (Win2k server) were down one day last week for wiring
> work
> > in the computer room. I figured I could still use my Win2kPro
workstation
> > to connect to my test server (also Win2k server), and that I could work
on
> > that while I waited.
> >
> > The initial login to my pc (Win2kPro) was fine, it told me there was no
> > domain controller available, and it was using cached profile settings.
> Then
> > it prompted me (as it always has) to log in to my test domain, to
> reconnect
> > my file shares. When I gave the computer my password for the test
domain,
> > it
> > failed, and told me "incorrect password or unknown user name for
> > \\MainTest1\source". (MainTest1 being my server, source being my file
> > share.) It said that I had last connected as "ttest03@maintest" , which
> has
> > always worked in the past. What's strange is that nothing appeared on
the
> > test server's event log! When the wiring work was done, and I brought
up
> > our main servers, I could log into the test server again. Any idea what
> > might be causing this?
> >
> > I've also noticed a problem with my laptop and the test server. I can
> > connect to our production servers using my laptop (XP Pro) by typing the
> > server's IP address into the Start/Run dialog box. (Ex:
"\\192.168.0.1" )
> > But, when I try that with the test server's IP address, it repeatedly
asks
> > me for a correct username or password. The test server's event log will
> > show a failure for "unknown user name or bad password". After today's
> > problem with my workstation, I think the two problems are related. It
> > doesn't matter if I'm using my laptop from home, or plugged directly
into
> my
> > office jack- it still won't connect. (And I've tried every variation of
> > doman & username to log on!)
> >
> > In fact- something else strange! I just typed start/run/ip address from
> my
> > workstation. It prompted for a username and password and didn't
connect-
> > just like my laptop!! But remember that my laptop won't connect either
> way-
> > by start/run/ip address, OR by browsing the network. (I can double-click
> the
> > test domain from the laptop, but can't login to the server.)
> >
> > Has anyone seen anything like this?? Any ideas?
> >
> > And as far as the laptop goes with a domain, I never joined it to any
> > domain- main or test. It's still set on a workgroup named "workgroup",
> with
> > no full computer name. I don't think this is the problem, since I can
get
> > to my main server & domain okay, I just can't get to the test one.
> >
> > I have a feeling if I can figure out why my regular PC (Win2k) wouldn't
> > connect to the test domain when the real domain was down, then that's
the
> > same answer for my laptop (WinXP).
> >
> > Sorry this is so long, but I figure the more information I can throw
out,
> > the better of an answer you guys can give me. Thanks!
> >
> > -TH
> >
> >
>
>

"Thomas H" <(E-Mail Removed)> wrote in message
news:OrLRH%(E-Mail Removed)...
> (..snip..)
> Although- hey, speaking of credentials, every time I can't log in to the
> test domain from my laptop, the event log on the test server/dc gives the
> code for "incorrect password". Now, I'm typing the password correctly-
for
> testing, I even changed it to something incredibly simple- but not blank-
so
> it's just about impossible to mis-type. It doesn't give the code for
> "unknown user"- which tells me my login of ttest03@maintest is a valid
> username. But why the invalid password? Is that related to credentials
> too? Both my laptop, pc, and test domain all sync their time from the
same
> NTP server...
>
> Thanks!
>
> -TH

Just an update!! I fixed the laptop problem!!

On the test server, I was going through my installation notes carefully, and
found a spot where I deviated from the real domain/server's setup. I started
un-doing the changes- and found the problem. I had disabled LM and NTLM
authentication completely, and only allowed the stronger NTLMv2. You guys
can find more info about this at http://www.sans.org/top20/#w3 , roll down
to step "5" of this W3 vulnerability. I had edited the registry for a
setting of 5, which would prevent any older machines from accessing my
server (and therefore transmitting a not-too-secure password hash across the
'net). Only systems that transmit an NTLMv2 password would be able to
connect. (The proper way for doing this is on Win2k is through
administrative tools / local security policy / local policies / security
options / "Lan Manager Authentication Level".)

At the same time that I changed the server for just NTLMv2, I had changed my
desktop PC to be the same. That's why I could connect to the test
server/domain from my pc, but not from my laptop. Oops!

All I had to do was boost my XP Pro laptop to use level 5 (Send NTLMv2
response only, refuse LM & NTLM), and now I can connect with no problems.
In XP Pro, you can either change the registry or use the local security
policy snap-in (administrative tools / local security policy / local
policies / security options / "Network security: LAN Manager authentication
level"). I don't have to worry about connecting to older NT4 or Win9x
networks, so setting level 5 is perfect for me.

Curiously, the start / run / \\ipaddress method of access won't work from my
desktop workstation (Win2kPro), it still tells me that the network path
isn't found. So there's still some kind of dependency between my real
domain and my test domain. If anybody has any ideas on that one, let me
know! Otherwise, I'll keep testing, and let the newsgroup know what I find.

-TH

"Thomas H" <(E-Mail Removed)> wrote in message
news:OrLRH%(E-Mail Removed)...
> Bill, thanks for responding! It's a domain controller, on it's own
domain,
> running it's own DNS and it's own active directory and etc. That's why I
> have no idea about the dependency. Both domains have their own DC's; I
> don't understand why if the main domain was down, I can't log in to that
> second domain (with it's own dc).
>
> In fact, I even went to the main dc server of the main domain, and tried
to
> connect to the test domain- and the main server could!
>
> I did some more probing on that main dc of the main domain, and found that
I
> had an entry under the DNS, in the subnet, in the reverse lookup- there
was
> a pointer with the IP address of my test server/dc, and the DNS name of my
> test server/dc. Could that be the link between the two? I never set up a
> forest or anything. I wanted to keep the test server/dc/domain completely
> isolated from the real domain.

BINGO! I found the problem!! As promised, here are the details!

It was a stupid typing error on my Win2kPro workstation! When I set up the
main domain back in '02, I pointed my pc workstation to use the domain's DNS
server as my pc's primary DNS.

Then I -mistyped- the IP for the secondary DNS server (company's unix DNS)!

So of course when the main domain was down, the primary DNS was down. And
there was no secondary DNS because I typed the wrong IP. Here's what I did:

1. Left my workstation as using primary DNS = Win2k DNS, secondary DNS =
incorrect IP
2. Shut down my workstation
3. Brought down the main domain after convincing everyone to log off
4. Turned on my workstation and logged in to Win2kPro
5. Win2kPro told me it was using cached profile settings b/c no domain
controller available
6. Tried to log on to test domain- failed!
7. Tried to surf to google.com - IE6 told me server not found! (Proof of
no DNS)
8. Changed my workstation's secondary DNS to be the correct IP numbers
9. Rebooted my workstation for fun
10. Logged in to Win2kPro, told me it was using cached profile settings
11. Tried to log on to test domain- WORKED!
12. Went to google.com- of course, it was found this time!

So thanks everyone for reading along, and thanks to Bill for the help! Yet
another example of not checking out the simple things! (If only I had tried
to surf the web that day; I would've discovered that I had no name
resolution. Instead, I started checking the configuration of my test
server/domain/dc.)

But... curiously... if I still do a start/run/ipaddress, I get the "network
path not found". That's okay, because I can still do a start/run/
\\servername.fqdn. Go figure!

Thanks!

-TH