Networking Forums

Workstation account issues in Active Directory

 
 
Hokyfan
      11-09-2005, 06:21 PM
Over the past few weeks the following problem has appeared on one of the
networks I’m administering…

Intermittently, each morning a number of the users cannot log in at their
workstations – they receive the following, or similar, message:

“Windows cannot connect to the domain either because the domain controller
is down or otherwise unavailable or because your computer account was not
found.”

At this point, the user cannot log on, but the administrator usually can log
in (but not always).

The computers are a mix of Windows 2000 Pro and Windows XP Pro. All have
the latest updates. All of the PCs are clean installs, i.e., they are not
cloned images. There is no way to predict which ones will exhibit the
problem on any particular

One of the following usually works to get the user logged in:
1. Power off, restart and login.
2. Log in as administrator, log off and log in as the user.
3. Log in to the local administrator, remove the computer from the domain
and add it back in.

Once logged in, the workstation works fine.

The following is a description and brief history of the network –

The original network consisted of a Windows 2000 Server running Active
Directory and Exchange 2003 (Server A). In February a Windows 2003 server
was added as another Active Directory controller (Server B). (ADPREP
/domainprep and ADPREP /forestprep were run before promoting the new server.)

Replication of the Active Directory seems to be working fine. All computer
and user accounts appear on both servers. When a new user account is
created on Server A, it appears on Server B.

DHCP hands out DNS servers in the order of Server A – Server B – Internet.
It also hands out WINS address in the order Server A – Server B.

The network consists of a number of stacked 24 port 10/100 switches.

Any suggestions as to how to approach this issue?

Thanks,

Rick

 
Olaf Engelke [MVP Windows Server]
      11-09-2005, 06:43 PM
Hi,
Hokyfan wrote:
> Intermittently, each morning a number of the users cannot log in at
> their workstations – they receive the following, or similar, message:
>
> “Windows cannot connect to the domain either because the domain
> controller is down or otherwise unavailable or because your computer
> account was not found.”
>
> At this point, the user cannot log on, but the administrator usually
> can log in (but not always).
>
> Replication of the Active Directory seems to be working fine. All
> computer and user accounts appear on both servers. When a new user
> account is created on Server A, it appears on Server B.
>
> DHCP hands out DNS servers in the order of Server A – Server B –
> Internet. It also hands out WINS address in the order Server A –
> Server B.
>

What does the event log of the affected clients report for error messages?
As you describe it, anything is possible, from DNS issues to IP address
assignment problems or broken digital signing.
So some more detailed information from the client would be welcome.
Best greetings from Germany
Olaf

 
Hokyfan
      11-10-2005, 02:33 AM
Thanks for the reply - I was looking at the same area.

One thing that confuses me is that when a workstation doesn't allow the
login for the 'user' - I can immediately sign in as the domain admin and
there is no evidence of any problem. And even this is consistent - it may
work on the workstation one day and not the next - or work on one workstation
and not the one next to it.

I've started to log the incidents so I can trace which network switches the
problem PCs are going through.

I will check the PCs' event logs and see if there are any entries for the
problems.

Rick

Olaf Engelke [MVP Windows Server]
      11-10-2005, 07:57 AM
Hi,
Hokyfan wrote:
> One thing that confuses me is that when a workstation doesn't allow
> the login for the 'user' - I can immediately sign in as the domain
> admin and there is no evidence of any problem. And even this is
> consistent - it may work on the workstation one day and not the next
> - or work on one workstation and not the one next to it.


Maybe cached credentials are working for the domain admin and not for the
users (depending on the configuration of your policies).
Best greetings from Germany
Olaf

 
Hokyfan
      11-10-2005, 11:53 AM
I thought of that, but the admin has full access to network resources when
logged in. A cached account would not.


Olaf Engelke [MVP Windows Server]
      11-11-2005, 10:16 AM
Hi again,
Could it be that the DHCP lease for those clients is running out, the
contact with the DHCP server is not fast enough, or the users are trying to
log in too early (the shell is up, but the network is not)?
Would it work better
a) with a fixed IP address
b) if the users power on the PC, go _slowly_ pick up their morning coffee,
and then login?

Best greetings from Germany
Olaf

 
Hokyfan
      11-11-2005, 06:51 PM
That doesn't feel right - if the DHCP lease was up - or the workstation did
not receive the IP address then the admin could not log in.

I will try a static IP on one of the workstations...

Olaf Engelke [MVP Windows Server]
      11-11-2005, 08:25 PM
Hokyfan wrote:
> That doesn't feel right - if the DHCP lease was up - or the
> workstation did not receive the IP address then the admin could not
> log in.

Well - the user could have tried immediately after startup, while the admin
comes later and tries after a delay (which would then also work for the user).
Is the name resolution (DNS) working properly? Are there multiple domains in
the forest? If yes, what is the status of the global catalog in each domain?
Is it reachable for the user PC?
Also enable auditing of all failures for the workstation, so that maybe the
security log will ring and tell you more details.

> I will try a static IP on one of the workstations...


Good luck!
Best greetings from Germany
Olaf
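
A check for the name-resolution question raised in the reply above, given that DHCP in this thread hands out Server A, Server B and an Internet DNS server: it asks each DNS server configured on a client for the SRV records the domain controller locator relies on. This is an added example, not part of the thread. Assumptions: `corp.example` is a placeholder domain, the forest has a single domain, and the script runs on a Windows version that has `Resolve-DnsName` (Windows 8 / Server 2012 or later), not on the Windows 2000/XP clients themselves.

```powershell
# Added example, not from the thread. Placeholder values are marked below.
$Domain = 'corp.example'   # placeholder: replace with the AD DNS domain name
$Forest = $Domain          # assumption: single-domain forest

# SRV records that Netlogon registers and the DC locator queries
$Records = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # domain controllers
    "_kerberos._tcp.dc._msdcs.$Domain",  # Kerberos KDCs
    "_gc._tcp.$Forest"                   # global catalog servers
)

# Every IPv4 DNS server this client is configured with (DHCP or static)
$Servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

$Results = foreach ($Server in $Servers) {
    foreach ($Name in $Records) {
        try {
            # -DnsOnly: use the DNS protocol only (no LLMNR/NetBIOS fallback)
            $Answer = Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
            $Srv    = $Answer | Where-Object { $_.Type -eq 'SRV' }
            $Status = if ($Srv) { 'OK' } else { 'NO SRV' }
            $Detail = ($Srv | Sort-Object Priority |
                ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
        catch {
            # NXDOMAIN, timeout, refused: this server cannot locate a DC
            $Status = 'FAILED'
            $Detail = $_.Exception.Message
        }
        [pscustomobject]@{
            DnsServer = $Server
            Record    = $Name
            Status    = $Status
            Detail    = $Detail
        }
    }
}

$Results | Format-Table -AutoSize -Wrap

# List the DNS servers that could not answer at least one locator lookup
$Bad = $Results | Where-Object { $_.Status -ne 'OK' } |
    ForEach-Object { $_.DnsServer } | Select-Object -Unique
if ($Bad) { Write-Warning "No DC locator records via: $($Bad -join ', ')" }
```

Any server listed in the warning cannot tell a client where a domain controller is, so a client that ends up querying it will not find the domain.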

 
Joe Hernandez
      11-29-2005, 12:45 PM
Hi,

I have the same problems. I had posted a similar issue in here and was given
this article to read: http://support.microsoft.com/kb/898060
It hasn't resolved my problem, but it might work for you; try it.

Good luck,

Joe H
