can only log in via upn after password change
#1
Scooby Regular
Thread Starter
iTrader: (5)
Join Date: Feb 2003
Location: Worcester
Posts: 2,625
now this one is fun
on 50+ PCs we are getting this issue
we implemented a password change policy and after the first change we had
the user changed the password and they could log in but get no domain service (could not see the sysvol share on DCs)
event ID 1006 cannot bind to domain
(domain is win2k3)
can reset the user's password via ADUC, the user logs in ONCE and everything seems fine, can connect to everything
log out and log in again, can log in but yet again 1006 can't bind to domain
now we lock workstation, log back in and it works fine, until you log out again
each time this happens I get a login failure on the DC
blimey yes I haven't had one this good for years
now I found the fix, it is to log in once using the user's UPN
wow very nice all good and I'm happy (took about 3 days)
BUT
WTF could be causing this, there are no stored passwords on the PC (looking in control panel), rejoining the PC to the domain doesn't help, yet the user seems to only have the problem on that machine, has happened on 2k and XP (fully service packed)
reason I ask is by looking in the security event log of the DC we are getting serious amounts of failures and I guess a lot of our users are happy not to get the nice domain security and browse the internet all day downloading games and changing desktops as all DNS \ DHCP seems to be working fine
should I also mention we did a domain rename 1 1/2 years ago and it looks like the only users that are being affected are pre domain change
a problem shared is a ...........
all ideas welcome
24 hours on and I'm still awake working on this ... now I must get back on with it and not browse general
#2
Scooby Regular
iTrader: (1)
Join Date: Jul 2004
Location: There on the stair
Posts: 10,208
Ummmmm..... clutch, clutch - DNS suffix in the IP properties showing the old domain name first?
How many DC's are you talking about?
Do they have multiple NICs? Are all of them in use? Are the non-used ones disabled? Have you DNS only bound to the active NICs?
This link shows some good pointers:
http://eventid.net/display.asp?event...serenv&phase=1
#5
Scooby Regular
iTrader: (1)
Join Date: Jul 2004
Location: There on the stair
Posts: 10,208
You've split the FSMO roles tho' haven't you?
This article is a good one: http://www.windowsdevcenter.com/pub/...6/15/fsmo.html
Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.
Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC) since those are often heavily used also.
Rule 2: The Infrastructure Master should not be placed on a GC.
Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.
Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.
Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.
Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.
Tip: If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is down.
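The placement rules quoted in the post above can be checked mechanically. The following is an added example, not code from the thread or from the linked article; the function name, the DC names and both sample inventories are constructed, and the role-to-holder mapping is assumed to have been collected beforehand.

```python
# Added example: checks an FSMO placement against Rules 1-3 quoted above.
# Host names and the sample inventories are constructed for illustration.
ROLES = ("schema", "naming", "pdc", "rid", "infrastructure")


def check_fsmo_placement(holders, gcs, all_dcs, domain_count, forest_level_2003):
    """Return a list of findings; an empty list means Rules 1-3 are met.

    holders: role -> DC name; gcs: set of global catalog DCs;
    all_dcs: set of every DC in the forest.
    """
    missing = [r for r in ROLES if r not in holders]
    if missing:
        # A role with no known holder is a Rule 4 problem; report it first.
        return ["no holder recorded for: " + ", ".join(missing)]
    findings = []
    # Rule 1: PDC Emulator and RID Master on the same machine.
    if holders["pdc"] != holders["rid"]:
        findings.append("rule 1: PDC Emulator and RID Master are on different DCs")
    # Rule 2: Infrastructure Master not on a GC, unless the forest has only
    # one domain (exception 1) or every DC is a GC (exception 2).
    if holders["infrastructure"] in gcs:
        if not (domain_count == 1 or all_dcs <= gcs):
            findings.append("rule 2: Infrastructure Master is on a GC")
    # Rule 3: Schema Master and Domain Naming Master together, on a GC.
    if holders["schema"] != holders["naming"]:
        findings.append("rule 3: Schema Master and Domain Naming Master are split")
    if holders["schema"] not in gcs:
        findings.append("rule 3: Schema Master is not on a GC")
    # Exception: at Windows Server 2003 forest level the Domain Naming Master
    # need not be a GC (replication-partner proximity is not modelled here).
    if holders["naming"] not in gcs and not forest_level_2003:
        findings.append("rule 3: Domain Naming Master is not on a GC")
    return findings


# Constructed inventory 1: every role on one DC, single-domain forest.
ALL_ON_ONE = {role: "dc1" for role in ROLES}
# Constructed inventory 2: two-domain forest with PDC/RID split across DCs.
SPLIT = {"schema": "dc1", "naming": "dc1", "pdc": "dc2",
         "rid": "dc3", "infrastructure": "dc1"}

if __name__ == "__main__":
    print(check_fsmo_placement(ALL_ON_ONE, {"dc1"}, {"dc1", "dc2"}, 1, True))
    for finding in check_fsmo_placement(SPLIT, {"dc1"}, {"dc1", "dc2", "dc3"}, 2, True):
        print(finding)
```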
#6
Scooby Regular
iTrader: (1)
Join Date: Jul 2004
Location: There on the stair
Posts: 10,208
Also, if you think it might be domain rename orientated - unregister from the domain, uninstall the network card and reboot the p.c.
Hopefully this will completely reset the info held in the registry (really am clutching here!)
#8
Scooby Regular
Thread Starter
iTrader: (5)
Join Date: Feb 2003
Location: Worcester
Posts: 2,625
cheers for the heads up Kieran
the fsmo's look fine, I even moved them all to one server last night
will be moving back tonight, not something i can get away with in the day