Unable to login from Pre Windows 2000 PCs

[sudhi_shrivatsa]

I have a Domain for which I have created one additional DC. I still have some
win9x PCs which login to this domain for resource utilization. All of a
sudden they started to get "The username Or Passwword you have typed is
incorrect or logon to domain is denied" error. Where as I tried login with
the same user and password from WinXPP pcs there they were successfull. I
installed ADSClient also but for no avail. ADC is running web services also.
Then I tried restarting the ADC then only the Win9x PC were able to login.
Can anybody throw some light on why this happened.

Cheers,
Sudhi...

 

[Ace Fekay [MVP]]

In

I have a Domain for which I have created one additional DC. I still
have some win9x PCs which login to this domain for resource
utilization. All of a sudden they started to get "The username Or
Passwword you have typed is incorrect or logon to domain is denied"
error. Where as I tried login with the same user and password from
WinXPP pcs there they were successfull. I installed ADSClient also
but for no avail. ADC is running web services also. Then I tried
restarting the ADC then only the Win9x PC were able to login. Can
anybody throw some light on why this happened.

Cheers,
Sudhi...

From the Windows 9x machines, are you logged on with a domain account that
has permissions to the resources? Since WIn9x doesn't support runas or the
ability to provide a different set of credentials when performing network
tasks, it is important to be logged on with the right account.

Also, another issue that can occur is you may need to disable SMB Signing on
the DC(s). Each one needs it done. You also have to make sure at least IE6
is installed on the 9x machines. Here's more info.

555038 - How to enable Windows 98-ME-NT clients to logon to Windows 2003
based Domains:
http://support.microsoft.com/?id=555038

811497 - Error Message When Windows 95 or Windows NT 4.0 Client Logs On to
Windows Server 2003 Domain - follow the workaround:
http://support.microsoft.com/?id=811497

How to upgrade Windows 2000 domain controllers to Windows Server 2003 -
talks about SMB signing:
http://support.microsoft.com/kb/325379

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

 

[sudhi_shrivatsa]

Let me clear some more points,

1. User was a domain account.
2. Same user was successfully loging from WINXPP PC at the same time & it
was failing with the said error in Win9x PC.
3. ADS is of windows 2000Server not win2k3.
4. User was using same username and password till evening the day before
problem started.
5. The problem resolved only after restarting the ADC which is also a WIN2k
server.

Regards,
Sudhi...

 

[Ace Fekay [MVP]]

In

Let me clear some more points,

1. User was a domain account.
2. Same user was successfully loging from WINXPP PC at the same time
& it was failing with the said error in Win9x PC.
3. ADS is of windows 2000Server not win2k3.
4. User was using same username and password till evening the day
before problem started.
5. The problem resolved only after restarting the ADC which is also a
WIN2k server.

Regards,
Sudhi...

What SP level is the DC?
Is IE6 installed on the 9x?

What was changed prior to this occuring? Obviously if you had to restart the
DC to fix it, something must have changed. Is the DC set to automatically
install updates?

Ace

 

[Richard Mueller [MVP]]

Then DSClient is installed on the client.

The error seems to indicate the domain was contacted. Remember, the password
is case sensitive.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

 

[sudhi_shrivatsa]

SP4 and yes even IE6 was installed. As I have already informed ADC was not
responding at that time. Only Additional Domain Controller was restarted.
After restarting WIN9x PCs were successfully login. And to check error when
tried to see event viewer nothing was reported.It was totally empty.

@Richard Mueller
Please go thru the thread it was not related ot password case sensitivity.
As the same user was successfully login form WINXP SP2 PCs.

Cheers,
Sudhi....

 

[Ace Fekay [MVP]]

In

SP4 and yes even IE6 was installed. As I have already informed ADC
was not responding at that time. Only Additional Domain Controller
was restarted. After restarting WIN9x PCs were successfully login.
And to check error when tried to see event viewer nothing was
reported.It was totally empty.

@Richard Mueller
Please go thru the thread it was not related ot password case
sensitivity. As the same user was successfully login form WINXP SP2
PCs.

Cheers,
Sudhi....

Q272594 - Problems Logging On to a Windows 2000-Based Server:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q272594&

You may still need to disable SMB signing. Have you tried it? You can always
put it back the way it was if it didn;t help.

Ace

 

[sudhi_shrivatsa]

Ace,

My point is,

1. The problem got resolved only when I restarted Additional Domain
Controller,as it was is hung state.
2. Then WIN9x were successfully logged in.
3. I dont understand is thr any link with the login of WIN9x PC with ADC.
4. During the problem. Win9x PCs were tryng to contact ADC?
5. Why Even logger was completely blank. Even today it is blank?

Hope you are clear about my worries this time.

Sudhi...

 

[Richard Mueller [MVP]]

Possibly WINS stopped on the DC and restarting the DC restarted WINS.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

 

[Ace Fekay [MVP]]

In

Possibly WINS stopped on the DC and restarting the DC restarted WINS.

Or the netlogon service could have been hung. He did mention the DC was in a
hung state, so I would imagine it would directly affect 9x clients
immediately but not 2000 and newer since they cache their credentials.

Ace

 

[sudhi_shrivatsa]

Ok Agreed but the roor DC was the primary wins server. How come Win9x pcs did
not contacted Primary WINS Server. ADC is secondary WINS server.

Sudhi...

 

[sudhi_shrivatsa]

@Ace thts what I was suspecting and for that I checked th event viewer and to
for my surprise the event veiwer was totally empty. One more question arises.
I have 2 servers root and ADc ADC netlogon service is hung or suppose I shut
ADC down will login from my WIN9x PCs will fail ?

Sudhi...

 

[Ace Fekay [MVP]]

In

Ok Agreed but the roor DC was the primary wins server. How come Win9x
pcs did not contacted Primary WINS Server. ADC is secondary WINS
server.

Sudhi...

Windows 9x machines are NOT domain members. Therefore they do not
authenticate the same as a joined 2000 or newer machine. The 2000 and newer
machines use Kerberos. Non-domain members use NTLM which is NetBIOS based.
If configured with a WINS address, it will use the WINS server(s) to query
and contact the domain. DNS is not used for non-domain members or NT4. DNS
is used by 2000 and newer machines. When the 9x machines query, they try
them in order specified much like the DNS query process. If the prinary
entry doesn't respond within one second, it goes to the next one.

How NetBIOS name resolution really works (multiple WINS):
http://articles.techrepublic.com.com/5100-6349_11-5034239.html

Chapter 4: Authenticating and Accessing Domain Resources from Non-Domain
Machines
http://computing.fnal.gov/cd/windows/w2kdoc/html/remoteaccess.html

Are the WINS servers Push/Pull replication partners? Which server is the
"YOURDOMAINNAME[1Ch]" entry in? That is what the 9x machine will be querying
for.

Ace

 

[Ace Fekay [MVP]]

In

@Ace thts what I was suspecting and for that I checked th event
viewer and to for my surprise the event veiwer was totally empty. One
more question arises. I have 2 servers root and ADc ADC netlogon
service is hung or suppose I shut ADC down will login from my WIN9x
PCs will fail ?

If the 9x machines cache the original server that logged it on and it goes
down, then it won't be able to authenticate. Tehre is a period of time when
it refreshes the cache, but if it already found the [1CH] entry, it will be
cached. I am not sure how long it keeps it in the cache, but I believe it is
10 minutes, but if a connection is attempted after the original one goes
down, 9x won't be able to query the DC that logged it in.

Ace

 

[sudhi_shrivatsa]

But what is both rootDC and ADC are located at same location and same
network. Even clients are on same networ. say for example 10.200.200.x series.

Sudhi...

 

[Ace Fekay [MVP]]

In

But what is both rootDC and ADC are located at same location and same
network. Even clients are on same networ. say for example
10.200.200.x series.

Sudhi...

I'm not sure what to tell you. Maybe suggest to upgrade the server or
upgrade the clients to Windows 2000 or newer? This way you won't have a
problem.

Ace

 

[sudhi_shrivatsa]

OK Ace let us end this here. Thanx for your participation.

Cheers,
Sudhi...

 

[Ace Fekay [MVP]]

In

OK Ace let us end this here. Thanx for your participation.

Cheers,
Sudhi...

Sorry I couldn't be more helpful.

Ace

 

[sudhi_shrivatsa]

Its ok ace You tried your best.
Bye.

Sudhi...

OK Ace let us end this here. Thanx for your participation.

Cheers,
Sudhi...