Secure channel nltest problems.


MarcusB

Please help me. How to fix problem with secure channel? Domain
controllers run Windows 2000 Server. The problem is that Windows NT
workstations cannot log on to the secondary domain controller. When I shut
down the secondary DC, all NT workstations log in without problem. Here are
the results of the nltest command run on both domain controllers:

From Secondary domain controller

C:\Documents and Settings\admin>NLTEST /SC_RESET:Natblue

Flags: 30 HAS_IP HAS_TIMESERV

Trusted DC Name \\primary.natblue.slu.se

Trusted DC Connection Status Status = 0 0x0 NERR_Success

The command completed successfully



From Primary domain controller

C:\>nltest /sc_reset:Natblue

I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN


Marcus
 

Ben [MSFT]

Can you detail more on cannot logon to the secondary domain controller?
What's the exact error that the NT workstations see upon a failed logon to
the W2K domain?

Also in a W2K domain there is no real sense of a PDC/BDC, master/slave role
but instead all DCs are equal with one holding a PDC Emulator role for
backward compatibility and other functions.

The nltest failure that you are seeing is expected when running nltest
/sc_query or /sc_reset from the PDC Emulator to the domain. It won't have
a secure channel to anybody else within the domain.

-blim
--------------------
| >Date: Tue, 18 Nov 2003 17:09:10 +0100
| >From: MarcusB <[email protected]>
| >Newsgroups: microsoft.public.win2000.active_directory
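Added example, not part of the thread: a small Python parser for the `nltest /sc_reset` output quoted in the first post. It classifies status 1355 as expected only when the operator states the host holds the PDC Emulator role, as the reply above describes. The names `parse_nltest`, `assess` and `is_pdc_emulator` are hypothetical.

```python
import re

STATUS_RE = re.compile(r"Status\s*=\s*(\d+)\s+(0x[0-9a-fA-F]+)\s+(\S+)")
DC_RE = re.compile(r"Trusted DC Name\s+(\\\\\S+)")
FLAGS_RE = re.compile(r"^Flags:\s*([0-9a-fA-F]+)\s*(.*)$", re.M)


def parse_nltest(output):
    """Extract status, trusted DC and flags from nltest /sc_reset or /sc_query text."""
    m = STATUS_RE.search(output)
    if m is None:
        raise ValueError("no 'Status = ...' line found in nltest output")
    code, hex_code, name = int(m.group(1)), int(m.group(2), 16), m.group(3)
    if code != hex_code:
        raise ValueError("decimal and hex status disagree; output may be corrupted")
    dc = DC_RE.search(output)
    flags = FLAGS_RE.search(output)
    return {
        "code": code,
        "name": name,
        "trusted_dc": dc.group(1) if dc else None,
        "flags": flags.group(2).split() if flags else [],
        "api_failed": "I_NetLogonControl failed" in output,
    }


def assess(result, is_pdc_emulator):
    """Classify a parsed result; is_pdc_emulator is supplied by the operator."""
    if result["code"] == 0 and not result["api_failed"]:
        return "ok"
    if result["code"] == 1355 and is_pdc_emulator:
        # Per the reply above: expected when run from the PDC Emulator.
        return "expected-on-pdc-emulator"
    return "investigate"


# Output copied from the first post in this thread.
SECONDARY = """Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\\\primary.natblue.slu.se
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully"""
PRIMARY = "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"

if __name__ == "__main__":
    print(assess(parse_nltest(SECONDARY), is_pdc_emulator=False))
    print(assess(parse_nltest(PRIMARY), is_pdc_emulator=True))
```
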
 

MarcusB

When you are logging on from an NT workstation you get:
"The system could not log you on to this domain because the system's
computer account in its primary domain is missing or the password on
that account is incorrect."

Rejoining the computer to the domain does not help.

In the logs you can find Event ID 3210. The on that event from Microsoft
do not help much.

The question is why NT could not log on to the other domain controller.
The one NT could not log on to is faster and responds faster, therefore we got
that problem. But what causes the problem? We had the system working for
2 years with 100 NT workstations and never had such a problem.


Marcus
 

Ben [MSFT]

Marcus,

On the W2K DC that when brought down the NT client logons work, check the
RestrictAnonymous setting under
HKLM\System\CCS\Control\Lsa\[RestrictAnonymous]. If it is set to 2, set it
to either 0 or 1.

Do you have any W2K clients or member servers? If so do they have any
problems allowing users to logon when both W2k DCs are online?

-blim
--------------------
| >Date: Wed, 19 Nov 2003 09:37:30 +0100
| >From: MarcusB <[email protected]>
 
