Windows XP machine unable to log onto a Windows 2003 domain; used to have no problem

[Edward W. Ray]

I have a machine which will not log into my Windows 2003 domain. No user
works, including domain admins and enterprise admins. This has not been a
problem before. The machine is a member or a Windows 2003 domain, and part
of an organizational unit with other machines which are able to login to the
domain.

The security logs on the DCs and the machine in question show no errors.
The machine itself is authenticated into the domain. The immediate error
which occurs after typing the user name and password is

"Logon error: The system could not log you on. Make sure
your user name and domain are correct, then type your password again.
Letters in password must be typed using the
correct case."


By the speed at which this logon window appears, the fact that other
machines in the same OU have no issues, and the lack of errors in the
security event log on the DCs leads me to believe that this is an issue with
this machine only.

If anyone knows how to resolve this issue or knows of a KB article that
might help, please let me know.

Regards,

Edward W. Ray

 

[Roger Abell]

Check that the client machine is using _only_ the correct DNS
services for the AD infrastructure.
On the client, run netdiag from the support\tools optional install
and see what errors it shows.

 

[George Foster]

netdiag shows Kerberos and trust failures. I had to logon using the
computer name instead of the domain. No user, including admins, can logon
to this machine into the domain.

Unfortunately, since no user are being recognized, I am unable to remove it
from the domain.

Event Log shows Netlogon error ID 3210 and LsaSrv Warning ID 40961,
signifying that the XP Pro machine is unable to authenticate to either of my
Windows 2003 DCs.

I though about removing it from the OU, but it would probably not be a good
idea to remove the machine account from the
OU while the machine still thinks it is a member.

 

[Roger Abell]

And you are configured to use only the DNS servers that
support the Active Directory, right ? (Guess so or you
would have mentioned the DNS errors in netdiag output).

If when logged in as a local admin you run netdiag and get
those results, it seems to me to be saying that the machine is
not completely joined (if DNS is correct) or has become out
of sync.

In this case, as a local admin you can disjoin from the domain,
that as a domain admin within the domain elsewhere clean up
by deleting the computer object.

 

[Roger Abell]

The machine was not cloned without use of sysprep was it ?