Domain unavailable for some logons

zuke

Hello,

I've got a W2K AD network with static IP addresses all round. I use just a
couple of logon accounts for most of the 25 PCs. I have a couple of logons for
individuals.

I just set up a Linksys WRT54G wireless router/access point behind my
firewall. I set it up using WPA/AES, the network is bridged, not routed (as
in a gateway). I have, at the moment, just one laptop with wireless enabled,
with an Atheros WiFi chip and using the Atheros driver. I have physical
connectivity. I can log onto the domain with my Enterprise/Domain Admin
account. I can log on with just one of my Domain/User accounts.

Other Domain/User accounts return the following message at the logon prompt:
"This system cannot log you on now because the Domain "X" is not available"

But I can just enter my Domain/Admin logon account or the one Domain/User
account and it logs on, no error. If I use the incorrect password I get the
usual suggestion to "check my user name and password".

Any suggestions?

Zuke

Steven L Umbach

You probably have a DNS problem and the computer that you cannot log on to
with the domain account cannot find the domain controller. My guess is that
the reason you can log on with some accounts is because you are logging on
with "cached" domain credentials, which is enabled by default. Try pinging
the domain controller by its fully qualified domain name to see what
happens, run the support tool netdiag on that domain computer and the domain
controller, and use Event Viewer to check the logs on the domain computer
and domain controller. The link below shows how DNS MUST be configured for
an AD domain to work correctly, and NEVER configure any domain computer to
use the IP address of an ISP DNS server as a preferred DNS server anywhere
in the list. You can however configure your domain controller/DNS server to
forward to your ISP DNS server so that all domain computers can resolve
internet names as explained in the KB DNS article. Make sure that DHCP is
disabled on your router device so that only your domain controller is used
for DHCP. You can use the command ipconfig /all on any computer to see the
current IP configuration and what computer/device is acting as the DHCP
server. You only need to configure your DHCP scope or manually configure
computers with static IP addresses like your domain controller to use the IP
of your router as the default gateway. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 --- AD DNS FAQ.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- Netdiag
http://support.microsoft.com/kb/301423/ --- how to install support tools

zuke

I can ping the DC's FQDN from the laptop over the air.

RE: logging on with cached credentials, I was guessing that too, but it is
strange that one of the user logons that returns the "..domain unavailable"
complaint has logged on to this machine many times over the wire and so also
should have cached credentials.

I have no DHCP servers and yes, the router's DHCP has been disabled.

My client hosts' preferred DNS server settings already point to my two DNS
servers (one primary, the other a backup), and NOT to the ISP.

Regards,
Zuke

Steven L Umbach

Hmm. Log on to that computer with a domain account that you can and run the
support tool netdiag on it to see if any problems are found with DNS, DC
discovery, domain membership, or trust/secure channel, and post the results
in a reply here. Also run netdiag on the domain controller. The error
message usually means there is a problem finding or contacting the domain
controller. --- Steve

zuke

Hello,

So, I ran netdiag on the server, no problems.

Then on the two machines (one wired; one wireless) hooked up to the Linksys,
netdiag returned a "failed" for [fatal] "Kerberos does not have a ticket
for host..." All else passed. But these also say they have a secure channel,
not to the PDC, but to the secondary DC.

Is there any connection between Kerberos and joining the host to the AD
domain?

So, it appears I can go to the network from these hosts, but some data
cannot come from the LAN to these hosts. I am using a backup software that
also cannot find the host, whereas it could before.

I have a lot of other machines that work fine logging on and off, so I doubt
it is a DC config.

Any suggestions?
Regards,
Zuke

Steven L Umbach

There is a problem with netdiag, and the Kerberos error may not be of
any significance. It is OK to have a secure channel to any DC. If you could,
post the results of netdiag in a reply here from one of the domain computers
where you cannot log on as a domain user, and also the results of netdiag
/test:kerberos /debug and netdiag /test:dsgetdc /debug. Also post ipconfig
/all for each domain controller. --- Steve

Steven L Umbach

The info shown in the reports generated for netdiag contains all the info
that is included in ipconfig /all. Your reports all look great in that the
domain controllers and domain clients are configured correctly and
communicating with each other [well, at least after startup]. I believe the
problem is your wireless network. What happens is that wireless network
cards often do not initialize fast enough at startup to have network
connectivity and contact a domain controller. One solution to fix the
problem is to have the users that need to log on to the computer do so when
it is connected to the network by cable. That should create a cached logon
for that user, and by default a domain computer can store 10 cached logons.
This behavior is a security option controlled in Local Security Policy under
local policies/security options - number of previous logons to cache. Once
the user has a cached logon he can log on via the wireless network via the
cached logon, and then after the wireless network adapter initializes it will
have network connectivity and the user will be able to use domain resources.

Beyond that you could contact the manufacturer of your wireless equipment
and ask them if they have any solution, which could be a driver upgrade or a
registry change for the wireless adapter, or you may be stuck with
performance as is. There may be particular brands of wireless network
adapters that work better in an Active Directory domain environment, but I
can't recommend any based on my experience. You might also want to post in
the Active_directory newsgroup with a topic along the lines of "wireless
domain user logon problems" to see if anyone there has any recommendations
or experience with that problem. --- Steve
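As an added example (not code from the thread or from either poster), here is a PowerShell script that runs the checks Steve asked for on a modern domain client: preferred DNS servers are internal only, the DC locator SRV record resolves, the DC answers a ping by FQDN, the secure channel is healthy, and the "number of previous logons to cache" setting is read from the registry. $DomainFqdn and $InternalDns are assumed placeholders to replace with your own values.

```powershell
# Added example, not from the original thread. Run on a domain-joined client.
param(
    [string]$DomainFqdn  = 'corp.example.local',             # assumed placeholder
    [string[]]$InternalDns = @('192.0.2.10', '192.0.2.11')   # assumed DC/DNS IPs
)

$results = [ordered]@{}

# 1. Every configured DNS server must be one of ours. An ISP resolver here means
#    the client can never find a DC, which is exactly the "domain not available" symptom.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses.Count -gt 0 }
$foreign = $dns.ServerAddresses | Where-Object { $_ -notin $InternalDns }
$results['DnsInternalOnly'] = (-not $foreign)
$results['ForeignDnsServers'] = ($foreign -join ', ')

# 2. DC locator: clients find a DC through this SRV record (netdiag's dsgetdc test).
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" `
                       -ErrorAction SilentlyContinue
$srvRecs = @($srv | Where-Object { $_.Type -eq 'SRV' })
$results['DcSrvRecordFound'] = ($srvRecs.Count -gt 0)

# 3. Ping the first advertised DC by its FQDN, as asked in the thread.
$dcHost = if ($srvRecs.Count -gt 0) { $srvRecs[0].NameTarget } else { $null }
$results['DcHost'] = $dcHost
$results['DcReachable'] = if ($dcHost) {
    Test-Connection -ComputerName $dcHost -Count 1 -Quiet
} else { $false }

# 4. Secure channel to any DC (a channel to a non-PDC DC is fine, as Steve says).
$results['SecureChannelOk'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 5. Cached logons: the Local Security Policy option "number of previous logons
#    to cache" lives here as a REG_SZ. Default is 10; 0 disables cached logon
#    entirely, which is why a slow wireless adapter then blocks every domain logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$results['CachedLogonsCount'] = [int](Get-ItemProperty $winlogon).CachedLogonsCount

[pscustomobject]$results | Format-List
```

Run it once over the wire and once over the wireless adapter right after boot; a DnsInternalOnly or DcSrvRecordFound of False points at DNS, while everything True with logons still failing points at adapter start-up timing, which is what the thread ends up finding.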



zuke said:
Hello,

Here are most of the requested logs. Any suggestion on producing a text file
of the ipconfig /all output?

Interestingly I can unjoin the wireless laptop from the domain and then
join it again creating a new computer account with DNS entries. But then I
cannot log onto the domain now, even with cached credentials. I can always
log on using the NIC chip that runs the wire connection. Of course, I do
not have both the wireless and the wired connection enabled at the same
time.

It is interesting that there is enough connectivity with AD to delete or
create a computer account wirelessly, but not enough to log on to the
domain.

Thanks

zuke

Hello,
On the Toshiba A60 Satellite laptop there is an option in the Atheros
wireless chip config utility labeled "Let windows manage..."

Once I checked this, I opened the Windows (WinXP SP2) Wireless Networks
config and checked the box "Use Windows to configure my wireless settings",
opened the utility, entered my WPA/AES key, and rebooted.

Logons work fine now.

Whoot!
Zuke

Steven L Umbach

Cool! Thanks for reporting back what worked and glad you could configure
your wireless adapter to work for domain logon. --- Steve