Logon Issues

  • Thread starter Thread starter Victor Fisher
  • Start date Start date
V

Victor Fisher

Got myself an interesting issue.

Our network:

Root Domain (Sys.AD) (Native Mode Windows 2000)
Child Domain (Corp.Sys.Ad) (Native Mode Windows 2000)
Child Domain (Web1.Sys.Ad) (Mixed mode Windows 2000)
Child Domain (Nt1.Sys.Ad) (Mixed mode Windows 2000)

I have verified the trusts between the domains.
All of our user accounts are in the child domain corp.sys.ad
Servers are in web1.sys.ad

The mixed mode domains were in-place upgrades from NT 4.0 domains.

The users in corp.sys.ad can not login to any machine in web1.sys.ad.
I know permissions are correct. I can log in to the machines with an
account from web1.sys.ad or nt1.sys.ad. The interesting thing is that
if I type the password incorrect multiple times, it will lock out the
account in corp.sys.ad, but if I continue to type the password
correct, it will never lockout, but never allow me to logon. I get
the message that "The system can not log you on, make sure your
username and password are correct...". Of course, I get a 529 event
in the security log.

If I logon to the server with an account in the local domain, and map
a drive, I can use my corp.sys.ad credentials and everything will work
fine.

Thanks in advance.
 
In
Victor Fisher said:
Got myself an interesting issue.

Our network:

Root Domain (Sys.AD) (Native Mode Windows 2000)
Child Domain (Corp.Sys.Ad) (Native Mode Windows 2000)
Child Domain (Web1.Sys.Ad) (Mixed mode Windows 2000)
Child Domain (Nt1.Sys.Ad) (Mixed mode Windows 2000)

I have verified the trusts between the domains.
All of our user accounts are in the child domain corp.sys.ad
Servers are in web1.sys.ad

The mixed mode domains were in-place upgrades from NT 4.0 domains.

The users in corp.sys.ad can not login to any machine in web1.sys.ad.
I know permissions are correct. I can log in to the machines with an
account from web1.sys.ad or nt1.sys.ad. The interesting thing is that
if I type the password incorrect multiple times, it will lock out the
account in corp.sys.ad, but if I continue to type the password
correct, it will never lockout, but never allow me to logon. I get
the message that "The system can not log you on, make sure your
username and password are correct...". Of course, I get a 529 event
in the security log.

If I logon to the server with an account in the local domain, and map
a drive, I can use my corp.sys.ad credentials and everything will work
fine.

Thanks in advance.
Click to expand...

How are the users logging in to the web1.sys.ad and nt1.sys.ad domain? Are
they using the UPN method or the NetBIOS legacy (3 line) method? If legacy
and this is a routed network, is WINS in place?

How is DNS configured? Is there one DNS server for the whole infrastructure
or is there a delegation? If delegation, is there a forwarder from the child
DNS to the parent and then a forwarder from the parent to the ISP?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Back
Top