New users added to a Win 2000 server can't log on


Michael Cantkier

Hello,

I have a Windows 2000 Server sp4 that has about 200 users on it. Recently
when I add new users to the server they cannot log on from their
workstations. Existing users can log on from any workstation but the new
users cannot. I have also tried copying existing users but still no luck.

When logging on from the workstation I receive the standard error as if I
typed an incorrect password:
----------------------
"The system could not log you on. Make sure your User Name and Domain are
correct, then type your password again. Letters in passwords must be typed
using the correct case. Make sure the caps lock isn't on."
----------------------


This generates the following error in the Security log on the server:
----------------------
Event ID: 537

Logon Failure:
Reason: An unexpected error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
----------------------


Also if I log on to the workstation as an Administrator and try to add the
user (Control Panel/Users and Passwords/Add/Browse) I can see the user in
the directory. When I select the user I get the following error:
----------------------
"Processing of object <user> failed with the following error:
Name Translation: Generic processing error."
----------------------


The last bit of information I can add is that I am able to log in as the new
user at the server console. Just not at any workstation.

Any help or ideas would be most appreciated.

Many thanks in advance,
Michael
 
I've seen such an error message (unexpected error...) as a result of users'
password expiration. Is that your single DC?
 
We have a PDC and one BDC. I just checked on my BDC and noticed that the new
users that I added to the PDC are not visible. Looking into that issue now.
 
So you definitely have a replication problem. And the new users getting
logon errors are authenticating at the other DC which does not have the new
user account objects replicated to it.
 
Forgive me for my lack of knowledge on this subject but how should I begin
troubleshooting replication?

Thanks,
Michael
 
You can start by checking your DNS configuration on both domain controllers.
Running dcdiag /c /v (support tools utility) won't hurt either. And check
event logs for any suspicious entries.
 
I fixed it. I had to set the clocks to be "within 5 minutes of each other"
and then reset the secure channels. Replication fired up and everything
sync'd. Now able to add new users and actually log them on.

Thanks again,
Michael
 
Hi Michael,
Be careful as I had the same problem and you have not
resolved the problem so far. You have to sync either the
PDC and BDC to one time server and then let that server
be the "time-server" for your domain. All the machines
will sync themselves with that server. The problem you
had was very small. I had a major problem when no user
was allowed to log in and then I had to sync the time on
both servers using NET TIME and restarting the "Time
Services".
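
The fix in the posts above depends on the domain controllers' clocks agreeing to within five minutes. As an added example (not part of the thread), this Python code computes each server's clock offset from an SNTP reply and lists any pair of hosts further apart than that tolerance; the host names `pdc` and `bdc`, the helper names and the sample replies are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300       # the "within 5 minutes of each other" limit from the thread


def _ts(buf, off):
    """Decode a 64-bit NTP timestamp (32.32 fixed point) into Unix seconds."""
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_EPOCH_DELTA + frac / 2**32


def sntp_offset(reply, t1, t4):
    """Offset (server clock minus local clock) from a 48-byte SNTP reply.
    t1 = local time the request was sent, t4 = local time the reply arrived."""
    if len(reply) < 48:
        raise ValueError("short SNTP packet")
    if reply[0] & 0x07 != 4:          # mode 4 = server
        raise ValueError("not a server reply")
    t2 = _ts(reply, 32)               # server receive timestamp
    t3 = _ts(reply, 40)               # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2


def skew_report(offsets, limit=KERBEROS_MAX_SKEW):
    """offsets: {host: offset_seconds}. Return (host_a, host_b, skew) for each
    pair whose clocks differ by more than `limit` seconds."""
    hosts = sorted(offsets)
    return [(a, b, abs(offsets[a] - offsets[b]))
            for i, a in enumerate(hosts) for b in hosts[i + 1:]
            if abs(offsets[a] - offsets[b]) > limit]


def make_reply(server_time):
    """Constructed sample: a minimal server-mode reply stamped with server_time."""
    sec = int(server_time) + NTP_EPOCH_DELTA
    return struct.pack("!B31xIIII", 0x1C, sec, 0, sec, 0)  # 0x1C = VN 3, mode 4


def demo():
    """Constructed scenario: the second DC's clock runs 7 minutes ahead."""
    t1 = 1_000_000_000.0              # local send time (constructed)
    t4 = t1 + 0.5                     # local receive time (constructed)
    offsets = {"pdc": sntp_offset(make_reply(t1), t1, t4),
               "bdc": sntp_offset(make_reply(t1 + 420), t1, t4)}
    return skew_report(offsets)


if __name__ == "__main__":
    for a, b, skew in demo():
        print(f"{a} and {b} differ by {skew:.1f}s (limit {KERBEROS_MAX_SKEW}s)")
```

To use it against live servers, send a 48-byte SNTP client request to UDP port 123 on each domain controller and pass the reply to `sntp_offset` together with the local send and receive times.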
 