Win 98 logon problems in 2000 domain


Ed A.

Ok, after searching the knowledge base, I'm at my wits'
end. All my 2000 pro workstations logon to the 2000 adv.
server and access resources fine. The DC computer doesn't
show up in the net neighbor browser, but can be accessed
by using \\servername. None of the 98 workstations will
logon. I get the "wrong password or access denied"
message. I've installed the Active Directory Client for
98. I've edited the registry to use NTLM 2 security.
I've removed the NetBEUI protocol so there's only one
protocol (IP) to prevent conflicts. I've changed the
server security settings to use LM, NTLM, or NTLM 2. I've
added the computer accounts. On two of the boxes, I got
on after I had renamed the computers and added the new
names. I was able to log on with admin account and a user
account. But after I left and came back, I logged off and
then back on to test it and it was denied. I'm logging on
as administrator, so it's not a permissions issue. Hope
someone can help. Ed
 
Do you have DNS servers integrated with active
directory? 2000 insists on being a dns server for
correct active directory integration. If you are using
DHCP, does your DHCP server assign the DNS server ip of
the Active Directory DNS server to your DHCP clients?

-dave
 

Try this:

1. Create a new domain admin account, e.g. Win98.
2. Set the Win98 PC to log on ***without*** NT domain validation.
3. Log on at the Win98 PC as "Win98", with the correct
password specified in Step 1 above.
4. Run this command from a DOS prompt:
net use x: \\YourServer\SomeShare

What do you get?
 
Make sure that netbios over tcp/ip is enabled on the domain controller as shown in
tcp/ip properties/advanced/wins. That is a prime suspect since it does not show in My
Network Places. If you run nbtstat -n on the domain controller it should show at
least three entries and probably more including master browser. Since you are using
downlevel clients, you should be running wins in the domain and the domain
controllers need to be wins clients. The domain controllers should not be multihomed
or rras servers if at all possible or problems may occur. If any are, make sure that
in network connections/advanced settings that the nic for the internal lan is at the
top of the priority list. Additionally I would run first netdiag and then dcdiag on
the domain controller looking for any failed tests that may indicate the problem and
check Event Viewer for any reported problems that may be a clue.

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708

In Domain Controller Security Policy I would configure the following security
options, at least until the problem is resolved. Set the lan manager authentication
level to "send ntlmV2 responses only" and there are four options for digitally sign
communications. Set the two that include "always" to disabled. Then run [ secedit
/refreshpolicy machine_policy /enforce ] on the domain controller. If you still have
no luck see the KB article in the link below and review the sections on "examples of
compatibility problems". I don't know exactly what you did but you can not join
Windows 98 computer accounts to the domain even though you may have added the
computer names to the computers container in Active Directory. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
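
An added example, not part of the thread and not Microsoft tooling: a Python check that reads the `[Registry Values]` section of a security-template INF and reports which of the two settings named in the post above would refuse a given client. The sample INF is constructed; treating a missing `LmCompatibilityLevel` as 0 and the `client_sends` / `client_can_sign` inputs are assumptions.

```python
# Constructed security-template INF excerpt (not from the thread); type 4 = REG_DWORD.
SAMPLE_INF = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

LSA_LEVEL = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"
SRV_REQUIRE = (r"machine\system\currentcontrolset\services\lanmanserver"
               r"\parameters\requiresecuritysignature")


def parse_registry_values(inf_text):
    """Return {lower-cased value path: int} for REG_DWORD entries."""
    values, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line and not line.startswith(";"):
            path, data = line.split("=", 1)
            reg_type, _, raw = data.partition(",")
            if reg_type.strip() == "4":
                values[path.strip().lower()] = int(raw)
    return values


def dc_accepts(level):
    """Response types a domain controller accepts at an LmCompatibilityLevel."""
    if level >= 5:
        return {"NTLMv2"}            # refuses LM and NTLM
    if level == 4:
        return {"NTLM", "NTLMv2"}    # refuses LM
    return {"LM", "NTLM", "NTLMv2"}  # levels 0-3 accept all three


def logon_blockers(inf_text, client_sends, client_can_sign):
    """List the DC settings that would refuse this client (empty list = none)."""
    values = parse_registry_values(inf_text)
    level = values.get(LSA_LEVEL, 0)  # assumption: absent value means level 0
    blockers = []
    if not set(client_sends) & dc_accepts(level):
        blockers.append(f"DC level {level} refuses {sorted(client_sends)}")
    if values.get(SRV_REQUIRE, 0) == 1 and not client_can_sign:
        blockers.append("DC requires SMB signing; client cannot sign")
    return blockers
```

Level 3 is the "send NTLMv2 responses only" setting; a DC at that level still accepts LM, NTLM and NTLMv2 from clients, so moving to it and disabling the "always" signing requirement clears both blockers for an LM-only client.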
 
Also, on the Win98 machines configure the NT domain logon with the NetBIOS
name of the domain - NOT the fully qualified domain name.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
-----Original Message-----
Do you have DNS servers integrated with active
directory? 2000 insists on being a dns server for
correct active directory integration. If you are using
DHCP, does your DHCP server assign the DNS server ip of
the Active Directory DNS server to your DHCP clients?

-dave

Yes, I have both dns and wins set up. I only have one DC
and it is the server for both services. I can ping the
server by name from the 98 boxes, so I know these services
are working. Just can't logon. I am not using
DHCP...just static IP's. I have added the A host of the
98 boxes in the dns forward lookup and reverse lookup
lists.
 
Steve, if I can't add the computer accounts by adding them
to computer container in AD, how do I do it? Don't they
have to have an account to logon?
Ed
 
Only NT type operating systems such as NT4.0/W2K/XP Pro/W2003 can actually "join" a
domain. Users on Windows 98 can logon to the domain as a domain user and access
domain resources however. The advantage of having a computer that can join the domain
is better security and configuration of options centrally such as security policy,
user rights, and Group Policy in Windows 2000 and newer operating systems. You can
add computer accounts to the AD container but that does not mean the computer is
"joined" to the domain. Reasons to add the computer account ahead of time would be to
permit computers to be joined to the non default container and for users to join the
computer that actually do not have the user right to add workstations to the domain
or create computer objects. To join a Windows 2000 computer to the domain you use
System Properties [right click My Computer/properties] /computer name/change and you
have the option to join a domain. --- Steve


 
Thanks Steve. I went to the sites you listed in your
first post and noted some of the things that I thought
might be interfering with the logon. I went to the server
and changed those properties in the DC group policy. The
two 98 clients I was working with are able to log on now.
I'm going to see if the others will follow suit. I still
have a problem with DNS though. When I ran dcdiag, it
failed the connectivity test because the GUID didn't
resolve. I'm reading the knowledge base about what to
do. Something I've done in the last 2 days has messed it
up. Before I could ping every name in the DNS list from
any workstation, but now my fqdn won't ping.
 
Make sure that your domain controller is pointing to itself via its assigned
static IP address as its preferred dns server in tcp/ip properties as shown
by Ipconfig /all. If you change your dns configuration run first netdiag
/fix on it and then restart the netlogon service. See the link below on
configuring dns in an Active Directory domain. That would be the first step
in resolving your problem. Event Viewer can also be very helpful in
tracking down problems. Also make sure that the dhcp client service is
running on your domain controller.--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294328 -- may also
be helpful
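
An added example, not part of the thread: a Python check over `ipconfig /all` text that flags a domain controller whose preferred DNS server is not its own address, or that lists resolvers outside the Active Directory DNS set. The sample output and its addresses are constructed, and the single-DC default (only the DC's own IP is allowed) is an assumption matching the setup described in this thread.

```python
import re

# Constructed `ipconfig /all` excerpt; addresses are private/documentation
# ranges, not values from the thread.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example NIC
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.10
"""

FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_adapter(text):
    """Return (ip_addresses, dns_servers) from one adapter block."""
    fields, current = {}, None
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            current = match.group(1).strip()
            fields.setdefault(current, [])
            if match.group(2).strip():
                fields[current].append(match.group(2).strip())
        elif current and IPV4.match(line.strip()):
            # Extra DNS servers appear as indented continuation lines.
            fields[current].append(line.strip())
    return fields.get("IP Address", []), fields.get("DNS Servers", [])


def dns_findings(text, ad_dns_servers=None):
    """Report DNS client settings that differ from the advice in the post above."""
    ips, dns = parse_adapter(text)
    allowed = set(ad_dns_servers or ips)  # assumption: single DC, only itself
    findings = []
    if not dns or dns[0] not in ips:
        findings.append("preferred DNS server is not this DC's own address")
    for server in dns:
        if server not in allowed:
            findings.append(f"{server} is not an Active Directory DNS server")
    return findings
```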

 
Pointing it to itself and removing the ISP dns entries
fixed the problem. In the help section of the server, I
had read that the server should not point to itself, but I
guess that's if there is another main dns server. This is
the only one.
Thanks for taking the time to reply to my questions. Your
help has made the difference for me. Again, thank you
very much, Steve.
Ed
 