Re: Access denied to domain after joining the domain, HELP!

From: Steven L Umbach (n9rou_at_attbi.com)
Date: 06/11/03


Date: Tue, 10 Jun 2003 23:48:43 GMT


I would run netdiag, possibly with the /v switch, on one of the problem
computers, looking for errors. If any are found, you could use the debug
switch for more detailed info on the failed test. Make sure that you are using
the proper DNS server on the problem computers, and never have an ISP DNS
server listed in the preferred DNS server TCP/IP configuration. Another
thing to try until the problem is cleared up: if you have your DNS zone set to
only accept secure dynamic updates, change it to just dynamic updates. If
you are using IPsec, there can be problems if you use the require policy on
a domain controller. See links to KB articles. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b257734
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b258503
http://www.jsiinc.com/SUBM/tip6000/rh6056.htm
http://support.microsoft.com/default.aspx?scid=kb;EN-US;254949

"Donald P Crawford" <crawford@ksu.edu> wrote in message
news:0d1a01c32f5b$c1f98330$a301280a@phx.gbl...
> Greetings,
>
> We recently started having some problems with accessing
> domain resources after adding a computer to the domain.
> When the computer is NOT in the domain, user can logon
> and access resources with no problem. Immediately
> after adding the computer to the domain, we see the
> following two errors in the system logs:
>
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5789
> Date: 6/9/2003
> Time: 1:38:12 PM
> User: N/A
> Computer: RCP0006
> Description:
> Attempt to update DNS Host Name of the computer object in
> Active Directory failed. The updated value
> was 'rcp0006.dept.schoolname.edu'. The following
> error occurred:
> The security context could not be established due to a
> failure in the requested quality of service (e.g. mutual
> authentication or delegation).
>
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5788
> Date: 6/9/2003
> Time: 1:38:12 PM
> User: N/A
> Computer: RCP0006
> Description:
> Attempt to update HOST Service Principal Names (SPNs) of
> the computer object in Active Directory failed. The
> updated values were '<UNAVAILABLE>' and
> '<UNAVAILABLE>'. The following error occurred:
> The security context could not be established due to a
> failure in the requested quality of service (e.g. mutual
> authentication or delegation).
>
> The computer welcomes us to the domain and looking at the
> Active Directory on the server we see the computer has
> been added. Nothing suspicious appears in the server
> logs.
>
> After rebooting the computer, we logon to the domain with
> no errors. We then try to access the server and we
> receive the following error:
>
> \\servername is not accessible.
> There are currently no logon servers available to service
> the logon request.
>
> Looking at the local system log we see the following,
> both of these are slightly different than the ones above:
>
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5789
> Date: 6/9/2003
> Time: 1:44:26 PM
> User: N/A
> Computer: RCP0006
> Description:
> Attempt to update DNS Host Name of the computer object in
> Active Directory failed. The updated value
> was 'rcp0006.dept.schoolname.edu'. The following
> error occurred:
> Could not find the domain controller for this domain.
>
> Event Type: Error
> Event Source: NETLOGON
> Event Category: None
> Event ID: 5788
> Date: 6/9/2003
> Time: 1:44:26 PM
> User: N/A
> Computer: RCP0006
> Description:
> Attempt to update HOST Service Principal Names (SPNs) of
> the computer object in Active Directory failed. The
> updated values were '<UNAVAILABLE>' and
> '<UNAVAILABLE>'. The following error occurred:
> Could not find the domain controller for this domain.
>
> In the application log we see:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1000
> Date: 6/9/2003
> Time: 1:44:30 PM
> User: NT AUTHORITY\SYSTEM
> Computer: RCP0006
> Description:
> Windows cannot determine the user or computer name.
> Return value (1908).
>
> Again, nothing appears suspicious in the server logs.
>
> We have verified the problem on several PCs so far. We
> were in the process of preparing a school lab and had
> reformatted several machines.
>
> We imported the domain server's LMHOSTS file, and
> an 'nbtstat -c' reflects the server and domain info
> correctly.
>
> Two recent changes were made to the server around the
> same time we started having these problems. Installed
> Q811114 security update at the end of May, and we also
> granted the "Create Computer Objects" and "Delete Computer
> Objects" Access Control Entries (ACEs) to Authenticated
> Users as per KB251335. We have uninstalled that security
> patch and the problem persists. We also removed
> permission for Authenticated Users that we had granted.
> Still no change in the problem.
>
> Computers that have been in the domain prior to us seeing
> these problems, haven't experienced errors yet. However,
> we have another server in the domain that has started
> getting the same error:
>
> \\servername is not accessible.
> There are currently no logon servers available to service
> the logon request.
>
> When we restart IPSEC service on that server, the problem
> goes away.
>
> Restarting IPSEC on the workstations does not cause the
> problem to go away.
>
> Folks, we are in a pinch and we have been fighting this
> problem for about two weeks... Any help or tips would be
> greatly appreciated!
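
The DNS check recommended in the reply, as an added example that is not part of either post: it asks every DNS server configured on the client for the domain controller locator SRV record, so a server that cannot find a DC (an ISP resolver, for instance) stands out. It assumes a current Windows client with the DnsClient PowerShell module rather than the 2003-era netdiag tool, and the domain name is a placeholder.

```powershell
# Added example (not from the thread). Checks whether each DNS server this
# client is configured to use can resolve the DC locator SRV record.
# $DomainDnsName is a placeholder; pass the real AD DNS domain name.
param(
    [string]$DomainDnsName = 'dept.example.edu'
)

# Record that domain members query to locate a domain controller.
$srvName = "_ldap._tcp.dc._msdcs.$DomainDnsName"

# Every IPv4 DNS server listed on any adapter, de-duplicated.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique

$results = foreach ($server in $servers) {
    try {
        # -DnsOnly keeps LLMNR/NetBIOS out of the answer; -Server queries
        # this one resolver directly instead of the client's normal order.
        $answers = Resolve-DnsName -Name $srvName -Type SRV -Server $server `
                                   -DnsOnly -ErrorAction Stop
        $dcs = $answers |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget
        [pscustomobject]@{
            DnsServer = $server
            FindsDC   = [bool]$dcs
            Detail    = ($dcs -join ', ')
        }
    }
    catch {
        # NXDOMAIN, timeout or refusal: this resolver cannot locate a DC.
        [pscustomobject]@{
            DnsServer = $server
            FindsDC   = $false
            Detail    = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

# Any configured server that fails is a candidate for removal from the
# client's DNS list, per the advice in the reply.
if ($results | Where-Object { -not $_.FindsDC }) {
    Write-Warning "At least one configured DNS server cannot resolve $srvName"
}
```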