can only login with upn after a password change policy applied

Discussion in 'Active Directory' started by Richard Danson, Jun 27, 2006.

  1. now this one is fun


    on 50+ pc's we are getting this issue

    we implemented a password change policy and after the first change we had
    the user changed the password and they could login but get no domain service
    ( could not see the sysvol share on dc's )

    event ID 1006 cannot bind to domain

    (domain is win2k3)

    can reset the users password via aduc, the user logs in ONCE and everything
    seems fine can connect to everything

    logout and login again can login but yet again 1006 can't bind to domain

    now we lock workstation log back in and it works fine, until you log out
    again

    each time this happens I get a login failure on the DC

    blimey yes I haven't had one this good for years

    now I found the fix it is to log in once using the user's UPN

    wow very nice all good and I'm happy ( took about 3 days )

    BUT

    WTF could be causing this, there are no stored passwords on the pc (looking
    in control panel) rejoining the pc to the domain doesn't help yet the user
    seems to only have the problem on that machine has happened on 2k and xp
    (fully service packed)

    reason I ask is by looking in the security event log of the dc we are
    getting serious amounts of failures and I guess a lot of our users are happy
    not to get the nice domain security and browse the internet all day
    downloading games and changing desktops as all dns \ dhcp seems to be working
    fine

    should I also mention we did a domain rename 1 1/2 years ago and it looks
    like the only users that are being affected are pre domain change

    a problem shared is a ...........

    all ideas welcome
     
    Richard Danson, Jun 27, 2006
    #1

  2.
    First "guess" is something with the NetBIOS domain name for the pre-domain
    name change. How about (probably won't like this idea) delete those users
    and recreate them?

    :)

    --
    Ace

     
    Ace Fekay [MVP], Jun 29, 2006
    #2

  3. cheers

    situation getting worse, ad boxes are now coming up with the 1006 error
    which kicks every pc off the domain for a second or so and carries on

    the only way we can get this to happen on spec is to start and stop mail
    stores (exchange 2k3) otherwise it's happening 3\ 4 times a day

    we are getting lots more 675 login failures but looking at the pc's the user
    seems logged in fine

    have tried to reset kerberos password but that hasn't fixed it

     
    Richard Danson, Jun 29, 2006
    #3
  4.
    I apologize for the late response.

    Curious, if you are still monitoring this thread, can you provide us with an
    ipconfig /all of a DC and a sample user? I would like to make sure all
    machines are only using the internal DNS servers (and not the ISP's or some
    other external DNS that does not host the AD zone name).

    Ace
     
    Ace Fekay [MVP], Jul 2, 2006
    #4
  5. sorry for the late reply been away from the office

    We have logged a support call with MS, about 10 days ago now and they are
    still struggling to find a fix

    DC's and DNS are all fine

    thanks for help ... any more ideas welcome : )
     
    Richard Danson, Jul 10, 2006
    #5
  6.
    Interesting. If you can, please post what PSS believes the problem is and
    what they did to fix it.

    Thanks!

    Ace
     
    Ace Fekay [MVP], Jul 12, 2006
    #6