can only login with upn after a password change policy applied

now this one is fun


on 50+ pc's we are getting this issue

we implemented a password change policy and after the first change we had
the user changed the password and they could login but get no domain service
( could not see the sysvol share on dc's )

event ID 1006 cannot bind to domain

(domain is win2k3)

can reset the users password via aduc, the user logs in ONCE and everything
seems fine can connect to everything

logout and login again can login but yet again 1006 cant bind to domain

now we lock workstation log back in and it works fine, untill you log out
again

each time this happens I get a login faliure on the the dc

blimy yes I havn't had one this good for years

now I found the fix it is to login in once using the users upn

wow very nice all good and Im happy ( took about 3 days )

BUT

WTF could be causing this, there are no stored passwords on the pc (looking
in control pannel) rejoing the pc to the domain dosn't help yet the user
seems to only have the problem on that machine has happened on 2k and xp
(fully service packed)

reason I ask is by looking in the security event log of the dc we are
getting serious amounts of failures and I guess allot of our users are happy
not to get the nice domain secuirty and browse the internet all day
downlading games and changing desktops as all dns \ dhcp seems to be working
fine

should i also mention we did a domain rename 1 1/2 years ago and it looks
like the only users that are been effected are pre domain change

a problem shared is a ...........

all ideas welcome

 

In

First "guess" is something with the NetBIOS domain name for the pre-domain
name change. How about (probably won't like this idea) delete those users
and recreate them?



--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]

 

cheers

situation getting worse, ad boxes are now comming up with the 1006 error
which kickes every pc of the domain for a second or so and carries on

the only way we can get tis to happen on spec is to start and stop mail
stores (exchange 2k3) other wise its happening 3\ 4 times a day

we are getting lots more 675 login failures but looking at the pc's the user
seems logged in fine

have tried to reset kerberos password but thats hasn't fixed

 

In

I apologize for the late response.

Curious, if you are still monitoring this thread, can you provide us with an
ipconfig /all of a DC and a sample user? I would like to make sure all
machines are only using the intenral DNS servers (and not the ISP's or some
other external DNS that does not host the AD zone name).

Ace

 

sorry for the late reply been away from the office

We have logged a support call with MS, about 10 days ago now and they are
still struggling to find a fix

DC's and DNS are all fine

thanks for help ... any more ideas welcome : )

 

In

Interesting. If you can, please post what PSS believes the problem is and
what they did to fix it.

Thanks!

Ace