Certain clients not able to bind to domain or receive group policy

Discussion in 'Windows Small Business Server' started by Bill A, Mar 14, 2006.

  1. Bill A

    Bill A Guest

    I have an SBS 2003 Server and certain clients are getting problems with it.
    They cannot log in for a long time, and when they do, it comes up with errors
    like:
    (these errors come up on the workstation, not the server):

    Event 40961
    LSASRV
    The security system could not establish a secured connection with the
    server. No authentication protocol was available.

    Event 40960
    SPNEGO
    The Security System detected an attempted downgrade attack for server
    ldap/sbs.mydomain.com/. The failure code from
    authentication protocol Kerberos was "There are currently no logon servers
    available to service the logon request.
    (0xc000005e)".

    Event 1006
    Windows cannot bind to mydomain.com domain (local error). Group policy
    processing aborted.

    Event 1030
    UserENV
    Windows cannot query for the list of Group policy objects. A message that
    describes the reason for this was previously logged by the policy engine


    When the server is rebooted, these problems do not come up for several
    hours. When they do come up, it is with certain users on certain
    workstations. If user "a" logs into a workstation, they may do so with no
    problem. However, if user "b" logs into the very same problem, these issues
    will come up.

    The DNS tests all check out. I can connect to the sysvol share on the DC.

    Any ideas?

    Thank you.
     
    Bill A, Mar 14, 2006
    #1

  2. Bill A

    Crina Li Guest

    Hi Bill,

    Thank you for posting in SBS newsgroup.

    From the description, I understand the issue to be: Certain users cannot
    log on to the domain and get errors when they log on to a client computer. If I
    have misunderstood your concerns, please do not hesitate to let me know.

    Actually this issue can occur if the user accounts or computer accounts are
    corrupted. To narrow down the problem, would you please help me collect the
    following information?

    1. Have you made any changes on these problematic users or computers?
    2. When does the situation occur?
    3. Do you have sufficient CALs on SBS?
    4. Does the situation occur when the problematic users log on to all
    computers?
    5. Are there any related errors in the event log on SBS?

    Currently please try the following steps:

    For problematic users:

    1. Open the Server Management console.
    2. Click Change User permission properties in the task pad.
    3. In the template selection page of the wizard, please choose User
    Template.
    4. In the same page, please click "Add permissions to any previous
    permissions granted to the users".
    5. In the User Selection page, please click the problematic users in the
    users list and click Add to add them.
    6. Finish the wizard and test your issue again.
    7. If it does not help, please try to remove the account and recreate the
    user account to see how things go.

    For problematic computers:

    Please disjoin and rejoin the computers to the domain:

    1. In client computer, right-click My Computer and then select Properties.
    2. In Computer Name tab, click Change and then change the computer from
    Domain to Workgroup.
    3. Reboot the machine.
    4. Log on as a local administrator account
    5. In client computer, open IE and run http://servername/connectcomputer
    6. Follow the wizard to finish.
    7. If it does not help, you may need to open the Computers or My
    Business\Computers\SBSComputers container. Right click on a computer
    account and choose Delete.
    8. Please try to join the clients into the domain again.

    Also please make sure all clients point to the SBS server's internal IP
    address as their ONLY DNS server. Also both network adapters on the SBS
    server are pointing to the SBS internal IP address of the only DNS server.
    In DNS, use forwarder to forward all name resolution requests to the ISP's
    DNS server. For more information, please refer to the following Microsoft
    Knowledge Base article:

    825763 How to configure Internet access in Windows Small Business Server
    2003
    http://support.microsoft.com/?id=825763

    More information:

    823712 Event IDs 40960 and 40961 in the System Event Log When You Restart
    http://support.microsoft.com/?id=823712

    824217 LSASRV Event IDs 40960 and 40961 When You Promote a Server to a
    Domain
    http://support.microsoft.com/?id=824217

    826819 The Server Stops Responding and an Access Violation Occurs in
    Lsass.exe
    http://support.microsoft.com/?id=826819

    I appreciate your time and look forward to hearing from you.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Crina Li, Mar 15, 2006
    #2

  3. Bill A

    Bill A Guest

    Thank you for your efforts. Unfortunately, these suggestions are typical of
    other solutions I have found in my search, all of which are to no avail.

    I did try these things once again, but the results were the same, and it did
    not fix the problem.

    I finally had to open a service call with Microsoft PSS. We do have the
    problem now solved.

    The issue is reflected in KB244474.
    http://support.microsoft.com/kb/244474/en-us

    This was a very frustrating issue to troubleshoot and I am at a loss as to
    why it suddenly "decided" to lose communication in this way. However,
    forcing Kerberos to be passed along with TCP instead of UDP has solved the
    problem.

    Thank you for your assistance. I hope that by posting this information, it
    will save others the grief.

    Bill A.
     
    Bill A, Mar 26, 2006
    #3
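
The fix described in post #3, as an added example that is not part of the thread: a PowerShell audit of a client's Kerberos transport setting alongside the LSASRV events 40960/40961 from the first post. The registry value is MaxPacketSize as documented in KB244474; the function names are hypothetical, and Get-WinEvent assumes a client newer than the XP-era workstations in the thread.

```powershell
# Added example. Registry path and value name per KB244474; function names are hypothetical.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosTransport {
    # MaxPacketSize caps the size (bytes) of a Kerberos message sent over UDP.
    # With the value 1 every message exceeds the cap, so the client uses TCP.
    $value = $null
    if (Test-Path $KerbParams) {
        $prop = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.MaxPacketSize }
    }
    $transport = if ($null -eq $value) { 'not set (OS default applies)' }
        elseif ($value -eq 1) { 'TCP forced' }
        else { "UDP allowed up to $value bytes" }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        MaxPacketSize = $value
        Transport     = $transport
    }
}

function Get-LsaSrvAuthEvents {
    # Events 40960/40961 are the workstation-side symptoms quoted in the first post.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'System'
        Id        = 40960, 40961
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'lsasrv' } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Set-KerberosTcpOnly {
    # Writes MaxPacketSize = 1 (REG_DWORD). Needs an elevated session;
    # KB244474 calls for a restart before the change takes effect.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($KerbParams, 'Set MaxPacketSize = 1')) {
        if (-not (Test-Path $KerbParams)) {
            New-Item -Path $KerbParams -Force | Out-Null
        }
        New-ItemProperty -Path $KerbParams -Name MaxPacketSize `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report the current state; change nothing unless Set-KerberosTcpOnly is called.
$state  = Get-KerberosTransport
$events = @(Get-LsaSrvAuthEvents -Days 7)
$state | Format-List
$events | Format-Table -AutoSize
if ($events.Count -gt 0 -and $state.MaxPacketSize -ne 1) {
    Write-Warning ("{0} LSASRV event(s) in the last 7 days and Kerberos is not forced to TCP. " +
        "Preview the change with: Set-KerberosTcpOnly -WhatIf") -f $events.Count
}
```
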
  4. Bill A

    Crina Li Guest

    Hi Bill,

    Thanks for your efforts and time on the issue.

    I am glad to hear the problem is resolved. Also thanks for your great
    sharing.

    It is my pleasure to work with you in this post. If you encounter any
    difficulties in the future, please submit the post to the newsgroup. We
    are glad to be of assistance.

    Again, thank you for using Microsoft newsgroup. Have a nice day. :)

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

     
    Crina Li, Mar 27, 2006
    #4
  5. Bill A

    Bill A Guest

    Hi Crina,

    Thank you for your response. I appreciate your correspondence. This was a
    very difficult issue to solve, and it took the support engineers some time to
    find it.

    This was my first post to the newsgroups, but of course, I will try it again
    if I need to in the future. Thank you and have a nice day.

    Bill
     
    Bill A, Mar 27, 2006
    #5