Member server can't browse either Domain Controller

Discussion in 'Windows Server' started by Zonky, Jan 7, 2008.

  1. Zonky

    Zonky Guest

    I have a Windows 2000 server which can't browse to either domain
    controller.

    When I do gpresult I see the error "LookupAccountSid failed with 1789"
    throughout the result.

    I've seen http://support.microsoft.com/kb/262958
    http://support.microsoft.com/kb/246108 and have checked:

    My DNS is set to the two domain controllers, and I can use nslookup, which
    confirms I am using the domain controllers for DNS.

    The computer config in gpo above is set correctly.

    Furthermore, I can see in the Event Log:
    Windows cannot access the file gpt.ini for GPO The file must be present
    at the location <>. (). Group Policy processing aborted.

    It seems very much like this member server can't access either domain
    controller. It can talk to the C$ share on other member servers /
    workstations when using valid domain credentials.

    Domain Controllers are 2003 SBS 32 bit and 2003 64bit R2.

    There are other physical and virtual 2000 member servers which work fine.

    If I connect to \\domaincontroller\C$ (or any other share on the domain
    controllers), I get the username/password box popup. When I enter valid
    domain credentials, they are not accepted and the username/password box
    reappears.

    Help!

    Z.
     
    Zonky, Jan 7, 2008
    #1

  2. Zonky

    Zonky Guest

    I'd like to clarify: there are no firewalls present, software or otherwise,
    and I can ping the two servers and get replies.

    The Netlogon service on the member server is working correctly.

    I suspect it is some kind of authentication/encryption problem causing the
    failure of communication between the two, but I'm not really sure how to
    troubleshoot further.

    Z.
     
    Zonky, Jan 7, 2008
    #2

  3. Zonky

    Zonky Guest

    Further to this, I can see that the problem lies in the local security policy.

    For some reason,

    Digitally sign client communication (where possible) is disabled
    Digitally sign server communication (always) is disabled
    Digitally sign client communication (where possible) is disabled.

    I can change these in the local settings, but the effective setting remains
    disabled, I assume due to what the server thinks is a group policy override.

    Of course, since I can't connect to the Group Policy part of Active
    Directory, I can't force it to refresh the correct settings!

    This is a bit of a catch-22. Any ideas how to solve it?

    Z.
     
    Zonky, Jan 8, 2008
    #3
  4. Zonky

    Zonky Guest

    Solved!

    I found this document http://support.microsoft.com/kb/887429

    I enabled workstation signing in the registry:

    (Registry values associated with Group Policy configuration for Windows
    Server 2003, Windows XP, and Windows 2000

    Client
    In Windows Server 2003 and Windows XP, the "Microsoft network client:
    Digitally sign communications (if server agrees)" Group Policy, and in
    Windows 2000, the "Digitally sign client communication (when possible)"
    Group Policy, map to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
    Value Name: EnableSecuritySignature
    Data Type: REG_DWORD
    Data: 0 (disable), 1 (enable))

    And then I restarted the Workstation service.

    I logged back in as a domain account, and can now reach my domain
    controllers.


    Z.
     
    Zonky, Jan 8, 2008
    #4
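Added example for readers of this thread (it is not code from the thread, from Zonky, or from the Microsoft KB article): a script that audits the SMB signing registry values on a member server, shows why the combination Zonky found (client signing disabled against a Windows Server 2003 domain controller, whose Default Domain Controllers Policy requires server-side signing) produces the endless credential prompt, and applies the same fix as post #4. It assumes a modern Windows host with PowerShell run as Administrator; the poster's Windows 2000 box would need regedit or reg.exe instead. The client-side key and value name are the ones quoted from KB 887429 above; the LanmanServer mirror, the RequireSecuritySignature values and the DC name `DC1` are assumptions for the example.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumes: modern Windows, PowerShell run as Administrator.

$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'  # assumed mirror of the client key

function Get-SmbSigningState {
    # Read Enable/Require signing values for one side of SMB1.
    # A missing value means "OS default", reported as $null rather than 0.
    param([Parameter(Mandatory)][string]$Key)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key     = $Key
        Enable  = if ($null -ne $p.EnableSecuritySignature)  { [int]$p.EnableSecuritySignature }  else { $null }
        Require = if ($null -ne $p.RequireSecuritySignature) { [int]$p.RequireSecuritySignature } else { $null }
    }
}

function Test-SmbSigningCompatible {
    # SMB1 negotiation rule: a side that REQUIRES signing refuses a peer
    # that has signing DISABLED. Every other combination connects, and the
    # session is signed only when both sides have signing enabled.
    param(
        [int]$ClientEnable, [int]$ClientRequire,
        [int]$ServerEnable, [int]$ServerRequire
    )
    if ($ServerRequire -eq 1 -and $ClientEnable -eq 0) {
        return 'REJECTED: server requires signing, client has it disabled'
    }
    if ($ClientRequire -eq 1 -and $ServerEnable -eq 0) {
        return 'REJECTED: client requires signing, server has it disabled'
    }
    if ($ClientEnable -eq 1 -and $ServerEnable -eq 1) {
        return 'OK: session will be signed'
    }
    return 'OK: session will be unsigned'
}

# 1. The weak state from post #3 (client signing off) against a Server 2003
#    DC whose server side requires signing: this is the combination behind
#    the repeating username/password box and the gpt.ini errors.
Test-SmbSigningCompatible -ClientEnable 0 -ClientRequire 0 -ServerEnable 1 -ServerRequire 1

# 2. The corrected state after post #4 (client signing on).
Test-SmbSigningCompatible -ClientEnable 1 -ClientRequire 0 -ServerEnable 1 -ServerRequire 1

# 3. Audit what this machine actually has on both sides.
Get-SmbSigningState -Key $ClientKey
Get-SmbSigningState -Key $ServerKey

# 4. Repair, as the poster did: enable client-side signing and restart the
#    Workstation service so the redirector re-reads the value.
#    -Force also restarts dependents such as Netlogon.
Set-ItemProperty -Path $ClientKey -Name EnableSecuritySignature -Value 1 -Type DWord
Restart-Service -Name LanmanWorkstation -Force

# 5. Verify against a DC. SYSVOL is where gpt.ini lives, so reaching it is
#    exactly the access Group Policy processing needs.
$Dc = 'DC1'   # hypothetical DC name; replace with a real one
if (Test-Path "\\$Dc\SYSVOL") {
    "SYSVOL on $Dc is reachable; run gpupdate /force next"
} else {
    "Still cannot reach \\$Dc\SYSVOL; check the server-side values on the DC too"
}
```

Two caveats a practitioner would want. First, a local registry change is overwritten at the next Group Policy refresh if a GPO sets the same value; it stuck for Zonky only because the machine could not read any GPO, so the real fix is to find out which policy (or which manual change) turned client signing off in the first place and correct it there. Second, the LanmanServer side matters as well: the same rule in `Test-SmbSigningCompatible` applies in reverse when this machine is the server and a signing-required client connects to it.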
  5. Robert L. \(MS-MVP\), Jan 8, 2008
    #5
