Monday, February 25, 2008

There's No Reason, Active Directory Just Hates You

The Problem

Today is Monday. In addition to a morning coffee I got to start off the week with a pretty angry error when I tried to log in to the domain this morning. It looked a whole lot like:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.

Luckily for me, I have multiple machines and was still able to log in from another computer and start troubleshooting this Monday special.

I decided to log in to my machine under a local administrator account and look in the event log; sure enough, I found some errors in the System category.

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 3210
Date: 2/25/2008
Time: 12:06:33 PM
User: N/A
Computer: W2K3-TYLER-VIRT
Description:
This computer could not authenticate with \\[DC].[DOMAINNAME].com, a Windows domain controller for domain [DOMAINNAME], and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

Even more fortunately, I have Domain Administrator credentials and can log in to the domain controller and poke around a bit. On the server, there was this error in the event log:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: 2/25/2008
Time: 10:45:28 AM
User: N/A
Computer: [DC]
Description:
The session setup from the computer W2K3-TYLER-VIRT failed to authenticate. The name(s) of the account(s) referenced in the security database is W2K3-TYLER-VIRT$. The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I didn't find a KB article that fixed this nicely (which is why I'm writing this in the first place). I did, however, get a high-level explanation of what was going on from various forums, KBs, blogs, etc.

The Explanation (attempt)

Every domain member has a machine account in Active Directory (W2K3-TYLER-VIRT$ in the 5722 event above) with a password that only the member and the domain controllers know. The member's Netlogon service uses that password to set up what's called a Secure Channel to a domain controller, and everything that needs the domain (your own logon, group policy, Kerberos tickets) rides on it. The password is therefore stored on your machine AND on the domain controller. By default it changes every 30 days, and it is the member, not the domain controller, that initiates the change: the MaximumPasswordAge value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters sets the interval, the member generates the new password, writes it to the domain controller's copy of the account, then stores it locally. The domain controller keeps the previous password as well, so a change that is lost in transit does not break the channel. What does break it is the two copies drifting apart: the domain controller holds a password this machine never had, or, more often, the machine is rolled back to an older one. That is exactly what happens when a virtual machine snapshot or a disk image from before the last change is restored, or when another machine joins the domain under the same name and overwrites the account. The domain controller then sees a session setup with a password it does not recognize, logs 5722 with "Access is denied", and the client logs 3210 and starts refusing domain logons.

You could also get this error if a second machine on the network uses the same computer name (cloned VMs are the classic case, and the 3210 text says as much) or if you've been messing with the NETDOM utility in an unhealthy way. A duplicate local machine SID by itself does not confuse the domain controller; the computer account gets its own domain SID at join time. It is the duplicate name, and the account password the clone overwrites, that does the damage.
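To see both copies of the secret from the broken member, as an added example that is not part of the original post: the script below asks Netlogon for the secure-channel state, reads the member's own rotation settings, and reads pwdLastSet from the computer object on the domain controller. It assumes PowerShell and nltest.exe are on the member (nltest is in the Support Tools on Windows Server 2003 and in-box on Vista/2008 and later), prompts for domain-admin credentials because domain logon from this machine is precisely what is broken, and derives the domain name from WMI; that, and the account name it prompts for, are assumptions about the environment.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the member that logs event 3210, as a LOCAL administrator. nltest.exe: Support
# Tools on Windows Server 2003, in-box on Vista/2008 and later. $DomainDns is
# taken from WMI (assumption: the member still knows which domain it belongs to).

$ComputerName = $env:COMPUTERNAME
$DomainDns    = (Get-WmiObject Win32_ComputerSystem).Domain    # e.g. DOMAINNAME.com

# 1. Which DC the secure channel points at, and whether it can be verified.
#    A healthy member prints "The command completed successfully"; the 3210/5722
#    case reports an error status instead (typically access denied).
nltest /sc_query:$DomainDns
nltest /sc_verify:$DomainDns

# 2. The member's side: how often it rotates its own password. MaximumPasswordAge
#    is in days and defaults to 30 when the value is absent; DisablePasswordChange=1
#    means it never rotates (a common setting for VM templates that get snapshotted).
$nlParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty $nlParams | Select-Object MaximumPasswordAge, DisablePasswordChange

# 3. The DC's side: when the password for COMPUTERNAME$ was last set (pwdLastSet)
#    and whether the object is disabled (userAccountControl bit 0x2). A pwdLastSet
#    newer than your last snapshot, image or restore means a different instance of
#    this machine (a clone, or a same-name rejoin) rotated the password.
#    ADSI needs the password as plain text, so it lives in a variable briefly.
$cred     = Get-Credential "$DomainDns\Administrator"      # domain admin, prompted
$ldapUser = $cred.UserName
$ldapPass = $cred.GetNetworkCredential().Password
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns", $ldapUser, $ldapPass)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'pwdLastSet', 'userAccountControl'))
$obj = $searcher.FindOne()
if ($obj -eq $null) {
    Write-Warning "No computer object named $ComputerName`$ in $DomainDns"
} else {
    $pwdLastSet = [DateTime]::FromFileTime([int64]$obj.Properties['pwdlastset'][0])
    $uac        = [int]$obj.Properties['useraccountcontrol'][0]
    $fields     = @($obj.Properties['distinguishedname'][0], $pwdLastSet,
                    ((Get-Date) - $pwdLastSet).TotalDays, [bool]($uac -band 0x2))
    "{0}`n  pwdLastSet = {1:u} ({2:N0} days ago)`n  disabled   = {3}" -f $fields
}
```

If nltest reports the channel is fine but the DC's pwdLastSet is recent and the member was restored from an older image, the member is the stale side; if pwdLastSet moves without this machine having been up, something else is using the name.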

The Fix

I was able to fix this by:

  1. Leave the domain on the client machine. Log in with a local administrator account, open System Properties->Computer Name->Change, and join some placeholder workgroup to leave the domain. (This disables the computer account in Active Directory; it does not delete it.) Restart the machine.
  2. Reset the machine account on the domain controller. Start->Administrative Tools->Active Directory Users and Computers, open the Computers container, right-click your computer and choose Reset Account (below). This sets the account password back to its well-known default so the machine can join again; the object, its SID and its group memberships are kept. [Screenshot: Resetting Machine Account in Windows 2003]
  3. Wait a while (I went for lunch) so the reset replicates to the other domain controllers, then join the domain again from the client machine.

Pleasant? No. Functional again? Yes.
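The same repair can be done in place, without leaving the domain, which keeps the computer object, its SID and its group memberships untouched and needs only one restart. This is an added example, not the post's own steps: it uses netdom.exe and nltest.exe (Support Tools on Windows Server 2003, in-box on 2008 and later) and, where it exists, the Test-ComputerSecureChannel cmdlet from PowerShell 2.0. The $Dc and $DomainAdmin values are placeholders standing in for the bracketed names in the event text.

```powershell
# Added example, not the post's own procedure. Run in an elevated PowerShell on
# the broken member as a LOCAL administrator. netdom.exe and nltest.exe: Support
# Tools on Windows Server 2003, in-box on 2008 and later. The three values below
# mirror the bracketed names in the event text and are assumptions.

$Domain      = 'DOMAINNAME'           # NetBIOS domain name
$Dc          = 'DC.DOMAINNAME.com'    # the writable DC named in event 3210
$DomainAdmin = "$Domain\Administrator"

# 1. Show the failure first so the before/after is visible.
nltest /sc_query:$Domain

# 2. Set a new machine-account password on this member AND on $Dc in one step.
#    This is the supported equivalent of "Reset Account" plus leave/rejoin, minus
#    the two restarts: the computer object, its SID and its group memberships are
#    untouched. /PasswordD:* prompts for the domain admin's password instead of
#    putting it on the command line. netdom resetpwd must run on the machine
#    whose password is being reset.
netdom resetpwd /Server:$Dc /UserD:$DomainAdmin /PasswordD:*
if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }

# 3. Point the secure channel at that same DC, so a replica that has not yet
#    received the new password is not consulted, and verify it.
nltest /sc_reset:$Domain\$Dc
nltest /sc_verify:$Domain

# 4. PowerShell 2.0 and later can do steps 2-3 in one cmdlet; kept optional here
#    because the post's machines are Windows Server 2003.
if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential $DomainAdmin)
    Test-ComputerSecureChannel      # prints True once the channel is healthy
}

# 5. Restart so Netlogon and domain logons pick up the new secret
#    (shutdown.exe rather than Restart-Computer, which is PowerShell 2.0 only).
shutdown /r /t 0
```

If netdom reports the account is disabled, the machine has already been taken out of the domain (step 1 of the fix above); re-enable the computer object in Active Directory Users and Computers and run the reset again. If the member logs 3210 again a few days after a clean reset, another machine is using the same account, which is the cloned-VM case: rename or remove the other instance rather than resetting in a loop.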

I wish I had a better explanation of why this happened; I have a theory, but I'm still not confident enough to write it up. Hope this helps some nice folk somewhere.

Best,
Tyler

8 comments:

Eric Fang said...

Great solutions! This fixed my problem perfectly.

My problem was caused by the same virtual machines; I guess that confused the domain controller, since something is bound to the MAC.

I would suggest stopping SQL Server first, before the rejoin operation.

Dashsa said...

I have been having this issue on one of the machines on our network. I resolved it by doing your steps, but after a few days it returns! Only on one machine!! VERY annoying.
Thanks for the post!

Tyler Holmes said...

Hey dashsa,

If this continues to happen then I'm wondering if there's some other machine on the domain with either the same SID or Computer Name as your computer.

I would consider leaving the domain and then running the MS NewSID tool. Change both your SID and your computer name to something random/unique. Then join the domain again.

HTH,
Tyler

Michael said...

Thanks a lot - solved my problem. It started when I restored my Acronis C: drive image backup. It was no longer synced to the Domain Controller.

JD BCN said...

Solved my problem! Nice one mate!

Tinley Harrier said...

That was a great article! I was tearing my hair out trying to figure out why my user had dropped off the domain; after reading a dozen articles, yours was the one that fixed it! Thank you!

Anonymous said...

Thank you God for this link!

Anonymous said...

Hi,
I know this is a very old post, but I am encountering the same problem.
I followed your suggestion, but now I cannot rejoin my PC to the domain?

I get the error that an AD DC could not be contacted, but I can ping the DC?