"System Cannot Log You On to This Domain" Error Message When You Try to Log On to a Windows NT 4.0 Domain

Article ID: 810497
Last Review: January 27, 2005
Revision: 1.4

SYMPTOMS
When you try to log on to a Windows NT 4.0 domain from a Windows XP-based computer, you may receive the following error message:

  The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.

You can log on locally to your computer and map drives to the Windows NT 4.0 Server-based computer by using your user domain credentials, and you can log on to the domain by using the same user account from a Windows NT 4.0-based computer.

CAUSE
This behavior may occur if the password for the computer account and the local security authority (LSA) secret are not synchronized.

RESOLUTION
To troubleshoot and resolve this behavior, use the following procedures, as appropriate for your situation:

• Reset the secure channel between the Windows XP-based client computer and the domain controller.
  You can use either the Nltest.exe or the Netdom.exe command-line utility to reset the secure channel. Both tools are located in the Support\Tools folder of the Windows XP CD-ROM. To install these tools, run Setup.exe or extract the files from the Support.cab file.
  • To use the Nltest.exe command-line utility to query and reset the secure channel, type the following lines at the command prompt, pressing ENTER after each line:
      nltest /sc_query:DomainName
      nltest /sc_reset:DomainName
  • To use the Netdom.exe command-line utility to reset the secure channel, type the following line at the command prompt, and then press ENTER:
      netdom reset ComputerName /domain:DomainName
    Note Make sure that you use the version of Netdom.exe that is included with Windows XP.
  For additional information about how to use Netdom.exe to reset the secure channel, click the following article number to view the article in the Microsoft Knowledge Base:
    216393 (http://support.microsoft.com/kb/216393/EN-US/) Resetting Computer Accounts in Windows 2000 and Windows XP

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
  322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

• Check the event logs on both the PDC and the Windows XP client computer.
  For example, you may see event messages similar to the following in Event Viewer:

  Event ID 5721
  The session setup to the Windows NT Domain Controller <Unknown> for the domain <DomainName> failed because the Windows NT Domain Controller does not have an account for the computer <ComputerName>

  Event ID 5722
  The session setup from the computer DOMAINBDC failed to authenticate. The name of the account referenced in the security database is DOMAINBDC$. The following error occurred:
  Access is denied.

  For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
    160324 (http://support.microsoft.com/kb/160324/EN-US/) Event ID 5721 after Deleting Computer Account
    150518 (http://support.microsoft.com/kb/150518/EN-US/) NetLogon Service Fails When Secure Channel Not Functioning
• Verify that the computer account exists in the domain. To do so:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Server Manager.
  2. On the View menu, click Show Domain Members.
  If the computer is not listed, either manually add the computer account on the PDC, or join the domain from the client computer.
• Make sure that NetBIOS over TCP/IP (NetBT) is enabled on the client computer.
  For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    314366 (http://support.microsoft.com/kb/314366/EN-US/) Cannot Join Windows XP Client to a Windows NT Domain
• If the following registry entries are configured on the Windows XP client and on the domain controller, make sure that their values are set to 0 (zero):
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilitylevel
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous
  For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
    239869 (http://support.microsoft.com/kb/239869/EN-US/) How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT
• On the Windows XP client computer, verify that the Network Security: LAN Manager Authentication level Group Policy setting is configured to use the Send LM & NTLM responses option. To do so:
  1. Click Start, and then click Run.
  2. In the Open box, type gpedit.msc, and then click OK.
  3. Expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  4. In the right pane, double-click Network Security: LAN Manager Authentication level.
  5. Make sure that the Send LM & NTLM responses option is set, and then click OK.
• Investigate possible name resolution issues.
• Investigate possible trust relationship issues by using the Netdiag.exe command-line utility.
• Re-create the computer account, join a workgroup, and then rejoin the domain.
• On the Windows XP client computer, turn on logging for the Netlogon service to capture and view NTLM logon events.
  For additional information about how to do so, click the following article number to view the article in the Microsoft Knowledge Base:
    109626 (http://support.microsoft.com/kb/109626/EN-US/) Enabling Debug Logging for the Netlogon Service
• Use Network Monitor to perform a network trace and analyze Remote Procedure Call (RPC) traffic.
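
The secure-channel query and the two LSA registry checks from the list above, combined into one read-only batch file. This is an added example, not part of the original article; the script name and the output wording are assumptions. It takes the domain name as its only argument and relies on Nltest.exe from the Support Tools and on reg.exe, which ships with Windows XP.

```bat
@echo off
rem Added example, not from the original article: read-only checks only.
rem Usage: scchk.cmd DomainName   (the script name is hypothetical)
setlocal
if "%~1"=="" (
    echo Usage: %~n0 DomainName
    exit /b 2
)
set "DOMAIN=%~1"
set "LSAKEY=HKLM\System\CurrentControlSet\Control\LSA"

echo === Secure channel status for %DOMAIN% ===
rem Queries only; run "nltest /sc_reset:%DOMAIN%" separately if this fails.
nltest /sc_query:%DOMAIN%

echo.
echo === LSA values the article expects to be 0 when configured ===
call :check LMcompatibilitylevel
call :check RestrictAnonymous
endlocal
exit /b 0

:check
rem reg query sets a nonzero errorlevel when the value does not exist.
reg query "%LSAKEY%" /v %1 >nul 2>&1
if errorlevel 1 (
    echo %1: not configured
    goto :eof
)
rem The data is the third whitespace-separated token on the value line.
for /f "tokens=3" %%V in ('reg query "%LSAKEY%" /v %1 ^| find /i "%1"') do (
    if /i "%%V"=="0x0" (
        echo %1 = %%V  ^(matches^)
    ) else (
        echo %1 = %%V  ^(differs from 0^)
    )
)
goto :eof
```

Run it on the Windows XP client and again on the domain controller, because the article asks for the registry values to be checked on both.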

MORE INFORMATION
For additional information about how to troubleshoot related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  318266 (http://support.microsoft.com/kb/318266/EN-US/) A Windows XP Client Cannot Log On to a Windows NT 4.0 Domain
  314462 (http://support.microsoft.com/kb/314462/EN-US/) Err Msg Joining Windows XP Computer to Windows 2000 Domain
  314366 (http://support.microsoft.com/kb/314366/EN-US/) Cannot Join Windows XP Client to Windows NT Domain
  294355 (http://support.microsoft.com/kb/294355/EN-US/) Netdom.exe Cannot Join a Windows XP Professional-Based Computer to a Domain

For additional information about Netlogon behavior in Windows NT 4.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  266729 (http://support.microsoft.com/kb/266729/EN-US/) Netlogon Behavior in Windows NT 4.0
  175024 (http://support.microsoft.com/kb/175024/EN-US/) Resetting Domain Member Secure Channel
  250877 (http://support.microsoft.com/kb/250877/EN-US/) Changing Domains Without Rebooting Within 10 Minutes Causes Secure Channel Problem

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  162797 (http://support.microsoft.com/kb/162797/EN-US/) Trust Relationship Between Workstation and Domain Fails
  147706 How to Disable LM Authentication on Windows NT

APPLIES TO
• Microsoft Windows XP Professional
• Microsoft Windows XP Professional SP1
• Microsoft Windows NT 4.0 Service Pack 6a