"System Cannot Log You On to This Domain" Error Message When You Try to Log On to a Windows NT 4.0 Domain

When you try to log on to a Windows NT 4.0 domain from a Windows XP-based computer, you may receive the following error message:You can log on locally to your computer and map drives to the Windows NT 4.0 Server-based computer by using your user domain credentials, and you can log on to the domain by using the same user account from a Windows NT 4.0-based computer.

This behavior may occur if the password for the computer account and the local security authority (LSA) secret are not synchronized.

To troubleshoot and resolve this behavior, use the following procedures, as appropriate for your situation:

• Reset the secure channel between the Windows XP-based client computer and the domain controller.
  
  You can use either the Nltest.exe or Netdom.exe command-line utilities to reset the secure channel. Both these tools are located on the in the Support\Tools folder of the Windows XP CD-ROM. To install these tools, run Setup.exe or extract the files from the Support.cab file.
  • To use the Nltest.exe command-line utility or to query and reset the secure channel, type the following lines at the at the command prompt, pressing ENTER after each line:
    nltest /sc_query
    nltest /sc_reset
  • To use the Netdom.exe command-line utility to reset the secure channel, type the following lines at the at the command prompt, pressing ENTER after each line:
    netdom reset ComputerName /domain:DomainName
    Note Make sure that you use the version of Netdom.exe that is included with Windows XP. For additional information about how to use Netdom.exe to reset the secure channel , click the following article number to view the article in the Microsoft Knowledge Base:
    216393  (http://support.microsoft.com/kb/216393/EN-US/ ) Resetting Computer Accounts in Windows 2000 and Windows XP

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

• Check the event logs on both the PDC and Windows XP client computer.
  
  For example, you may see the event messages similar to the following event message in Event Viewer:

  Event ID 5721
  
  The session setup to the Windows NT Domain Controller <Unknown> for the domain <DomainName> failed because the Windows NT Domain Controller does not have an account for the computer <ComputerName>

  Event ID 5722
  
  The session setup from the computer DOMAINBDC failed to authenticate. The name of the account referenced in the security database is DOMAINBDC$. The following error occurred:
  
  Access is denied.

  For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
  160324  (http://support.microsoft.com/kb/160324/EN-US/ ) Event ID 5721 after Deleting Computer Account
  150518  (http://support.microsoft.com/kb/150518/EN-US/ ) NetLogon Service Fails When Secure Channel Not Functioning
• Verify that the computer account exists in the domain. To do so:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Server Manager.
  2. On the View menu, click Show Domain Members.
  If the computer is not listed, either manually add the computer account on the PDC, or join the domain from the client computer.
• Make sure that NetBIOS over TCP/IP (NetBT) is enabled on the client computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  314366  (http://support.microsoft.com/kb/314366/EN-US/ ) Cannot Join Windows XP Client to a Windows NT Domain
• If the following registry entries are configured on the Windows XP client and on the domain controller, make sure that their values are set to 0 (zero):
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilitylevel
  
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous
  For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  239869  (http://support.microsoft.com/kb/239869/EN-US/ ) How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT
• On the Windows XP client computer, verify that the Network Security: LAN Manager Authentication level Group Policy setting is configured to use the Send LM & NTLM responses option. To do so:
  1. Click Start, and then click Run.
  2. In the Open box, type gpedit.msc, and then click OK.
  3. Expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  4. In the right pane, double-click Network Security: LAN Manager Authentication level.
  5. Make sure that the Send LM & NTLM responses option is set, and then click OK.
• Investigate possible name resolution issues.
• Investigate possible trust relationship issues by using the Netdiag.exe command-line utility.
• Re-create the computer account, join a workgroup, and then rejoin the domain.
• On the Windows XP client computer, turn on logging for the Netlogon service to capture and view NTLM logon events. For additional information about how to do so, click the following article number to view the article in the Microsoft Knowledge Base:
  109626  (http://support.microsoft.com/kb/109626/EN-US/ ) Enabling Debug Logging for the Netlogon Service
• Use Network Monitor to perform a network trace and analyze Remote Procedure Call (RPC) traffic.

For additional information about how to troubleshoot related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base: For additional information Netlogon behavior in Window NT 4.0, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base: