TipsMake.com — Some time after your computer has been joined to an Active Directory domain (or, more often, when a domain member runs as a virtual machine or has been cloned), you may run into the following error:
Windows cannot connect to the domain, either because the domain controller is down or because your computer account was not found. Try again. If this message still appears, contact your system administrator.
No matter how hard you try, you cannot log in with your domain account on this computer. The only way to log in is with a local user account on the machine.
Note:
— In most cases, unless the problem was caused by an administrator error, you can still log in with a domain user account after disconnecting the network cable (cached credentials). This works only if that account has logged on to this computer before and has not been disabled by the administrator.
— If you use cloning software, or have just cloned a computer that is a member of the domain, keep the following two rules in mind:
1. Never clone a computer that is a domain member.
2. Never clone the operating system of a computer that is meant to work in an Active Directory domain (or any other type of network) without using SYSPREP.
After logging in, you will see the following errors in the Event Viewer:
NETLOGON 3210
This computer could not authenticate with WIN2003-SRV1.petrilabs.local, a Windows domain controller for the PETRILABS domain, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name, or because the password for this computer account is not recognized. If this message appears again, contact your system administrator.
LSASRV 40961
The Security System could not establish a secured connection with the server cifs/WIN2003-SRV1.petrilabs.local. No authentication protocol was available.
W32Time 18
NtpClient (the time synchronization client) could not establish a connection with a domain controller of petrilabs.local to synchronize the clock. It will retry in 15 minutes.
Other errors may appear as well. So what causes them?
The cause is a computer account password mismatch. The domain member believes its machine password is X, while the domain controller has it recorded as Y, so the computer cannot authenticate to the domain controller and the error occurs.
Basically, there are 2 ways to fix this error:
Method 1: use the GUI
This method is the easiest to implement.
Note: the following screenshots were taken on a Windows XP Pro machine, but the method applies to other Windows versions as well.
1. Right-click My Computer and select Properties.
2. On the Computer Name tab, click the Change button. Then switch Member of from the Active Directory domain to Workgroup.
3. Enter a workgroup name, then click OK.
4. You will then be prompted for administrator credentials to confirm the removal.
5. A confirmation message follows.
6. Restart the computer.
After restarting, log in and join the domain.
Method 2: use the command
You can use the netdom.exe tool.
Note: On Windows Server 2008 and Windows 7, netdom is built in and does not need to be downloaded.
Open a command prompt and type:
netdom.exe remove winxp-cl1 /Domain:petrilabs.local /UserD:petrilabs\administrator /PasswordD:***************
At this point the computer account shows a red X in Active Directory Users and Computers.
When using netdom.exe, no restart is needed after the remove step.
Then type:
netdom.exe join winxp-cl1 /Domain:petrilabs.local /UserD:petrilabs\administrator /PasswordD:***************
Restart the device.
Now you can use the computer as usual.
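The password mismatch described above can be confirmed and, on Windows 7 / Server 2008 R2 or later, repaired without leaving the domain at all. The following script is an added example and not part of the original article; it uses the article's domain name petrilabs.local as a placeholder and relies on the built-in Test-ComputerSecureChannel cmdlet, which resets the machine account password on the DC and in the local LSA secret in one step.

```powershell
# Added example (not from the article): check the machine's secure channel to the
# domain and, if it is broken, reset the computer account password in place.
# Assumes Windows 7 / Server 2008 R2 or later (these cmdlets do not exist on XP)
# and uses the article's domain petrilabs.local as a placeholder value.
param(
    [string]$Domain = 'petrilabs.local'
)

# 1. Show the Netlogon / LSA events the article lists, from the last 7 days, newest first.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3210, 40960, 40961; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 2. Ask Netlogon whether the secure channel to a DC of our domain is healthy.
#    nltest gives the DC name and status code; the cmdlet gives a plain boolean.
& nltest /sc_verify:$Domain 2>&1 | Write-Host
$healthy = Test-ComputerSecureChannel -Verbose
if ($healthy) {
    Write-Host "Secure channel to $Domain is OK; nothing to repair."
    return
}

# 3. Secure channel broken (typical after a snapshot revert or a clone): repair it.
#    -Repair resets the machine account password on the DC and locally in one step,
#    so the computer never has to leave the domain. The account used must be allowed
#    to reset the password of this computer object (a domain admin will do).
$cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME's password in $Domain"
if (Test-ComputerSecureChannel -Repair -Credential $cred -Verbose) {
    Write-Host 'Secure channel repaired. Reboot, then log on with a domain account.'
} else {
    Write-Warning 'Repair failed. Fall back to netdom remove / netdom join as described above.'
}
```

Run it from an elevated PowerShell session while logged on with a local account; the event listing tells you whether the 3210/40960/40961 pattern from the article is present, and the repair branch is the in-place alternative to the unjoin/rejoin cycle.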
When trying to logon to the virtual machine the following error is reported:
«Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found.»
The system Event log reports the following errors:
Event ID: 3210
«This computer could not authenticate with \\dc.domain.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.»
Event ID: 40960
«The Security System detected an authentication error for the server cifs/dc.domain.com. The failure code from authentication protocol Kerberos was «The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)».»
Event ID: 40960
«The Security System detected an authentication error for the server LDAP/dc.domain.com/domain.com@domain.com. The failure code from authentication protocol Kerberos was «The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)».»
On a Microsoft Windows NT-based host the computer account passwords are regularly changed for security purposes. By default, on Windows 2000/2003-based hosts, the computer account password automatically changes every 30 days.
The secure channel password is stored together with the computer account on the primary domain controller (PDC) and is replicated to all backup domain controllers (BDCs). The host keeps its own copy in the LSA secret $MACHINE.ACC.
If the password is not changed for «MaximumPasswordAge» days the machine account becomes invalid, denying domain logon.
If a machine is reverted to a previous snapshot the secure channel password on the host could differ from the copy held by domain controllers, denying domain logon.
Disable computer account password changes on the affected host and rejoin the domain:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
"DisablePasswordChange"=dword:00000001
Effects of machine account replication on a domain
http://support.microsoft.com/kb/175468
Considerations when hosting Active Directory domain controller in virtual hosting environments
http://support.microsoft.com/kb/888794
In Windows XP and Windows Server 2003, machine account password settings can also be configured by using Group Policy Editor (Gpedit.msc). To configure these settings, follow these steps:
In Group Policy Editor (Gpedit.msc):
— Expand Local Computer Policy | Windows Settings | Security Settings | Local Policies | Security Options.
— Domain Member: Disable machine account password changes (DisablePasswordChange)
— Domain Member: Maximum machine account password age (MaximumPasswordAge)
— Domain Controller: Refuse machine account password changes (RefusePasswordChange)
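The registry workaround and the three policy settings above control the same Netlogon parameters. The script below is an added example, not part of the KB text: it reads the current values (falling back to the documented defaults when a value is absent), shows when AD last recorded a password change for this computer if the RSAT ActiveDirectory module is installed, and applies DisablePasswordChange=1 only when asked to. The AD lookup and the -DisableRotation switch are this example's own additions.

```powershell
# Added example, not from the KB text: audit the Netlogon machine-account password
# settings and optionally apply the KB workaround (DisablePasswordChange=1) on a VM
# that is expected to be reverted to snapshots. Windows XP/2003 and later.
param([switch]$DisableRotation)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$props = Get-ItemProperty -Path $key

# Defaults when the value is absent: rotation enabled, 30-day maximum age, changes accepted.
$disable = if ($null -ne $props.DisablePasswordChange) { [int]$props.DisablePasswordChange } else { 0 }
$maxAge  = if ($null -ne $props.MaximumPasswordAge)    { [int]$props.MaximumPasswordAge }    else { 30 }
$refuse  = if ($null -ne $props.RefusePasswordChange)  { [int]$props.RefusePasswordChange }  else { 0 }  # only meaningful on a DC

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    DisablePasswordChange  = $disable
    MaximumPasswordAgeDays = $maxAge
    RefusePasswordChange   = $refuse
} | Format-List

# If the AD module (RSAT) is present, show when the DC last recorded a password change
# for this computer account. A value older than MaximumPasswordAge days, or a local
# password that predates a snapshot revert, explains a failing secure channel.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    $age  = ((Get-Date) - $acct.PasswordLastSet).TotalDays
    Write-Host ("AD says the machine password was last set {0} ({1:N0} days ago)" -f $acct.PasswordLastSet, $age)
}

if ($DisableRotation) {
    # The KB workaround. Trade-off: the machine password then never rotates, so a copy
    # of it stays valid indefinitely; treat this as a lab / snapshot-VM setting, not a
    # fleet default. Netlogon is restarted so the new value is certainly in effect.
    Set-ItemProperty -Path $key -Name DisablePasswordChange -Value 1 -Type DWord
    Restart-Service -Name Netlogon
    Write-Host 'DisablePasswordChange=1 applied. Rejoin the domain once; the password then stays fixed.'
}
```

Without -DisableRotation the script only reports, which is what you want on production members: there the better response to a revert is to rejoin or repair the secure channel rather than to stop rotation.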
Microsoft Windows XP Embedded (any)
Microsoft Windows XP SP2
Microsoft Windows XP (any)
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 RTM
Microsoft Windows Server 2003 (any)
Microsoft Windows 2000 SP4
Microsoft Windows 2000 (any)
Unable to Logon to Win2003 Domain AD Due to Windows Cannot Connect to the Domain Error
Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear contact your System Administrator for assistance.
The symptom or error may appear when a PC is replaced with another computer that has the same computer name, without first deleting the duplicate computer account from Active Directory before joining the new workstation to the domain under that name. The symptom may appear immediately or after a few successful logons. The cause of the error is probably a security identifier (SID) mismatch. Another possible cause is that the computer account for the workstation was accidentally deleted.
The resolution and workaround for the error in the situation above is as follows.
- Log in to the Windows 2003 domain controller and delete the computer account object from Active Directory using the Microsoft Management Console (MMC), which you can always reach from “Manage Your Server”.
- Log in to the PC workstation as the local administrator. If you cannot log on as the local administrator, unplug the network cable and log on with a domain administrator account that has logged on to this PC before, using the cached logon credentials feature.
- Go to Control Panel, click the System icon, then go to the Computer Name tab.
- Unjoin the computer from the domain by clicking “Change”. You should see that the Domain option is currently selected; note the domain name in the text box. Select “Workgroup” to remove the computer from the domain and enter any workgroup name in the text box (e.g. workgroup).
- Click OK to exit.
- Restart the computer (optional).
- Go back to Control Panel, open System properties, go to the Computer Name tab and click “Change”.
- Rejoin the domain by clearing the Workgroup option, selecting the Domain option, and entering the domain name noted above into the text box.
- Click OK to exit.
- Reboot the PC.
This should resolve the unable-to-logon-to-domain error without changing or losing the AD user profiles.
About the Author: LK
The cause of the error “The specified domain either does not exist or could not be contacted” in Windows is most often incorrect network settings (IP address, DNS servers, default gateway) on the client computer, as a result of which the computer cannot reach an Active Directory domain controller and authenticate.
Contents:
- Error “The specified domain does not exist” when adding a computer to Active Directory
- “The specified domain does not exist” when signing in to Windows
Error “The specified domain does not exist” when adding a computer to Active Directory
When you try to add a Windows computer to an Active Directory domain, the following error may appear:
The following error occurred attempting to join the domain WINITPRO. The specified domain either does not exist or could not be contacted.
This means that the specified AD domain is not reachable from this computer. The cause may be an incorrect IP address on the computer or wrong DNS settings, so that Windows cannot resolve the domain controller's IP address from its DNS name.
You need to:
- Check that the network works correctly on the computer and that its network settings are correct
- Check that DNS works correctly
Check that your computer has received correct IP settings from the DHCP server. Display the network settings of your connection with the command:
ipconfig /all
You can also query the network interface settings with PowerShell:
Get-NetAdapter -Physical | ? {$_.Status -eq "Up"} | Get-NetIPConfiguration
Check that the computer has a correct IP address from your network segment.
Try renewing the IP address:
ipconfig/release
ipconfig/release6
ipconfig/renew
Check that the DNS server is reachable:
Test-NetConnection 192.168.13.10
Test-NetConnection 192.168.13.10 -Port 53
In this example the DNS server answers ICMP (PingSucceeded: True) and its DNS port is open (TcpTestSucceeded: True).
Check that this DNS server can resolve the domain name to an IP address:
nslookup winitpro.ru
Check that your local hosts file contains no manual entries for your domain:
Get-Content -Path "C:\Windows\System32\drivers\etc\hosts"
If the network interface settings contain a wrong IP address for your DNS server, or the server is unreachable, you can set it manually through the Network Connections control panel. Open ncpa.cpl -> network adapter properties -> TCP/IPv4 properties -> Preferred DNS server. Enter the IP address of your nearest AD domain controller here.
Clear the DNS cache:
ipconfig /flushdns
net stop dnscache
net start dnscache
If that did not help, additionally click the Advanced button:
- On the DNS tab, enable the option Use this connection’s DNS suffix in DNS registration and manually enter the domain name in DNS suffix for this connection;
- Then, on the WINS tab, manually add the IP address of your DC.
In some cases disabling IPv6 on the network interface helps.
Now try to discover the domain controllers through DNS:
nltest /dnsgetdc:winitpro.ru
And check that a domain controller in your site can be contacted:
nltest /dsgetdc:winitpro.ru
Try adding the computer to the AD domain again.
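The client-side checks above can be run as one script. The following is an added example, not code from the article or from winitpro.ru; it uses the article's values (domain winitpro.ru, DNS server 192.168.13.10) as placeholders and needs Windows 8 / Server 2012 or later for Test-NetConnection and Resolve-DnsName. It goes one step beyond the article by querying the DC locator SRV record _ldap._tcp.dc._msdcs.<domain> directly, which is what nltest /dsgetdc resolves behind the scenes.

```powershell
# Added example (not part of the article): run the client-side checks in one pass.
# Placeholder values taken from the article; replace them with your own.
param(
    [string]$Domain    = 'winitpro.ru',
    [string]$DnsServer = '192.168.13.10'
)

function Report($name, $ok, $detail) {
    $flag = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $flag, $name, $detail)
}

# 1. Active physical adapter(s): address, gateway and configured DNS servers.
Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Get-NetIPConfiguration |
    ForEach-Object {
        $dns = ($_.DNSServer | ForEach-Object { $_.ServerAddresses }) -join ', '
        $ip  = ($_.IPv4Address | ForEach-Object { $_.IPAddress }) -join ', '
        Report 'Adapter' $true ("{0}: IP {1}, GW {2}, DNS {3}" -f $_.InterfaceAlias, $ip, $_.IPv4DefaultGateway.NextHop, $dns)
    }

# 2. Is the DNS server reachable, and is TCP/53 open on it?
$tnc = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
Report 'DNS reachable (ICMP)' $tnc.PingSucceeded   $DnsServer
Report 'DNS port 53 open'     $tnc.TcpTestSucceeded $DnsServer

# 3. Does that server resolve the domain name and, more importantly, the DC locator
#    SRV record that nltest /dsgetdc relies on?
try {
    $a = Resolve-DnsName -Name $Domain -Type A -Server $DnsServer -ErrorAction Stop
    Report 'Domain A record' $true (($a | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', ')
} catch { Report 'Domain A record' $false $_.Exception.Message }

try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction Stop
    Report 'DC SRV records' $true (($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', ')
} catch { Report 'DC SRV records' $false $_.Exception.Message }

# 4. A stray manual entry for the domain in the hosts file overrides DNS entirely.
$hostsLines = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($Domain) }
Report 'No hosts-file override' (-not $hostsLines) $(if ($hostsLines) { $hostsLines -join ' | ' } else { 'none' })

# 5. Finally let Netlogon itself locate a DC, the same check as the article's nltest command.
$nl = & nltest /dsgetdc:$Domain 2>&1
Report 'nltest /dsgetdc' ($LASTEXITCODE -eq 0) (($nl | Select-Object -First 2) -join ' ')
```

Read the output top to bottom: the first FAIL line is the layer to fix. A failing SRV lookup with a working A record usually means the client is pointed at a public or non-AD DNS server, which is exactly the misconfiguration the article describes.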
“The specified domain does not exist” when signing in to Windows
The error “The specified domain either does not exist or could not be contacted” may appear when you try to sign in to Windows with a domain account.
This error may indicate that:
- The domain controller is unreachable from the computer (incorrect network settings in Windows);
- If the problem occurs on several computers, it may point to a malfunction of the domain controller.
If the problem occurs on a single computer, try signing in with a local account (enter the name .\administrator on the Windows sign-in screen). If you do not know the local administrator password, it can be reset. Check the computer's network settings and the availability of the DNS server and the domain controller. Fix the IP settings manually if needed.
If the problem occurs on several computers, check that the NetLogon service is running on your domain controller (the logon server).
Check that the SYSVOL and NETLOGON shares are published on the DC. If they are missing, change the SysvolReady registry value from 0 to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and restart the NetLogon service.
Run domain controller and replication diagnostics with the dcdiag and repadmin commands.
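The DC-side checks in this section (NetLogon service, SYSVOL/NETLOGON shares, SysvolReady, dcdiag and repadmin) as one script to run on the domain controller. This is an added example, not code from the article; it assumes Windows Server 2012 or later for Get-SmbShare, and the -Fix switch that applies the SysvolReady change is this example's own addition.

```powershell
# Added example, not from the article: health check of a DC's logon infrastructure.
# Run in an elevated session on the domain controller. By default it only reports;
# -Fix applies the article's SysvolReady registry change and restarts Netlogon.
param([switch]$Fix)

# 1. Netlogon must be running for clients to locate and authenticate to this DC.
$svc = Get-Service -Name Netlogon
Write-Host ("Netlogon service: {0}" -f $svc.Status)
if ($svc.Status -ne 'Running' -and $Fix) { Start-Service -Name Netlogon }

# 2. SYSVOL and NETLOGON shares must be published; they are absent while SysvolReady is 0.
$shares = @(Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' })
Write-Host ("Published shares: {0}" -f $(if ($shares) { ($shares | ForEach-Object { $_.Name }) -join ', ' } else { 'none' }))

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ready = (Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
Write-Host ("SysvolReady: {0}" -f $(if ($null -eq $ready) { '(not set)' } else { $ready }))

if ($shares.Count -lt 2 -and $ready -eq 0) {
    if ($Fix) {
        # The article's fix: flip SysvolReady to 1 and restart Netlogon so the shares are re-created.
        Set-ItemProperty -Path $key -Name SysvolReady -Value 1 -Type DWord
        Restart-Service -Name Netlogon
        Write-Host 'SysvolReady set to 1 and Netlogon restarted; re-run without -Fix to verify the shares.'
    } else {
        Write-Warning 'SYSVOL/NETLOGON missing and SysvolReady=0. Re-run with -Fix to apply the registry change.'
    }
}

# 3. Let dcdiag confirm the DC advertises itself and its shares, and repadmin summarize replication.
& dcdiag /test:Advertising /test:NetLogons /test:SysVolCheck 2>&1 | Write-Host
& repadmin /replsummary 2>&1 | Write-Host
```

Run it without -Fix first: if SysvolReady is already 1 and the shares are still missing, the cause is usually SYSVOL replication rather than the registry value, and the repadmin summary at the end is where to look next.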