Koozali.org: home of the SME Server

Windows Domain, Authenticating as workstation not user

StuC
« on: November 16, 2007, 06:06:27 PM »
I have a SME server (7.2) acting as Windows Domain controller.
I now also (unfortunately) have a Microsoft server acting as a domain controller for another domain on the same subnet.
As part of an over 2-hour (no really) support call trying to fix a problem with Symantec Corporate Antivirus, I took my own XP-Pro workstation off the SME domain and joined the MS Server 2003 Domain; seems it was a one-way trip.

If I try to rejoin the SME domain it fails and the message in the server log is
Workstation WORKSTATIONNAME$: no account in domain.

I assume joining the MS domain changed the authentication method on my XP workstation to authenticate by machine rather than user.
Applying the registry patch and rebooting does not seem to have changed anything.

I've searched the forum and assume it will be a registry setting to change but would really appreciate some pointers.

Many thanks

« Last Edit: November 16, 2007, 06:10:40 PM by StuC »

cactus
« Reply #1 on: November 17, 2007, 01:06:24 PM »
> I have a SME server (7.2) acting as Windows Domain controller.
> I now also (unfortunately) have a Microsoft server acting as a domain controller for another domain on the same subnet.
> As part of an over 2-hour (no really) support call trying to fix a problem with Symantec Corporate Antivirus, I took my own XP-Pro workstation off the SME domain and joined the MS Server 2003 Domain; seems it was a one-way trip.

You cannot have two primary domain controllers on the same subnet; you will have to change one of the subnets so the domain controllers each have their own subnet, or you need to disable one of the servers' DHCP functions.

> If I try to rejoin the SME domain it fails and the message in the server log is
> Workstation WORKSTATIONNAME$: no account in domain.
>
> I assume joining the MS domain changed the authentication method on my XP workstation to authenticate by machine rather than user.
> Applying the registry patch and rebooting does not seem to have changed anything.

This is a wrong assumption; machines authenticate to a domain when you try to join them. To join them you need to use an account with the proper privileges for that domain.

> I've searched the forum and assume it will be a registry setting to change but would really appreciate some pointers.

As said before, change either one of the subnets or disable one of the servers' DHCP function. If you really need two domain controllers you will have to change one of the subnets. If you need the domains to be able to contact each other you will need to create proper routing between the domains.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

StuC
« Reply #2 on: November 17, 2007, 01:42:11 PM »
Thanks for the reply,
Neither server is a DHCP server; that is handled by a router with IPs bound to MACs.

The XP Workstation was joined to the domain using an account with the correct privileges (after being challenged).
From the computer name tab (while logged on locally) shows it being on the correct domain but it will not allow log on with any account from the domain it is supposed to be on, admin user or otherwise.
It has been on this domain about twenty minutes previously.

What I would expect when joining the domain for the first time.
1 Select the domain in the Windows box -
2 get challenged for credentials that allow you to get to the domain,
3 if accepted prompted to reboot.
4 after reboot get on with user credentials.

What I get when I try to connect to the domain having been on a different Windows Server 2003 controlled domain.
1 Select the domain in the Windows box -
2 get challenged for credentials that allow you to get to the SME domain,
3 accepted, prompted to reboot
4 find that any log on indicates that the domain controller is not available (errors show up the SME server log for that domain)

No network settings were changed in that 20 minutes, all other machines are currently happy on the SME domain.

cactus
« Reply #3 on: November 17, 2007, 01:45:33 PM »
> Thanks for the reply,
> Neither server is a DHCP server; that is handled by a router with IPs bound to MACs.
>
> The XP Workstation was joined to the domain using an account with the correct privileges (after being challenged).
> From the computer name tab (while logged on locally) shows it being on the correct domain but it will not allow log on with any account from the domain it is supposed to be on, admin user or otherwise.
> It has been on this domain about twenty minutes previously.
>
> What I would expect when joining the domain for the first time.
> 1 Select the domain in the Windows box -
> 2 get challenged for credentials that allow you to get to the domain,
> 3 if accepted prompted to reboot.
> 4 after reboot get on with user credentials.
>
> What I get when I try to connect to the domain having been on a different Windows Server 2003 controlled domain.
> 1 Select the domain in the Windows box -
> 2 get challenged for credentials that allow you to get to the SME domain,
> 3 accepted, prompted to reboot
> 4 find that any log on indicates that the domain controller is not available (errors show up the SME server log for that domain)
>
> No network settings were changed in that 20 minutes, all other machines are currently happy on the SME domain.

If I understand you correctly you want to join one PC to two domains and then switch between domains, which AFAIK is impossible as Windows machines can only have a trust with one domain.

StuC
« Reply #4 on: November 17, 2007, 03:40:59 PM »
Almost.
Having joined a second domain as a temporary test, to try and track down a problem with some antivirus software, I now want to rejoin the first domain.

I.E.
XP workstation is on "DOMAIN1"
leaves it to authenticate against "DOMAIN2" (without any problem)
finds this test does not sort the AV roll-out problem so just want to switch back from "DOMAIN2" to "DOMAIN1"
Can seem to do this (as far as being challenged for admin user, "welcome to" message and reboot)
but after reboot cannot authenticate against "DOMAIN1"; this is the ONLY domain I now want to authenticate against.

mmccarn
« Reply #5 on: November 17, 2007, 03:47:29 PM »
Here's a quick list of suggested steps if you're having trouble connecting a workstation to a domain: http://bugs.contribs.org/show_bug.cgi?id=1836#c14

And here's a Samba doc on the same topic: http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id301631

(Credit to snoble for both)

StuC
« Reply #6 on: November 17, 2007, 04:22:06 PM »
Thanks I should have looked in the bug tracker (and I have often tutted at people who don't do enough looking before posting),
will follow that up.

I did look at the Samba documentation to some extent and some other net resources but from what I read I maybe incorrectly decided it was based around "machine" authentication so would be a well known - "Remove key X from XP registry"

---

Just ran the commands from the bug tracker, all fine now.
Thank you both for your assistance.
« Last Edit: November 17, 2007, 05:06:15 PM by StuC »