Clients Unable to Log On to Domain in the Absence of Domain Controllers (263108)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows NT Server 4.0

This article was previously published under Q263108

SYMPTOMS

On a Microsoft Windows 2000 client, you may be unable to log on to a domain whose only remaining domain controllers run Microsoft Windows NT 4.0, after the last Windows 2000 Active Directory domain controller has been demoted. When you attempt to log on, you may receive the following error message:
The system cannot log you on to this domain because the system's machine account in its primary domain is missing or the password on that account is incorrect.

CAUSE

This behavior can occur because, after a Windows 2000 client has been a member of a Windows 2000 Active Directory domain, its secure channel to the domain was set up with Kerberos, and the client cannot re-establish that secure channel with a Windows NT 4.0 domain controller. The error message refers to the computer account because it is the computer's secure channel, not the user's credentials, that fails.

RESOLUTION

To resolve this behavior, remove the Windows 2000 Professional client from the domain and then rejoin it to the Windows NT 4.0 domain. To remove the Windows 2000 Professional client from the domain and place it in a workgroup, follow these steps:
  1. Click Start, point to Settings, click Control Panel, and then double-click System.
  2. On the Network Identification tab, click Properties.
  3. Under Member Of, click Workgroup, type the name of a workgroup to join, and then click OK.
  4. Click OK again.
  5. Restart the computer.
To add the Windows 2000 Professional client back to the domain, follow these steps:
  1. Click Start, point to Settings, click Control Panel, double-click System, and then, on the Network Identification tab, click Properties.
  2. Under Member Of, click Domain, type the name of the domain that you want to join, and then click OK.

    You are prompted for the user name and password of an account that has permission to join computers to the domain.
  3. Restart the computer.
You can also use the Netdom 2.0 utility from the Windows 2000 Support Tools to reset Windows 2000 computer accounts in the domain, or to remove and rejoin the computer from the command line. For more information, consult the Windows 2000 Support Tools Help file.

MORE INFORMATION

Windows 2000 sets up the secure channel to the domain using Kerberos, its default authentication protocol, as long as there are Windows 2000 domain controllers. After there are no remaining Windows 2000 domain controllers, Windows 2000 Professional can no longer set up a secure channel to the remaining Windows NT 4.0 domain controllers, because it does not fall back to Windows NT LAN Manager (NTLM) authentication for an existing secure channel. Removing the workstation from the domain and rejoining it causes the workstation to set up a new secure channel using NTLM, because Kerberos fails.
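The following batch file is an added example for this article (it is not part of KB 263108 and not Microsoft-supplied code). It performs the resolution steps above from the command line with the Windows 2000 Support Tools: it checks the client's secure channel with nltest, tries an in-place reset of the computer account with netdom reset, and otherwise removes and rejoins the computer as the GUI steps do. CORPNT, WS2KPRO and CORPNT\joinadmin are placeholder names (the NT 4.0 domain, the client's computer name, and an account permitted to manage workstation accounts); the netdom and nltest switches are those documented in the Support Tools Help file, which you should confirm for the version you have installed.

```batch
@echo off
rem Added example, not part of KB 263108. Assumes the Windows 2000 Support Tools
rem (netdom.exe, nltest.exe) are installed on the Windows 2000 Professional client.
rem Placeholders: CORPNT = NetBIOS name of the NT 4.0 domain, WS2KPRO = this
rem computer's name, CORPNT\joinadmin = an account allowed to manage workstation
rem accounts in that domain.
setlocal
set DOMAIN=CORPNT
set COMPUTER=WS2KPRO
set JOINUSER=CORPNT\joinadmin

if /i "%~1"=="check" goto check
if /i "%~1"=="reset" goto reset
if /i "%~1"=="leave" goto leave
if /i "%~1"=="join"  goto join
echo Usage: %~nx0 check ^| reset ^| leave ^| join
goto :eof

:check
rem Query the secure channel this client has to a domain controller. After the
rem last Windows 2000 DC is demoted this fails, because the Kerberos-based
rem channel cannot be re-established against an NT 4.0 DC.
nltest /sc_query:%DOMAIN%
if errorlevel 1 (echo No working secure channel to %DOMAIN%.) else (echo Secure channel to %DOMAIN% is healthy.)
goto :eof

:reset
rem Reset the computer account password and the secure channel in place.
rem /passwordO:* makes netdom prompt for the password, so it is not left on the
rem command line or in the command history.
netdom reset %COMPUTER% /domain:%DOMAIN% /userO:%JOINUSER% /passwordO:*
if errorlevel 1 (echo Reset failed. Run "%~nx0 leave", restart, then "%~nx0 join".) else (nltest /sc_query:%DOMAIN%)
goto :eof

:leave
rem Same effect as the GUI steps: move the client to a workgroup and restart.
rem /reboot:30 gives the logged-on user 30 seconds before the restart.
netdom remove %COMPUTER% /domain:%DOMAIN% /userD:%JOINUSER% /passwordD:* /reboot:30
goto :eof

:join
rem Run after the restart. Rejoining creates a new computer account password
rem and a new secure channel, which the NT 4.0 DC negotiates with NTLM.
netdom join %COMPUTER% /domain:%DOMAIN% /userD:%JOINUSER% /passwordD:* /reboot:30
goto :eof
```

Run the script as a local administrator on the affected client, in the order check, reset, and, only if the reset fails, leave followed by join after the restart. Use an account delegated to manage workstation accounts rather than a domain administrator for the join, and keep the `*` form of the password switches so the credential is typed at the prompt instead of being stored in the batch file.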

Modification Type: Minor    Last Reviewed: 1/25/2006
Keywords:kbenv kbnetwork kbprb KB263108