SYMPTOMS
You may have problems logging on to your Windows NT domain from a Windows
NT Workstation or Server computer that is a member of a domain and receive
the following logon message:
   The system cannot log you on to this domain because the system's
   computer account in its primary domain is missing or the password on
   that account is incorrect.
The following event may be logged in Event Viewer:
   Event ID 5721:
   The session setup to the Windows NT Domain Controller <Unknown> for the
   domain <Domain Name> failed because the Windows NT Domain Controller
   does not have an account for the computer <computername>.
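One way to triage the event described above across many machines, as an added example that is not part of the original article: the Python below pulls the domain controller, domain, and computer name out of Event ID 5721 messages in exported event log text and lists the computers whose account was rejected repeatedly. The sample log text, the domain and computer names, and the function names are constructed for illustration; the export is assumed to be plain text in which a message may wrap across lines.

```python
import re
from collections import Counter

# Message text of Event ID 5721 as quoted in the article; the three
# placeholders (controller, domain, computer) become capture groups.
# Assumption: none of the three names contains whitespace.
PATTERN = re.compile(
    r"The session setup to the Windows NT Domain Controller (?P<dc>\S+) "
    r"for the domain (?P<domain>\S+) failed because the Windows NT Domain "
    r"Controller does not have an account for the computer "
    r"(?P<computer>\S+?)\.(?=\s|$)"
)

# Constructed sample of exported event text (all names are made up).
SAMPLE = """\
Event ID 5721: The session setup to the Windows NT Domain Controller
<Unknown> for the domain CORP failed because the Windows NT Domain
Controller does not have an account for the computer WKS042.
Event ID 0000: unrelated constructed line
Event ID 5721: The session setup to the Windows NT Domain Controller
\\\\PDC01 for the domain CORP failed because the Windows NT Domain
Controller does not have an account for the computer wks042.
Event ID 5721: The session setup to the Windows NT Domain Controller
\\\\PDC01 for the domain CORP failed because the Windows NT Domain
Controller does not have an account for the computer SRV7.
"""

def parse_5721(text):
    """Return (dc, domain, computer) for each 5721 message in the text."""
    flat = " ".join(text.split())  # undo line wrapping from the export
    return [(m["dc"], m["domain"].upper(), m["computer"].upper())
            for m in PATTERN.finditer(flat)]

def accounts_to_check(events, threshold=2):
    """(domain, computer) pairs rejected at least `threshold` times."""
    counts = Counter((domain, computer) for _, domain, computer in events)
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for domain, computer in accounts_to_check(parse_5721(SAMPLE)):
        print(f"{domain}: verify or recreate the account for {computer}")
```

Names are upper-cased before counting so that the same computer reported in different letter case is counted once.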
CAUSE
The Netlogon service may fail to start and Event 5721 will be logged if one
of the following conditions is true:
- The computer account has been removed.
- The computer name has been changed.
- The computer account password has changed because another Windows NT
  system with the same computer name has joined the domain.
- The domain is not synchronized.
In order for a Windows NT system to log on to a domain, it must establish a
secure channel with a domain controller for the purpose of pass-through
authentication. The Netlogon service uses the computer account and an
associated password to establish the secure channel.
RESOLUTION
You should first verify that an account has been created in Server Manager
for the computer. You can do this by selecting "Show Domain Members" from the
View menu. If an account does not exist, start from Step 3, below.
You should also verify that domain synchronization is successful. For more
information, please refer to the following Microsoft Knowledge Base
article:
ARTICLE-ID: 149664
TITLE : Verifying Domain Netlogon Synchronization
If the above conditions have been met and you are still receiving the Event
ID 5721, the computer account should be recreated and the Windows NT System
should rejoin the domain.
If you cannot log on to the domain, you can log on to the local computer by
selecting the local computer name in the From field and specifying a local
user name and password. To recreate the computer account and rejoin the
domain, perform the following steps:
1. From Server Manager, select the computer name from the list of
   computers in the domain.
2. From the Computer menu, select Remove from Domain and click Yes
   when prompted to confirm the removal.
3. From the Computer menu, select Add to Domain.
4. Select Windows NT Workstation or Server, type the appropriate computer
   name, and then click the Add button.
5. Click the Close button.
6. Select the primary domain controller (PDC) from the list of computers in
   the domain.
7. From the Computer menu, select Synchronize the Entire Domain.
8. Click Yes twice.
9. Click the OK button.
10. From the Windows NT Workstation or Server computer, double-click the
    Control Panel Network icon.
11. Click Change.
12. Select Workgroup, and then click OK.
13. Click Yes, then click OK twice.
14. Click Restart Now.
15. After the computer has restarted, log on as an administrator
    of the local computer by selecting the computer name in the From
    field.
16. From the Control Panel Network tool, click Change next to the
    Workgroup name.
17. Select Domain and type the appropriate domain name.
18. Click OK, then click Yes.
19. Click OK twice.
20. Click Restart Now.
If you are an administrator of the domain, you can skip steps 1-9. When
joining the domain, click the Create Computer Account in Domain box and
specify a valid administrator name and password.
The above instructions do not apply to Backup Domain Controllers (BDC).
For related information on BDCs, please refer to the following Microsoft
Knowledge Base article:
ARTICLE-ID: 153719
TITLE : How to Re-Sync PDC/BDC Trust After Event IDs 3210 and 7023