"System Cannot Log You On to This Domain" Error Message When You Try to Log On to a Windows NT 4.0 Domain (810497)



The information in this article applies to:

  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows NT Server 4.0 SP6a

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you try to log on to a Windows NT 4.0 domain from a Windows XP-based computer, you may receive the following error message:
The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.
You can log on locally to your computer and map drives to the Windows NT 4.0 Server-based computer by using your user domain credentials, and you can log on to the domain by using the same user account from a Windows NT 4.0-based computer.

CAUSE

This behavior may occur if the password for the computer account and the local security authority (LSA) secret are not synchronized.

RESOLUTION

To troubleshoot and resolve this behavior, use the following procedures, as appropriate for your situation:
  • Reset the secure channel between the Windows XP-based client computer and the domain controller.

    You can use either the Nltest.exe or the Netdom.exe command-line utility to reset the secure channel. Both tools are located in the Support\Tools folder of the Windows XP CD-ROM. To install these tools, run Setup.exe or extract the files from the Support.cab file.
    • To use the Nltest.exe command-line utility to query and reset the secure channel, type the following lines at the command prompt, pressing ENTER after each line (where DomainName is the name of the Windows NT 4.0 domain):

      nltest /sc_query:DomainName
      nltest /sc_reset:DomainName

    • To use the Netdom.exe command-line utility to reset the secure channel, type the following line at the command prompt, and then press ENTER:

      netdom reset ComputerName /domain:DomainName

      Note Make sure that you use the version of Netdom.exe that is included with Windows XP. For additional information about how to use Netdom.exe to reset the secure channel, click the following article number to view the article in the Microsoft Knowledge Base:

      216393 Resetting Computer Accounts in Windows 2000 and Windows XP

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  • Check the event logs on both the PDC and Windows XP client computer.

    For example, you may see event messages similar to the following in Event Viewer:

    Event ID 5721

    The session setup to the Windows NT Domain Controller <Unknown> for the domain <DomainName> failed because the Windows NT Domain Controller does not have an account for the computer <ComputerName>

    Event ID 5722

    The session setup from the computer DOMAINBDC failed to authenticate. The name of the account referenced in the security database is DOMAINBDC$. The following error occurred:

    Access is denied.

    For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

    160324 Event ID 5721 after Deleting Computer Account

    150518 NetLogon Service Fails When Secure Channel Not Functioning

  • Verify that the computer account exists in the domain. To do so:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Server Manager.
    2. On the View menu, click Show Domain Members.
    If the computer is not listed, either manually add the computer account on the PDC, or join the domain from the client computer.
  • Make sure that NetBIOS over TCP/IP (NetBT) is enabled on the client computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    314366 Cannot Join Windows XP Client to a Windows NT Domain

  • If the following registry entries are configured on the Windows XP client and on the domain controller, make sure that their values are set to 0 (zero):

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilitylevel

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous

    For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    239869 How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT

  • On the Windows XP client computer, verify that the Network Security: LAN Manager Authentication level Group Policy setting is configured to use the Send LM & NTLM responses option. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type gpedit.msc, and then click OK.
    3. Expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
    4. In the right pane, double-click Network Security: LAN Manager Authentication level.
    5. Make sure that the Send LM & NTLM responses option is set, and then click OK.
  • Investigate possible name resolution issues.
  • Investigate possible trust relationship issues by using the Netdiag.exe command-line utility.
  • Re-create the computer account, join a workgroup, and then rejoin the domain.
  • On the Windows XP client computer, turn on logging for the Netlogon service to capture and view NTLM logon events. For additional information about how to do so, click the following article number to view the article in the Microsoft Knowledge Base:

    109626 Enabling Debug Logging for the Netlogon Service

  • Use Network Monitor to perform a network trace and analyze Remote Procedure Call (RPC) traffic.
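The registry check, the LAN Manager authentication level mapping and the secure channel query from the steps above, combined into one script. This is an added example and is not part of KB 810497; it assumes Windows PowerShell and the Support Tools (nltest.exe) are installed on the machine where it runs, and DomainName is a placeholder for the Windows NT 4.0 domain.

```powershell
# Added example (not from KB 810497): verify the two LSA values the article
# says must be 0 on the XP client and the NT 4.0 PDC, then query the secure
# channel. Assumes Windows PowerShell and nltest.exe from the Support Tools.
param([string]$DomainName = 'DomainName')   # placeholder: pass the real NT 4.0 domain

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Option names as shown in gpedit.msc for each LmCompatibilityLevel value.
# The article requires 0 for NT 4.0 SP6a interoperability; it is also the
# weakest level, so the LM response is sent on the wire.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Test-LsaValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $lsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Not configured: the article only requires 0 when the entry exists.
        Write-Host "$Name is not configured (default applies)"
        return $true
    }
    $value = [int]$item.$Name
    $detail = if ($Name -eq 'LmCompatibilityLevel') { $lmLevels[$value] } else { '' }
    if ($value -eq 0) {
        Write-Host "$Name = $value $detail [OK]"
        return $true
    }
    Write-Host "$Name = $value $detail [MISMATCH: article requires 0]"
    return $false
}

$allOk = $true
foreach ($name in 'LmCompatibilityLevel', 'RestrictAnonymous') {
    if (-not (Test-LsaValue -Name $name)) { $allOk = $false }
}
if (-not $allOk) { Write-Host 'Registry values differ from the article; fix them on both the client and the PDC.' }

# Secure channel status: a failure here matches the computer account password /
# LSA secret mismatch described in the CAUSE section.
nltest "/sc_query:$DomainName"
if ($LASTEXITCODE -ne 0) {
    Write-Host "Secure channel to $DomainName is broken; reset it with: nltest /sc_reset:$DomainName"
}
```

Run it once on the Windows XP client and once on the PDC; the registry checks apply to both, while the nltest query is only meaningful on the client.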

MORE INFORMATION

For additional information about how to troubleshoot related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:

318266 A Windows XP Client Cannot Log On to a Windows NT 4.0 Domain

314462 Err Msg Joining Windows XP Computer to Windows 2000 Domain

314366 Cannot Join Windows XP Client to Windows NT Domain

294355 Netdom.exe Cannot Join a Windows XP Professional-Based Computer to a Domain

For additional information about Netlogon behavior in Windows NT 4.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:

266729 Netlogon Behavior in Windows NT 4.0

175024 Resetting Domain Member Secure Channel

250877 Changing Domains Without Rebooting Within 10 Minutes Causes Secure Channel Problem

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:

162797 Trust Relationship Between Workstation and Domain Fails

147706 How to Disable LM Authentication on Windows NT


Modification Type: Minor
Last Reviewed: 1/27/2005
Keywords: kbprb kbinfo kberrmsg KB810497 kbAudEndUser kbAudITPRO