I have a windows 2000 server which can't browse on to either domain
controller.

When i do gpresult i see the error LookupAccountSid failed with 1789.
throughout the result.

I've seen http://support.microsoft.com/kb/262958
http://support.microsoft.com/kb/246108 and have checked:

My DNS is set to the two domain controllers and i can use nslookup and it
confirms i am using the domain controllers for dns.

The computer config in gpo above is set correctly.

Furthermore i can see inthe Eventlog:
Windows cannot access the file gpt.ini for GPO The file must be present
at the location <>. (). Group Policy processing aborted.

It seems very much like this member server can't access either domain
controller. It can talk to C$ share on other member servers /
workstations when using valid domain credentials.

Domain Controllers are 2003 SBS 32 bit and 2003 64bit R2.

There are other physical and virtual 2000 member servers which work fine.

If i connect to \\domaincontroller\C$ (or other share on the domain
controllers), i get the username/password box popup. When i enter valid
domain creditentials, they are not accepted and the username/password box
reappears.

Help!

Z.



--
Please remove my_pants when replying by email.

Zonky <zonky@my_pants.surfy.net> wrote in
news:Xns9A1F5FB08ECF2zonkysurfynet@194.177.96.26:

> I have a windows 2000 server which can't browse on to either domain
> controller.
>
> When i do gpresult i see the error LookupAccountSid failed with 1789.
> throughout the result.
>
> I've seen http://support.microsoft.com/kb/262958
> http://support.microsoft.com/kb/246108 and have checked:
>
> My DNS is set to the two domain controllers and i can use nslookup and
> it confirms i am using the domain controllers for dns.
>
> The computer config in gpo above is set correctly.
>
> Furthermore i can see inthe Eventlog:
> Windows cannot access the file gpt.ini for GPO The file must be
> present at the location <>. (). Group Policy processing aborted.
>
> It seems very much like this member server can't access either domain
> controller. It can talk to C$ share on other member servers /
> workstations when using valid domain credentials.
>
> Domain Controllers are 2003 SBS 32 bit and 2003 64bit R2.
>
> There are other physical and virtual 2000 member servers which work
> fine.
>
> If i connect to \\domaincontroller\C$ (or other share on the domain
> controllers), i get the username/password box popup. When i enter
> valid domain creditentials, they are not accepted and the
> username/password box reappears.
>
> Help!
>
> Z.

I'd like to clarify: No firewalls present, software or otherwise, and i
can ping the two servers with reply.

The netlogon service on the member server is working correctly..

I suspect it is some kind of authentication/encyption problem causing
failing of communication between the two, but i'm not really sure how to
troubleshoot further.

Z.



--
Please remove my_pants when replying by email.

Zonky <zonky@my_pants.surfy.net> wrote in
news:Xns9A1F5FB08ECF2zonkysurfynet@194.177.96.26:

> I have a windows 2000 server which can't browse on to either domain
> controller.
>
> When i do gpresult i see the error LookupAccountSid failed with 1789.
> throughout the result.
>
> I've seen http://support.microsoft.com/kb/262958
> http://support.microsoft.com/kb/246108 and have checked:
>
> My DNS is set to the two domain controllers and i can use nslookup and
> it confirms i am using the domain controllers for dns.
>
> The computer config in gpo above is set correctly.
>
> Furthermore i can see inthe Eventlog:
> Windows cannot access the file gpt.ini for GPO The file must be
> present at the location <>. (). Group Policy processing aborted.
>
> It seems very much like this member server can't access either domain
> controller. It can talk to C$ share on other member servers /
> workstations when using valid domain credentials.
>
> Domain Controllers are 2003 SBS 32 bit and 2003 64bit R2.
>
> There are other physical and virtual 2000 member servers which work
> fine.
>
> If i connect to \\domaincontroller\C$ (or other share on the domain
> controllers), i get the username/password box popup. When i enter
> valid domain creditentials, they are not accepted and the
> username/password box reappears.
>
> Help!
>
> Z.

I'd like to clarify: No firewalls present, software or otherwise, and i
can ping the two servers with reply.

The netlogon service on the member server is working correctly..

I suspect it is some kind of authentication/encyption problem causing
failing of communication between the two, but i'm not really sure how to
troubleshoot further.

Z.



--
Please remove my_pants when replying by email.

Zonky <zonky@my_pants.surfy.net> wrote in
news:Xns9A1F60E082AB2zonkysurfynet@194.177.96.26:

>
> I suspect it is some kind of authentication/encyption problem causing
> failing of communication between the two, but i'm not really sure how to
> troubleshoot further.
>
> Z.
>
>

Further to this, i can see that the problem lies in local security policy.

For some reason,

Digitally sign client commucation (where possible) is disabled
Digitally sign server commucation (always) is disabled
Digitally sign client commucation (where possible) is disabled.

I can change these on the local settings, but the effective setting remains
disable, i assume to what the server thinks is a group policy override.

Of course, since i can't connect to the Group Policy par tof Actgive
Directory, i can't force it to refresh the correct settings!

This is a bit of a catch 22 - any ideas how to solve?

Z.






--
Please remove my_pants when replying by email.

Zonky <zonky@my_pants.surfy.net> wrote in
news:Xns9A1F60E082AB2zonkysurfynet@194.177.96.26:

>
> I suspect it is some kind of authentication/encyption problem causing
> failing of communication between the two, but i'm not really sure how to
> troubleshoot further.
>
> Z.
>
>

Further to this, i can see that the problem lies in local security policy.

For some reason,

Digitally sign client commucation (where possible) is disabled
Digitally sign server commucation (always) is disabled
Digitally sign client commucation (where possible) is disabled.

I can change these on the local settings, but the effective setting remains
disable, i assume to what the server thinks is a group policy override.

Of course, since i can't connect to the Group Policy par tof Actgive
Directory, i can't force it to refresh the correct settings!

This is a bit of a catch 22 - any ideas how to solve?

Z.






--
Please remove my_pants when replying by email.

Zonky <zonky@my_pants.surfy.net> wrote in
news:Xns9A1F90D6ABF29zonkysurfynet@194.177.96.26:

>
> This is a bit of a catch 22 - any ideas how to solve?
>
> Z.

Solved!

I found this document http://support.microsoft.com/kb/887429

I enabled the workstation signing in the registry

( Registry values associated with Group Policy configuration for Windows
Server 2003, Windows XP, and Windows 2000
Client
In Windows Server 2003 and Windows XP, the "Microsoft network client:
Digitally sign communications (if server agrees)" Group Policy, and in
Windows 2000, the "Digitally sign client communication (when possible)"
Group Policy map to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LanManWorkstation
\Parameters
Value Name: EnableSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable) )

And then restarted the workstation service.

I logged back in as a domain account, and can now reach my domain
controllers.


Z.




--
Please remove my_pants when replying by email.

Zonky <zonky@my_pants.surfy.net> wrote in
news:Xns9A1F90D6ABF29zonkysurfynet@194.177.96.26:

>
> This is a bit of a catch 22 - any ideas how to solve?
>
> Z.

Solved!

I found this document http://support.microsoft.com/kb/887429

I enabled the workstation signing in the registry

( Registry values associated with Group Policy configuration for Windows
Server 2003, Windows XP, and Windows 2000
Client
In Windows Server 2003 and Windows XP, the "Microsoft network client:
Digitally sign communications (if server agrees)" Group Policy, and in
Windows 2000, the "Digitally sign client communication (when possible)"
Group Policy map to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LanManWorkstation
\Parameters
Value Name: EnableSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable) )

And then restarted the workstation service.

I logged back in as a domain account, and can now reach my domain
controllers.


Z.




--
Please remove my_pants when replying by email.

Thank you for sharing your experience with us.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Zonky" <zonky@my_pants.surfy.net> wrote in message
news:Xns9A1F92CACA100zonkysurfynet@194.177.96.26.. .
> Zonky <zonky@my_pants.surfy.net> wrote in
> news:Xns9A1F90D6ABF29zonkysurfynet@194.177.96.26:
>
>>
>> This is a bit of a catch 22 - any ideas how to solve?
>>
>> Z.
>
> Solved!
>
> I found this document http://support.microsoft.com/kb/887429
>
> I enabled the workstation signing in the registry
>
> ( Registry values associated with Group Policy configuration for Windows
> Server 2003, Windows XP, and Windows 2000
> Client
> In Windows Server 2003 and Windows XP, the "Microsoft network client:
> Digitally sign communications (if server agrees)" Group Policy, and in
> Windows 2000, the "Digitally sign client communication (when possible)"
> Group Policy map to the following registry subkey:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LanManWorkstation
> \Parameters
> Value Name: EnableSecuritySignature
> Data Type: REG_DWORD
> Data: 0 (disable), 1 (enable) )
>
> And then restarted the workstation service.
>
> I logged back in as a domain account, and can now reach my domain
> controllers.
>
>
> Z.
>
>
>
>
> --
> Please remove my_pants when replying by email.
>
>

Thank you for sharing your experience with us.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com


"Zonky" <zonky@my_pants.surfy.net> wrote in message
news:Xns9A1F92CACA100zonkysurfynet@194.177.96.26.. .
> Zonky <zonky@my_pants.surfy.net> wrote in
> news:Xns9A1F90D6ABF29zonkysurfynet@194.177.96.26:
>
>>
>> This is a bit of a catch 22 - any ideas how to solve?
>>
>> Z.
>
> Solved!
>
> I found this document http://support.microsoft.com/kb/887429
>
> I enabled the workstation signing in the registry
>
> ( Registry values associated with Group Policy configuration for Windows
> Server 2003, Windows XP, and Windows 2000
> Client
> In Windows Server 2003 and Windows XP, the "Microsoft network client:
> Digitally sign communications (if server agrees)" Group Policy, and in
> Windows 2000, the "Digitally sign client communication (when possible)"
> Group Policy map to the following registry subkey:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LanManWorkstation
> \Parameters
> Value Name: EnableSecuritySignature
> Data Type: REG_DWORD
> Data: 0 (disable), 1 (enable) )
>
> And then restarted the workstation service.
>
> I logged back in as a domain account, and can now reach my domain
> controllers.
>
>
> Z.
>
>
>
>
> --
> Please remove my_pants when replying by email.
>
>