System Unable to Connect to Domain

On Sunday, July 23, 2006 I replaced a disk drive in a Dell Optiplex GX260 system running Windows XP Professional Service Pack 2. I could not restore the last Norton Ghost 2003 image backup I had of the system's disk drive to the new drive due to a problem with a file in that backup. I had another image backup from March 2006, so Monday evening I used that backup and then restored the user's files from a separate backup of the contents of her folder under "documents and settings". Early Tuesday morning, I reconnected the PC to the network. The PC is part of a domain with a Windows Small Business Server (SBS) 2003 domain controller.

When I attempted to login under the user's account or the domain administrator's account, I kept getting the following error message:

Logon Message
Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.

 OK 

I rebooted the system and even rebooted the domain controller, but the results were the same. If I logged into the system using its local administrator account, I could see all of the systems in the domain listed even the affected one when I used the command net view /domain:solutions. Wwhen I tried to view the shared folders on the system, D, from the domain controller, I got an "access denied" error message.

C:\Documents and Settings\Administrator>net view \\d
System error 5 has occurred.

Access is denied.

When I tried to mount drive C on the affected system as drive W on the domain controller, I got the error message below.

C:\Documents and Settings\Administratori>net use w: \\d\c$
System error 1789 has occurred.

The trust relationship between this workstation and the primary domain failed.

But I could mount it, if I specified that I wanted to use the local administrator account on D, i.e. using net use w: \\d\c$ /user:d\administrator.

I could ping the system from the domain controller and vice versa, so network connectivity between the server and the system seemed to be ok. I removed the system from the domain and then added the system, which is named D, back to the domain using the command net computer \\d /add. The results were the same. The computer was listed in the domain, solutions, when I used net view /domain:solutions, but I couldn't login to the system using a domain account.

When I looked in the system's event logs, the first error entry I saw in the system log for the day, which appeared shortly after those related to the system restarting, was as shown below. The time must have been set incorrectly on the system, since it is showing the time as 4:40 PM, whereas I plugged the system into the network shortly after 8:00 AM.

Event Type:	Error
Event Source:	NETLOGON
Event Category:	None
Event ID:	5719
Date:		7/25/2006
Time:		4:40:07 PM
User:		N/A
Computer:	D
Description:
No Domain Controller is available for domain solutions due to the following: 
There are currently no logon servers available to service the logon request. . 
Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..    

A warning entry that seemed to be related to the same problem appeared about a minute later.

Event Type:	Warning
Event Source:	DnsApi
Event Category:	None
Event ID:	11197
Date:		7/25/2006
Time:		4:41:00 PM
User:		N/A
Computer:	D
Description:
The system failed to update and remove host (A) resource records 
(RRs) for network adapter
with settings:

   Adapter Name : {B0E52B4A-8C98-4F6E-8DFC-299728BA4DF7}
   Host Name : D
   Primary Domain Suffix : altered1.com
   DNS server list :
     	192.168.0.3, 66.159.80.160
   Sent update to server : <?>
   IP Address(es) :
     192.168.0.8

 The reason the update request failed was because of a system
problem. For specific error code, see the record data displayed below.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 51 27 00 00               Q'..    

The next error entry appeared at 4:43:44 PM. It was the same event id 5719 error as before. The only difference was the time change. It appeared about 3 1/2 minutes after the prior event id 5719 error message.

Looking at the information entry that appeared immediately preceding the 4:43:44 event id 5719 error entry, I saw the following:

Event Type:	Information
Event Source:	Tcpip
Event Category:	None
Event ID:	4202
Date:		7/25/2006
Time:		4:43:43 PM
User:		N/A
Computer:	D
Description:
The system detected that network adapter \DEVICE\TCPIP_{B0E52B4A-
8C98-4F6E-8DFC-299728BA4DF7} was disconnected from the network,
and the adapter's network configuration has been released. If the network 
adapter was not disconnected, this may indicate that it has malfunctioned. 
Please contact your vendor for updated drivers.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00   ......P.
0008: 00 00 00 00 6a 10 00 40   ....j..@
0010: 02 00 00 00 00 00 00 00   ........
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........

The first entry I saw in the application log for July 25, when I plugged the system back into the network was as follows:

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1054
Date:		7/25/2006
Time:		4:40:07 PM
User:		NT AUTHORITY\SYSTEM
Computer:	D
Description:
Windows cannot obtain the domain controller name for your computer 
network. (A socket operation was attempted to an unreachable host. ).
Group Policy processing aborted. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

About a minute afterwards, the entry below appeared in the application log:

Event Type:	Error
Event Source:	AutoEnrollment
Event Category:	None
Event ID:	15
Date:		7/25/2006
Time:		4:41:10 PM
User:		N/A
Computer:	D
Description:
Automatic certificate enrollment for local system failed to contact the active
directory (0x8007054b).  The specified domain either does not exist or
could not be contacted.
  Enrollment will not be performed.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

Another event id 1054 error entry appeared in the application log at 4:43:44. It was the same as the first one, except for the time change. Microsoft has an article Event ID 1054 is logged in the application event log, which suggests one should check the DNS settings, but I never changed those and when I checked the servers listed for the DNS servers, they are correct, with the first entry pointing to the internal DNS server, which is the domain controller. And I can ping the domain controller from the system.

None of the other systems in the domain were having any problem. So I logged into another system in the domain that no one was using at the time intending to copy the user's "My Documents" files, "Desktop", and "Favorites" to that system, since I could access the affected system over the network by connecting to it using its local administrator account. While I was in the process of doing that I checked the affected system, D, again, and found the problem had gone away. The problem had lasted about an hour. I only expected to drop off the system and leave and had no time to do any further checking on what might have caused the problem. I thought perhaps some process on the server that runs on a periodic basis might have run and properly accepted the system into the domain at that time.

The system appeared to work fine Tuesday and Wednesday; at least the user did not have any problems. The user didn't work on Thursday, but when she came back to work Friday morning, the problem was there again and she had to work on another system in the office again. When I checked on the problem Friday evening, it appeared to be the same situation as before.

Looking back through the system logs on Saturday morning, I found that though the user didn't seem to have problems later Tuesday or while she worked Wednesday, July 26, I did find error entries appearing in the log files starting the morning of July 26 (I'm assuming that the system's time was synchronized with that of the domain controller by then, so the times are now correct). I did not see a recurrence of the event id 1054 entry in the application log after July 25.

An application log error entry for Wednesday morning is shown below:

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1053
Date:		7/26/2006
Time:		8:15:02 AM
User:		NT AUTHORITY\SYSTEM
Computer:	D
Description:
Windows cannot determine the user or computer name. (Access is denied.
 ). Group Policy processing aborted. 

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

It was followed immediately by another error entry.

Event Type:	Error
Event Source:	AutoEnrollment
Event Category:	None
Event ID:	15
Date:		7/26/2006
Time:		8:16:08 AM
User:		N/A
Computer:	D
Description:
Automatic certificate enrollment for local system failed to contact the active 
directory (0x8007052b).  Unable to update the password. The value 
provided as the current password is incorrect.
  Enrollment will not be performed.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

That error entry was followed by a warning entry:

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date:		7/26/2006
Time:		8:17:59 AM
User:		NT AUTHORITY\SYSTEM
Computer:	D
Description:
Windows saved user D\Administrator registry while an application or
service was still using the registry during log off. The memory used by
the user's registry has not been freed. The registry will be unloaded
when it is no longer in use. 

This is often caused by services running as a user account, try
configuring the services to run in either the LocalService or
NetworkService account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Looking in the system event log for Wednesday, July 26, the first error entry I found was as follows:

Event Type:	Error
Event Source:	Dhcp
Event Category:	None
Event ID:	1002
Date:		7/26/2006
Time:		8:14:35 AM
User:		N/A
Computer:	D
Description:
The IP address lease 192.168.1.102 for the Network Card with network
address 001111A89CB0 has been denied by the DHCP server 
192.168.0.1 (The DHCP Server sent a DHCPNACK message).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I had the system plugged into another network after I restored it from a backup so I could download and install all of the bug fixes and security updates from Microsoft since the time I made the image backup. I had it set to get its IP address by DHCP then. But before plugging it back into the network from which I had taken it, I set it back to its fixed IP values, with an address of 192.168.0.8. It was apparently still trying to renew a leased IP address, 192.168.1.102 from the DHCP server on the network where I had plugged it in temporarily. A DHCP server, 192.168.0.1 on its permanent network rejected that lease renewal. I don't understand why it was trying to renew the lease, since I had changed it to a static IP address and DNS servers before plugging it back into its permanent network. But this error entry may not be related to the problems with the system authenticating with the domain controller. It was followed immediately by another error entry.

Event Type:	Error
Event Source:	NETLOGON
Event Category:	None
Event ID:	3210
Date:		7/26/2006
Time:		8:14:49 AM
User:		N/A
Computer:	D
Description:
This computer could not authenticate with \\S.altered1.com, a Windows
domain controller for domain solutions, and therefore this computer
might deny logon requests. This inability to authenticate might be caused by
another computer on the same network using the same name or the
password for this computer account is not recognized. If this message
appears again, contact your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..    

Searching for information on the problem, I found an Title: XP users cannot see domain or register connestions in DNS entry on the problem at Experts Exchange. A response by nyck6623 to someone reporting the problem provides the following information:

PRB: Cannot Connect to Domain Controller and Cannot Apply Group Policy with Gigabit Ethernet Devices
View products that this article applies to.
This article was previously published under Q326152
SYMPTOMS
Windows XP-based systems that use Gigabit Ethernet devices may not be able to join an Active Directory domain, which aborts the Group Policy download process. When this occurs, a series of events are written to the event log. For example:

Event ID: 1054
Source: NT AUTHORITY/SYSTEM
Type: Error

Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or exist or could not be contacted). Group Policy processing aborted.

Data: (unavailable)

CAUSE The problem occurs because link status fluctuates as the network adapter (also known as the network interface card, or NIC) driver initializes and as the network adapter hardware negotiates a link with the network infrastructure. The Group Policy application stack executes before the negotiation process is completed and can fail because of the absence of a valid link.
WORKAROUND
You may be able to work around this problem by disabling the "Media Sensing" feature in Windows. For additional information about how to disable Media Sense, click the following article number to view the article in the Microsoft Knowledge Base:
239924 How to Disable Media Sense for TCP/IP in Windows

If you disable Media Sense, and if you cannot join an Active Directory domain or download group policies, make sure that you are running the most current drivers for your network adapter. If you are already running the most current drivers for your network adapter, the only workaround currently available is to switch to a different network adapter.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.
Network adapter manufacturers may implement workarounds for this problem in their drivers. Microsoft has confirmed that some of these workarounds can cause network adapters to incorrectly report their link speed. As a result, programs that perform downloads from the network, monitor network performance, or do load balancing and packet scheduling (QoS) may not work as expected.

An 7243 Windows XP logs Event ID 1054, 'The specified domain either does not exist or exist or could not be contacted'? article at the JSI FAQ site, also indicates disabling media sense may resolve the problem, if you are using a Gigabit Ethernet network adapter.

The response indicated this information applies to problems with Gigabit Ethernet adapters. The system has a 10/100 Mbs Ethernet adapter, an Intel Pro/100 VE adapter rather than a Gigabit Ethernet adapter, but when I installed the updates from Microsoft for the operating system, one of those I installed was "Intel Corporation - Networking - Intel(R) PRO/100 VE Network Connection" an Intel network software update released on June 13 2005. I thought the later drive might be causing the problem, since it was likely not on the system before the disk drive problem occurred. Rather than changing the media sensing configuration, I thought I would first try rolling back to the previous driver. So I took the following steps to roll back the driver.

  1. Click on Start.
  2. Select Control Panel.
  3. Select Performance and Maintenance
  4. Select Performance and Maintenance
  5. Select System
  6. Select the Hardware tab on the "System Properties" window.
  7. Click on the Device Manger button.
  8. Click on the "+" sign next to Network Adapters to expand the entry.
  9. Right-click on the network adapter and select Properties.
  10. Click on the Driver tab.
  11. Click on the Roll Back Driver button.
  12. When asked about whether you are sure you want to roll back to the previous driver, click on the Yes button.

I rebooted the system after rolling back the network adapter driver to its previous state. However, that did not resolve the problem. Nor did another reboot of the domain controller.

On the affected computer, I then right-clicked on "My Computer", chose Properties, then Computer Name, clicked on the Change button changed the Member of setting from "domain" to "workgroup" and typed in "temp" for the workgroup name. I rebooted, then changed the setting back to the domain "solutions" and rebooted again. This time, I was successfully able to log into the computer using the domain administrator account.

Switching from the domain to a workgroup and back resolved my problem. For anyone who may have a similar problem, for which the solution that worked for me doesn't work, there are lots of other causes and suggested solutions listed at Event ID: 1054 on EventID.Net, a resource for information on various Windows event IDs. Some people have encountered this problem due to a firewall blocking communications between the system and the domain controller. One of the posters on that webpage resolved the problem by "disjoining the domain, then re-joining the domain" as I did.

References:

  1. Event ID 1054 is logged in the application event log
    May 5, 2004
    Microsoft Help and Support
  2. Title: XP users cannot see domain or register connestions in DNS
    July 29, 2004
    Experts Exchange
  3. 7243 Windows XP logs Event ID 1054, 'The specified domain either does not exist or exist or could not be contacted'?
    September 25, 2003
    JSI FAQ
  4. Event ID: 1054
    EventID.Net