Article ID: 810497
Article Last Modified on 1/27/2005
APPLIES TO
- Microsoft Windows XP Professional
- Microsoft Windows NT 4.0 Service Pack 6a
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
When you try to log on to a Windows NT 4.0 domain from a Windows XP-based computer, you may receive the following error message:
You can log on locally to your computer and map drives to the Windows NT 4.0 Server-based computer by using your user domain credentials, and you can log on to the domain by using the same user account from a Windows NT 4.0-based computer.
CAUSE
This behavior may occur if the password for the computer account and the local security authority (LSA) secret are not synchronized.
RESOLUTION
To troubleshoot and resolve this behavior, use the following procedures, as appropriate for your situation:
- Reset the secure channel between the Windows XP-based client computer and the domain controller.
You can use either the Nltest.exe or the Netdom.exe command-line utility to reset the secure channel. Both tools are located in the Support\Tools folder of the Windows XP CD-ROM. To install these tools, run Setup.exe or extract the files from the Support.cab file.
- To use the Nltest.exe command-line utility to query and reset the secure channel, type the following lines at the command prompt, pressing ENTER after each line:
nltest /sc_query:DomainName
nltest /sc_reset:DomainName
- To use the Netdom.exe command-line utility to reset the secure channel, type the following line at the command prompt, and then press ENTER:
netdom reset ComputerName /domain:DomainName
Note Make sure that you use the version of Netdom.exe that is included with Windows XP. For additional information about how to use Netdom.exe to reset the secure channel, click the following article number to view the article in the Microsoft Knowledge Base:
216393 Resetting Computer Accounts in Windows 2000 and Windows XP
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Check the event logs on both the PDC and Windows XP client computer.
For example, you may see event messages similar to the following in Event Viewer:
Event ID 5721
The session setup to the Windows NT Domain Controller <Unknown> for the domain <DomainName> failed because the Windows NT Domain Controller does not have an account for the computer <ComputerName>
Event ID 5722
The session setup from the computer DOMAINBDC failed to authenticate. The name of the account referenced in the security database is DOMAINBDC$. The following error occurred:
Access is denied.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
160324 Event ID 5721 after Deleting Computer Account
150518 NetLogon Service Fails When Secure Channel Not Functioning
- Verify that the computer account exists in the domain. To do so:
- Click Start, point to Programs, point to Administrative Tools, and then click Server Manager.
- On the View menu, click Show Domain Members.
- Make sure that NetBIOS over TCP/IP (NetBT) is enabled on the client computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
314366 Cannot Join Windows XP Client to a Windows NT Domain
- If the following registry entries are configured on the Windows XP client and on the domain controller, make sure that their values are set to 0 (zero):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMcompatibilitylevel
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
239869 How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT
- On the Windows XP client computer, verify that the Network Security: LAN Manager Authentication level Group Policy setting is configured to use the Send LM & NTLM responses option. To do so:
- Click Start, and then click Run.
- In the Open box, type gpedit.msc, and then click OK.
- Expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- In the right pane, double-click Network Security: LAN Manager Authentication level.
- Make sure that the Send LM & NTLM responses option is set, and then click OK.
- Investigate possible name resolution issues.
- Investigate possible trust relationship issues by using the Netdiag.exe command-line utility.
- Re-create the computer account, join a workgroup, and then rejoin the domain.
- On the Windows XP client computer, turn on logging for the Netlogon service to capture and view NTLM logon events. For additional information about how to do so, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling Debug Logging for the Netlogon Service
- Use Network Monitor to perform a network trace and analyze Remote Procedure Call (RPC) traffic.
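The following read-only check covers the two LSA registry entries and the LAN Manager Authentication level setting described in the steps above. It is an added example, not part of the original Microsoft article. It assumes that Windows PowerShell 2.0 or later is installed on the computer being checked, and the function names are hypothetical. Level 0 means the client sends LM and NTLM responses and never uses NTLMv2 session security, so the script reports the current level by its policy text to make any deviation from the article's value visible.

```powershell
# Added example: read-only check of the two LSA entries named in the article.
# Assumes Windows PowerShell 2.0 or later is installed; nothing is written.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Option text of "Network security: LAN Manager authentication level".
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LsaEntry {
    param([string]$Name)
    # $null means the entry is absent, i.e. "not configured" in the article's terms.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Test-Kb810497LsaEntries {
    foreach ($name in 'LmCompatibilityLevel', 'RestrictAnonymous') {
        $value = Get-LsaEntry -Name $name
        $meaning = 'not configured'
        if ($null -ne $value) {
            $meaning = "value $value"
            if ($name -eq 'LmCompatibilityLevel' -and $LmLevelText.ContainsKey([int]$value)) {
                $meaning = $LmLevelText[[int]$value]
            }
        }
        New-Object PSObject -Property @{
            Entry          = $name
            Value          = $value
            Meaning        = $meaning
            # The article only asks for 0 when the entry exists at all.
            MatchesArticle = ($null -eq $value) -or ([int]$value -eq 0)
        }
    }
}

Test-Kb810497LsaEntries | Format-Table Entry, Value, Meaning, MatchesArticle -AutoSize
```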
MORE INFORMATION
For additional information about how to troubleshoot related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:
318266 A Windows XP Client Cannot Log On to a Windows NT 4.0 Domain
314462 Err Msg Joining Windows XP Computer to Windows 2000 Domain
314366 Cannot Join Windows XP Client to Windows NT Domain
294355 Netdom.exe Cannot Join a Windows XP Professional-Based Computer to a Domain
For additional information about Netlogon behavior in Windows NT 4.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
266729 Netlogon Behavior in Windows NT 4.0
175024 Resetting Domain Member Secure Channel
250877 Changing Domains Without Rebooting Within 10 Minutes Causes Secure Channel Problem
For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base:
162797 Trust Relationship Between Workstation and Domain Fails
147706 How to Disable LM Authentication on Windows NT
Keywords: kberrmsg kbinfo kbprb KB810497