Troubleshoot login issues

Brien M. Posey

Network administration - Logging on to a computer is so routine that most people do not think of it as a process at all. There are, however, a number of things that can go wrong when a user logs on to Windows. This article introduces some of the causes of logon failures in an Active Directory environment.


Before you start

Before getting started, we want to briefly mention a few things that are useful to know but will not be treated here as causes of logon errors. This article assumes that, before you begin troubleshooting, you have already confirmed that the user is entering the correct password, that the password has not expired, and that the workstation has basic network connectivity to a domain controller.

System clock

It may seem odd, but the workstation's clock can cause a logon failure. If the workstation's time differs from the time on your domain controllers by more than five minutes (the default Kerberos tolerance), the logon will fail.

The authentication process begins when the user enters a username and password. The client then sends a Kerberos Authentication Service Request (AS-REQ) to the Key Distribution Center (KDC), which in an Active Directory domain runs on every domain controller. The AS-REQ contains, among other things:

  1. The user's identity (the principal name).

  2. The name of the service the user is requesting (in this case the Ticket Granting Service).

  3. Pre-authentication data encrypted with the user's master key. This master key is derived from the user's password with a one-way function, so the KDC can compute the same key from the password hash stored in Active Directory without ever seeing the password itself.

When the KDC receives the request, it looks up the user's Active Directory account, retrieves the user's master key and uses it to decrypt the pre-authentication data (the PA-ENC-TIMESTAMP pre-authentication type, in Kerberos terms).

When the workstation built the pre-authentication data, it placed a time stamp inside the encrypted blob. When the KDC decrypts it, it compares this time stamp with the current time on its own clock. If the two differ by less than five minutes, the AS-REQ is accepted and authentication continues. If they differ by more than five minutes, Kerberos treats the request as a possible replay of a previously captured packet and rejects it with the error KRB_AP_ERR_SKEW ("Clock skew too great"). The five-minute window is the default of the domain Kerberos policy setting "Maximum tolerance for computer clock synchronization"; it can be changed, but raising it widens the window in which a captured request can be replayed. When a logon is rejected for this reason, the user sees a message like the following:

The system cannot log you on due to the following error: There is a time difference between the client and server. Please try again or consult your system administrator.

The fix is simple: set the workstation's clock to match the domain controller's. Domain members normally synchronize with the domain hierarchy automatically through the Windows Time service (W32Time), so a clock that keeps drifting usually means that service is stopped, misconfigured or pointed at a different time source; correct the clock through the time service rather than by hand, or the problem will come back.
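The following script is an added example, not part of the original article: it measures the workstation's offset against a domain controller with the built-in w32tm.exe, compares it with the Kerberos tolerance, and triggers a resync through the Windows Time service only when the offset is too large. It assumes a domain-joined machine that can reach the domain controller on UDP 123; the domain controller name defaults to the one that authenticated the current session, and the 300-second threshold is the default value of the Kerberos policy setting mentioned above.

```powershell
# Added example (not from the original article): measure this workstation's
# clock offset against a domain controller and resync it when the offset
# exceeds the Kerberos tolerance. Uses only w32tm.exe (built into Windows).
# Assumptions: the machine is domain-joined, can reach the DC on UDP 123,
# and the script runs elevated if a resync turns out to be needed.
param(
    # Default to the DC that authenticated this session; LOGONSERVER looks like \\DC01
    [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', ''),
    # Kerberos policy "Maximum tolerance for computer clock synchronization", default 5 minutes
    [int]$MaxSkewSeconds = 300
)

# /dataonly prints one line per sample in the form "10:00:00, +00.0012345s"
$raw = & w32tm.exe /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    throw "No time samples from $DomainController (is UDP 123 reachable?):`n$($raw -join "`n")"
}

$skew = [math]::Abs(($offsets | Measure-Object -Average).Average)
'{0} is {1:N3} s away from {2}' -f $env:COMPUTERNAME, $skew, $DomainController

if ($skew -le $MaxSkewSeconds) {
    'Within tolerance; Kerberos pre-authentication will not be rejected for clock skew.'
    return
}

'Skew exceeds tolerance; the KDC would answer the AS-REQ with KRB_AP_ERR_SKEW. Resyncing...'
# Show where the time service thinks it is syncing from. "Local CMOS Clock" on a
# domain member means it is not following the domain hierarchy at all.
w32tm.exe /query /source
w32tm.exe /resync /nowait   # needs elevation; uses the domain hierarchy as source by default
```

If `w32tm /query /source` reports the local CMOS clock or an unexpected server, fix the time source (on a domain member the default `/syncfromflags:domhier` is what you want) before trusting the resync, otherwise the clock will drift out of tolerance again.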

Global Catalog Server errors

Another cause of logon problems is a global catalog server failure. A global catalog server is a domain controller that has been configured to hold the global catalog, a partial read-only replica of every object in every domain of the forest. Clients use it to search for objects across the whole forest rather than only in their own domain.

When a forest is first created, the first domain controller you bring online is automatically configured as a global catalog server. The problem is that this server can fail, and Windows does not automatically assign the role to another domain controller. If the only global catalog server is unavailable, only domain administrators will be able to log on to Active Directory.

Given how important global catalog servers are, you should take steps to keep them from becoming a single point of failure. Fortunately, any or all of your domain controllers can be configured as global catalog servers. In a forest consisting of a single domain you can simply make every domain controller a global catalog server, since there is nothing extra to replicate. In a multi-domain forest, having several global catalog servers is still the right approach, but which domain controllers take the role needs some planning, because each of them replicates a partial copy of every object in every other domain.

If your global catalog server has failed and no one can log on, the best thing you can do is restore it to a working state. There is a way to let users log on while the global catalog server is down, but it carries a security risk.

When the domain is running in native mode, the global catalog server is responsible for enumerating the user's universal group memberships at logon. If you allow logons while it is down, universal group membership is not checked and those group SIDs are simply left out of the user's access token. Any restriction you have tied to membership of a universal group (a deny permission granted to such a group, for example) will therefore not be applied until the global catalog server is available again, so treat this as an emergency measure and undo it as soon as the catalog is back.

If you decide you must allow users to log on anyway, you have to edit the registry on each domain controller. A careless registry edit can leave Windows unable to start, so make a full system backup before making this change.

Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
Create a new DWORD value named IgnoreGCFailures and set it to 1. You must restart the domain controller for the change to take effect, and you should remove the value (or set it back to 0) and restart again once a global catalog server is available.
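The script below is an added example and not part of the original article. It ties together the two points above: it lists the domain controllers that hold the global catalog role and whether their GC LDAP port (TCP 3268) answers, shows which of a given user's groups are universal (the memberships that go unchecked when IgnoreGCFailures is in effect), and reads or sets the IgnoreGCFailures value on the local domain controller. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the registry value is the one described in the text, the cmdlets are the module's own, and the account name `jdoe` in the usage lines is a placeholder.

```powershell
# Added example (not from the original article): check global catalog
# availability, show which of a user's groups would go unchecked if logon is
# allowed without a GC, and inspect or set the IgnoreGCFailures value.
# Assumes the ActiveDirectory RSAT module on a domain-joined machine.
Import-Module ActiveDirectory

function Test-GlobalCatalog {
    # Every DC advertising the GC role, plus whether its GC LDAP port answers
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | ForEach-Object {
        $tcp = Test-NetConnection -ComputerName $_.HostName -Port 3268 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server     = $_.HostName
            Site       = $_.Site
            GcPort3268 = $tcp.TcpTestSucceeded
        }
    }
}

function Get-UniversalGroupsOf {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Universal group membership is what the GC supplies at logon. These are the
    # SIDs that would be missing from the user's token under IgnoreGCFailures,
    # so any deny ACE or restriction tied to them would silently not apply.
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object GroupScope -eq 'Universal' |
        Select-Object Name, DistinguishedName
}

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-IgnoreGCFailures {
    # Absent value means the default (0): logon fails when no GC is reachable
    $v = Get-ItemProperty -Path $lsaKey -Name IgnoreGCFailures -ErrorAction SilentlyContinue
    if ($null -eq $v) { 0 } else { [int]$v.IgnoreGCFailures }
}

function Set-IgnoreGCFailures {
    # Emergency only: run on each DC, elevated, and reboot it afterwards
    param([ValidateSet(0, 1)][int]$Value)
    New-ItemProperty -Path $lsaKey -Name IgnoreGCFailures -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Warning "IgnoreGCFailures=$Value on $env:COMPUTERNAME; restart this DC for it to take effect."
}

# Usage (on a domain controller):
Test-GlobalCatalog | Format-Table -AutoSize
"IgnoreGCFailures currently: $(Get-IgnoreGCFailures)"
# Get-UniversalGroupsOf -SamAccountName jdoe   # 'jdoe' is a placeholder account
# Set-IgnoreGCFailures -Value 1                # only if no GC can be restored soon
# Set-IgnoreGCFailures -Value 0                # once a GC is back, then restart again
```

Run `Get-UniversalGroupsOf` against a few sensitive accounts before enabling the workaround: if any of those universal groups is used for a deny permission or a restrictive policy, those controls are exactly what the workaround switches off.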

DNS Server error

If you find that no user can log on even though your domain controllers and global catalog servers are working, a DNS failure is the likely cause. Active Directory is entirely dependent on DNS.

The DNS server holds the name records for the computers on your network, and the computers use those records to resolve host names to IP addresses. It also holds the service (SRV) records, such as _ldap._tcp.dc._msdcs.<domain>, that domain members use to locate a domain controller in the first place. If the DNS server fails, name resolution fails with it, the workstation cannot find a domain controller, and the logon process fails.

There are two things you need to know about DNS failures when troubleshooting logon problems. The first is that logon errors may not appear immediately. Windows keeps a DNS resolver cache of the results of previous queries, so that repeated lookups of the same names do not flood the DNS servers.

In many cases the cache will still hold the addresses of domain controllers and global catalog servers. Those entries expire when their time to live (TTL) runs out and then have to be looked up again, so logon problems surface only as the cached records for the domain controllers begin to expire, possibly some time after the DNS server actually failed.

The other thing to know is that a DNS server failure has many symptoms besides logon errors. Unless the computers on your network are configured with a secondary DNS server to fall back on when the primary fails, the whole Active Directory environment grinds to a halt: replication, Group Policy processing and access to shares all depend on resolving names and locating domain controllers. There are exceptions, but in general the loss of DNS on an Active Directory network shows up as a broad communications failure rather than a problem confined to logons.
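As an added example (not part of the original article), the script below checks the DNS side of a logon failure from a client: it queries the DC locator SRV records directly from the configured DNS servers, bypassing the local cache, lists what the resolver cache still holds for the domain along with the remaining TTL, and shows how many DNS servers each interface has configured. It assumes a domain-joined Windows 8/Server 2012 or later client (the DnsClient module) and uses the standard DC locator record names; the forest-root parameter exists because the `_gc` records live in the forest root zone, which is the same as the domain in a single-domain forest.

```powershell
# Added example (not from the original article): check the DNS records a
# domain member needs to find a DC, and show what is still cached locally.
# Assumes a domain-joined Windows 8 / Server 2012 or later client.
function Test-DcLocatorDns {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # _gc records live in the forest root zone; same as $Domain in a single-domain forest
        [string]$ForestRoot = $env:USERDNSDOMAIN
    )
    $records = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_gc._tcp.$ForestRoot"
    )
    foreach ($name in $records) {
        try {
            # -DnsOnly skips the resolver cache, hosts file, LLMNR and NetBIOS, so this
            # shows whether the DNS server itself still answers, not what is cached
            $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
                   Where-Object Type -eq 'SRV'
            foreach ($r in $srv) {
                [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port; TTL = $r.TTL; Error = $null }
            }
        } catch {
            # A failure here is the "no user can log on" case once the cache empties
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; TTL = $null; Error = $_.Exception.Message }
        }
    }
}

function Get-CachedDcEntries {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # Entries the resolver cache still holds for the domain. Logons keep working
    # only until TimeToLive (seconds) runs out on these.
    Get-DnsClientCache | Where-Object Entry -like "*$Domain*" |
        Select-Object Entry, Data, TimeToLive
}

# Usage:
Test-DcLocatorDns | Format-Table -AutoSize
Get-CachedDcEntries | Format-Table -AutoSize
# Which resolvers the client uses; a single address here is the "no secondary DNS" case
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses
```

If the SRV queries fail while `Get-CachedDcEntries` still returns records with a positive TTL, you are looking at the delayed-failure situation described above: logons work for now and will start failing as those TTLs reach zero.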

Conclusion

We have discussed some of the main causes of logon failures on Active Directory networks, but an important part of troubleshooting is to look at how widespread the problem is. If only one host on a large network has logon problems, you can rule out DNS and global catalog failures, since those affect every machine that depends on the failed server. If the problem is isolated to a single machine, it is more likely to lie in that machine's configuration or network connection, or in the user's account.