Server 2003 Event ID 529 and Windows XP event id 1521

Hi,

My network has a weird problem. We have an active directory forest
that has a one way transitive trust with another forest using
kerberos.

Our users log on using the trust domain but almost always receive the
error

" Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the
profile will not be copied to the server when you logoff. Possible
causes of this error include network problems or insufficient security
rights. If this problem persists, contact your network
administrator.

DETAIL - Logon failure: unknown user name or bad password. "

followed by "Windows cannot find the local profile and is logging you
on with a temporary profile. Changes you make to this profile will be
lost when you log off."


They can still log on and get their network drives but for some reason
their profile is never saved/loaded.

If they log on using our domain, this problem never occurs. Their
profile is loaded and they can save it and retrieve in future logons.

I checked the event logs and it is saved under 529 in the windows 2003
domain controller and event id 1521 in the windows xp client machine

Event id 529: Logon Failure:
Reason: Unknown user name or bad password
User Name: abc123
Domain: EXEL
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: STALFOS
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -

Event id 1521: Windows cannot locate the server copy of your roaming
profile and is attempting to log you on with your local profile.
Changes to the profile will not be copied to the server when you
logoff. Possible causes of this error include network problems or
insufficient security rights. If this problem persists, contact your
network administrator.

DETAIL - Logon failure: unknown user name or bad password.

Event id 1511: Windows cannot find the local profile and is logging
you on with a temporary profile. Changes you make to this profile will
be lost when you log off.


I observed that it is using NTLM authentication in the event id 529
but I don't know how to force kerberos authentication.

Any thoughts?

It is telling you the location of where the profile resides is not
reachable. Try accessing the network profile once the user is logged on (As
this user) and I'm betting you get an access denied.

It is not clear which way the authentication is flowing. Based on the fact
that you say your domain is OK and the other isn't, and you don't indicate
the number of domains in each forest or the relationship, but you do say
that the logon succeeds, albeit using NTLM, this suggests that you have a
DNS issue somewhere.

Can both the client workstation and the file server successfully locate the
KDC in the file server's domain using SRV records?

e.g.
nltest /dsgetdc:domain-name.com

or
nslookup -type=srv _kerberos._tcp.dc._msdcs.domain-name.com.


Can you please provide some additional info. on number of domains, which
forest they're in, where the file server is, how DNS is configured, etc.?

Can you run the above command(s) for the domain in question, as well as
other domains?

[RicRegier]

Hi I'm having about the same problems with several pc's on my domain, I tried the nslookup on this pc and found;

"Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\rregier.INT>nltest /dsgetdc:domain-name.com
'nltest' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\rregier.INT>nslookup -test=serv_kerberos._tcp.dc._msdc
s.domain-name.com
*** Invalid option: test=serv_kerberos._tcp.dc._msdcs.domain-name.com
*** Can't find server name for address 10.144.168.5: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 10.144.168.5

Now I'm logged into the server and running everything I believe, I can see all networking drives this ip is my server01 with the AD and terminal server running...

Now to let you know something first, about 6mo ago our old IBM eserver crashed... We bought two servers’ one running winserver 08 and the other winserver 03 the first as I said running the AD, TS and then the other used as a file server... Both of them seem to be running good very little problems, however each of the PC in the domain are or have had a lot of problem logging in some times have to be rebooted to get on to the domain have that roaming profile problem we have none set to roaming...
Could this problem be the fault of the pc's having the old server info in the reg's if I was to redo the pc's as new then attach them to the domain would this correct the problem? I've done a lot of work to get them working correctly and seem like the same old thing happens... Help!