Troubleshooting Netlogon Service Problems

• Microsoft LAN Manager, versions 2.0, 2.1, 2.1a, 2.2

SUMMARY

This article lists some common items to check if the Netlogon service is not working properly.

MORE INFORMATION

1. What is the accounts security setting in NET ADMIN?
   
   Netlogon does not operate on servers that declare themselves as STANDALONE.



2. Is there a group called SERVERS?
   
   The group must be called SERVERS; there is no choice.



3. If this is the primary domain controller, is there already a domain controller for this domain?
   
   Check this by doing a NET WHO, which searches for a domain controller. A domain can have only ONE domain controller.



4. If this is not the primary, be careful. On the primary, the group SERVERS must contain every server that participates in the domain That means adding an account for each server with the server's name and password (not required). Also, each member and backup machine must add the primary's name and its own name to the group SERVERS.
   
   IMPORTANT NOTE: The password that was used at the primary for the primary's account and each member account must be the SAME password used on each member and backup machine. Even though Netlogon works within OS/2 LAN Manager, it uses passwords for its validation schemes. In fact, Netlogon changes the passwords for the backup, member, and primary about once a week for an extra layer of security. Therefore, it is NOT recommended that you use your machine account as your own personal account because the password is frequently changed.
   
   Example
   
   On the primary, enter these commands:

   net user Primary_machine password /add
   net user Member_machine newpass /add
   net user Backup_machine raquelpass /add
   net group servers /add
   net group servers Primary_machine Member_machine Backup_machine /add

   On the backup, enter these commands:

   net user Primary_machine password /add
   net user Backup_machine raquelpass /add
   net group servers /add
   net group servers Primary_machine Backup_machine /add

   On the member, enter these commands:

   net user Primary_machine password /add
   net user Member_machine newpass /add
   net group servers /add
   net group servers Primary_machine Member_machine /add




5. Check the times between the primary and the rest of the domain. Netlogon does not propagate the NET.ACC file if the machines have a time difference of more than 10 minutes.
   
   This item is not necessary under LAN Manager 2.1A and later.



6. If none of these solutions works, rename the NET.ACC file and use the MAKEACC utility to create new user accounts. The syntax for MAKEACC is:

   MAKEACC <number of users> <lanman root>

   where <number of users> is the maximum number of users for which you are able to create accounts, and <lanman root> is the path where your OS/2 LAN Manager software resides (for example, C:\LANMAN).
   
   Please note that MAKEACC is available only to OEMs, so it is not included on packaged product disks.



7. Another way to create a new NET.ACC file is to install OS/2 LAN Manager from scratch. Please note that it is dangerous to simply copy a new NET.ACC file onto a server, since security information also resides in local ACLs. You need to use the BACKACC and RESTACC utilities to periodically back up and restore the NET.ACC file, since these utilities also handle ACLs that exist on files. See the "Microsoft Operating System /2 LAN Manager Administrator's Guide" for more information on how to use these utilities.
   
   You can also look n the \LANMAN\ACCOUNTS directory for the NETACC.BAK file---an older copy of your NET.ACC file. You can rename this file to NET.ACC and use it for the NETLOGON service.
   
   It is more convenient than the original NET.ACC on the diskette as it probably contains most of your UAS.

Additional query words: 2.00 2.10 2.10a 2.20

Keywords :
Version : :2.0,2.1,2.1a,2.2
Platform :
Issue type :