2

We have a Windows 7 laptop which was recently joined to our SBS 2003 domain. While connected to the network everything works perfectly, but when the network cable is removed we start to have problems.

Most accounts logged in after a delay of around 40-60 seconds. Is this normal for logging on with cached credentials? I was expecting it to be much faster.

Worse still, a couple of domain user accounts behaved as though their credentials were not cached, with the following error appearing after attempting to sign in:

[Image: screenshot of the error message]

I read on other similar questions titled "There are currently no logon servers available to service the logon request" that removing a PC from the domain then rejoining can sometimes work, but was wondering if anyone could a) explain the underlying problem here and b) come up with alternative solutions which might permanently resolve the issue (we cannot afford to have staff locked out of this device when using it off-site).

Austin ''Danger'' Powers
  • `SBS 2003 domain` Wow. Time to upgrade... long past time to upgrade. Anyway, how do you know your clients are caching credentials? They might behave like they're not, because they're not. – HopelessN00b Mar 09 '14 at 17:40
  • I'd love to upgrade but it's a small non-profit organization which can't really justify the expense at the moment. I know we have cached credentials as most users can log in despite the network cable being disconnected... and even the ones who get the "no logon servers" error get cached credentials again if we log on once with the network cable attached (unfortunately it doesn't stay fixed forever though and the error eventually returns). – Austin ''Danger'' Powers Mar 09 '14 at 17:47
  • Well, non-profit or not, [parts of SBS 2003 are already out of extended support, with most of the rest not far behind](http://blogs.technet.com/b/sbs/archive/2013/09/25/information-about-sbs-2003-product-support-lifecycle.aspx)... so things are only going to get worse with time. Having said that, check the credential caching settings on your client computers (and domain-GPO) and make sure you have enough previous logons cached: `Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\` If it's set, bump the number up and see if it helps. – HopelessN00b Mar 09 '14 at 18:00
  • @Austin''Danger''Powers: Are the accounts logging on with domain\username? – Greg Askew Mar 09 '14 at 18:02
  • @HopelessN00b the credential caching setting was still on its default of 10. We have 17 users who will be borrowing this laptop, so this must have been the issue as it wouldn't have been able to cache 7 of the 17 at any given time. I have just changed the default GPO and increased this to 50 so all of our current users (and any future ones) can log in when the DC is not contactable. Testing so far suggests this has resolved the issue. Thanks for the tip. – Austin ''Danger'' Powers Mar 09 '14 at 19:13
  • @GregAskew yes (the domain is shown already, so users don't need to type it themselves... only their username). – Austin ''Danger'' Powers Mar 09 '14 at 19:21

1 Answer

2

As the comments suggest, your problem is that you have more users logging on than you have credentials being cached, so some of those credentials you want cached are being overwritten by more recent logins.

Up the number of cached credentials and the problem should go away. This can be controlled by GPO on the domain, or local security policy. Either way, you open up the policy editor, navigate to `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options` and edit `Interactive logon: Number of previous logons to cache (in case domain controller is not available)`.

By default, it's 10; set it to at least the number of accounts you'll have logging on, and that should take care of the problem.

HopelessN00b
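One way to confirm on the laptop that the policy change actually arrived (after `gpupdate /force` and a reboot), shown as an added example that is not part of the original answer. It assumes the policy is backed by the `CachedLogonsCount` value under the Winlogon key and that the setting accepts 0 to 50; the function name and the `-ExpectedUsers` parameter are hypothetical.

```powershell
# Added example: compare the effective cached-logon limit on this client with
# the number of domain users who must be able to sign in offline.
# Written for PowerShell 2.0 so it runs on a stock Windows 7 machine.
function Test-CachedLogonCapacity {
    param(
        # Assumption: supplied by the administrator (17 in the question above).
        [Parameter(Mandatory = $true)][int]$ExpectedUsers
    )

    # "Interactive logon: Number of previous logons to cache" is stored here
    # as a string (REG_SZ). If the value is absent, the default of 10 applies.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -ErrorAction Stop).CachedLogonsCount

    $limit = 10
    if ($null -ne $raw) {
        $parsed = 0
        if (-not [int]::TryParse([string]$raw, [ref]$parsed)) {
            throw "CachedLogonsCount is not numeric: '$raw'"
        }
        $limit = $parsed
    }

    # The setting's range is 0-50; 0 disables offline logon entirely.
    if ($limit -eq 0) {
        $note = 'Caching disabled: nobody can log on without a domain controller.'
    } elseif ($ExpectedUsers -gt 50) {
        $note = 'More users than the maximum of 50; some will always be evicted.'
    } elseif ($ExpectedUsers -gt $limit) {
        $note = "Oldest entries are overwritten; raise the limit to at least $ExpectedUsers."
    } else {
        $note = 'Limit covers every expected user.'
    }

    New-Object PSObject -Property @{
        CachedLogonLimit = $limit
        ExpectedUsers    = $ExpectedUsers
        Sufficient       = ($limit -ge $ExpectedUsers -and $limit -gt 0)
        Note             = $note
    }
}

# Usage on the shared laptop from the question:
Test-CachedLogonCapacity -ExpectedUsers 17 | Format-List
```

Each cached entry is a password verifier stored on the laptop, so on a device that travels off-site the limit is best kept close to the real user count and paired with full-disk encryption.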