Sangfor online behavior management: domain single sign-on failure in the new component mode

Source: Internet
Author: User

Domain single sign-on failure in the new component mode

The domain single sign-on process can be analyzed in the following stages:

Stage 1: The PC requests to log on to the domain.

In the new single sign-on component mode, the PC itself first logs on to the domain for authentication. This step is generally not a problem, but if the PC logs on to the domain offline, or its network connection is not ready at the time it logs on to the domain, single sign-on may fail.

In this case, we recommend enabling the domain Group Policy setting "Always wait for the network at computer startup and logon". The command for updating Group Policy on the domain server is `gpupdate.exe /force`.

Stage 2: After domain authentication succeeds, the logon.exe script is executed.

After the PC passes domain authentication, the logon.exe script is executed. The following factors may cause domain single sign-on to fail at this stage:

1) Whether the single sign-on script is correctly added and configured on the domain server.

2) Whether the domain Group Policy is successfully delivered to the PC.

3) Whether the PC, once the policy has been delivered, has permission to execute the logon.exe script.

Based on these possible factors, we need to perform the following troubleshooting tasks:

1) Check whether the Group Policy settings on the domain server are associated with the corresponding domain account.

2) Run the "gpresult" or "rsop.msc" command on the tested PC to check whether the Group Policy obtained by the PC is consistent with what is set on the domain.

gpresult shows the result on the command line, and rsop.msc shows it graphically.

3) Manually execute the logon.exe script on the PC to check whether it runs successfully.

Stage 3: After the PC runs logon.exe successfully, a logon.txt log file is generated under the local C drive shared directory C:\Documents and Settings\, and the success message is reported to the AC.

In this process, the following factors may cause domain single sign-on to fail:

1) The domain account the PC uses to log on to the domain does not have write permission for the shared directory on drive C.

2) The AC single sign-on IP address, port, and key set by the domain Group Policy are incorrect.

3) The PC itself and the AC cannot communicate with each other.

Based on these possible factors, we need to troubleshoot the problem as follows:

1) Make sure that the domain account has the write permission for the shared directory of drive C. You can manually create a file for verification under the shared directory of drive C.

2) Check that the logon.txt file is generated under "C:\Documents and Settings\domain USERNAME\Users".

If the logon.txt file is not generated even though the directory has write permission, check whether the PC's local firewall or anti-virus software is protecting the directory and preventing the log file from being written. You can shut down the built-in software firewall and log on to the domain to check whether the logon.txt file is generated.

If the logon.txt file is generated but domain single sign-on still fails, copy out the content of logon.txt and check whether the failure is caused by a configuration problem or by the AC not responding to the request sent by the PC.

If the logon.txt file shows that the PC has sent the success message to the AC but the AC does not respond, check whether communication between the PC and the AC is normal and whether other network devices are intercepting the packets. The most direct method is to capture packets on the AC to see whether it receives the single sign-on packets sent from the PC.

Stage 4: The AC receives the single sign-on authentication information sent by the PC and adds the user to the online user list.

In this stage, single sign-on failure is generally caused by the PC's IP/MAC address already being bound to another user in the AC organizational structure.

In addition to the above three processes, the system configuration of the PC may also cause single sign-on failure.

1) The Net Logon Service on the PC must be enabled.

If the Net Logon service is disabled and cannot be started manually, check whether the Workstation service is started. There is a dependency between the two services.

The following services also affect activity in the domain; make sure they are in the started state:

DNS Client

DHCP Client

Remote Procedure Call (RPC)

TCP/IP NetBIOS Helper

2) On the domain server, if an account that belongs to multiple security groups with greater permissions (the Domain Users group, the Administrators group, etc.) cannot complete domain single sign-on, the Domain Users group must also be added. By default, only Authenticated Users is added.
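
The client-side checks from stages 2 and 3 and the service list above, gathered into one PowerShell script to run on the affected PC as the logged-on domain user. This is an added example, not part of the original article or any Sangfor tooling; the AC address is a placeholder, the log directory default is an assumption, and the service short names are the standard Windows names for the display names listed above.

```powershell
# Added example: client-side triage for domain single sign-on failures.
# $AcAddress is a placeholder and $LogDir is an assumed location; set both for your site.
param(
    [string]$AcAddress = '192.0.2.10',   # placeholder AC IP (documentation range)
    [string]$LogDir    = (Join-Path 'C:\Documents and Settings' $env:USERNAME)
)

$results = [ordered]@{}

# Net Logon, Workstation, DNS Client, DHCP Client, RPC, TCP/IP NetBIOS Helper
$services = 'Netlogon', 'LanmanWorkstation', 'Dnscache', 'Dhcp', 'RpcSs', 'lmhosts'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $results["Service $name"] = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
}

# Stage 2: was the logon script policy actually delivered to this user?
$gp = & gpresult.exe /scope user /v 2>&1 | Out-String
$results['GPO delivers logon.exe'] = $gp -match 'logon\.exe'

# Stage 3: can the logged-on account write to the log directory?
$probe = Join-Path $LogDir ('sso-write-test-{0}.tmp' -f [guid]::NewGuid())
try {
    Set-Content -Path $probe -Value 'test' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
    $results['Log directory writable'] = $true
} catch {
    $results['Log directory writable'] = $false
}

# Stage 3: was logon.txt generated, and when was it last written?
$log = Join-Path $LogDir 'logon.txt'
if (Test-Path $log) {
    $results['logon.txt'] = 'Present, last written {0}' -f (Get-Item $log).LastWriteTime
    Get-Content $log -Tail 20      # most recent entries, for manual review
} else {
    $results['logon.txt'] = 'Missing'
}

# Basic ICMP reachability only; it does not prove the single sign-on packets reach the AC.
$results['AC answers ping'] = Test-Connection -ComputerName $AcAddress -Count 2 -Quiet

$results.GetEnumerator() | Format-Table Key, Value -AutoSize
```

A stopped service, a missing logon.exe entry in the gpresult output, or a failed write test points to stage 1 or 2; if every client-side check passes, move on to the packet capture on the AC.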

This article is from the "Criss" blog and will not be reposted!
