Troubleshooting the logon server

You can use these methods to resolve problems with iSeries™ NetServer™ and the logon server.

Cannot find the logon server

If your PC cannot contact the logon server, you might see a message similar to one of the following messages:

• No domain server was available to validate your password.

• The system could not log you on now because the domain X is not available.

This might occur for various reasons:

• The client cannot resolve to the logon server. This is the most common reason and there can be a variety of causes, depending on how the network is configured. The client PC must be able to get the IP address of the logon server based on the domain name. If the client and logon server are located on different TCP/IP subnets, then typically broadcast queries are not sent across. There are three solution strategies:

  • Microsoft^® Browsing protocol

    You can use the domain discovery support of the Microsoft Browsing protocol. The i5/OS^® browsing support is discussed in Browsing support. The basic idea is that if at least one browser server for the domain exists in the subnet from which the PC will log on and that Local Master Browser (LMB) has knowledge of the Domain Master Browser (DMB), then the client can ask it for the name of the logon server, after which normal name resolution can proceed (DNS, and so on.). However, there is not always an LMB available to service these requests, and in that case, one of the following backup solutions should be put in place.

  • Windows^® Internet Name Service (WINS)

    WINS is the general solution and recommended for complex TCP/IP networks because computers and the services they render are matched with IP. It requires at least one WINS server running on a computer with that capability somewhere on the network. Then, each computer needing the service should be configured with the IP address of the WINS server.

  • LMHOSTS configuration file

    You can also make use of the static LMHOSTS configuration file on the PC. Host lines can be appended with #PRE and #DOM:domain directives to preload domain controllers into the name cache.

    Notes:

    • LMHOSTS files can include files on systems so that this solution can still be centrally administered.

    • The Logon support provided by iSeries NetServer is for clients in the same TCP/IP network segment as the server. If your client is in a different segment or subnet, then these resolution strategies might not work. However, a trick that often works for Windows 2000 or Windows XP clients is to change the workgroup of the client system to one that is different from the domain name assigned to iSeries NetServer.

• iSeries NetServer is not started or it does not start as a logon server for the domain in question. Check whether it is properly configured as a logon server and make sure that there are no conflict messages in the QSYSOPR message queue. If you see message CPIB687, read the detailed description for more information about the exact nature of the conflict.

User name cannot be found

This message normally indicates that the user attempting to log on does not have a user profile on the i5/OS logon server. A guest user might not be able to sign on to an i5/OS domain. In extreme cases where the logon server is busy or slow, the logon information might not be cached quickly enough by the iSeries NetServer. If this is the case, you might need to try to log on again.

Password incorrect

You are likely to see the following messages when attempting to log on in this situation:

• The domain password you supplied is incorrect or access to the Logon Server has been denied.

• The Logon attempt was unsuccessful. Select Help for possible causes and suggested actions.

Here are the possible causes for these messages and resolutions:

• The password you sign on to the domain with does not match the password in your i5/OS user profile. Use your i5/OS password and try again.

• The password in your i5/OS profile has expired. Unfortunately, you cannot change your i5/OS password through Windows, so this must be directly done to your profile.

• Your i5/OS user profile is disabled. The administrator must enable it.

• You are disabled for iSeries NetServer access. The iSeries NetServer administrator can check this condition and reenable you from iSeries Navigator.

• Although you are typing the correct password, Windows 98 is using an old cached password. The boot drive on the client PC needs to be scanned for a user.pwl file and then remove this file.

• For Windows 2000 and Windows XP, it is possible that the wrong system is being resolved to. Preface the user name with the domain name in the logon prompt like this: domain\user, where user is the user name and domain is the domain name.

For Windows 2000 and Windows XP, your password also has to match the password stored in the local profile if you have a local profile. If these do not match, you will see a message indicating that the system cannot log you on. Your network account and password are correct, but your local account password is out of synchronization. Contact your administrator.

Cannot find the iSeries NetServer domain through My Network Places

Assume that you have configured iSeries NetServer as a logon server for domain X, but X does not show up in the Microsoft Windows Network of domains. Here are some possibilities:

• iSeries NetServer failed to come up as the DMB because of a conflict with another computer. Check for message CPIB687 (RC=2) in QSYSOPR.

• iSeries NetServer is not configured for WINS if WINS is in use.

• The client PC is not properly configured for WINS.

• There is no browser in the local subnet of the PC that is a member of domain X.

Can log on but cannot see my home drive mapped for Windows 2000 or Windows XP clients even though the share name exists

The typical problem is that although the share was created successfully from the client, the path name does not actually exist on the server. When you create a user profile on the i5/OS operating system, a default home directory path is put in the profile (/home/user). However, the actual user directory in home is not created automatically. You need to do this manually. For example, enter the CRTDIR '/home/USER1' command.

I want to use a roaming profile from Windows 2000 or Windows XP, but the option to change it from Local to Roaming is disabled

You must be logged onto the target domain with an administrator profile (not the profile you want to change to roaming) in order for the option to be available. iSeries NetServer is able to map longer Windows user names to truncated i5/OS profile names. Thus, you can do the following tasks:

1. Create the user profile ADMINISTRA on the i5/OS operating system.

2. Give ADMINISTRA a password that matches the password for administrator on the client.

3. Log onto the i5/OS domain with the administrator profile.

4. Open Control Panel, and then open System.

5. Click the User Profiles tab and make the appropriate changes.

My profile is listed as Roaming, but changes to my settings (or desktop, and so on) do not get saved

The settings get saved to the locally cached copy of your profile, but they are not being updated on the server. This might be the problem if you try to log on from a different workstation and you do not see the updates. This problem can occur when the Windows client cannot access the user profile directory where the user profile is to be stored. Check for the following items:

• Make sure that the appropriate access rights are set on each part of the path on the logon server.

• Make sure that the path is spelled correctly if it is being specified in the user profile settings on the workstation.

• Check that unsupported environment variables are not being used. Some environment variables are not active or usable until the logon succeeds. For example, if you specify %logonserver%\profiles\%username% as the Profile path in User Manager on a Win NT workstation with a service pack less than 3, then the client is unable to resolve the %logonserver% environment variable. Try using \\servername\profiles\username instead.

• Preferably, start with a locally cached profile that is copied to the logon server.

Locally stored profile is newer than that on the server

When you log on, a dialog box is displayed to ask if you want to use your local copy instead. Normally, you can respond with Yes to this invalid message. In this way, you can reduce the network traffic, or you will repeatedly receive this message after logging off from the same workstation. For example, looking at the time stamps on the two profiles, the remote one is 2 seconds older (for example) than the locally cached one, which indicates that Windows did a final update to the local profile after it copied the profile to the logon server. Ensure that the client's time is synchronized with the server's time.

Incorrect authentication method used

The following message is generally received when a user attempts to log in using a different authentication method than what the server is currently configured to use.

There are currently no logon servers available to service the logon request.

iSeries NetServer cannot be a logon server and have Kerberos authentication enabled as well. This message is typically received when a user attempts to sign onto an i5/OS operating system using a traditional password, when the iSeries NetServer has Kerberos authentication enabled.

Parent topic: