[ActiveDir] Attempted downgrade attack

[Barber, Thomas]

We have been experiencing some issues with several client computers.  Most of the time 
the issues revolve around users not being able to log in, with the message coming back 
as "Account has been disabled."  This seems to happen more on Windows XP Pro than 
Windows 2000.
 
Our environment:
 
Native mode AD
Windows 2000 Servers, no windows 2003 servers.
 
When we take a client off of the domain, then add them back on they work for a 
variable amount of time, then go right back to the same message.
 
I am getting System event messages as follows:
 
Category: SPNEGO (Negotiator)
Event ID: 40960
 
Description:
The Security System detected an attempted downgrade attack for server DOMAIN\DC1$.  
The failure code from authentication protocol Kerberos was "The referenced account is 
currently disabled and may not be logged on to. (0xc0000072)".
 
The accounts I am using to log in with are NOT disabled.  I have verified this time 
and again.
 
After researching on the net, I have heard that some of the issue may be FRS.  Also, I 
have not seen these machines pull down new group policy in the last day or two.
 
Has any had this issue?  Any thoughts on how to resolve?  Not all client machines have 
the problem...just some of them.
 
Also, the above messages are usually listed three to five in a row, with each message 
going to a different domain controller.
 
Any help would be greatly appreciated.  Thanks.
 
-Tom
��b��!���0i�b��b����f��X��f.+-!���0i�b��b����X�����ً��Z��b��m����
&j)Z��b��(����+�v*��f���-��+�