active directory problems

A few days ago, our pdc went down with bad memory.  The pdc is the primary dns server and dhcp server for the network.  While we were waiting for the part.  I made one of the other DCs a dhcp server and primary dns server, just to get people working.  That seemed to work fine.  When we got the pdc back up, I disabled the DNS and DHCP roles on the other DC to try and get everything back to normal.  Well now we cant get the pdc to replicate with the other DCs.
the error is:

"target principal name is incorrect"

 We cant access shared resources by the PDCs name.  We get the error:

"login failure: target account name is incorrect"

But i can map drives and printers by IP address of the PDC. In event viewer, there are a bunch of Kerberos errors:

event id 5 ....something about time out of sync
event id 4 on the other DC, account name mismatch

Any help or guidance would be much appreciated. Thanks
smartlurchAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rickiswpgCommented:
Can you post the actual errors please?

From what you described Look here for the first error:
http://support.moonpoint.com/os/windows/domain/clocks-skewed.html

Could you also run dcdiag on both DCs (the one you made the temporary dhcp server) and the one that went down?

Thanks,

0
smartlurchAuthor Commented:
these are errors on PDC:
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      5
Date:            1/30/2008
Time:            5:30:34 PM
User:            N/A
Computer:      MASTER
Description:
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server host/pfx_svr.wdcocitrix.wdco.biz.  This indicates that the ticket used against that server is not yet valid (in relationship to that server time).  Contact your system administrator  to make sure the client and server times are in sync, and that the KDC in realm WDCOCITRIX.WDCO.BIZ is  in sync with the KDC in the client realm.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      DhcpServer
Event Category:      None
Event ID:      1059
Date:            1/29/2008
Time:            7:02:06 PM
User:            N/A
Computer:      MASTER
Description:
The DHCP service failed to see a directory server for authorization.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 3a 20 00 00               : ..    


Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      17
Date:            1/29/2008
Time:            7:01:23 PM
User:            N/A
Computer:      MASTER
Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'us.pool.ntp.org,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            1/29/2008
Time:            7:01:01 PM
User:            N/A
Computer:      MASTER
Description:
The Security System detected an authentication error for the server LDAP/MASTER.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    

DCDIAG on PDC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Southshore\MASTER
      Starting test: Connectivity
         ......................... MASTER passed test Connectivity

Doing primary tests
   
   Testing server: Southshore\MASTER
      Starting test: Replications
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         ......................... MASTER passed test Replications
      Starting test: NCSecDesc
         ......................... MASTER passed test NCSecDesc
      Starting test: NetLogons
         ......................... MASTER passed test NetLogons
      Starting test: Advertising
         ......................... MASTER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MASTER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MASTER passed test RidManager
      Starting test: MachineAccount
         * The current DC is not in the domain controller's OU
         ......................... MASTER failed test MachineAccount
      Starting test: Services
         ......................... MASTER passed test Services
      Starting test: ObjectsReplicated
         ......................... MASTER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MASTER passed test frssysvol
      Starting test: frsevent
         ......................... MASTER passed test frsevent
      Starting test: kccevent
         ......................... MASTER passed test kccevent
      Starting test: systemlog
         ......................... MASTER passed test systemlog
      Starting test: VerifyReferences
         ......................... MASTER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : wdcocitrix
      Starting test: CrossRefValidation
         ......................... wdcocitrix passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... wdcocitrix passed test CheckSDRefDom
   
   Running enterprise tests on : wdcocitrix.wdco.biz
      Starting test: Intersite
         ......................... wdcocitrix.wdco.biz passed test Intersite
      Starting test: FsmoCheck
         ......................... wdcocitrix.wdco.biz passed test FsmoCheck
0
smartlurchAuthor Commented:
DCDIAG on temp dhcp DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Southshore\MASTER
      Starting test: Connectivity
         ......................... MASTER passed test Connectivity

Doing primary tests
   
   Testing server: Southshore\MASTER
      Starting test: Replications
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         ......................... MASTER passed test Replications
      Starting test: NCSecDesc
         ......................... MASTER passed test NCSecDesc
      Starting test: NetLogons
         ......................... MASTER passed test NetLogons
      Starting test: Advertising
         ......................... MASTER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MASTER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MASTER passed test RidManager
      Starting test: MachineAccount
         * The current DC is not in the domain controller's OU
         ......................... MASTER failed test MachineAccount
      Starting test: Services
         ......................... MASTER passed test Services
      Starting test: ObjectsReplicated
         ......................... MASTER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MASTER passed test frssysvol
      Starting test: frsevent
         ......................... MASTER passed test frsevent
      Starting test: kccevent
         ......................... MASTER passed test kccevent
      Starting test: systemlog
         ......................... MASTER passed test systemlog
      Starting test: VerifyReferences
         ......................... MASTER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : wdcocitrix
      Starting test: CrossRefValidation
         ......................... wdcocitrix passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... wdcocitrix passed test CheckSDRefDom
   
   Running enterprise tests on : wdcocitrix.wdco.biz
      Starting test: Intersite
         ......................... wdcocitrix.wdco.biz passed test Intersite
      Starting test: FsmoCheck
         ......................... wdcocitrix.wdco.biz passed test FsmoCheck


errors on temp dhcp DC:
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            11:54:27 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was ldap/72792296-4aa6-4f13-af36-0ce3f0e9aac0._msdcs.wdcocitrix.wdco.biz. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            11:16:44 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            10:54:40 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was LDAP/72792296-4aa6-4f13-af36-0ce3f0e9aac0._msdcs.wdcocitrix.wdco.biz. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            10:16:44 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

rickiswpgCommented:
I'd check the time on both of these servers and see if they are far off... check the timezones as well
It sounds like they are off and that can cause some issues.

Run cmd.exe on the both
net time - this should return the local time and possible NTP time source
net time /DOMAIN:domainname - checks the time on the domain
net time /querysntp -returns your network time server if any is configured

you can try the following as well
net time /DOMAIN:domainname /set /y

That hopefully will fix the time problems

The other errors I'm not sure about but found this and it maight be helpful
http://www.petri.co.il/forums/showthread.php?t=10487

hope that helps! if not let us know.
0
smartlurchAuthor Commented:
when i run net time on the pdc i get a command completed successfully message but when i run it on the temp dhcp DC i get a "system error 5 has occurred...access is denied" error.  

the domain time is the same on both except for the server listed:
the pdc lists itself
the temp dhcp lists itself

time zone is the same on both

the querysntp option:
on the pdc returns: time.windows.com
on the temp dhcp DC returns: this computer is not currenty configured to use a specific sntp server

workstations act the same as the temp Dhcp DC

any suggestions? and thanks for your help so far
0
rickiswpgCommented:
I'd set the temp dhcp dc to the same sntp server. See if the time service is running on both as well. It should be running on the old DC but it doesn't sound like it's running on the temp DC

Try demoting and promoting the temp dhcp server, it might help it re-synch.

Here's a link to trouble shooting the system error 5
http://support.microsoft.com/kb/555644

Also, run gpresult.exe on the temp dhcp and the main DC as well as a random workstation.
See if the policies are being pulled from the main DC.

Hope this helps, let us know.
0
smartlurchAuthor Commented:
hey thanks for the help ....i havent got to run dcpromo yet on the temp dhcp ..i plan on doing it this weekend...clients and other servers are starting to behave normally...however the temp dhcp DC cant replicate anymore. I couldn't remote into it and i found that the netlogon service was paused.  I resumed it but still could not remote into it. luckily i was still logged in at the terminal.  When i tried restarting the netlogon service it fails starting with the following error:

"error 31: a device in the system is not functioning"

as a result, the temp dhcp server cannot access any of the other servers on the network.

I dont know what to do...I'm thinking i should at least demote it to a member server so that local login will still work.....staff members are still accessing shared drives and programs running off this dc and i'm trying not to totally kick them out during the work week. thanks for your help.
0
rickiswpgCommented:
Sounds like it needs a good old fashioned reboot. Definately try demoting and promoting it.

Let us know how it goes over the weekend! Best of luck.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rickiswpgCommented:
Did it work? Did you find a different solution?
0
smartlurchAuthor Commented:
restarting it seemed to make it work so i didnt go any further ..thanks for all you help
0
rickiswpgCommented:
No problem

next time give me an A ;)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.