[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1528
  • Last Modified:

active directory problems

A few days ago, our pdc went down with bad memory.  The pdc is the primary dns server and dhcp server for the network.  While we were waiting for the part.  I made one of the other DCs a dhcp server and primary dns server, just to get people working.  That seemed to work fine.  When we got the pdc back up, I disabled the DNS and DHCP roles on the other DC to try and get everything back to normal.  Well now we cant get the pdc to replicate with the other DCs.
the error is:

"target principal name is incorrect"

 We cant access shared resources by the PDCs name.  We get the error:

"login failure: target account name is incorrect"

But i can map drives and printers by IP address of the PDC. In event viewer, there are a bunch of Kerberos errors:

event id 5 ....something about time out of sync
event id 4 on the other DC, account name mismatch

Any help or guidance would be much appreciated. Thanks
0
smartlurch
Asked:
smartlurch
  • 6
  • 5
1 Solution
 
rickiswpgCommented:
Can you post the actual errors please?

From what you described Look here for the first error:
http://support.moonpoint.com/os/windows/domain/clocks-skewed.html

Could you also run dcdiag on both DCs (the one you made the temporary dhcp server) and the one that went down?

Thanks,

0
 
smartlurchAuthor Commented:
these are errors on PDC:
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      5
Date:            1/30/2008
Time:            5:30:34 PM
User:            N/A
Computer:      MASTER
Description:
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server host/pfx_svr.wdcocitrix.wdco.biz.  This indicates that the ticket used against that server is not yet valid (in relationship to that server time).  Contact your system administrator  to make sure the client and server times are in sync, and that the KDC in realm WDCOCITRIX.WDCO.BIZ is  in sync with the KDC in the client realm.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      DhcpServer
Event Category:      None
Event ID:      1059
Date:            1/29/2008
Time:            7:02:06 PM
User:            N/A
Computer:      MASTER
Description:
The DHCP service failed to see a directory server for authorization.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 3a 20 00 00               : ..    


Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      17
Date:            1/29/2008
Time:            7:01:23 PM
User:            N/A
Computer:      MASTER
Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'us.pool.ntp.org,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No such service is known. The service cannot be found in the specified name space. (0x8007277C)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            1/29/2008
Time:            7:01:01 PM
User:            N/A
Computer:      MASTER
Description:
The Security System detected an authentication error for the server LDAP/MASTER.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    

DCDIAG on PDC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Southshore\MASTER
      Starting test: Connectivity
         ......................... MASTER passed test Connectivity

Doing primary tests
   
   Testing server: Southshore\MASTER
      Starting test: Replications
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         ......................... MASTER passed test Replications
      Starting test: NCSecDesc
         ......................... MASTER passed test NCSecDesc
      Starting test: NetLogons
         ......................... MASTER passed test NetLogons
      Starting test: Advertising
         ......................... MASTER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MASTER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MASTER passed test RidManager
      Starting test: MachineAccount
         * The current DC is not in the domain controller's OU
         ......................... MASTER failed test MachineAccount
      Starting test: Services
         ......................... MASTER passed test Services
      Starting test: ObjectsReplicated
         ......................... MASTER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MASTER passed test frssysvol
      Starting test: frsevent
         ......................... MASTER passed test frsevent
      Starting test: kccevent
         ......................... MASTER passed test kccevent
      Starting test: systemlog
         ......................... MASTER passed test systemlog
      Starting test: VerifyReferences
         ......................... MASTER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : wdcocitrix
      Starting test: CrossRefValidation
         ......................... wdcocitrix passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... wdcocitrix passed test CheckSDRefDom
   
   Running enterprise tests on : wdcocitrix.wdco.biz
      Starting test: Intersite
         ......................... wdcocitrix.wdco.biz passed test Intersite
      Starting test: FsmoCheck
         ......................... wdcocitrix.wdco.biz passed test FsmoCheck
0
 
smartlurchAuthor Commented:
DCDIAG on temp dhcp DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Southshore\MASTER
      Starting test: Connectivity
         ......................... MASTER passed test Connectivity

Doing primary tests
   
   Testing server: Southshore\MASTER
      Starting test: Replications
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         REPLICATION LATENCY WARNING
         ERROR: Expected notification link is missing.
         Source PFX_SVR
         Replication of new changes along this path will be delayed.
         This problem should self-correct on the next periodic sync.
         ......................... MASTER passed test Replications
      Starting test: NCSecDesc
         ......................... MASTER passed test NCSecDesc
      Starting test: NetLogons
         ......................... MASTER passed test NetLogons
      Starting test: Advertising
         ......................... MASTER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... MASTER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... MASTER passed test RidManager
      Starting test: MachineAccount
         * The current DC is not in the domain controller's OU
         ......................... MASTER failed test MachineAccount
      Starting test: Services
         ......................... MASTER passed test Services
      Starting test: ObjectsReplicated
         ......................... MASTER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... MASTER passed test frssysvol
      Starting test: frsevent
         ......................... MASTER passed test frsevent
      Starting test: kccevent
         ......................... MASTER passed test kccevent
      Starting test: systemlog
         ......................... MASTER passed test systemlog
      Starting test: VerifyReferences
         ......................... MASTER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : wdcocitrix
      Starting test: CrossRefValidation
         ......................... wdcocitrix passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... wdcocitrix passed test CheckSDRefDom
   
   Running enterprise tests on : wdcocitrix.wdco.biz
      Starting test: Intersite
         ......................... wdcocitrix.wdco.biz passed test Intersite
      Starting test: FsmoCheck
         ......................... wdcocitrix.wdco.biz passed test FsmoCheck


errors on temp dhcp DC:
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            11:54:27 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was ldap/72792296-4aa6-4f13-af36-0ce3f0e9aac0._msdcs.wdcocitrix.wdco.biz. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            11:16:44 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            10:54:40 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was LDAP/72792296-4aa6-4f13-af36-0ce3f0e9aac0._msdcs.wdcocitrix.wdco.biz. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            1/31/2008
Time:            10:16:44 AM
User:            N/A
Computer:      PFX_SVR
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/master.wdcocitrix.wdco.biz.  The target name used was . This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (WDCOCITRIX.WDCO.BIZ), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
rickiswpgCommented:
I'd check the time on both of these servers and see if they are far off... check the timezones as well
It sounds like they are off and that can cause some issues.

Run cmd.exe on the both
net time - this should return the local time and possible NTP time source
net time /DOMAIN:domainname - checks the time on the domain
net time /querysntp -returns your network time server if any is configured

you can try the following as well
net time /DOMAIN:domainname /set /y

That hopefully will fix the time problems

The other errors I'm not sure about but found this and it maight be helpful
http://www.petri.co.il/forums/showthread.php?t=10487

hope that helps! if not let us know.
0
 
smartlurchAuthor Commented:
when i run net time on the pdc i get a command completed successfully message but when i run it on the temp dhcp DC i get a "system error 5 has occurred...access is denied" error.  

the domain time is the same on both except for the server listed:
the pdc lists itself
the temp dhcp lists itself

time zone is the same on both

the querysntp option:
on the pdc returns: time.windows.com
on the temp dhcp DC returns: this computer is not currenty configured to use a specific sntp server

workstations act the same as the temp Dhcp DC

any suggestions? and thanks for your help so far
0
 
rickiswpgCommented:
I'd set the temp dhcp dc to the same sntp server. See if the time service is running on both as well. It should be running on the old DC but it doesn't sound like it's running on the temp DC

Try demoting and promoting the temp dhcp server, it might help it re-synch.

Here's a link to trouble shooting the system error 5
http://support.microsoft.com/kb/555644

Also, run gpresult.exe on the temp dhcp and the main DC as well as a random workstation.
See if the policies are being pulled from the main DC.

Hope this helps, let us know.
0
 
smartlurchAuthor Commented:
hey thanks for the help ....i havent got to run dcpromo yet on the temp dhcp ..i plan on doing it this weekend...clients and other servers are starting to behave normally...however the temp dhcp DC cant replicate anymore. I couldn't remote into it and i found that the netlogon service was paused.  I resumed it but still could not remote into it. luckily i was still logged in at the terminal.  When i tried restarting the netlogon service it fails starting with the following error:

"error 31: a device in the system is not functioning"

as a result, the temp dhcp server cannot access any of the other servers on the network.

I dont know what to do...I'm thinking i should at least demote it to a member server so that local login will still work.....staff members are still accessing shared drives and programs running off this dc and i'm trying not to totally kick them out during the work week. thanks for your help.
0
 
rickiswpgCommented:
Sounds like it needs a good old fashioned reboot. Definately try demoting and promoting it.

Let us know how it goes over the weekend! Best of luck.
0
 
rickiswpgCommented:
Did it work? Did you find a different solution?
0
 
smartlurchAuthor Commented:
restarting it seemed to make it work so i didnt go any further ..thanks for all you help
0
 
rickiswpgCommented:
No problem

next time give me an A ;)
0

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now