Solved

can't ping the host name but can ping the ip

Posted on 2009-05-19
Last Modified: 2012-05-07
HI,
I am running a W2K server in native mode, and yesterday we had a problem: the domain controller wasn't accepting any account logons. We then did a restore from backups and were able to log on to the domain. This morning some users were able to log on but weren't able to access the main DC (server1) by typing in the address "\\server1", but they are able to type in the IP address.
The Event Viewer has this under System:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server1.<domain>.  The target name used was DNS/server1.<domain>. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (<domain>), and the client realm.   Please contact your system administrator.

Although dcdiag reported that everything was in sync with the other DC (server2), I can't even log on to Users and Computers.

I am in a bit of a spot, so any help or suggestion would be appreciated.

Question by: ddhcrow

21 Comments

Accepted Solution by Krisdeep (earned 500 total points), ID: 24420157
It looks like the key might be... the DC password might be corrupted; you might have to use netdom.

http://support.microsoft.com/kb/260575

Expert Comment by Krisdeep, ID: 24420160
Meant to say it looks like the DC password might be corrupted.

Author Comment by ddhcrow, ID: 24420250
Tried that and got this error:

The machine account password for the local machine could not be reset.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

I have confirmed that there aren't other administrator connections on the server. There are, however, users currently connected to the server. Will I need them to log off?

Expert Comment by Krisdeep, ID: 24420272
I would say so. Give it a try after hours when no resources are being used on the DC. Please do keep us informed. In the meantime I'm looking to see if there is anything else I can think of.

Expert Comment by Krisdeep, ID: 24420289
But most likely it's the password that needs to be reset.

Expert Comment by snusgubben, ID: 24420406
How old was your backup?

Can you resolve the DC from a host with nslookup?

Also make sure the DNS records are correct on your DC.

ipconfig /flushdns
ipconfig /registerdns (to register the DC's A-record)
restart the netlogon service (to register the SRV records)
netdiag /fix (to update the domain GUID on your DC)

If this doesn't resolve your problem, it might be the secure channel between the DC and your hosts that is broken. The easiest way is to let the host re-join the domain. Another way is to try to reset the channel with nltest (from the Support Tools).


SG
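The checks snusgubben lists above (can the host resolve the DC, are the DC's records present on the DNS servers, is the secure channel intact), written out as an added example; this is not code from the thread or from any Microsoft tool. It is a Windows PowerShell 5.1 script meant to be run on a member host that logged the KRB_AP_ERR_MODIFIED event. Assumptions: the affected DC is `server1` (the thread's placeholder), the domain name comes from the environment, and the host runs Windows 8/Server 2012 or later for `Resolve-DnsName` and `Get-DnsClientServerAddress` (the thread's 2000/2003 machines would use `nslookup` and `sc query` for the same checks). `setspn -X` is included because the event text itself names duplicate machine accounts as the common cause.

```powershell
# Added example, not code from the thread. Run in Windows PowerShell 5.1 on a
# member host that logged KRB_AP_ERR_MODIFIED. $dcFqdn is assumed to be the
# affected DC (server1 in the thread); the domain comes from the environment.
$domain = $env:USERDNSDOMAIN.ToLower()
$dcFqdn = "server1.$domain"        # assumption: thread's placeholder name

# Records a DC must have registered. These are the ones dcdiag /test:dns
# reports as matching or missing per DNS server.
$records = @(
    @{ Name = $dcFqdn;                            Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$domain";     Type = 'SRV' },
    @{ Name = "_ldap._tcp.gc._msdcs.$domain";     Type = 'SRV' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$domain";    Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$domain"; Type = 'SRV' }
)

# Ask every DNS server this host is configured with, not just the preferred
# one: a client may use whichever answers first, so each must hold the records.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

foreach ($server in $dnsServers) {
    foreach ($r in $records) {
        try {
            $answer = Resolve-DnsName -Name $r.Name -Type $r.Type -Server $server `
                                      -DnsOnly -ErrorAction Stop
            # An SRV answer only counts if this DC is one of its targets.
            $hit = if ($r.Type -eq 'SRV') {
                @($answer | Where-Object { $_.NameTarget -ieq $dcFqdn }).Count -gt 0
            } else { $true }
            $state = if ($hit) { 'OK' } else { 'present, but not for this DC' }
        } catch {
            $state = "FAIL: $($_.Exception.Message)"
        }
        '{0,-15} {1,-4} {2,-44} {3}' -f $server, $r.Type, $r.Name, $state
    }
}

# A stopped KDC on the DC means no new tickets for services on it.
# (-ComputerName needs remote service-control rights and Windows PowerShell 5.1.)
$kdc = Get-Service -Name Kdc -ComputerName $dcFqdn
"KDC on ${dcFqdn}: $($kdc.Status)"

# Secure channel from this host to the domain (what nltest /sc_query reports).
"Secure channel healthy: $(Test-ComputerSecureChannel)"

# The event text blames identically named machine accounts; duplicate SPNs
# across the forest would be listed here (setspn ships with Server 2008+).
setspn -X
```

If a DNS server returns the SRV names but without this DC as a target, the DC's Netlogon has not registered against that server; that is the case for `ipconfig /registerdns` plus a Netlogon restart on the DC. If `Test-ComputerSecureChannel` returns False on the host, that host needs a re-join or `Test-ComputerSecureChannel -Repair` rather than any DNS change.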

Author Comment by ddhcrow, ID: 24420646
The backup was three weeks old.

On some it can, but on the ones that reported the target name error it doesn't resolve the name, though they can still ping the IP address.

netdiag results:
It picked up the mail server <server1> and then the DNS test failed:

DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry gc._msdcs.<domain>. re-registeration on DNS server '172.16.1.1' failed.
DNS Error code: 0x00002339
    [FATAL] Failed to fix: DC DNS entry TAPI3Directory.<domain>. re-registeration on DNS server '172.16.1.1' failed.
DNS Error code: 0x00002339
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries for this DC on DNS server '172.16.1.1'.
    [FATAL] No DNS servers have the DNS records for this DC registered.

LDAP test. . . . . . . . . . . . . : Failed
    [FATAL] Cannot do Negotiate authenticated ldap_bind to 'server1.<domain>': Local Error.
    [FATAL] Cannot do Negotiate authenticated ldap_bind to 'server1.<domain>': Local Error.
    [FATAL] No LDAP servers work in the domain '<DOMAIN>'.

I also ran the nltest /DCNAME command; it points to <server1>.

Expert Comment by snusgubben, ID: 24420688
I would re-join the domain on a problem host. Every 60 days the password for the secure channel is changed. This channel is used by the computer object to authenticate in the domain and is used, e.g., when Computer GPOs are processed.

When you restored the DC there might be some outdated passwords in the domain, so give it a shot on one host to see if a re-join fixes your problem.


SG

Expert Comment by snusgubben, ID: 24420694
Those errors you provided, did you get them from running "netdiag"?

SG

Expert Comment by Krisdeep, ID: 24420718
In the error code it is stating "kerberos service ticket"; to reset that you have to use netdom as mentioned in the link below. It's not referring to outdated passwords in the domain.

It's a domain controller; you can't take it off the domain and rejoin it unless you DCPROMO.

http://support.microsoft.com/kb/260575

Author Comment by ddhcrow, ID: 24420789
snusgubben: I have already tried removing and re-adding the users' machines to the domain to recreate the authentication with the domain. Yes, the errors were generated by the command netdiag /q /fix.

Krisdeep, you are right, and the last thing I want to do is a dcpromo as it is the only working DC in the domain.


Expert Comment by snusgubben, ID: 24420860
Run "dcdiag /test:dns /v" on a DC. Please post.

Krisdeep: You can use netdom to reset the computer object password, but this is handled by the computer object itself, and not the DC. When you re-join a domain the computer object changes its own password.

If you want to delete/recreate a Kerberos ticket, you go with "klist.exe".

Author Comment by ddhcrow, ID: 24421055

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine <server1>, is a DC.
   * Connecting to directory service on server <server1>.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site\<server1>
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... <server1> passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site\<server1>
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: Advertising
      Test omitted by user request: KnowsOfRoleHolders
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated
      Test omitted by user request: frssysvol
      Test omitted by user request: frsevent
      Test omitted by user request: kccevent
      Test omitted by user request: systemlog
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...
   
   Running partition tests on : TAPI3Directory
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : ForestDnsZones
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : Schema
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : Configuration
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running partition tests on : sauonline
      Test omitted by user request: CrossRefValidation
      Test omitted by user request: CheckSDRefDom
   
   Running enterprise tests on : <domain>
      Test omitted by user request: Intersite
      Test omitted by user request: FsmoCheck
      Starting test: DNS
         Test results for domain controllers:
           
            DC: <server1>.<domain>
            Domain: <domain>

                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                   Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported
                  NETLOGON service is running
                  Error: kdc service is not running
                  [Error details: 1062 (Type: Win32 - Description: The service has not been started.)]
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
                     MAC address is 00:04:23:AF:A7:62
                     IP address is static
                     IP address: 172.16.1.1
                     DNS servers:
                        172.16.1.1 (<name unavailable>) [Valid]
                        Warning: 168.210.1.41 (<name unavailable>) [Invalid (unreachable)]
                        Warning: 172.16.1.42 (<name unavailable>) [Invalid]
                  The A record for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found (primary)
                  Root zone on this DC/DNS server was not found
                 
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders are not configured on this DNS server
                  Root hint Information:
                     Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
                 
               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server
                 
               TEST: Dynamic update (Dyn)
                  Dynamic update is enabled on the zone <domain>.
                  Warning: Failed to add the test record _dcdiag_test_record in zone <domain>.
                  [Error details: 9005 (Type: Win32 - Description: DNS operation refused.)]
                  Test record _dcdiag_test_record deleted successfully in zone <domain>.
                 
               TEST: Records registration (RReg)
                  Network Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
                     Matching A record found at DNS server 172.16.1.1:
                     <server1>.<domain>

                     Matching CNAME record found at DNS server 172.16.1.1:
                     0f16ae7e-ec4c-4c13-bad2-9dee01322cc4._msdcs.<domain>

                     Matching DC SRV record found at DNS server 172.16.1.1:
                     _ldap._tcp.dc._msdcs.<domain>

                     Matching GC SRV record found at DNS server 172.16.1.1:
                     _ldap._tcp.gc._msdcs.<domain>

                     Matching PDC SRV record found at DNS server 172.16.1.1:
                     _ldap._tcp.pdc._msdcs.<domain>

                     Error: Missing A record at DNS server 172.16.1.42 :
                     <server1>.<domain>
                     [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                     
                     Error: Missing CNAME record at DNS server 172.16.1.42 :
                     0f16ae7e-ec4c-4c13-bad2-9dee01322cc4._msdcs.<domain>
                     [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                     
                     Error: Missing DC SRV record at DNS server 172.16.1.42 :
                     _ldap._tcp.dc._msdcs.<domain>
                     [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                     
                     Error: Missing GC SRV record at DNS server 172.16.1.42 :
                     _ldap._tcp.gc._msdcs.<domain>
                     [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                     
                     Error: Missing PDC SRV record at DNS server 172.16.1.42 :
                     _ldap._tcp.pdc._msdcs.<domain>
                     [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
                     
               Error: Record registrations cannot be found for all the network adapters
         
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 168.210.1.41 (<name unavailable>)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 168.210.1.41
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.<domain>. failed on the DNS server 168.210.1.41
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               
            DNS server: 172.16.1.42 (<name unavailable>)
               1 test failure on this DNS server
               This is a valid DNS server
               Name resolution is not functional. _ldap._tcp.<domain>. failed on the DNS server 172.16.1.42
               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]
               
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
               
            DNS server: 172.16.1.1 (<name unavailable>)
               All tests passed on this DNS server
               This is a valid DNS server
               Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
               
         Summary of DNS test results:
         
                                            Auth Basc Forw Del  Dyn  RReg Ext  
               ________________________________________________________________
            Domain: <domain>
               <server1>                    PASS FAIL FAIL PASS WARN FAIL n/a  
         
         ......................... <domain> failed test DNS

Author Comment by ddhcrow, ID: 24421273
Out of interest I ran the klist tickets command and this is the outcome.

   Server: krbtgt/<domain>@<domain>
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 5/19/2009 20:12:18
      Renew Time: 5/26/2009 10:12:18


   Server: krbtgt/<domain>@<domain>
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 5/19/2009 20:12:18
      Renew Time: 5/26/2009 10:12:18


   Server: ldap/<server2>.<domain>@<DOMAIN>
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 5/19/2009 20:12:18
      Renew Time: 5/26/2009 10:12:18


   Server: cifs/<server2>.<domain>@<DOMAIN>
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 5/19/2009 20:12:18
      Renew Time: 5/26/2009 10:12:18

No entry for server1, only server2... Should I add an entry here?

Expert Comment by snusgubben, ID: 24422473
You don't add Kerberos tickets. If a host is missing a ticket or has an expired ticket, it will request a new ticket automatically.


 Error: kdc service is not running
                  [Error details: 1062 (Type: Win32 - Description: The service has not been started.)]

Check if the KDC service is stopped.


What are these DNS servers?

168.210.1.41 and 172.16.1.42

These are listed as additional DNS servers on your DC.


Author Comment by ddhcrow, ID: 24422756
It was stopped and I have restarted it.

The other DNS servers are the external DNS servers from the ISP.

Expert Comment by snusgubben, ID: 24429027
You should never ever use an external DNS server internally in your domain. Not even as secondary.

Here is how you should set it up:

Domain controllers should point to themselves as preferred DNS. Use the IP of the DC, not the loopback address (127.0.0.1). If you have another DC with DNS, this is your alternate DNS on your first DC.

Your domain clients should use your DC(s) as DNS. Never external DNS sources!!

This is because when a client tries to resolve something, let's say a Global Catalog server's SRV record, it's not automatic that the client uses its preferred DNS. If an alternate DNS responds quicker, the client will use the alternate DNS. This DNS does not know of any SRV records or anything else in your domain.

Is your DNS AD integrated?

Is 172.16.1.42 your other DC? What gateway do you use? Please post an "ipconfig /all" from both DCs.


SG

Expert Comment by snusgubben, ID: 24429064
Forgot to say: your internal DNS server should forward DNS queries that are external (zones) to, e.g., your ISP's DNS server.
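The DC DNS layout snusgubben describes in his last two comments (DC points at its own IP, partner DC as alternate, no ISP resolver on the client side, external names handled by a forwarder), as an added example that is not code from the thread. It is a PowerShell script for an elevated session on a DC that also runs DNS. Assumptions: Windows Server 2012 or later with the DnsClient and DnsServer cmdlets; the adapter alias `Ethernet`; the addresses are the ones in the dcdiag output in this thread (this DC 172.16.1.1, partner DC 172.16.1.42, ISP resolver 168.210.1.41), with the partner's role taken as snusgubben asked but not confirmed in the thread.

```powershell
# Added example, not code from the thread. Run elevated on a DC that is also
# a DNS server. Addresses are from the thread's dcdiag output; the adapter
# alias and the partner DC's role are assumptions.
$adapter   = 'Ethernet'
$thisDc    = '172.16.1.1'
$partnerDc = '172.16.1.42'
$ispDns    = '168.210.1.41'
$zone      = $env:USERDNSDOMAIN.ToLower()

# Before: list what the adapter points at and flag anything that is not a DC.
# Any such entry can be the server a client picks, and it knows no SRV records.
$current  = (Get-DnsClientServerAddress -InterfaceAlias $adapter -AddressFamily IPv4).ServerAddresses
$external = $current | Where-Object { $_ -notin @($thisDc, $partnerDc) }
"Configured: $($current -join ', ')"
if ($external) { Write-Warning "Non-DC resolver(s) on a DC: $($external -join ', ')" }

# After: own IP first (not 127.0.0.1), partner DC second, nothing external.
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses @($thisDc, $partnerDc)

# Internet names are still resolved, but by the DNS *server* forwarding them,
# so the client side never has to consult the ISP directly.
Set-DnsServerForwarder -IPAddress $ispDns -PassThru

# The zone should be AD-integrated so both DCs serve the same records, and
# must accept dynamic updates or Netlogon cannot register SRV records
# (dcdiag's "Dynamic update ... operation refused" warning points here).
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

# Re-register this DC's A and SRV records now that it queries itself.
ipconfig /registerdns
Restart-Service -Name Netlogon
```

Run the same script on the partner DC with `$thisDc` and `$partnerDc` swapped; after the Netlogon restart on both, the "Missing ... record at DNS server 172.16.1.42" lines in dcdiag should clear, provided the zone is AD-integrated and replication between the two DCs is working.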

Author Closing Comment by ddhcrow, ID: 31582918
Krisdeep - not sure why, but last night I decided to try your first response again, and when we ran the command again it reset the password. One reboot later and the machines on the network could access the DC again. Thanks for the help everyone.

Expert Comment by snusgubben, ID: 24439102
How did you fix your problem?

Author Comment by ddhcrow, ID: 24439132
The suggestion that Krisdeep gave me didn't work the first time, but when we did it last night it worked, and then the DCs started to talk again and the users' computers could access the DC by the DNS address. You gotta make sure no one is connected to the server at all for this to work.

Here is the link again.

http://support.microsoft.com/kb/260575
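The fix the author ended up with, the KB 260575 machine-account password reset with no connections in the way, as an added example; this is not the thread's own text nor a copy of the KB article. It is a PowerShell script for an elevated session on the DC whose password is being reset (server1 in the thread). Assumptions: `server2` is a separate, working DC used as the `/server:` target; the credential is a domain admin; `netdom.exe` and `klist.exe` are available (built in from Server 2008, Support Tools/Resource Kit on 2000/2003). The `net use * /delete` step is the one that addresses the "Multiple connections to a server or shared resource by the same user" error the author hit: that error (Win32 1219) is raised when the host running netdom already has an SMB session to the target DC under a different identity.

```powershell
# Added example, not code from the thread or from KB 260575 verbatim. Run
# elevated on the DC being reset (server1 in the thread); $helperDc must be a
# different, working DC. Names and the admin account are assumptions.
$helperDc = 'server2'
$admin    = "$env:USERDOMAIN\Administrator"

# 1. Error 1219 ("Multiple connections ... by the same user, using more than
#    one user name") means this host already holds an SMB session to the
#    helper DC under another identity, so netdom cannot open its own.
#    Drop every outbound connection from this host first.
net use * /delete /y

# 2. Stop the local KDC so it issues no tickets with the old key during the
#    reset, and drop cached tickets that were encrypted with it.
Stop-Service -Name Kdc
klist purge

# 3. Reset this DC's machine account password against the helper DC.
#    /passwordd:* prompts instead of leaving the password in shell history.
netdom resetpwd "/server:$helperDc" "/userd:$admin" /passwordd:*
if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed (exit $LASTEXITCODE)" }

# 4. Bring the KDC back and reboot, as the author did, so every service on
#    this DC and the secure channel to the helper pick up the new key.
Start-Service -Name Kdc
Restart-Computer -Confirm
```

After the reboot, a `klist` on a member host should again show `cifs/server1.<domain>` and `ldap/server1.<domain>` tickets, and the KRB_AP_ERR_MODIFIED events for `host/server1.<domain>` should stop, since the key the KDC uses to encrypt service tickets for server1 now matches the one server1 holds.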