• Status: Solved

Login Failure: the target account name is incorrect

Hello,

I'm having an issue with my domain controller.  The office is running a Windows Server 2003 AD DC with DNS, DHCP and file sharing, with about 30 workstations connected to it.  I got called in because the office was complaining about randomly losing network shares.  Sometimes they will reboot and it will be OK; other times, it continues to act up.  I got here and checked it out and found several computers that, when I tried to access network drives, got the error: Login Failure: the target account name is incorrect.  After rebooting the computers, most of them are working, but not all of them.  I even rebooted the server.  Still nothing.  I've been doing research on this forum and ran many diagnostic tools, but I still can't find the problem.

On the computer I'm having the most trouble with, I removed it from the domain and rejoined the domain, but it still doesn't work.  Then I tried to change the computer name and I got the same error: (login failure...).  So then I removed the computer from the domain and changed the computer name, no problem.  But when I tried to rejoin the domain, I was unable to join and got the same error (login failure...).  I've tried removing the computer from the list in Active Directory Users and Computers, and it deleted just fine.  But when I tried to add the computer back to the list, I got this error: "MMC has detected an error in a snapin.  It is recommended that you shut down and restart MMC".  I'm to the point where I need to ask for help.  Please help!!

Steve
 
dicconb Commented:
The "the target account name is incorrect" error means that the client is connecting to a different computer than the one it expected, e.g. the client tries to connect to \\server01\share but, because of a name resolution problem, gets directed to server02. When negotiating authentication with server02, the target computer account name (server01) doesn't match.

Troubleshooting steps:

On a workstation that's experiencing the problem, run "nslookup servername", and check that the IP address that is returned is correct

If the IP address is incorrect, check that the client has the correct DNS server address.
0
 
jar3817 Commented:
Make sure only the domain controllers are listed as the nameservers for the clients. If there are outside servers (ISP nameservers), remove them.
0
 
dicconb Commented:
Hope you managed to get this sorted.  If you're still having trouble let me know and we'll troubleshoot further.

Cheers,

D
0
 
broncbuster (Author) Commented:
Hi...thanks for the responses.  I've not been out to the client's office since I posted the question.  It will be early this week.  One thing I forgot to mention is that they have 2 DCs on the network, but should only have 1.  The second server should have been set up as only a file server, but whoever set it up did it as a DC.
0
 
dicconb Commented:
OK, good luck!  Shouldn't be a problem that the 2nd server is a DC, unless it's somehow been misconfigured.  If necessary, it should be easy enough to run DCPROMO and revert to just a file server.

Looking back through the symptoms, I would also check for duplicate IP addresses on the network and/or a DHCP pool that overlaps with statically assigned IP addresses.
0
 
jar3817 Commented:
Also check that other DC to see if it has the DNS service running on it. If it doesn't and that server is listed as a DNS server in the DHCP options that would cause problems.
0
 
broncbuster (Author) Commented:
OK, this is what I get when I do nslookup "servername":
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup mainserver
*** Can't find server name for address 10.1.10.200: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  10.1.10.200

Name:    mainserver.adc.pri
Addresses:  10.1.10.200, 192.168.0.1


C:\Documents and Settings\Administrator>
0
 
broncbuster (Author) Commented:
Ok, I looked up the nslookup error and found the Microsoft document on adding reverse lookup zones and setting a PTR.  So I did it and tried nslookup again and got this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup mainserver
Server:  mainserver
Address:  10.1.10.200

Name:    mainserver.adc.pri
Addresses:  10.1.10.200, 192.168.0.1


C:\Documents and Settings\Administrator>

However, I still get my same "Login Failure..." error when trying to join the domain.  Also, I tried to demote the second DC using DCPromo, but on that computer, I get the same error: Login failure: target account ....
0
 
broncbuster (Author) Commented:
Also, I checked the DNS Event viewer and found a warning from today:
Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4521
Date:            12/23/2009
Time:            9:21:49 AM
User:            N/A
Computer:      MAINSERVER
Description:
The DNS server encountered error 32 attempting to load zone 10.1.10.in-addr.arpa from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 
dicconb Commented:
On the 1st DC, please could you run "dcdiag /c /q" and post the output here?

Cheers,

D
0
 
broncbuster (Author) Commented:
Ok, here you go.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Temp>dcdiag /c /q
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAINSERVER failed test frsevent
         [MAINSERVER] No security related replication errors were found on this
DC!  To target the connection to a specific source DC use /ReplSource:<DC>.

DNS Tests are running and not hung. Please wait a few minutes...
         Test results for domain controllers:

            DC: mainserver.adc.pri
            Domain: adc.pri


               TEST: Basic (Basc)
                  Warning: adapter [00000007] Broadcom BCM5708C NetXtreme II Gig
E (NDIS VBD Client) has invalid DNS server: 10.1.10.1 (<name unavailable>)
                  Error: The A record for this DC was not found

               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 10.1.10.1 (<name
 unavailable>)

               TEST: Records registration (RReg)
                  Network Adapter [00000007] Broadcom BCM5708C NetXtreme II GigE
 (NDIS VBD Client):
                     Error: Missing A record at DNS server 10.1.10.1 :
                     mainserver.adc.pri

                     Error: Missing CNAME record at DNS server 10.1.10.1 :
                     ef5d0124-0c00-4eba-b38e-f5d72861044d._msdcs.adc.pri

                     Error: Missing DC SRV record at DNS server 10.1.10.1 :
                     _ldap._tcp.dc._msdcs.adc.pri

                     Error: Missing GC SRV record at DNS server 10.1.10.1 :
                     _ldap._tcp.gc._msdcs.adc.pri

                     Error: Missing PDC SRV record at DNS server 10.1.10.1 :
                     _ldap._tcp.pdc._msdcs.adc.pri

               Error: Record registrations cannot be found for all the network a
dapters

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 10.1.10.1 (<name unavailable>)
               2 test failures on this DNS server
               Name resolution is not functional. _ldap._tcp.adc.pri. failed on
the DNS server 10.1.10.1

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: adc.pri
               mainserver                   PASS FAIL FAIL PASS PASS FAIL n/a

         ......................... adc.pri failed test DNS

C:\Temp>
0
 
dicconb Commented:
Hi broncbuster,

The DCDIAG output indicates 3 problems

1) Invalid forwarder: 10.1.10.1
Impact: possible delay (5 seconds) on all first-time external DNS lookups
Remedy: Remove 10.1.10.1 from the Forwarders list on MAINSERVER. If there are no other forwarders in the list, add your ISP's recursive DNS server, OpenDNS (208.67.222.222) or Google Public DNS (8.8.8.8) to the list
2) invalid DNS server address (10.1.10.1) on MAINSERVER's NIC
Impact: Could prevent MAINSERVER from resolving IP addresses of clients on network or external hosts
Remedy: Reconfigure TCP/IP settings on all network cards on MAINSERVER so that Primary DNS server is 10.1.10.200, and Secondary DNS server is blank  
3) DNS records for AD domain not properly registered in DNS
Impact: Clients on network are not able to locate DNS server, causing Domain Logon, Domain join and browsing network shares to fail
Remedy: Once steps 1 and 2 are completed, Restart the Netlogon service on MAINSERVER to automatically create the necessary DNS records.

Let me know if you need instructions on any of these steps, or if you have any questions before going ahead.

Cheers,

D  
0
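
The three remedies above, followed by a check that the records dcdiag reported missing now resolve, written as a batch script for the Windows Server 2003 command prompt. This is an added example, not part of the original thread; the adapter name and the choice of the two public forwarders are assumptions, and `ipconfig /registerdns` and `nltest /dsregdns` are additions beyond the Netlogon restart the answer describes.

```bat
@echo off
rem Added example, not from the thread. Run on MAINSERVER as a domain admin.
rem dnscmd, nltest and dcdiag come from the Windows Server 2003 Support Tools.
setlocal
set "DNS=10.1.10.200"
set "DOMAIN=adc.pri"
rem ASSUMED adapter name; list the real ones with: netsh interface ip show config
set "NIC=Local Area Connection"

rem 1) Replace the invalid forwarder 10.1.10.1 with working resolvers.
dnscmd MAINSERVER /ResetForwarders 208.67.222.222 8.8.8.8

rem 2) Point the DC's own NIC at itself for DNS, with no secondary server.
netsh interface ip set dns name="%NIC%" source=static addr=%DNS% register=primary

rem 3) Re-register the host A record and the DC locator (SRV/CNAME) records.
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
nltest /dsregdns

rem 4) Confirm the records dcdiag reported missing now resolve on the DC itself.
set FAILED=0
for %%R in (_ldap._tcp.dc._msdcs _ldap._tcp.gc._msdcs _ldap._tcp.pdc._msdcs _ldap._tcp) do (
    nslookup -type=SRV %%R.%DOMAIN%. %DNS% 2>&1 | findstr /i /c:"svr hostname" >nul
    if errorlevel 1 (
        echo MISSING SRV %%R.%DOMAIN%
        set FAILED=1
    ) else (
        echo OK      SRV %%R.%DOMAIN%
    )
)
nslookup -type=A mainserver.%DOMAIN%. %DNS% 2>&1 | findstr /c:"Name:" >nul
if errorlevel 1 (echo MISSING A mainserver.%DOMAIN% & set FAILED=1)

rem 5) Re-run only the DNS portion of dcdiag; /q prints errors only.
dcdiag /test:dns /q
exit /b %FAILED%
```

Record registration is not instantaneous after Netlogon starts, so a MISSING line on the first run is worth re-checking after a minute before investigating further.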
 
broncbuster (Author) Commented:
Thanks for the response!  

I applied all the changes and re-ran dcdiag /c /q, and this is what I got.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd \

C:\>cd temp

C:\Temp>dcdiag /c /q
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAINSERVER failed test frsevent
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   21:43:40
            (Event String could not be retrieved)
         ......................... MAINSERVER failed test systemlog
         [MAINSERVER] No security related replication errors were found on this
DC!  To target the connection to a specific source DC use /ReplSource:<DC>.

DNS Tests are running and not hung. Please wait a few minutes...

C:\Temp>
0
 
broncbuster (Author) Commented:
OK...Here's what I've done.

I noticed that I was getting a lot of Kerberos errors from the second DC, so I did a forceful demote and then removed the server name from the list of DCs on the primary DC.  Then I was able to join the domain with the previous DC, no problem.  Then the Kerberos errors stopped occurring in the system event viewer.  I am unable to test it on a workstation as I am not on site, but I will do this next week Monday.  Things are looking up and I thank you for your advice.  Please advise if there is anything else I need to be doing here.

Steve
0
 
dicconb Commented:
Hi broncbuster,

That's great news! DCDIAG now looks clear - the frsevent and eventlog errors will continue to pop up for a while as they look back at the previous 24 hours of event logs. Hopefully they should clear up soon.

If you are still having trouble on any workstations, check they have the correct primary DNS server, and give them a reboot.

Have a good Christmas and let me know how things go on Monday.

Cheers,

D
0
 
broncbuster (Author) Commented:
You are Freakin' Awesome!  How do you know so much?
0
 
dicconb Commented:
You're too kind broncbuster! Thanks for the points,

D
0
