Link to home
Start Free TrialLog in
Avatar of broncbuster
broncbusterFlag for United States of America

asked on

Login Failure: the target account name is incorrect

Hello,

I'm having an issue with my domain controller.  The office is running windows server 2003 AD DC with DNS, DHCP and file sharing with about 30 workstations connected to it.  I got called in because the office was complaining about problems losing network shares randomly.  Sometimes, they will reboot and it will be ok, other times, it continues to act up.  I got here and checked it out and found several computers that when I tried to access network drives, got the error: Login Failure: the target account name is incorrect.  After rebooting the computers, most of them are working, but not all of them.  I even rebooted the server.  Still nothing.  I've been doing research on this forum and ran many diagnosis tools but i still can't find the problem.  

On the computer I"m having most trouble with, I removed it from the domain and rejoined the domain but it still doesn't work.  Then i tried to change the computer name and i got the same error: (login failure...). So then I removed the computer from the domain and changed the computer name no problem.  But when i tried to rejoin the domain, I was unable to join and got the same error (login failure...).  I've tried removing the computer from the list of active directory users and computers and it deleted just fine.  But when i tried to add the computer back to the list I get this error: "MMC has detected an error in  a snapin.  It is recommended that you shut down and restart MMC".  I'm to the point where i need to ask for help.  Please help!!

Steve
Avatar of dicconb
dicconb
Flag of United Kingdom of Great Britain and Northern Ireland image

The "the target account name is incorrect" error means that the client is connecting to a different computer than the one it expected. eg Client tries to connect to \\server01\share, but because of a name resolution problem, gets directed to server02. When negotiating authentication with server02, the target computer account name (server01) doesn't match.

Troubleshooting steps:

On a workstation that's experiencing the problem, run "nslookup servername", and check that the IP address that is returned is correct

If the IP address is incorrect, check that the client has the correct DNS server address.
Avatar of jar3817
jar3817

Make sure only the domain controllers are listed as the nameserver for the clients. If there are outside server (ISP nameservers) remove them.
Hope you managed to get this sorted.  If you're still having trouble let me know and we'll troubleshoot further.

Cheers,

D
Avatar of broncbuster

ASKER

Hi...thanks for the responses.  I've not  been out to the client's office since i posted the question.  It will be this week early.  One thing i forgot to mention is that they have 2 DC's on the network, but only should have 1.  Second server should have been setup as only a file server, but whoever set it up, did it as a DC.  
OK, good luck!  Shouldn't be a problem that the 2nd server is  DC, unless it's somehow been misconfigured.  If necessary should be easy enough to run DCPROMO and revert to just a file server.

Looking back through the symptoms, I would also check for duplicate IP addresses on the network and/or a DHCP pool that overlaps with statically assigned IP addresses.
Also check that other DC to see if it has the DNS service running on it. If it doesn't and that server is listed as a DNS server in the DHCP options that would cause problems.
Ok, this is what I get when i do nslookup "servername"
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup mainserver
*** Can't find server name for address 10.1.10.200: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  10.1.10.200

Name:    mainserver.adc.pri
Addresses:  10.1.10.200, 192.168.0.1


C:\Documents and Settings\Administrator>
Ok, I looked up the nslookup error and found the Microsoft document on adding reverse lookup zones and setting a PTR.  So I did it and tried nslookup again and got this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup mainserver
Server:  mainserver
Address:  10.1.10.200

Name:    mainserver.adc.pri
Addresses:  10.1.10.200, 192.168.0.1


C:\Documents and Settings\Administrator>

However, I still get my same "Login Failure...:"error when trying to join the domain.  Also, I tried to demote the second DC using DCPromo, but on that computer, I get the same error: Login failure: target accont ....
Also, I checked the DNS Event viewer and found a warning from today:
Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4521
Date:            12/23/2009
Time:            9:21:49 AM
User:            N/A
Computer:      MAINSERVER
Description:
The DNS server encountered error 32 attempting to load zone 10.1.10.in-addr.arpa from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
SOLUTION
Avatar of dicconb
dicconb
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Ok, here you go.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Temp>dcdiag /c /q
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAINSERVER failed test frsevent
         [MAINSERVER] No security related replication errors were found on this
DC!  To target the connection to a specific source DC use /ReplSource:<DC>.

DNS Tests are running and not hung. Please wait a few minutes...
         Test results for domain controllers:

            DC: mainserver.adc.pri
            Domain: adc.pri


               TEST: Basic (Basc)
                  Warning: adapter [00000007] Broadcom BCM5708C NetXtreme II Gig
E (NDIS VBD Client) has invalid DNS server: 10.1.10.1 (<name unavailable>)
                  Error: The A record for this DC was not found

               TEST: Forwarders/Root hints (Forw)
                  Error: Forwarders list has invalid forwarder: 10.1.10.1 (<name
 unavailable>)

               TEST: Records registration (RReg)
                  Network Adapter [00000007] Broadcom BCM5708C NetXtreme II GigE
 (NDIS VBD Client):
                     Error: Missing A record at DNS server 10.1.10.1 :
                     mainserver.adc.pri

                     Error: Missing CNAME record at DNS server 10.1.10.1 :
                     ef5d0124-0c00-4eba-b38e-f5d72861044d._msdcs.adc.pri

                     Error: Missing DC SRV record at DNS server 10.1.10.1 :
                     _ldap._tcp.dc._msdcs.adc.pri

                     Error: Missing GC SRV record at DNS server 10.1.10.1 :
                     _ldap._tcp.gc._msdcs.adc.pri

                     Error: Missing PDC SRV record at DNS server 10.1.10.1 :
                     _ldap._tcp.pdc._msdcs.adc.pri

               Error: Record registrations cannot be found for all the network a
dapters

         Summary of test results for DNS servers used by the above domain contro
llers:

            DNS server: 10.1.10.1 (<name unavailable>)
               2 test failures on this DNS server
               Name resolution is not functional. _ldap._tcp.adc.pri. failed on
the DNS server 10.1.10.1

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: adc.pri
               mainserver                   PASS FAIL FAIL PASS PASS FAIL n/a

         ......................... adc.pri failed test DNS

C:\Temp>
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks for the response!  

I applied all the changes and re-ran the dcdiag /c /q and this is what i got.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>cd \

C:\>cd temp

C:\Temp>dcdiag /c /q
         ** Did not run Outbound Secure Channels test
         because /testdomain: was not entered
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... MAINSERVER failed test frsevent
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 12/23/2009   21:43:40
            (Event String could not be retrieved)
         ......................... MAINSERVER failed test systemlog
         [MAINSERVER] No security related replication errors were found on this
DC!  To target the connection to a specific source DC use /ReplSource:<DC>.

DNS Tests are running and not hung. Please wait a few minutes...

C:\Temp>
Ok...Here's what i've done.

I noticed that I was getting a lot of kerberos errors from the second DC, So I did a forceful demote and then removed the servername from the list of DC's on the primary DC.  Then I was able to join the domain with the previous DC no problem.  Then the Kerberos Errors stopped occuring in the system event viewer.  I am unable to test it on a workstation as I am not on site, but I will do this next week Monday.  Things are looking up and I thank you for your advice.  Please advise if there is anything else I need to be doing here.  

Steve
Hi broncbuster,

that's great news! DCDIAG now looks clear - the frsevent and eventlog errors will continue to pop up for a while as they look back at the previous 24 hours of event logs. Hopefully they should clear up soon.

If you are still having trouble on any workstations, check they have the correct primary DNS server, and give them a reboot.

Have a good Christmas and let me know how things go on Monday.

Cheers,

D
You are Freakin Awesome!  How do you know so much?  
You're too kind broncbuster! Thanks for the points,

D