Event log error messages

HilltownHealthCenter used Ask the Experts™
I am seeing a large number of warnings of the type below, from the DC for the subnet. This machine was removed from service for a time, and the subnet was reassigned to the Primary DC in AD Sites and Services. Then the machine was restored and the subnet was reassigned to it. It seems to be working, and some users complain that they are not getting their network shares. The users are using correct passwords.

User HILLTOWN\nrosenberg was denied access.
 Fully-Qualified-User-Name = Hilltown.Local/Staff/Naomi Rosenberg
 NAS-IP-Address =
 NAS-Identifier = WLC2106-01
 Called-Station-Identifier = 00-26-99-b9-16-10:hchc-secure
 Calling-Station-Identifier = 00-1f-3b-d7-f2-07
 Client-Friendly-Name = WLC2601-02
 Client-IP-Address =
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Secure Wireless
 Authentication-Type = PEAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Did you delete the machine account from AD when you retired the machine from service?
Try to put the machine in a workgroup, then rejoin it to the domain. That can solve the machine account problem, if any.


You can also try resetting their computer account. If that doesn't help, I would suggest Dan's answer.
Here is what I have discovered. The problem only affects Cisco wireless connections, and is resolved if the Wireless controller is pointed to the Primary DC in a different subnet. Authentication works fine for user logins in the subnet, using the local DC. Most interesting is what I find if I compare the properties of the AD groups between the two DCs.

I am attaching a screen composite of the properties of the working DC (server01) and the failing DC. Notice that Object and Security tabs are missing from the properties on the failing AD. This is true of other AD object properties as well. What would account for the missing tabs? I don't see any other glaring differences between the DCs.

Let's make this worthwhile...
Are you sure DNS is correctly replicating between the DCs? See the forwarding and cross zone tabs in the DNS configuration...
Tabs found (advanced view needed).
Roads_Roads: Exactly how do I get to the forwarding and cross zone tabs?
Run DNS management on the 1st and 2nd DC.
Sorry for the image, but English is not my native language and I'd rather show you that in English.
Enter the "other" DC's IP in that tab (forwarding).

Sorry, not cross transfer but zone transfer,
and add a cross reference:
on DC1 to DC2's IP address
on DC2 to DC1's IP address
Each DC references itself and the other in the local domain lookup.

I think the errors are related to the line:

"Authentication-Server = <undetermined> "

in the error report (part of initial question). Where should this point?
This is looking like an issue with RADIUS authentication. The system consultants who installed the controllers and authentication components are going to check the configuration on their wireless controllers, so we might as well close the question.
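
Added example, not part of the original thread or any poster's code: a small Python parser for denial events in the layout quoted in the question. It groups denials by RADIUS client and reason code and lists the fields logged empty or as <undetermined>, which is the comparison the thread ends up making by hand. The sample text is constructed, and the second user name is a made-up placeholder.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event quoted in the question.
SAMPLE = r"""
User HILLTOWN\nrosenberg was denied access.
 NAS-IP-Address =
 Client-Friendly-Name = WLC2601-02
 Authentication-Server = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 16

User HILLTOWN\example-user was denied access.
 Client-Friendly-Name = WLC2601-02
 Authentication-Server = <undetermined>
 Reason-Code = 16
"""

HEADER = re.compile(r"^User (?P<user>\S+) was denied access\.\s*$")
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][\w-]*) =\s?(?P<value>.*)$")

def parse_events(text):
    """Return one dict of fields per 'was denied access' record."""
    events, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"User": header.group("user")}
            events.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group("key")] = field.group("value").strip()
    return events

def unresolved(event):
    """Names of fields logged empty or as <undetermined>."""
    return sorted(k for k, v in event.items() if v in ("", "<undetermined>"))

def summarize(events):
    """Count denials per (Client-Friendly-Name, Reason-Code) pair."""
    return Counter((e.get("Client-Friendly-Name", "?"), e.get("Reason-Code", "?"))
                   for e in events)

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    for (client, code), count in summarize(events).items():
        print(f"{client} reason {code}: {count} denial(s)")
    for e in events:
        print(e["User"], "unresolved:", ", ".join(unresolved(e)))
```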
