HilltownHealthCenter


Event log error messages

I am seeing a large number of warnings of the type below, from the DC for the subnet. This machine was removed from service for a time, and the subnet was reassigned to the Primary DC in AD Sites and Services. Then the machine was restored and the subnet was reassigned to it. It seems to be working, and some users complain that they are not getting their network shares. The users are using correct passwords.


User HILLTOWN\nrosenberg was denied access.
 Fully-Qualified-User-Name = Hilltown.Local/Staff/Naomi Rosenberg
 NAS-IP-Address = 172.20.2.247
 NAS-Identifier = WLC2106-01
 Called-Station-Identifier = 00-26-99-b9-16-10:hchc-secure
 Calling-Station-Identifier = 00-1f-3b-d7-f2-07
 Client-Friendly-Name = WLC2601-02
 Client-IP-Address = 172.20.2.247
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Secure Wireless
 Authentication-Type = PEAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
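
Added example, not part of the original post or thread: with a large number of these warnings, grouping the denied-access events by RADIUS client, reason code and authentication server shows whether the failures cluster on one client. The sample events, user names, client names and addresses are constructed; the field names are the ones in the event text above.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event text quoted above.
# Users, client names and addresses are made up for illustration.
SAMPLE = """\
User EXAMPLE\\alice was denied access.
 Client-Friendly-Name = WLC-A
 Client-IP-Address = 192.0.2.10
 NAS-Port-Type = Wireless - IEEE 802.11
 Authentication-Server = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center.
User EXAMPLE\\bob was denied access.
 Client-Friendly-Name = WLC-A
 Authentication-Server = <undetermined>
 Reason-Code = 16
User EXAMPLE\\carol was denied access.
 Client-Friendly-Name = VPN-1
 Authentication-Server = dc2.example.test
 Reason-Code = 16
"""

HEADER = re.compile(r"^User (\S+) was denied access\.")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s*=\s*(.*?)\s*$")

def parse_events(text):
    """Split concatenated event descriptions into one dict per denial."""
    events, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            current = {"User": header.group(1)}
            events.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return events

def summarize(events):
    """Count denials per (RADIUS client, reason code, authentication server)."""
    return Counter((e.get("Client-Friendly-Name"), e.get("Reason-Code"),
                    e.get("Authentication-Server")) for e in events)

if __name__ == "__main__":
    for key, count in summarize(parse_events(SAMPLE)).most_common():
        print(count, *key)
```
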
dan_blagut

Hello

Did you delete the machine account from AD when you retired the machine from service?
Try to put the machine in a workgroup, then rejoin it in the domain. That can solve the machine account problem if any.

Dan
You can also try resetting their computer account. If that doesn't help, I would suggest Dan's answer.
HilltownHealthCenter

ASKER

Here is what I have discovered. The problem only affects Cisco wireless connections, and is resolved if the Wireless controller is pointed to the Primary DC in a different subnet. Authentication works fine for user logins in the subnet, using the local DC. Most interesting is what I find if I compare the properties of the AD groups between the two DCs.

I am attaching a screen composite of the properties of the working DC (server01) and the failing DC. Notice that Object and Security tabs are missing from the properties on the failing AD. This is true of other AD object properties as well. What would account for the missing tabs? I don't see any other glaring differences between the DCs.
AD-Compare.JPG
Let's make this worthwhile...
Are you sure the DNS are correctly replicating between DCs? See the forwarding and cross zone tabs in DNS configuration...
Tabs found (advanced view needed).
Roads_Roads: Exactly how do I get to the forwarding and cross zone tabs?
Run the DNS management on the 1st and 2nd DC.
Sorry for the image, but English is not my native language and I'd rather show you that in English.
http://www.elmajdal.net/ISAServer/Internal_DNS_Forwarding/DNS_mngmt.JPG
Enter the "other" DC's IP in that tab (forwarding).

Sorry, not cross transfer but zone transfer.
http://www.windowsecurity.com/img/upl/image0021183034634088.jpg
And add a cross reference:
on DC1 to DC2 IP address
on DC2 to DC1 IP address
Each DC references itself and the other in the local domain lookup.

I think the errors are related to the line:

"Authentication-Server = <undetermined> "

in the error report (part of initial question). Where should this point?