Solved

Logon failure: the target account name is incorrect and Event 4 KRB_AP_ERR_MODIFIED - Windows Server 2008 and Server 2003

Posted on 2010-09-01
Last Modified: 2012-05-10
Hi Everyone,
We have a primary DC, Windows Server 2008 Standard with Exchange Server 2007 (DC1.domain.co.uk), which was migrated from Windows Server 2003 (Server01.domain.co.uk). We also have a backup domain controller (daserver.domain.co.uk). The issues which we are having are:

1. Client computers sometimes cannot access the server share on DC1.domain.co.uk by \\dc1 or \\dc.domain.co.uk (they can access the server share by IP), and the error they get is "Logon failure: the target account name is incorrect"; they also get a Kerberos event 4 error, KRB_AP_ERR_MODIFIED, in Event Viewer. Outlook is disconnected from Exchange as well. Sometimes when they reboot the computer they can access DC1 and Outlook is connected to Exchange as well. Another thing: if I look at the backup domain controller Daserver's system logs I see KDC error event 27 (while processing a TGS request for a target server…). I don't see those errors in the main DC1 system logs.

So here is what I have done to fix this, but failed:

1. Deleted the old server Server01's computer account from Active Directory and DNS. (That server had been shut off after migration.) Can there still be traces of Server01? If there are, how can I remove them?

2. Reset the computer account in Active Directory from the client computer which was having the issue and rejoined it to the domain. Still, after a few days they have the same issue.

3. Deleted the client computer account from AD and also deleted the DNS record. Took the client computer off the domain, changed the computer name and joined it back to the domain. Still, after a few days, the same issue.

4. Checked NetBIOS on servers and client computers; it's fine.

5. Checked that all client computers have DC1's IP address as the main DNS server.

What else can you suggest so I can sort this problem out?

2. It may be the backup domain controller Daserver which is the cause of this issue (it's giving KDC error event 27 and cannot access the DC1 share), and since we don't need a backup domain controller, I was going to demote it, but when I do DCPROMO I get the error "target account name is incorrect". I was thinking of doing DCPROMO /forceremoval but read somewhere that people can't log in to Windows sometimes after doing it. The phone system software is running on it and I don't want any downtime after doing this.
Any advice on this issue.
Question by:Sovit_83
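A triage script for the symptoms in the question (Kerberos event 4 on the client, "target account name is incorrect"), added here as an example; it is not part of the thread. It assumes PowerShell 2.0 on the affected machine, setspn.exe and nltest.exe in PATH (built into Windows Server 2008 and Windows 7, Support Tools on Server 2003/XP), the English wording of the Kerberos event text, and the domain name used in the thread.

```powershell
# Added example, not from the thread. Run on a client (or on Daserver) that logs
# Kerberos event 4 / "target account name is incorrect". Assumptions: PowerShell 2.0,
# setspn.exe and nltest.exe in PATH, English event text, domain name from the thread.
param(
    [string]$Domain = 'domain.co.uk',
    [int]$Hours = 48
)

$since = (Get-Date).AddHours(-$Hours)

# 1. DNS client settings: every address listed should be a DC of the domain. A stale
#    address (for example the retired Server01) is enough to send lookups astray.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Write-Host ("DNS servers on {0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
    }

# 2. KRB_AP_ERR_MODIFIED is logged by the Kerberos client as System event 4; the text
#    names the server account that could not decrypt the ticket and the SPN requested.
$targets = @{}
Get-EventLog -LogName System -Source Kerberos -After $since |
    Where-Object { $_.EventID -eq 4 } |
    ForEach-Object {
        if ($_.Message -match 'from the server (?<acct>\S+?)\.\s+The target name used was (?<spn>\S+?)\.\s') {
            $targets[$matches['spn']] = $matches['acct']
        }
    }

if ($targets.Count -eq 0) { Write-Host "No Kerberos event 4 entries in the last $Hours hours." }

# 3. For each SPN, ask the domain which accounts hold it. Two holders means the KDC
#    encrypted the ticket with another account's key (duplicate SPN, typically a
#    leftover object from an old server); exactly one holder points instead to the
#    server's machine-account password being out of step with the KDC that issued
#    the ticket.
foreach ($spn in $targets.Keys) {
    $holders = @(setspn -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })
    Write-Host ("{0} (server account {1}) is registered on {2} object(s):" -f $spn, $targets[$spn], $holders.Count)
    $holders | ForEach-Object { Write-Host "    $_" }

    # Does the host named in the SPN resolve, and to the address the client expects?
    $hostName = ($spn -split '/')[1]
    if ($hostName) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString }
            Write-Host ("    {0} resolves to {1}" -f $hostName, ($addrs -join ', '))
        } catch {
            Write-Host "    $hostName does not resolve: $($_.Exception.Message)"
        }
    }
}

# 4. This machine's own secure channel to the domain; a failure here is the
#    "target account name is incorrect" case from the thread.
nltest /sc_verify:$Domain
```

Read the output against the two causes of KRB_AP_ERR_MODIFIED: more than one holder of the SPN means a duplicate registration; a single holder means the ticket was encrypted with a key the server no longer has, which is what a KDC working from a copy of AD that has not replicated the target's current password produces. Tickets already cached on a client stay broken until they expire or are purged, which is why a reboot helped some of the clients in the thread.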
13 Comments
 

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 33578839
For #1: when you say you deleted your server, how did you do that? Did you do the metadata cleanup? http://www.petri.co.il/delete_failed_dcs_from_ad.htm
You do want to have two DCs -- the second has a full writable copy though.
A forceremoval will put it in a workgroup; you can then clean out the metadata using the link above.
Join the machine back to the domain and promote it again.
Thanks
Mike

Expert Comment

by:Darius Ghassem
ID: 33578846
First thing, go through and run metadata cleanup to remove any lingering objects from the failed DC. You should never just delete the computer account of a DC; you should demote it by running dcpromo: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

After doing the above, run dcdiag then post the results.

You should only be pointing to existing DCs in your TCP/IP settings for DNS.

Expert Comment

by:Mike Kline
ID: 33578902
Just realized something after reading your zones again. Was the DC (the one that was having issues) 2008 or 2003? If you are running 2008, deleting the object will also do the metadata cleanup for you. Jon has some good links about that here:
http://policelli.com/blog/?p=436
...the ntdsutil method still works as well
 

Author Comment

by:Sovit_83
ID: 33579059
DC1 is Server 2008, which was migrated from Server01 (Server 2003). So I deleted Server01 from the Domain Controllers OU in Active Directory on DC1. Does that mean I don't need to do metadata cleanup?

What about the backup domain controller server01 showing KDC event 27 errors (while processing a TGS request for a target server…) while the primary DC1 doesn't show it? Also I can't access DC1 from DAserver; it gives "target account is incorrect" and then KRB_AP_ERR_MODIFIED in Event Viewer on Daserver. If it can access DC1.domain.co.uk then I can demote it without DCPROMO force removal. Can I do anything to sort this out, or do I just demote it using the force removal switch and delete it from DC1's Active Directory?

Do you think doing this will solve the main issue, in which client computers sometimes couldn't access DC1 by name and Outlook disconnects, giving the "target account name incorrect" and KRB_AP_ERR_MODIFIED errors?

Author Comment

by:Sovit_83
ID: 33579074
Sorry, forgot to tell you: the backup domain controller Daserver is Server 2003 Standard.
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33579610
Your forest and domain need to be running at the Windows Server 2008 functional level before you have the ability to just delete from the DC OU to run a metadata cleanup.

Post dcdiag. Make sure clients and DCs are only pointing to internal DNS servers in their TCP/IP properties.

Author Comment

by:Sovit_83
ID: 33581434
Here is the DCDIAG from DC1

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
         ......................... DC1 passed test Services
      Starting test: SystemLog
         ......................... DC1 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test
         CrossRefValidation

   Running enterprise tests on : domain.co.uk
      Starting test: LocatorCheck
         ......................... domain.co.uk passed test
         LocatorCheck
      Starting test: Intersite
         ......................... domain.co.uk passed test Intersite

Another thing I notice is that the DNS records on the backup domain controller Daserver are different from the DNS records on the main server DC1. The DNS records are really old on Daserver; it seems it is not synchronizing.

Expert Comment

by:Darius Ghassem
ID: 33586171
Do you have AD integrated DNS zones? Seems like you were failing replication but passing now.

Run replmon /syncall

Author Comment

by:Sovit_83
ID: 33586938
Yes, DNS zones are AD integrated. Replmon /syncall didn't work on DC1 (Server 2008); it came back with the error "not recognized".
The backup domain controller Daserver (Windows Server 2003) has old Active Directory and DNS records. When I reset a machine account in DC1, Daserver will still have a red cross on the machine even after it has been rejoined. (I think this is the root of all the problems with some clients getting "the target account name is incorrect", cannot find domain, username/password wrong, Kerberos ticket errors.)
I went to AD Sites and Services, Daserver NTDS, and tried to replicate from DC1 to Daserver; it gives "the target principal name is incorrect". How can I make AD and DNS sync from DC1 to Daserver?
Also when I try to access DC1 from Daserver it gives "target account name is incorrect" and also KRB_AP_ERR_MODIFIED in Event Viewer on Daserver. I think probably we need to reset the computer account on the backup domain controller Daserver with the Netdom command. If I am right, how do I do it?
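The machine-account reset the post above asks about (netdom resetpwd on a DC whose secure channel to its partner is broken), as an added example; it is not from the thread and none of the experts posted it. It assumes it is run on Daserver as a domain admin, that DC1 is healthy and reachable, that netdom.exe, repadmin.exe and klist.exe are available (Windows Server 2003 Support Tools / Resource Kit; built into 2008), and that "domain" is the NetBIOS name of domain.co.uk. Every line except the two variable assignments is also a valid cmd.exe command.

```powershell
# Added example, not from the thread. Run ON Daserver (the DC whose secure channel
# to DC1 fails) from an elevated prompt as a domain admin. Assumptions: netdom,
# repadmin and klist present; DC1 healthy; "domain" is the NetBIOS domain name.
$PartnerDc = 'DC1.domain.co.uk'
$Domain    = 'domain.co.uk'

# 1. Confirm the symptom before changing anything.
nltest /sc_verify:$Domain

# 2. Stop the local KDC so this DC stops issuing itself tickets from its own stale
#    copy of the directory and obtains them from DC1 for the rest of the procedure.
net stop kdc

# 3. Reset this DC's machine-account password, writing the new secret both into the
#    local LSA and into DC1's copy of AD. /passwordd:* prompts for the admin password
#    instead of putting it on the command line.
netdom resetpwd /server:$PartnerDc /userd:domain\Administrator /passwordd:*

# 4. Drop tickets cached under the old keys, then pull a fresh replica from DC1
#    (all partitions, across sites, names shown as DNs) while the local KDC is down.
klist purge
repadmin /syncall /AeD

# 5. Bring the KDC back and re-check the secure channel and replication state.
net start kdc
nltest /sc_verify:$Domain
repadmin /showrepl
```

The reset only repairs the Daserver-to-DC1 channel; it does nothing for a client that already holds a ticket encrypted with a stale key, so clients that were failing keep failing until that ticket expires or is purged (`klist purge` on the client, or the reboot the question mentions). If step 3 itself fails with "target account name is incorrect", the demote-and-repromote route is the remaining option.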




Accepted Solution

by:Darius Ghassem
Darius Ghassem earned 250 total points
ID: 33587021
What you can do, which might be easier, is to demote Daserver, then run metadata cleanup on AD to remove any lingering objects. Delete all DNS records for this DC. Remove DNS. You can then promote the server again; this will make sure you are getting a clean copy of AD.
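The DC1 side of the accepted procedure (metadata cleanup and DNS cleanup after Daserver has been demoted), as an added example script; this is not code from the thread. It assumes Daserver has already been demoted (dcpromo, or dcpromo /forceremoval, and the DNS server role removed on Daserver), that Daserver sat in Default-First-Site-Name (the only site in the dcdiag output, so an assumption for Daserver), the zone and DN values from the thread, and ntdsutil, dnscmd, repadmin and dcdiag from Windows Server 2008 in PATH.

```powershell
# Added example, not from the thread. Run on DC1 (Windows Server 2008) as a domain
# admin after Daserver has been demoted. Names are taken from the thread; the site
# name is the one in the dcdiag output and is an assumption for Daserver.
$Dc       = 'DC1'
$OldDc    = 'DASERVER'
$Zone     = 'domain.co.uk'
$Site     = 'Default-First-Site-Name'
$ConfigNc = 'CN=Configuration,DC=domain,DC=co,DC=uk'
$ServerDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$ConfigNc"

# 1. Metadata: a clean dcpromo removes the NTDS Settings object itself; after a
#    /forceremoval it is left behind, and that is what metadata cleanup deletes.
#    Windows Server 2008 ntdsutil accepts the server DN directly (it still shows a
#    confirmation dialog before deleting).
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=NTDS Settings,$ServerDn")) {
    Write-Host "NTDS Settings object still present for $OldDc, running metadata cleanup"
    ntdsutil "metadata cleanup" "remove selected server $ServerDn" quit quit
} else {
    Write-Host "No NTDS Settings object for $OldDc, metadata is already clean"
}

# 2. DNS: remove the records that named the old DC as a name server and as a DC
#    locator target. The host (A) record is left alone: Daserver is still a member
#    server running the phone system and re-registers it anyway. /RecordDelete is
#    given the full RR data so DC1's own records at the same node are untouched;
#    records that are not there just report DNS_ERROR_RECORD_DOES_NOT_EXIST.
$fqdn = "$OldDc.$Zone."
dnscmd $Dc /RecordDelete $Zone '@' NS $fqdn /f
# _msdcs is a separate forest-wide zone in domains created on 2003 or later and a
# subdomain of the domain zone in domains upgraded from Windows 2000; both forms are
# tried below and the one that does not exist simply fails.
dnscmd $Dc /RecordDelete "_msdcs.$Zone" '@' NS $fqdn /f

$locators = @(
    @{ Owner = '_ldap._tcp';                  Port = 389  },
    @{ Owner = '_kerberos._tcp';              Port = 88   },
    @{ Owner = '_kerberos._udp';              Port = 88   },
    @{ Owner = '_kpasswd._tcp';               Port = 464  },
    @{ Owner = '_kpasswd._udp';               Port = 464  },
    @{ Owner = '_gc._tcp';                    Port = 3268 },
    @{ Owner = "_ldap._tcp.$Site._sites";     Port = 389  },
    @{ Owner = "_kerberos._tcp.$Site._sites"; Port = 88   },
    @{ Owner = "_gc._tcp.$Site._sites";       Port = 3268 },
    @{ Owner = '_ldap._tcp.dc._msdcs';        Port = 389  },
    @{ Owner = '_kerberos._tcp.dc._msdcs';    Port = 88   },
    @{ Owner = '_ldap._tcp.gc._msdcs';        Port = 3268 },
    @{ Owner = '_ldap._tcp.pdc._msdcs';       Port = 389  },
    @{ Owner = "_ldap._tcp.$Site._sites.dc._msdcs";     Port = 389  },
    @{ Owner = "_kerberos._tcp.$Site._sites.dc._msdcs"; Port = 88   },
    @{ Owner = "_ldap._tcp.$Site._sites.gc._msdcs";     Port = 3268 }
)
foreach ($r in $locators) {
    dnscmd $Dc /RecordDelete $Zone $r.Owner SRV 0 100 $r.Port $fqdn /f
    if ($r.Owner -like '*._msdcs') {
        $owner = $r.Owner -replace '\._msdcs$', ''
        dnscmd $Dc /RecordDelete "_msdcs.$Zone" $owner SRV 0 100 $r.Port $fqdn /f
    }
}

# 3. Anything left that still names the old DC (the GUID-named CNAME and the
#    domain-GUID SRV record under _msdcs cannot be predicted here) is listed for
#    manual removal with the same /RecordDelete syntax.
dnscmd $Dc /ZonePrint $Zone | Select-String -SimpleMatch $OldDc
dnscmd $Dc /ZonePrint "_msdcs.$Zone" | Select-String -SimpleMatch $OldDc

# 4. Push the change to all partitions and partners, then re-run the checks the
#    thread already uses.
repadmin /syncall /APeD
dcdiag /test:DNS
dcdiag /test:Replications
```

Run step 3 until nothing is listed before repromoting; a stale locator record pointing at a host that is no longer a KDC is exactly what produces the intermittent "target account name is incorrect" seen by clients, since the DC locator hands some of them a name that cannot issue valid tickets.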

Author Comment

by:Sovit_83
ID: 33587558
As I mentioned before in the question, Daserver has some Avaya telephone software (wallboard switch) running on it. I need to find out whether removing Daserver from the domain and then rejoining it (with or without renaming it) affects the phone system software. I am working remotely on the server and the person (IT manager) who I deal with in that company is on holiday. That's why I was thinking I could make DC1 sync to Daserver without rejoining it to the domain. Otherwise I have to wait a week or two to have it demoted with the force removal switch.



Expert Comment

by:Darius Ghassem
ID: 33589291
Well, you shouldn't have any issues demoting then re-promoting the server with the software, but if you want to hold off then you can. You will not have the problem of not being able to log into the system either; after force removing you should be OK.

Have you gone through this yet?

http://support.microsoft.com/kb/837513

Have you run metadata cleanup to remove Server1?

Author Comment

by:Sovit_83
ID: 33594827
DC1 (Server 2008) doesn't have any traces of Server-01 (Server 2003) after I deleted the account; ntdsutil showed clean. I did metadata cleanup on Daserver and removed traces of Server01. I am going through the link that you posted; I will see if that helps. Anyway, thanks for your help.