Logon failure: the target account name is incorrect and Event 4 KRB_AP_ERR_MODIFIED - Windows Server 2008 and Server 2003
Posted on 2010-09-01
We have a primary DC on Windows Server 2008 Standard with Exchange Server 2007 (DC1.domain.co.uk), which was migrated from Windows Server 2003 (Server01.domain.co.uk). We also have a backup domain controller (daserver.domain.co.uk). The issues we are having are:
1. Client computers sometimes cannot access the server share on DC1.domain.co.uk by \\dc1 or \\dc.domain.co.uk (they can access the server share by IP). The error they get is "Logon failure: the target account name is incorrect", and they also get the Kerberos event 4 error KRB_AP_ERR_MODIFIED in Event Viewer. Outlook is disconnected from Exchange as well. Sometimes when they reboot the computer they can access DC1, and Outlook is connected to Exchange as well. Another thing: if I look at the system logs on the backup domain controller Daserver, I see KDC error event 27 (while processing a TGS request for a target server….). I don’t see those errors in the main DC1 system logs.
Here is what I have done to fix this, but it failed:
1. Deleted the old server Server01's computer account from Active Directory and DNS. (That server had been shut off after migration.) Can there still be traces of Server01? If there are, how can I remove them?
2. Reset the computer account in Active Directory for the client computer which was having the issue and rejoined it to the domain. After a few days they still have the same issue.
3. Deleted the client computer account from AD and also deleted the DNS record. Took the client computer off the domain, changed the computer name and joined it back to the domain. After a few days, still the same issue.
4. Checked NetBIOS on servers and client computers; it is fine.
5. Checked that all client computers have the DC1 IP address as the main DNS server.
What else can you suggest so I can sort this problem out?
2. It may be the backup domain controller Daserver which is the cause of this issue (it is giving KDC error event 27 and cannot access the DC1 share). Since we don’t need a backup domain controller, I was going to demote it, but when I run DCPROMO I get the error "target account name is incorrect". I was thinking of doing DCPROMO /forceremoval but read somewhere that people sometimes can’t log in to Windows after doing it. The phone system software is running on it and I don’t want any downtime after doing this.
Any advice on this issue?