Solved

Authentication problems on Windows 2003 Domain

Posted on 2011-03-01
Last Modified: 2012-06-21
We are experiencing intermittent authentication problems on this Windows 2003 domain.
It used to have a BDC located offsite and connected through a VPN, but this has been discontinued. We have removed the record of the BDC from the Active Directory Domain Controllers folder.

Since then we have been having varied problems across the network.

Outlook suddenly asks for a username and password, or the contents of a shared folder cannot be seen.
Rebooting the machine usually fixes the problem.

Event Viewer shows these errors:
Event ID 4
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc.domain.com. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.COM), and the client realm. Please contact your system administrator.

Event ID: 1054
Windows cannot obtain the domain controller name for your computer network (An unexpected network error occurred). Group Policy processing aborted.

Lately we had a workstation not able to log on to the domain with this error:

The trust relationship between the primary domain and the trusted domain failed.
We had to rejoin the domain to resolve the issue.

Today our development server is not accessible, except that it responds to pings and RDC.

Event ID: 3210, Source: Netlogon
This computer could not authenticate with \\OLDBDC.domain.com, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name, or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
and
Event ID: 5719, Source: Netlogon
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your system administrator.

The old BDC record seems to stay somewhere on the other servers and workstations even though it was removed from Active Directory and the DNS server.
Any ideas?
Question by: djrc

17 Comments

Accepted Solution by: loki_loki (earned 500 total points)
When you say removed, do you mean just deleted? You need to remove the DC gracefully to avoid issues like this.

If you just deleted it then you will have to manually clean up Active Directory, using ntdsutil.

http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Expert Comment by: Draxonic
You might need to do a metadata cleanup:
http://support.microsoft.com/kb/216498

...but the most likely culprit is that you still have DNS records that point to the discontinued DC.

Author Comment by: djrc
@ Draxonic
That is correct, there was still a DNS record lying about for oldbdc.domain.com.
That's now been removed.

I will check on loki_loki's suggested cleanup using ntdsutil, as well as the metadata cleanup suggested by Draxonic and loki, and report back.

Thanks for the quick answers.

Expert Comment by: Ahmed786
NT BDCs simply hold a read-only copy of the database; they can simply be powered off, and their associated objects deleted.

Note: in some cases people have trouble deleting the objects from dsa.msc. In this case, use ADSIEdit.msc to delete these objects.

Author Comment by: djrc
Following the article http://www.petri.co.il/delete_failed_dcs_from_ad.htm, I get a problem running the command 'connect to server currentdc':

server connections: connect to server bggicc99
Binding to bggicc99 ...
DsBindW error 0x6ba(The RPC server is unavailable.)
server connections:

Author Comment by: djrc
Sorry, ignore the last post, typo error.

Author Comment by: djrc
OK metadata cleanup done, DNS cleanup done, will see how it goes.

Expert Comment by: loki_loki
You're definitely binding to a working DC, not the dead one?

Expert Comment by: loki_loki
Ignore that :)

Expert Comment by: Draxonic
Make sure you check for records for the old DC in the _msdcs.<domain name> DNS stub zone as well.

Author Comment by: djrc
Argh, I'm still getting events logged in the Event Viewer even though no workstation has reported any problems yet.

Event ID: 5723, Source: Netlogon
The session setup from computer 'OLDBDC' failed because the security database does not contain a trust account 'OLDBDC$' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:

If 'OLDBDC$' is a legitimate machine account for the computer 'OLDBDC', then 'OLDBDC' should be rejoined to the domain.

If 'OLDBDC$' is a legitimate interdomain trust account, then the trust should be recreated.

and

Event ID: 5805, Source: Netlogon
The session setup from the computer OLDBDC failed to authenticate. The following error occurred:
Access is denied.

Author Comment by: djrc
Also a warning about DNS that might have something to do with it:

Event ID: 5773, Source: Netlogon
The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:

DNS server IP address: x.x.x.x
Returned Response Code (RCODE): 4
Returned Status Code: 9004  

USER ACTION  
Configure the DNS server to allow dynamic DNS updates or manually add the DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the DNS database.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Author Comment by: djrc
No more ideas guys ?

Expert Comment by: Draxonic
Event ID: 5723, Source: Netlogon
The session setup from computer 'OLDBDC' failed because the security database does not contain a trust account 'OLDBDC$' referenced by the specified computer.

Err... that makes it sound like that old DC is still connected.

Expert Comment by: loki_loki
Have you checked in DNS for any old records of the oldbdc?
Any old shares that are mapped to the oldbdc?
Any GPOs still referencing it?
Is it still showing in Active Directory Sites and Services?
If you have carried out the metadata cleanup correctly then you can delete these manually.
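An added audit script (written for this page, not posted by anyone in the thread) that runs loki_loki's checklist above and Draxonic's _msdcs check against the live environment: it lists DNS records in every forward zone that still point at the old DC, any leftover Sites and Services objects and computer account, and recent Netlogon events quoted in this thread that still name it. It assumes an admin host with the RSAT DnsServer and ActiveDirectory modules (2008 R2/2012-era tooling, not available on the 2003 DC itself); OLDBDC and MAINDC come from the thread, the IP address is a constructed placeholder.

```powershell
# Added example, not from the thread. Needs the RSAT DnsServer and ActiveDirectory modules.
param(
    [string]$OldDc     = 'OLDBDC',     # short name of the decommissioned DC (from the thread)
    [string]$OldDcIp   = '10.0.0.99',  # constructed placeholder; use the real old address
    [string]$DnsServer = 'MAINDC'      # surviving DC hosting the AD-integrated zones
)
Import-Module DnsServer, ActiveDirectory -ErrorAction Stop

# A records match by IP; SRV/CNAME/NS by target host. This catches the GUID._msdcs
# CNAME and the _ldap/_kerberos SRV entries that still advertise the dead DC.
function Test-RefersToOldDc {
    param($Record)
    $d = $Record.RecordData
    switch ($Record.RecordType) {
        'A'     { $d.IPv4Address.ToString() -eq $OldDcIp }
        'SRV'   { $d.DomainName    -like "${OldDc}.*" }
        'CNAME' { $d.HostNameAlias -like "${OldDc}.*" }
        'NS'    { $d.NameServer    -like "${OldDc}.*" }
        default { $false }
    }
}

# 1. Walk every forward zone; covers _msdcs whether it is its own zone or a subdomain.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsReverseLookupZone -and $_.ZoneType -ne 'Forwarder' } |
    ForEach-Object {
        $zone = $_.ZoneName
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
            Where-Object { $_.HostName -ieq $OldDc -or (Test-RefersToOldDc $_) } |
            ForEach-Object { "DNS  $zone : $($_.HostName) $($_.RecordType)" }
    }

# 2. Sites and Services server object, its NTDS Settings child (deleted first in the thread) and the computer account.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" |
    ForEach-Object { "AD   server object still present: $($_.DistinguishedName)" }
Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object { $_.DistinguishedName -like "*,CN=$OldDc,*" } |
    ForEach-Object { "AD   NTDS Settings still present: $($_.DistinguishedName)" }
Get-ADComputer -Filter "Name -eq '$OldDc'" |
    ForEach-Object { "AD   computer account still present: $($_.DistinguishedName)" }

# 3. Netlogon events from the thread still naming the old DC: persistent hits mean a host still talks to (or as) it.
Get-WinEvent -ComputerName $DnsServer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719, 5723, 5805
        StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Message -match $OldDc } |
    ForEach-Object {
        $firstLine = ($_.Message -split '\r?\n')[0]
        "EVT  $($_.TimeCreated) id $($_.Id): $firstLine"
    }
```

Empty output from all three sections means nothing on the checklist still references the old DC; any line that does print is the object or record left to remove.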

Author Comment by: djrc
@ Draxonic
I'm not in control of the OLDBDC and I thought the same; it looks like it's still active and trying to connect.
I will find out for sure what is going on there.

@loki_loki
I've cleaned the whole DNS tree of the oldbdc.
It was still showing in Active Directory Sites and Services.
It was under Default-First-Site-Name - Servers.
I had to delete its subfolder before I could delete the object and the connection under MAINDC.
Can't see any reference to it in the GPOs.
No mapped shares.

Expert Comment by: loki_loki
Are you still having the issues after deleting it from Sites and Services?