Logon Failure: The target account name is incorrect.

Posted on 2011-03-17
Medium Priority
Last Modified: 2013-12-24
Hi Experts,
      I have a Windows 2003 domain with two sites and two domain controllers.  Recently, at one of the sites I started getting the following error when trying to add a computer to the domain "Logon Failure: The target account name is incorrect."  I've also noticed that from a number of computers (not from all) in the same site, that I cannot browse file shares - I get the same error message.  

Examining the error logs on the local DC (at the site with the problems) - I have a number of error events.  

In the application log I have a high occurrence of Event 1053:
Windows cannot determine the user or computer name. (The target principal name is incorrect. ). Group Policy processing aborted.

In the system log I have a high occurrence of Event 4:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/eagle.detect.local.  The target name used was cifs/eagle.detect.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DETECT.LOCAL), and the client realm.   Please contact your system administrator.

(The server and target name change often - host/ cifs/ dns/ ldap/ and I get it for both of my servers, falcon and eagle both with and without FQDN)

In the Directory Service Log I have a high occurrence of events 1865, 1311, and 1566:

Event 1865:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

Event 1311
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

and Event 1566
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Directory partition:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=detect,DC=local

I have been experiencing some WAN slowness over the last couple of days but not sure if this is causing part of the problem.  I also recently had a power outage at the failing site.  I have sustained these failures in the past and didn't have these problems.

I can ping all of the involved machines to and from each other.  I can browse files by IP but not by name or FQDN.  I can also RDP to and from these servers (by name) with no problems.

In doing some searching here on EE and also Google, Microsoft, etc., it sounded like I might have multiple SPN entries for the server(s).  I ran setspn -L on both DC's and I guess I'm not sure what I'm looking at to see if there is a problem - they look "normal" to me. (I can send results on request)

One suggestion was to dis-join the failing DC and re-join, but I don't really want to do that if I can avoid it.

Does anyone out there have some suggestions or know where the root cause might be?

Many thanks in advance,

Question by:matuse

Expert Comment

ID: 35162371
Are both your DCs communicating correctly?
If all is well, I'd say that really good backup you have from just before this... you may want to look into that.

Accepted Solution

temores earned 750 total points
ID: 35162387
This is caused by a duplicated SPN. That SPN could be attached to another object in the domain; to find it you'll need ldp.exe.

1. Open ldp.exe.
2. Connection - Bind - OK.
3. Modify - Search.
4. Base DN = your domain.
5. Filter = (serviceprincipalname=host/eagle.detect.local)
6. Click Options - on Attributes type *
7. On Scope click Subtree.
8. This should give you the list of objects that contain the SPN. One of them should point to your domain controller computer object; the other(s) are the duplicated one(s).
9. Once you have the name of the object you should use the following command:
SETSPN -D host/eagle.detect.local duplicatedcomputer
10. Repeat the same steps for the cifs/eagle.detect.local SPN.

Note: if the duplicatedcomputer is no longer in use you just need to delete the object from AD.

The other errors you're reporting could be caused by network latency, but this duplicated SPN issue could have something to do with replication issues.
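The ldp.exe search above is a single-SPN lookup done by hand. The following PowerShell script is an added example (not code from the thread or from any of its participants) that automates the same check across the whole domain: it reads every servicePrincipalName value through ADSI, indexes which objects hold each one, and reports any SPN registered on more than one object. The function names Get-SpnIndex and Find-DuplicateSpn and the -Spn parameter are this example's own; it assumes it is run on a domain-joined machine by a user with read access to the domain partition, and it needs no ActiveDirectory module, so it works on a 2003-era PowerShell install.

```powershell
# Added example (not part of the original thread): find duplicate SPNs in the domain.
# Assumes a domain-joined host and read access to the domain naming context.
param(
    # Hypothetical parameter: look up the owners of one SPN, e.g. "host/eagle.detect.local".
    # With no value given, every SPN in the domain is checked for duplicates.
    [string]$Spn
)

function Get-SpnIndex {
    param(
        # Defaults to the domain the machine belongs to, read from RootDSE
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]("LDAP://" + $SearchBase)
    $searcher.SearchScope = 'Subtree'          # same as the ldp.exe "Subtree" scope
    $searcher.PageSize    = 1000               # page results so large domains return everything
    $searcher.Filter      = '(servicePrincipalName=*)'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

    # Map each SPN (lower-cased, because SPN matching is case-insensitive)
    # to the list of distinguished names that carry it.
    $index = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($value in $result.Properties['serviceprincipalname']) {
            $key = ([string]$value).ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $dn
        }
    }
    return $index
}

function Find-DuplicateSpn {
    param([hashtable]$Index)
    # Any SPN held by two or more objects is a duplicate: the KDC will pick one
    # of those accounts' keys to encrypt service tickets, which is exactly what
    # produces KRB_AP_ERR_MODIFIED on the real server.
    foreach ($entry in $Index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            New-Object PSObject -Property @{
                SPN     = $entry.Key
                Objects = ($entry.Value -join '; ')
            }
        }
    }
}

$index = Get-SpnIndex
if ($Spn) {
    # Equivalent of the ldp.exe search in the answer: which objects hold this one SPN?
    $owners = $index[$Spn.ToLowerInvariant()]
    if (-not $owners) { "No object in the domain holds $Spn" } else { $owners }
} else {
    $dups = Find-DuplicateSpn -Index $index
    if ($dups) { $dups | Format-Table SPN, Objects -AutoSize } else { 'No duplicate SPNs found.' }
}
```

Run it with no arguments for the domain-wide report, or with `-Spn host/eagle.detect.local` to reproduce the single lookup from the answer. For a domain controller's own SPNs the legitimate owner is its computer object under OU=Domain Controllers; any other DN listed for the same SPN is the stray, and that is the account name to pass to `setspn -D` (or to delete outright if the account is dead, as the answer notes). On Windows Server 2008 and later the built-in `setspn -X` performs the same domain-wide duplicate check.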


Author Comment

ID: 35162543
     I would like to avoid restoring from backup as this is a bit of a process on a remote machine that I can't put my hands on directly.  If there is a way to fix it remotely, I'll try that first as I can still RDP to this machine.

     I played around with this ldp tool earlier today but not with those same filter criteria - again, didn't know exactly what I was looking for either.  I guess I still don't.  Here is the output from the command you recommend - I ran this on the DC that is having the problem (eagle); I wonder if I should be running this on the working DC (falcon)?  I'm not sure which entries I should delete (if any) and where I should perform this operation (falcon or eagle).  I appreciate your help.


ldap_search_s(ld, "DC=detect,DC=local", 2, "(serviceprincipalname=host/eagle.detect.local)", attrList,  0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local
      5> objectClass: top; person; organizationalPerson; user; computer;
      1> cn: EAGLE;
      1> distinguishedName: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      1> instanceType: 0x4 = ( IT_WRITE );
      1> whenCreated: 08/04/2010 14:28:46 Central Standard Time Central Daylight Time;
      1> whenChanged: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;
      1> displayName: EAGLE$;
      1> uSNCreated: 7358;
      1> uSNChanged: 103607;
      1> name: EAGLE;
      1> objectGUID: 2b782a90-757f-48a3-a9fd-2cf527fee8cc;
      1> userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION );
      1> badPwdCount: 0;
      1> codePage: 0;
      1> countryCode: 0;
      1> badPasswordTime: 01/16/2011 17:23:41 Central Standard Time Central Daylight Time;
      1> lastLogon: 03/15/2011 23:10:32 Central Standard Time Central Daylight Time;
      1> localPolicyFlags: 0;
      1> pwdLastSet: 01/12/2011 17:02:25 Central Standard Time Central Daylight Time;
      1> primaryGroupID: 516;
      1> objectSid: S-1-5-21-3367107204-2815800557-769206258-1184;
      1> accountExpires: 09/14/30828 02:48:05 UNC ;
      1> logonCount: 73;
      1> sAMAccountName: EAGLE$;
      1> sAMAccountType: 805306369;
      1> operatingSystem: Windows Server 2003;
      1> operatingSystemVersion: 5.2 (3790);
      1> operatingSystemServicePack: Service Pack 2;
      1> serverReferenceBL: CN=EAGLE,CN=Servers,CN=PanamaCity,CN=Sites,CN=Configuration,DC=detect,DC=local;
      1> dNSHostName: eagle.detect.local;
      1> rIDSetReferences: CN=RID Set,CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      16> servicePrincipalName: ldap/eagle.detect.local/DomainDnsZones.detect.local; ldap/eagle.detect.local/ForestDnsZones.detect.local; GC/eagle.detect.local/detect.local; HOST/eagle.detect.local/detect.local; HOST/eagle.detect.local/DETECT; ldap/518cc63c-0928-4d7f-b095-264e64c1ee9f._msdcs.detect.local; ldap/eagle.detect.local/DETECT; ldap/EAGLE; ldap/eagle.detect.local; ldap/eagle.detect.local/detect.local; DNS/eagle.detect.local; NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/eagle.detect.local; E3514235-4B06-11D1-AB04-00C04FC2DCD2/518cc63c-0928-4d7f-b095-264e64c1ee9f/detect.local; Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/eagle.detect.local; HOST/EAGLE; HOST/eagle.detect.local;
      1> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=detect,DC=local;
      1> isCriticalSystemObject: TRUE;
      2> frsComputerReferenceBL: CN={2b782a90-757f-48a3-a9fd-2cf527fee8cc},CN=Tech|Apps,CN=Tech,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=detect,DC=local; CN=EAGLE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=detect,DC=local;
      1> lastLogonTimestamp: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;
Assisted Solution

Navdeep earned 750 total points
ID: 35164345

What is the operational difficulty that you are running into right now? I see you have multiple issues here.

Author Comment

ID: 35165429
    The operational difficulty is that I get the error in the title when attempting all sorts of operations.  The most notable of those being 1) adding computers to the domain 2) browsing files.  In my attempts to repair the situation by resetting the computer account password, for example, I get the same error.

Hope this helps.

Expert Comment

ID: 35165756
Let's take them one by one.

So can you disjoin the computer, delete the computer account and rejoin the computer?
What error do you receive in those operations?

Author Comment

ID: 35166860
I guess we need to be more specific - when you say "computer" are you talking about the domain controller having issues or just any computer in that site?  I have not tried to dis-join the domain controller.  I have been migrating computers from a local workgroup onto the domain.  This was working fine up until a few days ago when, regardless of the user credentials I supplied, I got the error "Logon Failure: The target account name is incorrect." and I am unable to join the domain.

Expert Comment

ID: 35167539
So you are unable to join client machines to the domain and you get the error "target name is incorrect"?

What is your client OS?

Author Comment

ID: 35167856
I have tried with client OS Windows 7 Professional and Windows XP Professional.

Author Comment

ID: 35176683
OK folks, I have dis-joined eagle from the domain using dcpromo /forceremoval and deleted its computer account.

I then did a dcpromo on it and joined it back up with the domain.  

I re-setup DNS zones, etc and the server seems much more happy at this point.  The errors in the log seem to have gone away at this point and I can browse files all over the place.  (something I was unable to do previously.)  I'll try adding some machines on Monday and we'll see how it goes.  I'll report back and let you know if this is really a complete fix.

Expert Comment

by:Suryanarayan Balakrishnan Iyer
ID: 35189112
Purge the tickets generated by the KDC and then try to reset the password of the machine account.


Author Closing Comment

ID: 35207623
Although these solutions helped me troubleshoot the problem, they ultimately did not solve it.  I had to solve the problem on my own and I did so by dis-joining and re-joining the failing domain controller.  Points awarded to the two who put forth some effort.
