matuse asked:
Logon Failure: The target account name is incorrect.

Hi Experts,
      I have a Windows 2003 domain with two sites and two domain controllers.  Recently, at one of the sites, I started getting the following error when trying to add a computer to the domain: "Logon Failure: The target account name is incorrect."  I've also noticed that from a number of computers (not all) in the same site I cannot browse file shares - I get the same error message.

Examining the event logs on the local DC (at the site with the problems), I see a number of error events.

In the application log I have a high occurrence of Event 1053:
Windows cannot determine the user or computer name. (The target principal name is incorrect. ). Group Policy processing aborted.

In the system log I have a high occurrence of Event 4:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/eagle.detect.local.  The target name used was cifs/eagle.detect.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DETECT.LOCAL), and the client realm.   Please contact your system administrator.

(The server and target names change often - host/, cifs/, dns/, ldap/ - and I get it for both of my servers, falcon and eagle, both with and without FQDN.)

In the Directory Service Log I have a high occurrence of events 1865, 1311, and 1566:

Event 1865:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
 
Sites:
CN=Longmont,CN=Sites,CN=Configuration,DC=detect,DC=local

Event 1311
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC=detect,DC=local
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

and Event 1566
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
 
Site:
CN=Longmont,CN=Sites,CN=Configuration,DC=detect,DC=local
Directory partition:
CN=Configuration,DC=detect,DC=local
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=detect,DC=local


I have been experiencing some WAN slowness over the last couple of days but am not sure if this is causing part of the problem.  I also recently had a power outage at the failing site.  I have sustained these failures in the past and didn't have these problems.

I can ping all of the involved machines to and from each other.  I can browse files by IP but not by name or FQDN.  I can also RDP to and from these servers (by name) with no problems.

In doing some searching here on EE and also on Google, Microsoft, etc., it sounded like I might have multiple SPN entries for the server(s).  I ran setspn -L on both DCs and I guess I'm not sure what I'm looking at to see if there is a problem - they look "normal" to me. (I can send results on request.)

One suggestion was to dis-join the failing DC and re-join it, but I don't really want to do that if I can avoid it.

Does anyone out there have some suggestions or know where the root cause might be?

Many thanks in advance,

Matt
Armenio:

Are both your DCs communicating correctly?
If all is well, I'd say that really good backup you have from just before this - you may want to look into that.
ASKER CERTIFIED SOLUTION
temores: (this solution is only available to Experts Exchange members)
matuse (asker):
armeniospinola:
     I would like to avoid restoring from backup as this is a bit of a process on a remote machine that I can't put my hands on directly.  If there is a way to fix it remotely, I'll try that first, as I can still RDP to this machine.

temores:
     I played around with this ldp tool earlier today but not with those same filter criteria - again, I didn't know exactly what I was looking for either.  I guess I still don't.  Here is the output from the command you recommend - I ran this on the DC that is having the problem (eagle); I wonder if I should be running this on the working DC (falcon)?  I'm not sure which entries I should delete (if any) and where I should perform this operation (falcon or eagle).  I appreciate your help.

Matt

***Searching...
ldap_search_s(ld, "DC=detect,DC=local", 2, "(serviceprincipalname=host/eagle.detect.local)", attrList,  0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local
      5> objectClass: top; person; organizationalPerson; user; computer;
      1> cn: EAGLE;
      1> distinguishedName: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      1> instanceType: 0x4 = ( IT_WRITE );
      1> whenCreated: 08/04/2010 14:28:46 Central Standard Time Central Daylight Time;
      1> whenChanged: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;
      1> displayName: EAGLE$;
      1> uSNCreated: 7358;
      1> uSNChanged: 103607;
      1> name: EAGLE;
      1> objectGUID: 2b782a90-757f-48a3-a9fd-2cf527fee8cc;
      1> userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION );
      1> badPwdCount: 0;
      1> codePage: 0;
      1> countryCode: 0;
      1> badPasswordTime: 01/16/2011 17:23:41 Central Standard Time Central Daylight Time;
      1> lastLogon: 03/15/2011 23:10:32 Central Standard Time Central Daylight Time;
      1> localPolicyFlags: 0;
      1> pwdLastSet: 01/12/2011 17:02:25 Central Standard Time Central Daylight Time;
      1> primaryGroupID: 516;
      1> objectSid: S-1-5-21-3367107204-2815800557-769206258-1184;
      1> accountExpires: 09/14/30828 02:48:05 UNC ;
      1> logonCount: 73;
      1> sAMAccountName: EAGLE$;
      1> sAMAccountType: 805306369;
      1> operatingSystem: Windows Server 2003;
      1> operatingSystemVersion: 5.2 (3790);
      1> operatingSystemServicePack: Service Pack 2;
      1> serverReferenceBL: CN=EAGLE,CN=Servers,CN=PanamaCity,CN=Sites,CN=Configuration,DC=detect,DC=local;
      1> dNSHostName: eagle.detect.local;
      1> rIDSetReferences: CN=RID Set,CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      16> servicePrincipalName: ldap/eagle.detect.local/DomainDnsZones.detect.local; ldap/eagle.detect.local/ForestDnsZones.detect.local; GC/eagle.detect.local/detect.local; HOST/eagle.detect.local/detect.local; HOST/eagle.detect.local/DETECT; ldap/518cc63c-0928-4d7f-b095-264e64c1ee9f._msdcs.detect.local; ldap/eagle.detect.local/DETECT; ldap/EAGLE; ldap/eagle.detect.local; ldap/eagle.detect.local/detect.local; DNS/eagle.detect.local; NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/eagle.detect.local; E3514235-4B06-11D1-AB04-00C04FC2DCD2/518cc63c-0928-4d7f-b095-264e64c1ee9f/detect.local; Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/eagle.detect.local; HOST/EAGLE; HOST/eagle.detect.local;
      1> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=detect,DC=local;
      1> isCriticalSystemObject: TRUE;
      2> frsComputerReferenceBL: CN={2b782a90-757f-48a3-a9fd-2cf527fee8cc},CN=Tech|Apps,CN=Tech,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=detect,DC=local; CN=EAGLE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=detect,DC=local;
      1> lastLogonTimestamp: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;
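As an added example that is not part of the original thread: a small Python script that parses ldp.exe search output in the format pasted above and flags any SPN registered on more than one object, which is the duplicate-SPN condition the Event 4 text points at. The second entry (CN=EAGLE-OLD) is a constructed stale computer account for illustration; it does not appear on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the ldp.exe "Getting N entries" format shown in the thread.
# CN=EAGLE-OLD is a hypothetical stale account carrying two of EAGLE's SPNs.
LDP_OUTPUT = """\
Getting 2 entries:
>> Dn: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local
      1> cn: EAGLE;
      1> dNSHostName: eagle.detect.local;
      4> servicePrincipalName: HOST/EAGLE; HOST/eagle.detect.local; ldap/eagle.detect.local; DNS/eagle.detect.local;
>> Dn: CN=EAGLE-OLD,CN=Computers,DC=detect,DC=local
      1> cn: EAGLE-OLD;
      2> servicePrincipalName: HOST/eagle.detect.local; ldap/eagle.detect.local;
"""

DN_RE = re.compile(r"^>> Dn: (.+)$")
ATTR_RE = re.compile(r"^\s*\d+> (\w+): (.*)$")

def parse_ldp(text):
    """Return {dn: {attribute: [values]}} from ldp.exe search output."""
    entries, current = {}, None
    for line in text.splitlines():
        m = DN_RE.match(line)
        if m:
            current = m.group(1).strip()
            entries[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            attr, raw = m.group(1), m.group(2)
            # Multi-valued attributes are "; "-separated with a trailing ";"
            entries[current][attr] = [v.strip() for v in raw.split(";") if v.strip()]
    return entries

def duplicate_spns(entries):
    """SPNs (compared case-insensitively, as AD does) held by more than one object."""
    owners = defaultdict(set)
    for dn, attrs in entries.items():
        for spn in attrs.get("servicePrincipalName", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in sorted(duplicate_spns(parse_ldp(LDP_OUTPUT)).items()):
        print(f"{spn} is registered on {len(dns)} objects: {', '.join(dns)}")
```

Run the same search without the serviceprincipalname filter (or setspn -X on a 2008+ DC) to get every object's SPNs into this parser; an SPN that appears on two objects is what makes the KDC encrypt the ticket with the wrong account's key.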
SOLUTION
V-2nas: (this solution is only available to Experts Exchange members)
matuse (asker):
V-2nas,
    The operational difficulty is that I get the error from the title when attempting all sorts of operations, the most notable of those being 1) adding computers to the domain and 2) browsing files.  In my attempts to repair the situation, by resetting the computer account password for example, I get the same error.

Hope this helps.
Let's take them one by one.

So can you disjoin the computer, delete the computer account and rejoin the computer?
What error do you receive in those operations?
matuse (asker):
v-2nas:
I guess we need to be more specific - when you say "computer" are you talking about the domain controller having issues or just any computer in that site?  I have not tried to dis-join the domain controller.  I have been migrating computers from a local workgroup onto the domain.  This was working fine up until a few days ago when, regardless of the user credentials I supplied, I got the error "Logon Failure: The target account name is incorrect." and I am unable to join the domain.
So you are unable to join client machines to the domain and you get the error "target name is incorrect".

What is your client OS?
matuse (asker):
I have tried with client OS Windows 7 Professional and Windows XP Professional.
matuse (asker):
OK folks, I have dis-joined eagle from the domain using dcpromo /forceremoval and deleted its computer account.

I then did a dcpromo on it and joined it back up with the domain.  

I re-set up DNS zones, etc., and the server seems much happier at this point.  The errors in the log seem to have gone away and I can browse files all over the place (something I was unable to do previously).  I'll try adding some machines on Monday and we'll see how it goes.  I'll report back and let you know if this is really a complete fix.
Purge the tickets issued by the KDC and then try to reset the password of the machine account:

http://support.microsoft.com/kb/288167
matuse (asker):
Although these solutions helped me troubleshoot the problem, they ultimately did not solve it.  I had to solve the problem on my own and I did so by dis-joining and re-joining the failing domain controller.  Points awarded to the two who put forth some effort.