• Status: Solved
  • Priority: Medium
  • Security: Public

Logon Failure: The target account name is incorrect.

Hi Experts,
      I have a Windows 2003 domain with two sites and two domain controllers.  Recently, at one of the sites I started getting the following error when trying to add a computer to the domain: "Logon Failure: The target account name is incorrect."  I've also noticed that from a number of computers (not all) in the same site I cannot browse file shares - I get the same error message.

Examining the error logs on the local DC (at the site with the problems) - I have a number of error events.  

In the application log I have a high occurrence of Event 1053:
Windows cannot determine the user or computer name. (The target principal name is incorrect. ). Group Policy processing aborted.

In the system log I have a high occurrence of Event 4:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/eagle.detect.local.  The target name used was cifs/eagle.detect.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DETECT.LOCAL), and the client realm.   Please contact your system administrator.

(The server and target name change often - host/ cifs/ dns/ ldap/ and I get it for both of my servers, falcon and eagle both with and without FQDN)

In the Directory Service Log I have a high occurrence of events 1865, 1311, and 1566:

Event 1865:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

Event 1311
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

and Event 1566
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Directory partition:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=detect,DC=local

I have been experiencing some WAN slowness over the last couple of days but not sure if this is causing part of the problem.  I also recently had a power outage at the failing site.  I have sustained these failures in the past and didn't have these problems.

I can ping all of the involved machines to and from each other.  I can browse files by IP but not by name or FQDN.  I can also RDP to and from these servers (by name) with no problems.

In doing some searching here on EE and also Google, Microsoft, etc., it sounded like I might have multiple SPN entries for the server(s).  I ran setspn -L on both DCs and I guess I'm not sure what I'm looking at to see if there is a problem - they look "normal" to me. (I can send results on request.)

One suggestion was to dis-join the failing DC and re-join, but I don't really want to do that if I can avoid it.

Does anyone out there have some suggestions or know where the root cause might be?

Many thanks in advance,

2 Solutions
Are both your DCs communicating correctly?
If all is well, I'd say that really good backup you have from just before this - you may want to look into that.
This is caused by a duplicated SPN. That SPN could be attached to another object in the domain; to find it you'll need ldp.exe:

1. Open ldp.exe.
2. Connection - Bind - OK.
3. Modify - Search.
4. Base DN = your domain.
5. Filter = (serviceprincipalname=host/eagle.detect.local)
6. Click Options; under Attributes type *
7. Under Scope click Subtree.
8. This should give you the list of objects that contain the SPN; one of them should point to your domain controller computer object, the other(s) are the duplicated one(s).
9. Once you have the name of the object you should use the following command:
SETSPN -D host/eagle.detect.local duplicatedcomputer
10. Repeat the same steps for the cifs/eagle.detect.local SPN.

Note: if the duplicatedcomputer is no longer in use you just need to delete the object from AD.

The other errors you're reporting could be caused by network latency, but this duplicated SPN issue could have something to do with the replication issues.
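The asker ran setspn -L on both DCs but could not tell whether the lists showed a problem. The script below is an added example, not code from this thread: it parses saved `setspn -L` output for several accounts and flags any SPN registered on more than one object (comparing case-insensitively, as AD does), and shows why the Event 4 target name cifs/eagle.detect.local is checked against the HOST/ SPN. The exact header line format of `setspn -L` and the stale EAGLE-OLD object are assumptions.

```python
import re
from collections import defaultdict

# Assumed layout of `setspn -L <account>` output: a header line
# "Registered ServicePrincipalNames for <DN>:" followed by one indented SPN per line.
HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):$")

# Partial copy of the default sPNMappings: these service classes have no SPN of
# their own and are validated against HOST/<name>, so a cifs/ ticket fails when HOST/ is duplicated.
HOST_ALIASES = {"cifs", "http", "www", "dns"}

def parse_setspn(text):
    """Map each object DN to the set of SPNs setspn listed under it."""
    spns, dn = defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            dn = m.group("dn")
        elif dn and line:
            spns[dn].add(line)
    return dict(spns)

def lookup_name(target):
    """The SPN the KDC actually searches for a requested service/host name."""
    svc, _, host = target.partition("/")
    svc = "host" if svc.lower() in HOST_ALIASES else svc.lower()
    return f"{svc}/{host.lower()}"

def find_duplicates(blocks):
    """Return {spn: [dn, ...]} for every SPN owned by two or more objects."""
    owners = defaultdict(set)
    for dn, spns in blocks.items():
        for spn in spns:
            owners[spn.lower()].add(dn)   # SPN matching is case-insensitive
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

# Constructed sample: the real DC plus a stale object that kept the same HOST SPN.
SAMPLE = """\
Registered ServicePrincipalNames for CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local:
    HOST/eagle.detect.local
    HOST/EAGLE
Registered ServicePrincipalNames for CN=EAGLE-OLD,CN=Computers,DC=detect,DC=local:
    host/eagle.detect.local
    HOST/EAGLE-OLD
"""
```

Feed it the concatenated `setspn -L` output of every computer and service account you suspect; any SPN that comes back with two DNs is the one to remove from the object that is not the real server.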

matuse (Author) Commented:
     I would like to avoid restoring from backup as this is a bit of a process on a remote machine that I can't put my hands on directly.  If there is a way to fix it remotely, I'll try that first as I can still RDP to this machine.

     I played around with this ldp tool earlier today but not with those same filter criteria - again, I didn't know exactly what I was looking for either.  I guess I still don't.  Here is the output from the command you recommend - I ran this on the DC that is having the problem (eagle); I wonder if I should be running this on the working DC (falcon)?  I'm not sure which entries I should delete (if any) and where I should perform this operation (falcon or eagle).  I appreciate your help.


ldap_search_s(ld, "DC=detect,DC=local", 2, "(serviceprincipalname=host/eagle.detect.local)", attrList,  0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local
      5> objectClass: top; person; organizationalPerson; user; computer;
      1> cn: EAGLE;
      1> distinguishedName: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      1> instanceType: 0x4 = ( IT_WRITE );
      1> whenCreated: 08/04/2010 14:28:46 Central Standard Time Central Daylight Time;
      1> whenChanged: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;
      1> displayName: EAGLE$;
      1> uSNCreated: 7358;
      1> uSNChanged: 103607;
      1> name: EAGLE;
      1> objectGUID: 2b782a90-757f-48a3-a9fd-2cf527fee8cc;
      1> userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION );
      1> badPwdCount: 0;
      1> codePage: 0;
      1> countryCode: 0;
      1> badPasswordTime: 01/16/2011 17:23:41 Central Standard Time Central Daylight Time;
      1> lastLogon: 03/15/2011 23:10:32 Central Standard Time Central Daylight Time;
      1> localPolicyFlags: 0;
      1> pwdLastSet: 01/12/2011 17:02:25 Central Standard Time Central Daylight Time;
      1> primaryGroupID: 516;
      1> objectSid: S-1-5-21-3367107204-2815800557-769206258-1184;
      1> accountExpires: 09/14/30828 02:48:05 UNC ;
      1> logonCount: 73;
      1> sAMAccountName: EAGLE$;
      1> sAMAccountType: 805306369;
      1> operatingSystem: Windows Server 2003;
      1> operatingSystemVersion: 5.2 (3790);
      1> operatingSystemServicePack: Service Pack 2;
      1> serverReferenceBL: CN=EAGLE,CN=Servers,CN=PanamaCity,CN=Sites,CN=Configuration,DC=detect,DC=local;
      1> dNSHostName: eagle.detect.local;
      1> rIDSetReferences: CN=RID Set,CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      16> servicePrincipalName: ldap/eagle.detect.local/DomainDnsZones.detect.local; ldap/eagle.detect.local/ForestDnsZones.detect.local; GC/eagle.detect.local/detect.local; HOST/eagle.detect.local/detect.local; HOST/eagle.detect.local/DETECT; ldap/518cc63c-0928-4d7f-b095-264e64c1ee9f._msdcs.detect.local; ldap/eagle.detect.local/DETECT; ldap/EAGLE; ldap/eagle.detect.local; ldap/eagle.detect.local/detect.local; DNS/eagle.detect.local; NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/eagle.detect.local; E3514235-4B06-11D1-AB04-00C04FC2DCD2/518cc63c-0928-4d7f-b095-264e64c1ee9f/detect.local; Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/eagle.detect.local; HOST/EAGLE; HOST/eagle.detect.local;
      1> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=detect,DC=local;
      1> isCriticalSystemObject: TRUE;
      2> frsComputerReferenceBL: CN={2b782a90-757f-48a3-a9fd-2cf527fee8cc},CN=Tech|Apps,CN=Tech,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=detect,DC=local; CN=EAGLE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=detect,DC=local;
      1> lastLogonTimestamp: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;

What is the operational difficulty that you are running into right now? I see you have multiple issues here.
matuse (Author) Commented:
    The operational difficulty is that I get the entitled error when attempting all sorts of operations.  The most notable of those being 1) adding computers to the domain 2) browsing files.  In my attempts to repair the situation by resetting the computer account password for example - I get the same error.

Hope this helps.
Let's take them one by one.

So can you disjoin the computer, delete the computer account and rejoin the computer?
What error do you receive in those operations?
matuse (Author) Commented:
I guess we need to be more specific - when you say "computer" are you talking about the domain controller having issues or just any computer in that site?  I have not tried to dis-join the domain controller.  I have been migrating computers from a local workgroup onto the domain.  This was working fine up until a few days ago when, regardless of the user credentials I supplied, I got the error "Logon Failure: The target account name is incorrect." and I am unable to join the domain.
So you are unable to join client machines to the domain and you get the error "target name is incorrect"?

What is your client OS?
matuse (Author) Commented:
I have tried with client OS Windows 7 Professional and Windows XP Professional.
matuse (Author) Commented:
ok folks, I have dis-joined eagle from the domain using dcpromo /forceremoval and deleted its computer account

I then did a dcpromo on it and joined it back up with the domain.  

I re-set up DNS zones, etc. and the server seems much happier at this point.  The errors in the log seem to have gone away and I can browse files all over the place (something I was unable to do previously).  I'll try adding some machines on Monday and we'll see how it goes.  I'll report back and let you know if this is really a complete fix.
Suryanarayan Balakrishnan Iyer (Senior Consultant) Commented:
Purge the tickets generated by KDC and then try to reset the password of the machine account -

matuse (Author) Commented:
Although these solutions helped me troubleshoot the problem, they ultimately did not solve it.  I had to solve the problem on my own and I did so by dis-joining and re-joining the failing domain controller.  Points awarded to the two who put forth some effort.
Question has a verified solution.