Solved

Logon Failure: The target account name is incorrect.

Posted on 2011-03-17
13
6,790 Views
Last Modified: 2013-12-24
Hi Experts,
      I have a Windows 2003 domain with two sites and two domain controllers.  Recently, at one of the sites I started getting the following error when trying to add a computer to the domain: "Logon Failure: The target account name is incorrect."  I've also noticed that from a number of computers (not all) in the same site I cannot browse file shares - I get the same error message.  

Examining the error logs on the local DC (at the site with the problems) - I have a number of error events.  

In the application log I have a high occurrence of Event 1053:
Windows cannot determine the user or computer name. (The target principal name is incorrect. ). Group Policy processing aborted.

In the system log I have a high occurrence of Event 4:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/eagle.detect.local.  The target name used was cifs/eagle.detect.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DETECT.LOCAL), and the client realm.   Please contact your system administrator.

(The server and target name change often - host/ cifs/ dns/ ldap/ and I get it for both of my servers, falcon and eagle both with and without FQDN)

In the Directory Service Log I have a high occurrence of events 1865, 1311, and 1566:

Event 1865:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
 
Sites:
CN=Longmont,CN=Sites,CN=Configuration,DC=detect,DC=local

Event 1311
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC=detect,DC=local
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

and Event 1566
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
 
Site:
CN=Longmont,CN=Sites,CN=Configuration,DC=detect,DC=local
Directory partition:
CN=Configuration,DC=detect,DC=local
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=detect,DC=local


I have been experiencing some WAN slowness over the last couple of days but not sure if this is causing part of the problem.  I also recently had a power outage at the failing site.  I have sustained these failures in the past and didn't have these problems.

I can ping all of the involved machines to and from each other.  I can browse files by IP but not by name or FQDN.  I can also RDP to and from these servers (by name) with no problems.

In doing some searching here on EE and also Google, Microsoft, etc., it sounded like I might have multiple SPN entries for the server(s).  I ran setspn -L on both DCs and I guess I'm not sure what I'm looking at to see if there is a problem - they look "normal" to me. (I can send results on request.)

One suggestion was to dis-join the failing DC and re-join but I don't really want to do that If I can avoid it.

Does anyone out there have some suggestions or know where the root cause might be?

Many thanks in advance,

Matt
0
Comment
Question by:matuse
13 Comments
 
LVL 5

Expert Comment

by:Armenio
ID: 35162371
Are both your DCs communicating correctly?
If all is well, I'd say that really good backup you have from just before this... you may want to look into that.
0
 
LVL 2

Accepted Solution

by:
temores earned 250 total points
ID: 35162387
This is caused by a duplicated SPN. That SPN could be attached to another object in the domain; to find it you'll need ldp.exe.

1. Open ldp.exe.
2. Connection - Bind - OK.
3. Modify - Search.
4. Base DN = your domain.
5. Filter = (serviceprincipalname=host/eagle.detect.local)
6. Click Options; under Attributes type *
7. Under Scope click Subtree.
8. This should give you the list of objects that contain the SPN. One of them should point to your domain controller's computer object; the other(s) are the duplicated one(s).
9. Once you have the name of the object, use the following command:
SETSPN -D host/eagle.detect.local duplicatedcomputer
10. Repeat the same steps for the cifs/eagle.detect.local SPN.

Note: if the duplicatedcomputer is no longer in use, you just need to delete the object from AD.

The other errors you're reporting could be caused by network latency, but this duplicated SPN issue could have something to do with the replication issues.

Cheers.
0
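The answer above checks one SPN at a time in ldp.exe. The following PowerShell script is an added example, not code from this thread: it enumerates every servicePrincipalName in the domain and reports any value registered on more than one object, which is the duplicate-SPN condition that produces KRB_AP_ERR_MODIFIED. It assumes a domain-joined Windows host and uses only the built-in [adsisearcher] accelerator; the optional $HostFilter parameter is this example's own. Note that a cifs/ target name is normally satisfied by the HOST/ SPN, so a search for cifs/eagle.detect.local may legitimately return nothing.

```powershell
# Added example: find SPNs held by more than one AD object (domain-wide).
# Assumes a domain-joined Windows host; no ActiveDirectory module required.
param(
    # Optional (hypothetical parameter): restrict the report to SPNs for one host,
    # e.g. -HostFilter 'eagle.detect.local'
    [string]$HostFilter = ''
)

$searcher = [adsisearcher]'(servicePrincipalName=*)'
$searcher.PageSize = 1000                 # page results; domains easily exceed 1000 objects
$searcher.SearchScope = 'Subtree'         # same scope the answer selects in ldp.exe
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

# Map each SPN (lower-cased; SPN matching is case-insensitive) to the DNs that hold it
$owners = @{}
foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties['distinguishedname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        $key = ([string]$spn).ToLowerInvariant()
        if ($HostFilter -and $key -notlike "*/$($HostFilter.ToLowerInvariant())*") { continue }
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += $dn
    }
}

$duplicates = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) {
    Write-Output 'No duplicate SPNs found.'
    return
}
foreach ($entry in $duplicates) {
    Write-Output "DUPLICATE SPN: $($entry.Key)"
    foreach ($dn in $entry.Value) { Write-Output "    held by $dn" }
    # Remediation, as the answer describes: decide which DN is the stale one, then
    #   setspn -D <spn> <duplicatedcomputer>
    # or delete the stale object if it is no longer in use.
}
```

Run it on a DC or any domain-joined host as a domain user; it only reads the directory, and the setspn -D step remains a manual decision.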
 
LVL 1

Author Comment

by:matuse
ID: 35162543
armeniospinola:
     I would like to avoid restoring from backup as this is a bit of a process on a remote machine that I can't put my hands on directly.  If there is a way to fix it remotely, I'll try that first as I can still RDP to this machine.

temores:
     I played around with this ldp tool earlier today but not with those same filter criteria - again, I didn't know exactly what I was looking for either.  I guess I still don't.  Here is the output from the command you recommend - I ran this on the DC that is having the problem (eagle); I wonder if I should be running this on the working DC (falcon)?  I'm not sure which entries I should delete (if any) and where I should perform this operation (falcon or eagle).  I appreciate your help.

Matt

***Searching...
ldap_search_s(ld, "DC=detect,DC=local", 2, "(serviceprincipalname=host/eagle.detect.local)", attrList,  0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local
      5> objectClass: top; person; organizationalPerson; user; computer;
      1> cn: EAGLE;
      1> distinguishedName: CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      1> instanceType: 0x4 = ( IT_WRITE );
      1> whenCreated: 08/04/2010 14:28:46 Central Standard Time Central Daylight Time;
      1> whenChanged: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;
      1> displayName: EAGLE$;
      1> uSNCreated: 7358;
      1> uSNChanged: 103607;
      1> name: EAGLE;
      1> objectGUID: 2b782a90-757f-48a3-a9fd-2cf527fee8cc;
      1> userAccountControl: 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION );
      1> badPwdCount: 0;
      1> codePage: 0;
      1> countryCode: 0;
      1> badPasswordTime: 01/16/2011 17:23:41 Central Standard Time Central Daylight Time;
      1> lastLogon: 03/15/2011 23:10:32 Central Standard Time Central Daylight Time;
      1> localPolicyFlags: 0;
      1> pwdLastSet: 01/12/2011 17:02:25 Central Standard Time Central Daylight Time;
      1> primaryGroupID: 516;
      1> objectSid: S-1-5-21-3367107204-2815800557-769206258-1184;
      1> accountExpires: 09/14/30828 02:48:05 UNC ;
      1> logonCount: 73;
      1> sAMAccountName: EAGLE$;
      1> sAMAccountType: 805306369;
      1> operatingSystem: Windows Server 2003;
      1> operatingSystemVersion: 5.2 (3790);
      1> operatingSystemServicePack: Service Pack 2;
      1> serverReferenceBL: CN=EAGLE,CN=Servers,CN=PanamaCity,CN=Sites,CN=Configuration,DC=detect,DC=local;
      1> dNSHostName: eagle.detect.local;
      1> rIDSetReferences: CN=RID Set,CN=EAGLE,OU=Domain Controllers,DC=detect,DC=local;
      16> servicePrincipalName: ldap/eagle.detect.local/DomainDnsZones.detect.local; ldap/eagle.detect.local/ForestDnsZones.detect.local; GC/eagle.detect.local/detect.local; HOST/eagle.detect.local/detect.local; HOST/eagle.detect.local/DETECT; ldap/518cc63c-0928-4d7f-b095-264e64c1ee9f._msdcs.detect.local; ldap/eagle.detect.local/DETECT; ldap/EAGLE; ldap/eagle.detect.local; ldap/eagle.detect.local/detect.local; DNS/eagle.detect.local; NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/eagle.detect.local; E3514235-4B06-11D1-AB04-00C04FC2DCD2/518cc63c-0928-4d7f-b095-264e64c1ee9f/detect.local; Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/eagle.detect.local; HOST/EAGLE; HOST/eagle.detect.local;
      1> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=detect,DC=local;
      1> isCriticalSystemObject: TRUE;
      2> frsComputerReferenceBL: CN={2b782a90-757f-48a3-a9fd-2cf527fee8cc},CN=Tech|Apps,CN=Tech,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=detect,DC=local; CN=EAGLE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=detect,DC=local;
      1> lastLogonTimestamp: 03/11/2011 13:35:04 Central Standard Time Central Daylight Time;
0
 
LVL 12

Assisted Solution

by:Navdeep
Navdeep earned 250 total points
ID: 35164345
Hi,

What is the operational difficulty that you are running into right now? I see you have multiple issues here.
0
 
LVL 1

Author Comment

by:matuse
ID: 35165429
V-2nas,
    The operational difficulty is that I get the error in the title when attempting all sorts of operations, the most notable of those being 1) adding computers to the domain and 2) browsing files.  In my attempts to repair the situation, by resetting the computer account password for example, I get the same error.

Hope this helps.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35165756
Let's take them one by one.

So can you disjoin the computer, delete the computer account and rejoin the computer?
What error do you receive in that operation?
0
 
LVL 1

Author Comment

by:matuse
ID: 35166860
v-2nas:
I guess we need to be more specific - when you say "computer" are you talking about the domain controller having issues or just any computer in that site?  I have not tried to dis-join the domain controller.  I have been migrating computers from a local workgroup onto the domain.  This was working fine up until a few days ago when, regardless of the user credentials I supplied, I got the error "Logon Failure: The target account name is incorrect." and I am unable to join the domain.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35167539
So you are unable to join client machines to the domain and you get the error "target name is incorrect".

What is your client OS?
0
 
LVL 1

Author Comment

by:matuse
ID: 35167856
I have tried with client OS Windows 7 Professional and Windows XP Professional.
0
 
LVL 1

Author Comment

by:matuse
ID: 35176683
OK folks, I have dis-joined eagle from the domain using dcpromo /forceremoval and deleted its computer account.

I then did a dcpromo on it and joined it back up with the domain.  

I re-set up DNS zones, etc., and the server seems much happier at this point.  The errors in the log seem to have gone away and I can browse files all over the place (something I was unable to do previously).  I'll try adding some machines on Monday and we'll see how it goes.  I'll report back and let you know if this is really a complete fix.
0
 
LVL 3

Expert Comment

by:Suryanarayan Balakrishnan Iyer
ID: 35189112
Purge the tickets generated by KDC and then try to reset the password of the machine account -

http://support.microsoft.com/kb/288167
0
 
LVL 1

Author Closing Comment

by:matuse
ID: 35207623
Although these solutions helped me troubleshoot the problem, they ultimately did not solve it.  I had to solve the problem on my own and I did so by dis-joining and re-joining the failing domain controller.  Points awarded to the two who put forth some effort.
0
