stack888

asked on

Urgent problem! - "kerberos subsystem encountered a PAC verification failure"

Hi there
I have 2 critically important desktop PCs that are currently unable to get to network drives or print or perform any functions which require AD validation.
Don't know the cause, but the error repeatedly in the event log is the one above.
I also get the following when trying to map a drive:

"No network provider accepted the given network path"

I've tried removing the PCs from the domain but now I can't rejoin. It says:
"the network location cannot be reached"

I can still map a drive to non-AD servers which is weird.

Any other ideas? I really need to get these 2 machines working again asap.
thanks


Windows XP Pro SP3 connecting to Windows 2003 AD
linraf

Does this happen with all users on the machine?
Can the same users login properly on another machine?
Have you verified DNS is functioning properly on your domain controllers and that you are using only the AD DNS servers?
I had similar type problems with users that I had adjusted some of the account settings for Kerberos on the Active Directory User properties. For a version of besx, I had to adjust a setting (besx later resolved in an update), but my first Windows 7 machines I joined with those users show Kerberos errors and would not access the server.

So, check the settings on the user in the Active Directory Account tab. On a working user, all of my checkboxes are unchecked for account options.


stack888

ASKER

It's not user account related - I had tried other user accounts but the problem is with the machines themselves. The same user account works fine on any other machines. We have other XP machines that do not have this problem. I thought it may be a Windows update but I can't see the same update installing on both machines at a time near to when the problem began.

DNS is working fine and all other machines are able to use DNS.

DNS as someone stated, and also check that the Server, Workstation, and Netlogon services are started and automatic on the stations.
Check the time on the workstations you cannot rejoin, and it is not a question of whether they are able to use DNS, it is required that only the DNS server that has the AD domain zone be used, no routers or ISP DNS allowed.

Server, Workstation are all automatic and running. Netlogon isn't used on Windows XP. I did try enabling it and starting it but that makes no difference.

DNS is running fine as is the only DNS in the network.

I just tried removing Microsoft client and repairing TCP/IP but still same problems.

Also ran a netdiag winsock test and that passed with no errors.

Check all domain controllers for those 3 services started as well as KDC service.

Do the machines have multiple NICs or a single NIC?

Just confirmed - there are 2 DCs and all three services are automatic and started. Kerberos is also automatic and started on both servers.

Both servers and workstations have single NICs.
If I go to Network Places on the 2 affected XP machines, I can see shares that exist on some other servers, but none that are on the 2 DCs. Basically the DCs are invisible to these Windows XP desktops right now.
Thanks for the link. I tried that but the sc query returns expected results and the same as the other working XP PCs.

Can you ping the servers by name?
Try turning off firewalls (for testing only) on the workstation (3rd party and Windows firewalls).

Yep, firewall and anti virus both turned off already on the workstation but no difference.
This is a real puzzler!
I really appreciate the help.
This message of 'no network provider accepted the given network path' really puzzles me - this is when I try to go to a share in the domain or map a drive.

Let's see what else I can try....
Yes, ping works fine - I can ping the short name and the FQDN of both DCs and both work.

Did you change workstation name after unjoining domain before rejoining domain?

I did change the workstation name and on that workstation I am unable to rejoin the domain.
It just doesn't see the domain anymore.
So I currently have the 2 XP desktops with the issue, one of them is still in the domain but can't print or get to network folders etc. and the other one is now in a separate workgroup and can't do anything useful at all.

If you try to access the share by IP, do you get the same message?
Check on the network connection for file and print sharing enabled.
Try a restore point.

Yes, I can access a share by IP but on the machine that is now in a workgroup, I can't rejoin the domain using IP address so that one has me totally stuck.
I tried a system restore on both machines from various dates but they both fail saying restore is incomplete and no changes have been made. I tried the restore from within safe mode but still same error and upon reading about MS System Restore, it appears it's very unstable at the best of times.

Did you check on network connection for file print sharing?
Try adding DNS suffix to network connection manually.
Try adding FQDN to hosts file.
Try joining using full domain name.

Do you see 'Microsoft Windows Network' in the providers when you go into Network Connections -> Advanced -> Advanced Settings -> Provider Order? Also see if there is a third party provider. If yes, remove it. Move the Microsoft Windows Network to the top.

linraf, tried those things, no luck so far.

certexpert, under Advanced there is only Firewall so no providers to order.
Listed under General is all the usual stuff:
Client for MS Networks
File and Printer Sharing
QOS Packet
Broadcom Advanced
Internet Protocol TCPIP
Read this KB http://support.microsoft.com/kb/894564.

and I'm talking about this section:

The Provider Order tab lists the network providers for this computer. You can use the arrow buttons to change the order in which these providers are accessed. You can arrange the order in which the computer accesses information about the network. Providers and other connections are accessed in the order in which the providers and the connections are listed.

Also try to join the machine from safe mode with networking.

I tried joining the network from safe mode with networking - same error.
Will take a look at provider order tab, thanks.

On the XP machine please go to:
Control Panel
Administrative Tools
Local Security Policy
Local Policies
Security Options
Please tell me the entries/settings that start with Network security:
ASKER CERTIFIED SOLUTION
stack888
Couldn't resolve the problem and had to rebuild machine.