Solved

Getting error accessing Server shares  \\servername is not available

Posted on 2013-11-27
3
838 Views
Last Modified: 2013-11-27
Clients cannot access one of our server shares
Both servers are domain controllers 2008 Standard
the one they cannot access is the PDC (holds all roles)
Error from computers and the 2nd domain controller to this DC is:

\\Servername is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions
Logon Failure: the target account name is incorrect

Rebooted both servers-- still same error
I can access the shares on the PDC with IP address

Results from DCDIag on PDC

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = LKS-S1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\LKS-S1
      Starting test: Connectivity
         ......................... LKS-S1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\LKS-S1
      Starting test: Advertising
         ......................... LKS-S1 passed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... LKS-S1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... LKS-S1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... LKS-S1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... LKS-S1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LKS-S1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LKS-S1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LKS-S1 passed test NCSecDesc
      Starting test: NetLogons
         [LKS-S1] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... LKS-S1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LKS-S1 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,LKS-S1] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Replication access was denied."
         ......................... LKS-S1 failed test Replications
      Starting test: RidManager
         ......................... LKS-S1 passed test RidManager
      Starting test: Services
            Could not open NTDS Service on LKS-S1, error 0x5
            "Access is denied."
         ......................... LKS-S1 failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000090
            Time Generated: 11/27/2013   11:50:00
            Event String:
            The time service has stopped advertising as a good time source.
         A warning event occurred.  EventID: 0x8000001D
            Time Generated: 11/27/2013   11:58:05
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/27/2013   11:58:29
            Event String:
            Name resolution for the name _ldap._tcp.Default-First-Site-Name._sit
es.dc._msdcs.KELLOGG.PRV timed out after none of the configured DNS servers resp
onded.
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 11/27/2013   11:58:32
            Event String:
            Time Provider NtpClient: This machine is configured to use the domai
n hierarchy to determine its time source, but it is the AD PDC emulator for the
domain at the root of the forest, so there is no machine above it in the domain
hierarchy to use as a time source. It is recommended that you either configure a
 reliable time service in the root domain, or manually configure the AD PDC to s
ynchronize with an external time source. Otherwise, this machine will function a
s the authoritative time source in the domain hierarchy. If an external time sou
rce is not configured or used for this computer, you may choose to disable the N
tpClient.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 11/27/2013   11:58:32
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 11/27/2013   11:58:34
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver lks-s1$. The target name used was ldap/LKS-S1.KELLOGG.PRV. This indicates t
hat the target server failed to decrypt the ticket provided by the client. This
can occur when the target server principal name (SPN) is registered on an accoun
t other than the account the target service is using. Please ensure that the tar
get SPN is registered on, and only registered on, the account used by the server
. This error can also happen when the target service is using a different passwo
rd for the target service account than what the Kerberos Key Distribution Center
 (KDC) has for the target service account. Please ensure that the service on the
 server and the KDC are both updated to use the current password. If the server
name is not fully qualified, and the target domain (KELLOGG.PRV) is different fr
om the client domain (KELLOGG.PRV), check if there are identically named server
accounts in these two domains, or use the fully-qualified name to identify the s
erver.
         An error event occurred.  EventID: 0x40000004
            Time Generated: 11/27/2013   11:58:35
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver lks-s1$. The target name used was LDAP/LKS-S1. This indicates that the targ
et server failed to decrypt the ticket provided by the client. This can occur wh
en the target server principal name (SPN) is registered on an account other than
 the account the target service is using. Please ensure that the target SPN is r
egistered on, and only registered on, the account used by the server. This error
 can also happen when the target service is using a different password for the t
arget service account than what the Kerberos Key Distribution Center (KDC) has f
or the target service account. Please ensure that the service on the server and
the KDC are both updated to use the current password. If the server name is not
fully qualified, and the target domain (KELLOGG.PRV) is different from the clien
t domain (KELLOGG.PRV), check if there are identically named server accounts in
these two domains, or use the fully-qualified name to identify the server.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 11/27/2013   11:58:47
            Event String:
            Name resolution for the name KELLOGG.PRV timed out after none of the
 configured DNS servers responded.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 11/27/2013   11:58:59
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 11/27/2013   11:59:26
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For
 reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 11/27/2013   11:59:26
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         A warning event occurred.  EventID: 0x000727AA
            Time Generated: 11/27/2013   12:01:27
            Event String:
            The WinRM service failed to create the following SPNs: WSMAN/LKS-S1.
KELLOGG.PRV; WSMAN/LKS-S1.
         ......................... LKS-S1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... LKS-S1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : KELLOGG
      Starting test: CheckSDRefDom
         ......................... KELLOGG passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... KELLOGG passed test CrossRefValidation

   Running enterprise tests on : KELLOGG.PRV
      Starting test: LocatorCheck
         ......................... KELLOGG.PRV passed test LocatorCheck
      Starting test: Intersite
         ......................... KELLOGG.PRV passed test Intersite

Any help is appreciated
0
Comment
Question by:electricdad
  • 2
3 Comments
 
LVL 8

Accepted Solution

by:
Tymetwister earned 500 total points
ID: 39681542
Sounds like it could be a DNS problem, especially since you are able to access it via IP address, plus there are a couple errors in your log that say "server timed out after none of the configured DNS servers responded."

Check your DNS settings on the server and make sure they are all correct.  Do an ipconfig /all on some of the problem machines and make sure they are pointing to the correct DNS server.  If they are, try using Google's public DNS (8.8.8.8) to test with and see if you get the same results.
0
 

Author Comment

by:electricdad
ID: 39681661
Well, I did see this on client machine in Event Viewer

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server lks-s1$. The target name used was cifs/lks-s1.KELLOGG.PRV. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (KELLOGG.PRV) is different from the client domain (KELLOGG.PRV), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
0
 

Author Comment

by:electricdad
ID: 39681685
Hey folks,
It just started working. I decided to reboot the 2nd domain controller (I had done that before 2X)
After that all clients and the 2nd DC can now access the PDC by computername.
Like to know what happened. I know it has to be related to DNS, but there were some KDC errors
Any comments??
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now