Solved

Users cannot access network share by FQDN, only IP

Posted on 2015-01-16
19
162 Views
Last Modified: 2015-02-02
We have users who are unable to connect to a network share //SHARE but can by IP //192.168.0.1.

In looking at the DNS records on DNS server, DNS is assigning to that share 2 other static IPs on top of the static IP I issued it (mine: 192.168.0.1 and it's also assigning 192.168.111.1 and 192.168.226.1) which might be causing the issue?

Why is DNS assigning a static server multiple IPs outside the range and what can I do to address people not connecting to the network share?
0
Comment
Question by:pstiffsae
  • 8
  • 5
  • 3
  • +3
19 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40554027
Check the NIC properties and see of other static IPs have been assigned in the advanced tab. A NIC can have multiple IPs.  Also look for other NICs that may be connected and getting an IP from a DHCP server (rogue or otherwise.)  If the NICs are on the same subnet, that can cause issues. If they are on different subnets (often referred to as multi-homed) with no route, that can also cause issues if the DHCP client is being allowed to dynamically register those IPs in DNS. Based on the IP addresses, also look for misconfigured VPN settings.  192.168.111.x is a common subnet in several VPN appliances.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40554042
I see this issue all the time when the DNS suffix is misconfigured on the NIC itself. I would start there.

Will.
0
 

Author Comment

by:pstiffsae
ID: 40554152
Checked both PCs and its all set to automatically pull in network information. I specified DNS server and same issue, if you try to remote in \\SHARE you get "Logon Failure: The target account name is incorrect". It's not happening system wide, just a few PCs. They can remote into other network devices, email, etc.
0
 

Author Comment

by:pstiffsae
ID: 40554154
Additionally - if you reboot it'll be fine for awhile until it just suddenly stops and you can't connect to FQDN only IP
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40556675
DO you have multiple subnets or vlans on your network?
0
 

Author Comment

by:pstiffsae
ID: 40556683
I do not. Another thing it's only happening with a specific set of computers (Dell). Everyone else is fine as well as the PCs having issues can access other network resources.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40556701
On the affected workstations have you check under Advanced Network setting to check the ordering of the NIC? You want to make sure Local Area Connection is listed first.
0
 

Author Comment

by:pstiffsae
ID: 40556704
It is. I've check network adapter settings and everything looks fine. DNS server looks good (I had posted about thee Ips but there was VMWare adapters enabled and once disabled those IPs stopped coming in as static ips) and so does DHCP. What should I be keeping an out for on the sever? Or other network services?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40556819
If DNS and everything has been verified then it is probably CSC (client side caching).

Apply this registry setting to your machine and reboot. Should resolve the issue. This is another common one that i see, just forgot about it.

Client Side Caching Fix

Will.
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 40558066
if you try to remote in \\SHARE you get "Logon Failure: The target account name is incorrect"
Just to be clear, do you mean \\servername\sharename? Accessing a share by simply typing \\sharename is nonstandard, and I wouldn't expect it to work in most situations.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40558400
You have checked to make sure your AD environment is healthy correct?

Have your run dcdiag /v /e >c:\dcdiag.txt
repadmin /showrepl >C:\repadmin.txt

Also any errors in the event logs on the workstations?
0
 
LVL 4

Expert Comment

by:Praveen Kumar Bonala
ID: 40558852
which operating system you are using for share server.?
0
 

Author Comment

by:pstiffsae
ID: 40558855
Server 2008 R2 for server
Windows 7 for clients

Deployed the fix for client side caching to see if that fixed the issue
0
 

Author Comment

by:pstiffsae
ID: 40558875
No issues with repadmin
DCDIAG:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine NetOps, is a Directory Server.
   Home Server = NetOps

   * Connecting to directory service on server NetOps.

   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=XXX,DC=net,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=XXX,DC=net,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 2 DC(s). Testing 2 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\NETOPS

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... NETOPS passed test Connectivity

   
   Testing server: Default-First-Site-Name\FILES

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... FILES passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\NETOPS

      Starting test: Advertising

         The DC NETOPS is advertising itself as a DC and having a DS.
         The DC NETOPS is advertising as an LDAP server
         The DC NETOPS is advertising as having a writeable directory
         The DC NETOPS is advertising as a Key Distribution Center
         The DC NETOPS is advertising as a time server
         The DS NETOPS is advertising as a GC.
         ......................... NETOPS passed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 01/19/2015   08:18:15

            Event String:

            The File Replication Service is having trouble enabling replication from FILES to NETOPS for c:\windows\sysvol\domain using the DNS name FILES.XXX.net. FRS will keep retrying.

             Following are some of the reasons you would see this warning.

             

             [1] FRS can not correctly resolve the DNS name FILES.XXX.net from this computer.

             [2] FRS is not running on FILES.XXX.net.

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         ......................... NETOPS passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         Skip the test because the server is running FRS.

         ......................... NETOPS passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... NETOPS passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... NETOPS passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Domain Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role PDC Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Rid Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         ......................... NETOPS passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC NETOPS on DC NETOPS.
         * SPN found :LDAP/NetOps.XXX.net/XXX.net
         * SPN found :LDAP/NetOps.XXX.net
         * SPN found :LDAP/NETOPS
         * SPN found :LDAP/NetOps.XXX.net/SIGMA
         * SPN found :LDAP/faeedd75-072f-46ed-9693-0a112389d002._msdcs.XXX.net
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/faeedd75-072f-46ed-9693-0a112389d002/XXX.net
         * SPN found :HOST/NetOps.XXX.net/XXX.net
         * SPN found :HOST/NetOps.XXX.net
         * SPN found :HOST/NETOPS
         * SPN found :HOST/NetOps.XXX.net/SIGMA
         * SPN found :GC/NetOps.XXX.net/XXX.net
         ......................... NETOPS passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC NETOPS.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=XXX,DC=net
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=XXX,DC=net
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=XXX,DC=net
            (Domain,Version 3)
         ......................... NETOPS passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\NETOPS\netlogon
         Verified share \\NETOPS\sysvol
         ......................... NETOPS passed test NetLogons

      Starting test: ObjectsReplicated

         NETOPS is in domain DC=XXX,DC=net
         Checking for CN=NETOPS,OU=Domain Controllers,DC=XXX,DC=net in domain DC=XXX,DC=net on 2 servers
            Authoritative attribute lastLogonTimestamp on NETOPS (writeable)
               usnLocalChange = 6561780
               LastOriginatingDsa = NETOPS
               usnOriginatingChange = 6561780
               timeLastOriginatingChange = 2015-01-19 03:40:10
               VersionLastOriginatingChange = 123
            Out-of-date attribute lastLogonTimestamp on FILES (writeable)
               usnLocalChange = 5963500
               LastOriginatingDsa = NETOPS
               usnOriginatingChange = 6525988
               timeLastOriginatingChange = 2015-01-09 03:19:00
               VersionLastOriginatingChange = 122
            Authoritative attribute pwdLastSet on NETOPS (writeable)
               usnLocalChange = 6546548
               LastOriginatingDsa = NETOPS
               usnOriginatingChange = 6546548
               timeLastOriginatingChange = 2015-01-12 23:21:34
               VersionLastOriginatingChange = 44
            Out-of-date attribute pwdLastSet on FILES (writeable)
               usnLocalChange = 5839570
               LastOriginatingDsa = NETOPS
               usnOriginatingChange = 6381645
               timeLastOriginatingChange = 2014-12-13 03:05:29
               VersionLastOriginatingChange = 43
         Checking for CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net in domain CN=Configuration,DC=XXX,DC=net on 2 servers
            Object is up-to-date on all servers.
         ......................... NETOPS failed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         REPLICATION LATENCY WARNING

         ERROR: Expected notification link is missing.

         Source FILES

         Replication of new changes along this path will be delayed.

         This problem should self-correct on the next periodic sync.

         * Replication Latency Check
            DC=ForestDnsZones,DC=XXX,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=XXX,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... NETOPS passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 6103 to 1073741823
         * NetOps.XXX.net is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 5103 to 5602
         * rIDPreviousAllocationPool is 5103 to 5602
         * rIDNextRID: 5169
         ......................... NETOPS passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... NETOPS passed test Services

      Starting test: SystemLog

         * The System Event log test
         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 01/19/2015   17:24:40

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         Found no errors in "System" Event log in the last 60 minutes.
         ......................... NETOPS passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=NETOPS,OU=Domain Controllers,DC=XXX,DC=net and backlink on

         CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net

         are correct.
         The system object reference (serverReferenceBL)

         CN=NETOPS,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=XXX,DC=net

         and backlink on

         CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=NETOPS,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=XXX,DC=net

         and backlink on CN=NETOPS,OU=Domain Controllers,DC=XXX,DC=net are

         correct.
         ......................... NETOPS passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
   Testing server: Default-First-Site-Name\FILES

      Starting test: Advertising

         The DC FILES is advertising itself as a DC and having a DS.
         The DC FILES is advertising as an LDAP server
         The DC FILES is advertising as having a writeable directory
         The DC FILES is advertising as a Key Distribution Center
         Warning: FILES is not advertising as a time server.

         The DS FILES is advertising as a GC.
         ......................... FILES failed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         A warning event occurred.  EventID: 0x800034C4

            Time Generated: 01/19/2015   10:55:16

            Event String:

            The File Replication Service is having trouble enabling replication from NETOPS to FILES for c:\windows\sysvol\domain using the DNS name NetOps.XXX.net. FRS will keep retrying.

             Following are some of the reasons you would see this warning.

             

             [1] FRS can not correctly resolve the DNS name NetOps.XXX.net from this computer.

             [2] FRS is not running on NetOps.XXX.net.

             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

             

             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

         ......................... FILES passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log.
         Skip the test because the server is running FRS.

         ......................... FILES passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... FILES passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... FILES passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Domain Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role PDC Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Rid Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         ......................... FILES passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC FILES on DC FILES.
         * SPN found :LDAP/FILES.XXX.net/XXX.net
         * SPN found :LDAP/FILES.XXX.net
         * SPN found :LDAP/FILES
         * SPN found :LDAP/FILES.XXX.net/SIGMA
         * SPN found :LDAP/e9329d5b-3169-4818-84aa-3f6f089e2f32._msdcs.XXX.net
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e9329d5b-3169-4818-84aa-3f6f089e2f32/XXX.net
         * SPN found :HOST/FILES.XXX.net/XXX.net
         * SPN found :HOST/FILES.XXX.net
         * SPN found :HOST/FILES
         * SPN found :HOST/FILES.XXX.net/SIGMA
         * SPN found :GC/FILES.XXX.net/XXX.net
         ......................... FILES passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC FILES.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=XXX,DC=net
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=XXX,DC=net
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=XXX,DC=net
            (Domain,Version 3)
         ......................... FILES passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\FILES\netlogon
         Verified share \\FILES\sysvol
         ......................... FILES passed test NetLogons

      Starting test: ObjectsReplicated

         FILES is in domain DC=XXX,DC=net
         Checking for CN=FILES,OU=Domain Controllers,DC=XXX,DC=net in domain DC=XXX,DC=net on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net in domain CN=Configuration,DC=XXX,DC=net on 2 servers
            Object is up-to-date on all servers.
         ......................... FILES passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         [Replications Check,FILES] A recent replication attempt failed:

            From NETOPS to FILES

            Naming Context: DC=ForestDnsZones,DC=XXX,DC=net

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.

           

            The failure occurred at 2015-01-19 17:54:31.

            The last success occurred at 2015-01-12 22:50:58.

            177 failures have occurred since the last success.

         [Replications Check,FILES] A recent replication attempt failed:

            From NETOPS to FILES

            Naming Context: DC=DomainDnsZones,DC=XXX,DC=net

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2015-01-19 17:55:01.

            The last success occurred at 2015-01-12 22:50:55.

            438 failures have occurred since the last success.

         [Replications Check,FILES] A recent replication attempt failed:

            From NETOPS to FILES

            Naming Context: CN=Schema,CN=Configuration,DC=XXX,DC=net

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2015-01-19 17:54:31.

            The last success occurred at 2015-01-12 22:50:52.

            177 failures have occurred since the last success.

         [Replications Check,FILES] A recent replication attempt failed:

            From NETOPS to FILES

            Naming Context: CN=Configuration,DC=XXX,DC=net

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2015-01-19 17:54:31.

            The last success occurred at 2015-01-12 22:50:49.

            179 failures have occurred since the last success.

         [Replications Check,FILES] A recent replication attempt failed:

            From NETOPS to FILES

            Naming Context: DC=XXX,DC=net

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2015-01-19 17:59:11.

            The last success occurred at 2015-01-12 23:20:50.

            5517 failures have occurred since the last success.

         ......................... FILES failed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 6103 to 1073741823
         * NetOps.XXX.net is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 5603 to 6102
         * rIDPreviousAllocationPool is 5603 to 6102
         * rIDNextRID: 5644
         ......................... FILES passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... FILES passed test Services

      Starting test: SystemLog

         * The System Event log test
         An error event occurred.  EventID: 0x40000004

            Time Generated: 01/19/2015   17:37:11

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server netops$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/faeedd75-072f-46ed-9693-0a112389d002/XXX.net@XXX.net. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XXX.NET) is different from the client domain (XXX.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 01/19/2015   17:44:54

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server netops$. The target name used was SIGMA\NETOPS$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XXX.NET) is different from the client domain (XXX.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 01/19/2015   17:59:55

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server netops$. The target name used was DNS/netops.XXX.net. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XXX.NET) is different from the client domain (XXX.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... FILES failed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=FILES,OU=Domain Controllers,DC=XXX,DC=net and backlink on

         CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net

         are correct.
         The system object reference (serverReferenceBL)

         CN=FILES,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=XXX,DC=net

         and backlink on

         CN=NTDS Settings,CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net

         are correct.
         The system object reference (frsComputerReferenceBL)

         CN=FILES,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=XXX,DC=net

         and backlink on CN=FILES,OU=Domain Controllers,DC=XXX,DC=net are

         correct.
         ......................... FILES passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

         Test omitted by user request: DNS

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : XXX

      Starting test: CheckSDRefDom

         ......................... XXX passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... XXX passed test CrossRefValidation

   
   Running enterprise tests on : XXX.net

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\NetOps.XXX.net

         Locator Flags: 0xe00033fd
         PDC Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         Time Server Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         Preferred Time Server Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         KDC Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         ......................... XXX.net passed test LocatorCheck

      Starting test: Intersite

         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided.
         ......................... XXX.net passed test Intersite
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40558879
Did the client side caching work? you should know immidiately after you reboot the machine.

Will.
0
 

Author Comment

by:pstiffsae
ID: 40558884
Will,
For one of the affected PCs it cleared it up right away but since it rebooted (which fixes the issue temporarily) making sure it's a perm fix.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40558886
Ok sounds good.

Glad it has worked in the interum.

Will.
0
 

Author Comment

by:pstiffsae
ID: 40564420
The client side caching fix did not ultimately address the issue. We're finding now people still lose the ability to print and instead of the reboot and print queue emptying, it straight errors out:

The document failed to print because the user did not have the necessary privileges.

I'm seeing a bunch of Security-Kerberos issues in Event logs:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server netops$. The target name used was cifs/NetOps.SAE.net. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (XXX.NET) is different from the client domain (XXX.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40564458
This seems like there is a more systemic issue aside from the one you have specified originally. Although the CSC fix did correct the issue for the network drives you are now encountering new issues.

I would create a new ticket addressing the other issues you have mentioned above.

Will.
0

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now