AD - Logon failure

Archived from groups: microsoft.public.win2000.active_directory

Thank you in advance.

I had two domain controllers (Windows native) that seemed
to work fine, after 3 days, I needed to reboot and I can't
access the domain anymore. I tried removing the second one
and I can't because of an RPC problem with the main. I now
get a problem when I try to access AD domains and trusts,
sites and services, users and computers on this 2nd
machine.

My logon script (map drives) doesn't execute on the
workstations and if I try to map using the server name
(\\server\share) it doesn't work and I get this
error: "Logon failure: the target account name is
incorrect". If I use the IP (\\192.168.1.1\share) it
works.

I found my problem in MS-Support but it recommends to use
Repadmin.exe, which I don't seem to have success with
(could be me).

http://support.microsoft.com/default.aspx?scid=296993
http://support.microsoft.com/kb/229896/EN-US/

What I know:
- The machine takes about 10 minutes to boot hanging
on 'preparing network connections'.
- Event viewer tells me : The DNS server was unable to
open Active Directory.
- Event viewer tells me : Active Directory was unable to
establish a connection with the global catalog (option
checked in NTDS settings properties).
- I can access the shares using the IP instead of the
machine name. If I use the machine name I get an access
denied.
- If I ping the server name the IP is good.

I've tried removing the second DC and have seized the 5
main FSMOs on the one that is left. Still no luck. It
feels like the users access the server as a Workgroup and
not a Domain.

Can anybody help in restoring my main DC? I'll then be
able to promote a second machine and reestablish peace here!

Thanks again!
Dora

Sorry for the long post I want to give more than not
enough.
  1. Archived from groups: microsoft.public.win2000.active_directory

    When you have AD problems, replication or authentication (which
    this may well be), or access in general, the first thing to check is
    the DNS:

    DNS for AD
    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
    that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2
    4) If you have more than one Domain, every DNS server must
    be able to resolve ALL domains (either directly or indirectly)

    netdiag /fix

    ....or maybe:

    dcdiag /fix

    (Win2003 can do this from Support tools):
    nltest /dsregdns /server:DC-ServerNameGoesHere
    http://support.microsoft.com/kb/q260371/

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Label domain zone names are a problem. Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


    --
    Herb Martin
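
The triage step suggested in the reply above (send DCDiag output to a text file and search it for failures), sketched as an added example that is not part of the original thread. The sample text is constructed in the layout dcdiag and netdiag print, and the host name `dc1.example.local` and the function name `triage` are assumptions.

```python
import re

# Constructed sample in the layout dcdiag and netdiag print; it was not
# captured from a real domain controller (DC1 / example.local are made up).
SAMPLE = """\
   Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.
         ......................... DC1 failed test frsevent
    Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for host/dc1.example.local.
    DNS test . . . . . . . . . . . . . : Passed
"""

DCDIAG_RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.I)
NETDIAG_RESULT = re.compile(r"^\s*(.+?) test[ .]*:\s*(\w+)\s*$", re.I)
TAGGED = re.compile(r"\[(FATAL|ERROR|WARNING)\]\s*(.*)", re.I)


def triage(text):
    """Return (failures, messages) found in dcdiag/netdiag text output."""
    failures, messages, detail = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        result = DCDIAG_RESULT.search(line)
        tagged = TAGGED.search(line)
        summary = NETDIAG_RESULT.match(line)
        if result:  # dcdiag verdict line closes the current test
            if result.group(2).lower() == "failed":
                failures.append(("dcdiag", result.group(3), " ".join(detail)))
            detail = []
        elif line.startswith("Starting test:"):
            detail = []  # detail lines belong to the test that follows
        elif tagged:
            messages.append((tagged.group(1).upper(), tagged.group(2)))
        elif summary:  # netdiag "<name> test . . . : <status>" line
            if summary.group(2).lower() == "failed":
                failures.append(("netdiag", summary.group(1), ""))
        elif line:
            detail.append(line)
    return failures, messages


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```

Save each tool's output to a file and pass the file contents to `triage`; the detail text kept with each failed dcdiag test is what identifies which subsystem (here SYSVOL/FRS) to look at next.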

  2. Archived from groups: microsoft.public.win2000.active_directory

    .... not enough information here to venture a guess - could you post some of
    your TCP/IP configuration information and some information as to how the DNS
    that supports AD is configured?

    -ds

  3. Archived from groups: microsoft.public.win2000.active_directory

    I followed Mr. Herb Martin's procedure and still no
    success.

    I reinstalled the DNS server.

    When I run the different Diag I get these errors:

    netdiag /fix

    Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for
    host/fserv2.myDomainName.local.


    dcdiag /fix

    Starting test: frsevent
    There are warning or error events within the last 24
    hours after the
    SYSVOL has been shared. Failing SYSVOL replication
    problems may cause
    Group Policy problems.
    ......................... FSERV2 failed test frsevent

    I did erase manually a folder yesterday in sysvol, ooops.

    I followed the procedure to reinstall DNS ( I see the
    Active Directory DNS records _msdcs, _sites, _tcp, _udp)

    The AD settings in sites and services seem ok.

    How could I re-emit a Kerberos Key? Fix the sysvol?

    Can anybody shed some light, please.

    Thanks again
    Dora
  4. Archived from groups: microsoft.public.win2000.active_directory

    Hi Dora,

    You have two things going on here. I'll agree with Herb that most of what
    you are expressing points to DNS. I know you said it is there and correct,
    but it really looks like a naming issue. The other problem you have is with
    the deletion of the objects in the sysvol. There are only very rare cases
    where you will ever want to delete something there that was not explicitly
    put there by you.

    At this point, we can start doing deeper diagnostics, but you are really
    better off opening a case with Microsoft. You are down to one domain
    controller as you can't bring the other one back in without formatting it
    now that you've seized the roles. You are working without a net and you are
    in a disabled state.

    You need to resolve this quickly with someone who can devote their full
    attention to it. Don't hire someone to do this either... PSS will be
    better and faster than bringing someone in and getting them up to speed with
    your environment. Make sure to tell them that you are in a downed state and
    that you are willing to work on it until the problem is resolved.

    --
    Ryan Hanisco
    MCSE, MCDBA
    Flagship Integration Services

  5. Archived from groups: microsoft.public.win2000.active_directory

    Thank you for your time, knowledge and your honest
    opinions. It's greatly appreciated. I am in trouble if I
    mess up with my last DC.

    I will start an email request with Microsoft right now and
    get to the bottom of it.

    Dora.