
AD - Logon failure

Anonymous
February 8, 2005 12:28:56 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thank you in advance.

I had two domain controllers (Windows native) that seemed
to work fine, after 3 days, I needed to reboot and I can't
access the domain anymore. I tried removing the second one
and I can't because of an RPC problem with the main. I now
get a problem when I try to access AD domains and trusts,
sites and services, users and computers on this 2nd
machine.

My logon script (map drives) doesn't execute on the
workstations and if I try to map using the server name
(\\server\share) it doesn't work and I get this
error: "Logon failure: the target account name is
incorrect". If I use the IP (\\192.168.1.1\share) it
works.

I found my problem in MS-Support but it recommends to use
Repadmin.exe, which I don't seem to have success with
(could be me).

http://support.microsoft.com/default.aspx?scid=296993
http://support.microsoft.com/kb/229896/EN-US/

What I know:
- The machine takes about 10 minutes to boot hanging
on 'preparing network connections'.
- Event viewer tells me : The DNS server was unable to
open Active Directory.
- Event viewer tells me : Active Directory was unable to
establish a connection with the global catalog (option
checked in NTDS settings properties).
- I can access the shares using the IP instead of the
machine name. If I use the machine name I get an access
denied.
- If I ping the server name the IP is good.

I've tried removing the second DC and have seized the 5
main FSMOs on the one that is left. Still no luck. It
feels like the users access the server as a Workgroup and
not a Domain.

Can anybody help in restoring my main DC? I'll then be
able to promote a second machine and reestablish peace here!

Thanks again!
Dora

Sorry for the long post I want to give more than not
enough.

Anonymous
February 8, 2005 3:03:32 PM

"Dora" <dora@discussions.microsoft.com> wrote in message
news:004501c50e03$ab1aacb0$a401280a@phx.gbl...
> Thank you in advance.
>
> I had two domain controllers (Windows native) that seemed
> to work fine, after 3 days, I needed to reboot and I can't
> access the domain anymore. I tried removing the second one
> and I can't because of an RPC problem with the main. I now
> get a problem when I try to access AD domains and trusts,
> sites and services, users and computers on this 2nd
> machine.
>
> My logon script (map drives) doesn't execute on the
> workstations and if I try to map using the server name
> (\\server\share) it doesn't work and I get this
> error: "Logon failure: the target account name is
> incorrect". If I use the IP (\\192.168.1.1\share) it
> works.
>
> I found my problem in MS-Support but it recommends to use
> Repadmin.exe, which I don't seem to have success with
> (could be me).
>


When you have AD problems, replication or authentication (which
this may well be), or access in general, the first thing to check is
the DNS:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]


--
Herb Martin
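
The step suggested above (save the DCDiag output from each DC to a text file and search it for FAIL, ERROR and WARN), as an added example that is not part of the original posts. The sample text is constructed, modelled on the dcdiag/netdiag lines quoted in this thread; the `triage` helper, the extra `FATAL` keyword and the "netdiag" owner label are assumptions of this example.

```python
import re

# Keywords from the post; FATAL is an added assumption covering netdiag's "[FATAL]" lines.
KEYWORDS = re.compile(r"FAIL|ERROR|WARN|FATAL", re.IGNORECASE)
START = re.compile(r"Starting test:\s*(\S+)", re.IGNORECASE)
VERDICT = re.compile(  # dcdiag verdict: "......... FSERV2 failed test frsevent"
    r"\.{3,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.IGNORECASE)
NETDIAG = re.compile(  # netdiag verdict: "Kerberos test. . . . . : Failed"
    r"^\s*(.+?) test[ .]*:\s*(\w+)", re.IGNORECASE)

# Constructed sample, modelled on the dcdiag/netdiag lines quoted in this thread.
SAMPLE = """\
      Starting test: Connectivity
         ......................... FSERV2 passed test Connectivity
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... FSERV2 failed test frsevent
    Kerberos test. . . . . . . . . . . : Failed
        [FATAL] Kerberos does not have a ticket for host/fserv2.myDomainName.local.
"""

def triage(text):
    """Return (failed_tests, keyword_hits) for saved dcdiag/netdiag output."""
    failed, hits, current = [], [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = START.search(line)
        if m:                       # remember which test the next lines belong to
            current = m.group(1)
            continue
        m = VERDICT.search(line)
        if m:                       # dcdiag pass/fail summary line closes the test
            if m.group(2).lower() == "failed":
                failed.append((m.group(1), m.group(3)))
            current = None
            continue
        m = NETDIAG.match(line)
        if m:                       # netdiag prints the verdict before the details
            current = m.group(1).strip()
            if m.group(2).lower() == "failed":
                failed.append(("netdiag", current))
            continue
        if KEYWORDS.search(line):   # detail line worth reading, tagged with its test
            hits.append((no, current, line.strip()))
    return failed, hits

if __name__ == "__main__":
    failed, hits = triage(SAMPLE)
    print("failed tests:", failed)
    print(*hits, sep="\n")
```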


Anonymous
February 8, 2005 3:56:58 PM

.... not enough information here to venture a guess - could you post some of
your TCP/IP configuration information and some information as to how the DNS
that supports AD is configured?

-ds


Anonymous
February 8, 2005 4:54:57 PM

I followed Mr. Herb Martin's procedure and still no
success.

I reinstalled the DNS server.

When I run the different Diag I get these errors:

netdiag /fix

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/fserv2.myDomainName.local.


dcdiag /fix

Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... FSERV2 failed test frsevent

I did erase manually a folder yesterday in sysvol, ooops.

I followed the procedure to reinstall DNS ( I see the
Active Directory DNS records _msdcs, _sites, _tcp, _udp)

The AD settings in sites and services seem ok.

How could I re-emit a Kerberos Key? Fix the sysvol?

Can anybody shed some light, please.

Thanks again
Dora
Anonymous
February 8, 2005 10:46:18 PM

Hi Dora,

You have two things going on here. I'll agree with Herb that most of what
you are expressing points to DNS. I know you said it is there and correct,
but it really looks like a naming issue. The other problem you have is with
the deletion of the objects in the sysvol. There are only very rare cases
where you will ever want to delete something there that was not explicitly
put there by you.

At this point, we can start doing deeper diagnostics, but you are really
better off opening a case with Microsoft. You are down to one domain
controller as you can't bring the other one back in without formatting it
now that you've seized the roles. You are working without a net and you are
in a disabled state.

You need to resolve this quickly with someone who can devote their full
attention to it. Don't hire someone to do this either... PSS will be
better and faster than bringing someone in and getting them up to speed with
your environment. Make sure to tell them that you are in a downed state and
that you are willing to work on it until the problem is resolved.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

Anonymous
February 9, 2005 8:50:16 AM

Thank you for your time, knowledge and your honest
opinions. It's greatly appreciated. I am in trouble if I
mess up with my last DC.

I will start an email request with Microsoft right now and
get to the bottom of it.

Dora.
