AD - Logon failure

Dora

Thank you in advance.

I had two domain controllers (Windows native) that seemed
to work fine, after 3 days, I needed to reboot and I can't
access the domain anymore. I tried removing the second one
and I can't because of an RPC problem with the main. I now
get a problem when I try to access AD domains and trusts,
sites and services, users and computers on this 2nd
machine.

My logon script (map drives) doesn't execute on the
workstations and if I try to map using the server name
(\\server\share) it doesn't work and I get this
error: "Logon failure: the target account name is
incorrect". If I use the IP (\\192.168.1.1\share) it
works.

I found my problem in MS-Support but it recommends to use
Repadmin.exe, which I don't seem to have success with
(could be me).

http://support.microsoft.com/default.aspx?scid=296993
http://support.microsoft.com/kb/229896/EN-US/

What I know:
- The machine takes about 10 minutes to boot hanging
on 'preparing network connections'.
- Event viewer tells me : The DNS server was unable to
open Active Directory.
- Event viewer tells me : Active Directory was unable to
establish a connection with the global catalog (option
checked in NTDS Settings properties).
- I can access the shares using the IP instead of the
machine name. If I use the machine name I get an access
denied.
- If I ping the server name the IP is good.

I've tried removing the second DC and have seized the 5
main FSMO roles on the one that is left. Still no luck. It
feels like the users access the server as a Workgroup and
not a Domain.

Can anybody help in restoring my main DC? I'll then be
able to promote a second machine and re-establish peace here!

Thanks again!
Dora

Sorry for the long post I want to give more than not
enough.
 
Dave Shaw [MVP - Directory Services]

.... not enough information here to venture a guess - could you post some of
your TCP/IP configuration information and some information as to how the DNS
that supports AD is configured?

-ds
 
Herb Martin

Dora said:
Thank you in advance.

I had two domain controllers (Windows native) that seemed
to work fine, after 3 days, I needed to reboot and I can't
access the domain anymore. I tried removing the second one
and I can't because of an RPC problem with the main. I now
get a problem when I try to access AD domains and trusts,
sites and services, users and computers on this 2nd
machine.

My logon script (map drives) doesn't execute on the
workstations and if I try to map using the server name
(\\server\share) it doesn't work and I get this
error: "Logon failure: the target account name is
incorrect". If I use the IP (\\192.168.1.1\share) it
works.

I found my problem in MS-Support but it recommends to use
Repadmin.exe, which I don't seem to have success with
(could be me).


When you have AD problems, replication or authentication (which
this may well be), or access in general, the first thing to check is
the DNS:

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
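The two checks above (DCDiag output saved to a file and searched for FAIL/ERROR/WARN, and every DC pointing solely at the internal dynamic DNS) can be scripted. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module is installed, and $InternalDns is a placeholder you replace with your own internal DNS server addresses.

```powershell
# Added example: run DCDiag on every DC, keep the output per DC, and pull out
# failure/error/warning lines; then confirm each DC's own DNS client settings
# list only the internal AD-integrated DNS servers (Herb's rules #2 and #3).
param(
    [string[]]$InternalDns = @('192.168.1.1'),   # placeholder: your internal DNS IPs
    [string]$OutDir = "$env:TEMP\dcdiag"
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    $log  = Join-Path $OutDir "$name.dcdiag.txt"

    # Verbose DCDiag against this DC, sent to a text file as the post suggests.
    & dcdiag.exe /s:$name /v | Out-File -FilePath $log -Encoding ascii

    # Search the saved output for FAIL, ERROR and WARN (case-insensitive so that
    # "failed test" lines are caught as well).
    $hits = Select-String -Path $log -Pattern 'FAIL|ERROR|WARN'
    Write-Host "== $name : $($hits.Count) FAIL/ERROR/WARN lines (full output: $log)"
    $hits | Select-Object -First 10 | ForEach-Object { Write-Host "   $($_.Line.Trim())" }

    # DCs are DNS clients too: every configured IPv4 DNS server must be internal.
    $servers = Get-DnsClientServerAddress -CimSession $name -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses } |
               ForEach-Object { $_.ServerAddresses }
    $external = $servers | Where-Object { $_ -notin $InternalDns }
    if ($external) {
        Write-Warning "$name points at non-internal DNS servers: $($external -join ', ')"
    } else {
        Write-Host "   DNS client settings on $name point only at internal DNS."
    }
}
```

Run it from an elevated prompt on a DC or a management host with RSAT; Get-DnsClientServerAddress over CIM needs WinRM reachable on each DC.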
 
Dora

I followed Mr. Herb Martin's procedure and still no
success.

I reinstalled the DNS server.

When I run the different Diag tools I get these errors:

netdiag /fix

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for
host/fserv2.myDomainName.local.


dcdiag /fix

Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... FSERV2 failed test frsevent

I did erase manually a folder yesterday in sysvol, ooops.

I followed the procedure to reinstall DNS ( I see the
Active Directory DNS records _msdcs, _sites, _tcp, _udp)

The AD settings in sites and services seem ok.

How could I re-emit a Kerberos Key? Fix the sysvol?

Can anybody shed some light, please.

Thanks again
Dora
 
Ryan Hanisco

Hi Dora,

You have two things going on here. I'll agree with Herb that most of what
you are expressing points to DNS. I know you said it is there and correct,
but it really looks like a naming issue. The other problem you have is with
the deletion of the objects in the sysvol. There are only very rare cases
where you will ever want to delete something there that was not explicitly
put there by you.

At this point, we can start doing deeper diagnostics, but you are really
better off opening a case with Microsoft. You are down to one domain
controller as you can't bring the other one back in without formatting it
now that you've seized the roles. You are working without a net and you are
in a disabled state.

You need to resolve this quickly with someone who can devote their full
attention to it. Don't hire someone to do this either... PSS will be
better and faster than bringing someone in and getting them up to speed with
your environment. Make sure to tell them that you are in a downed state and
that you are willing to work on it until the problem is resolved.
 
Dora

Thank you for your time, knowledge and your honest
opinions. It's greatly appreciated. I am in trouble if I
mess up with my last DC.

I will start an email request with Microsoft right now and
get to the bottom of it.

Dora.
 