Logon Failure: The target account name is incorrect

    Question

  • I'm having an issue where I cannot connect to a DC (\\DC1.help.local) via name but can connect through IP.

    What happened was our main DC (DC1 on network 172.16.1.1/24) went down due to motherboard failure. When DC1 was brought back online all users within its own network (172.16.1.1/24) could access it by name (DC1.help.local) but our external office networks (172.16.2.1 - 4.1/24) could not. When you try to visit \\dc1.help.local externally you get: Logon Failure: The target account name is incorrect.

    On the forward lookup zones under _msdcs I can see all the proper Alias CNAME records, no duplicates. When you try to connect via this Alias CNAME of other DCs, you can, except for DC1's Alias CNAME. When you try, it pops this message up:

    You were not connected because a duplicate name exists on the network.

    I can assure you that we have not cloned DC1 nor have we brought anything online that resembles this. We also only have one NIC on DC1.

    Any thoughts on how to correct this problem?

    Friday, July 05, 2013 4:00 PM

Answers

  • For those who stumble upon this. My issue was a machine account password.

    Once I reset the machine account password from the Master DC to the suspect DCs, everything started replicating.

    Thanks for the help all.

    • Marked as answer by Mike_Vloet Tuesday, August 13, 2013 3:56 PM
    Tuesday, August 13, 2013 3:55 PM
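
The accepted answer does not list the commands used. One common way to perform such a reset is `netdom resetpwd`, run on the affected DC with its local KDC stopped and followed by a reboot. The script below is an added example, not the original poster's; `-GoodDc`, `-AdminUser` and `-AfterReboot` are placeholder parameters introduced here.

```powershell
# Added example. Run elevated ON the DC whose machine account password is out of sync.
# -GoodDc and -AdminUser are values you supply; neither comes from the thread.
param(
    [string]$GoodDc,       # healthy DC to reset against, e.g. the PDC emulator
    [string]$AdminUser,    # DOMAIN\user allowed to reset the password
    [switch]$AfterReboot   # second pass, once this DC has restarted
)

if (-not $AfterReboot) {
    if (-not $GoodDc -or -not $AdminUser) {
        throw "Specify -GoodDc and -AdminUser for the first pass."
    }

    # 1. Stop the local KDC and keep it from starting at boot, so this DC has to
    #    request tickets from $GoodDc rather than issue them with its stale key.
    Set-Service  -Name Kdc -StartupType Manual
    Stop-Service -Name Kdc -Force

    # 2. Discard cached tickets for the current logon and for LocalSystem (LUID 0x3e7).
    klist purge | Out-Null
    klist -li 0x3e7 purge | Out-Null

    # 3. Reset this DC's machine account password against the healthy DC.
    #    "/passwordd:*" prompts for the password instead of taking it on the command line.
    netdom resetpwd /server:$GoodDc /userd:$AdminUser /passwordd:*
    if ($LASTEXITCODE -ne 0) {
        # Put the KDC back the way it was if the reset did not succeed.
        $code = $LASTEXITCODE
        Set-Service   -Name Kdc -StartupType Automatic
        Start-Service -Name Kdc
        throw "netdom resetpwd failed with exit code $code"
    }
    Write-Host "Password reset. Reboot this DC, then rerun with -AfterReboot."
    return
}

# 4. After the reboot: restore the KDC's normal startup type and start it.
Set-Service   -Name Kdc -StartupType Automatic
Start-Service -Name Kdc

# 5. Confirm inbound replication works and the KRB_AP_ERR_MODIFIED error is gone.
repadmin /showrepl
dcdiag /test:Replications
```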

All replies

  • 1. Clear cache ipconfig /flushdns and refresh.

    2. Diagnose your system (AD, DNS) with dcdiag (or netdiag in older systems).

    Rgds

    Milos

    Friday, July 05, 2013 8:47 PM
  • Hello,

    so the DC was NOT restored from a backup, just the motherboard was changed and the same configuration was used as before?

    Please post an unedited ipconfig /all from the 2 DC/DNS servers, so we can verify some settings.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, July 07, 2013 6:47 PM
  • Morning,

    Correct, the DC was not restored from a backup and only the motherboard was changed by Dell.

    DC1 below

    Host Name . . . . . . . . . . . . : DC1
    Primary DNS Suffix  . . . . . . . : company.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : company.local

    Ethernet adapter 1GBS Broadcom:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
            Physical Address. . . . . . . . . : 00-1D-09-FE-8B-82
            DHCP Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.1.1
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.30
            DNS Servers . . . . . . . . . . . : 192.168.1.1
                                                192.168.2.1
            Primary WINS Server . . . . . . . : 192.168.1.1


    DC2 Below

    Host Name . . . . . . . . . . . . : DC2
    Primary Dns Suffix  . . . . . . . : company.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : company.local

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
    Physical Address. . . . . . . . . : B8-AC-6F-9A-B0-2E
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.30
    DNS Servers . . . . . . . . . . . : 192.168.0.2
                                        192.168.1.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Monday, July 08, 2013 1:54 PM
  • Morning Milos,

    I performed an ipconfig /flushdns and refreshed, no changes.

    I did the dcdiag and noticed one paragraph that stands out on DC2:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was LDAP/7a7700da-c576-41b1-bfb3-0345a362da6a._msdcs.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (COMPANY.LOCAL) is different from the client domain (COMPANY.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    When I ran DCDIAG on DC1, everything passed with flying colours. Also, DC1 has no problem replicating to DC2. DC2 can't replicate with DC1 due to duplicate name found on the network.

    Monday, July 08, 2013 2:02 PM
  • Hello,

    on DC1 please remove RRAS "IP Routing Enabled. . . . . . . . : Yes" as this is not recommended on a DC and may result in strange problems. After the removal please reboot the DC.


    Best regards

    Meinolf Weber


    Monday, July 08, 2013 6:10 PM
  • I'll give that a shot and post my results. Did you see what I posted to Milos above?
    Monday, July 08, 2013 6:29 PM
  • Hello,

    yes, would be my next part if RRAS removal doesn't help:

    ipconfig /all >c:\ipconfig.log [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.log
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.log  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
    ADREPLSTATUS http://www.microsoft.com/en-us/download/details.aspx?id=30005 can also be exported to file.

    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber

    Monday, July 08, 2013 7:10 PM
  • Sorry for the delay,

    I might also add that when the motherboard was replaced on DC1, the time was incorrect by a few hours in the BIOS throwing off the time for the whole domain. We fixed it 2 mins after noticing. Not sure if that is part of the problem or not.

    https://skydrive.live.com/?cid=9433093E135A42B9&id=9433093E135A42B9!350

    Tuesday, July 16, 2013 8:38 PM