Authentication Issue

    Question

  • For the past few days, we have been getting authentication issues on all the member servers, and even on our domain controller.

    Error - Invalid user name or bad password. After resetting the secure channel it was resolved, but we are facing the same issue again. Can anyone guide me on how to fix this issue?

    Event ID - 4 and 14

    Please help me to fix the issue


    Regards, suman

    Tuesday, June 30, 2015 1:19 PM

Answers

  • DCDIAG shows errors related to Netlogon and replication... It seems you didn't open the command prompt with Run as administrator.

    Try DCDIAG again after opening the command prompt with Run as administrator and check whether the Netlogon and replication tests are failing.

    Could you please let me know the exact error message and corresponding event which you get at the time of the issue?

    Wednesday, July 1, 2015 5:19 PM

All replies

  • All domain controllers are running Windows 2012 R2, and member servers are running 2012 R2 and 2008 R2.

    On the domain controller, we have all the roles except PDC Emulator.

    The PDC Emulator is on the additional server.


    Regards, suman

    Tuesday, June 30, 2015 1:21 PM
  • Hi,

    Did you try to reset the krbtgt account password as suggested by TechNet here?


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no warranties and confers no rights

    Tuesday, June 30, 2015 1:23 PM
  • Hello,

    Could you please share the repadmin /replsum and the dcdiag /v > a.txt of the domain controller you are facing the issue with?

    Note: You can log in after stopping the KDC service of the domain controller. (You’ll have to connect remotely using services.msc :P)

    Regards,

    Mitul aka v-2min

    Tuesday, June 30, 2015 1:47 PM
  • Replication Summary Start Time: 2015-06-30 20:26:53

    Beginning data collection for replication summary, this may take awhile:
      ......

    Source DSA          largest delta    fails/total %%   error
     TNMMADCSRV01P             08m:50s    0 /  10    0
     TNMMADCSRV02P             11m:08s    0 /  10    0
     TNMMRDCSRV01P             11m:08s    0 /  10    0

    Destination DSA     largest delta    fails/total %%   error
     TNMMADCSRV01P             11m:08s    0 /  10    0
     TNMMADCSRV02P             01m:31s    0 /  10    0
     TNMMRDCSRV01P             08m:50s    0 /  10    0

    DC DIAG Result

    ====================


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       * Verifying that the local machine TNMMRDCSRV01P, is a Directory Server.
       Home Server = TNMMRDCSRV01P

       * Connecting to directory service on server TNMMRDCSRV01P.

       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.

       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=TelenorCO,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
       Getting ISTG and options for the site
       * Identifying all servers.

       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=TNMMADCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=TNMMADCSRV02P,CN=Servers,CN=TelenorCO,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.

       * Found 3 DC(s). Testing 1 of them.

       Done gathering initial info.


    Doing initial required tests

      
       Testing server: TelenorDC\TNMMRDCSRV01P

          Starting test: Connectivity

             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... TNMMRDCSRV01P passed test Connectivity

    Doing primary tests

      
       Testing server: TelenorDC\TNMMRDCSRV01P

          Starting test: Advertising

             The DC TNMMRDCSRV01P is advertising itself as a DC and having a DS.
             The DC TNMMRDCSRV01P is advertising as an LDAP server
             The DC TNMMRDCSRV01P is advertising as having a writeable directory
             The DC TNMMRDCSRV01P is advertising as a Key Distribution Center
             The DC TNMMRDCSRV01P is advertising as a time server
             The DS TNMMRDCSRV01P is advertising as a GC.
             ......................... TNMMRDCSRV01P passed test Advertising

          Test omitted by user request: CheckSecurityError

          Test omitted by user request: CutoffServers

          Starting test: FrsEvent

             * The File Replication Service Event log test
             Skip the test because the server is running DFSR.

             ......................... TNMMRDCSRV01P passed test FrsEvent

          Starting test: DFSREvent

             The DFS Replication Event Log.
             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems.
             A warning event occurred.  EventID: 0x80001396

                Time Generated: 06/29/2015   21:01:04

                Event String:

                The DFS Replication service is stopping communication with partner TNMMADCSRV01P for replication group Domain System Volume due to an error. The service will retry the connection periodically.

                

                Additional Information:

                Error: 9036 (Paused for backup or restore)

                Connection ID: B1CD8E3D-163F-410A-BC53-775C8E36DE48

                Replication Group ID: C6837DED-27FB-42F8-9DC8-0AECFD0D0825

             ......................... TNMMRDCSRV01P passed test DFSREvent

          Starting test: SysVolCheck

             * The File Replication Service SYSVOL ready test
             File Replication Service's SYSVOL is ready
             ......................... TNMMRDCSRV01P passed test SysVolCheck

          Starting test: KccEvent

             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
             ......................... TNMMRDCSRV01P passed test KccEvent

          Starting test: KnowsOfRoleHolders

             Role Schema Owner = CN=NTDS Settings,CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
             Role Domain Owner = CN=NTDS Settings,CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
             Role PDC Owner = CN=NTDS Settings,CN=TNMMADCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
             Role Rid Owner = CN=NTDS Settings,CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm
             ......................... TNMMRDCSRV01P passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             Checking machine account for DC TNMMRDCSRV01P on DC TNMMRDCSRV01P.
             * SPN found :LDAP/TNMMRDCSRV01P.telenor.com.mm/telenor.com.mm
             * SPN found :LDAP/TNMMRDCSRV01P.telenor.com.mm
             * SPN found :LDAP/TNMMRDCSRV01P
             * SPN found :LDAP/TNMMRDCSRV01P.telenor.com.mm/TELENOR
             * SPN found :LDAP/5eec478a-c461-4743-b4f3-0a49f42cede0._msdcs.telenor.com.mm
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5eec478a-c461-4743-b4f3-0a49f42cede0/telenor.com.mm
             * SPN found :HOST/TNMMRDCSRV01P.telenor.com.mm/telenor.com.mm
             * SPN found :HOST/TNMMRDCSRV01P.telenor.com.mm
             * SPN found :HOST/TNMMRDCSRV01P
             * SPN found :HOST/TNMMRDCSRV01P.telenor.com.mm/TELENOR
             * SPN found :GC/TNMMRDCSRV01P.telenor.com.mm/telenor.com.mm
             ......................... TNMMRDCSRV01P passed test MachineAccount

          Starting test: NCSecDesc

             * Security Permissions check for all NC's on DC TNMMRDCSRV01P.
             * Security Permissions Check for

               DC=ForestDnsZones,DC=telenor,DC=com,DC=mm
                (NDNC,Version 3)
             * Security Permissions Check for

               DC=DomainDnsZones,DC=telenor,DC=com,DC=mm
                (NDNC,Version 3)
             * Security Permissions Check for

               CN=Schema,CN=Configuration,DC=telenor,DC=com,DC=mm
                (Schema,Version 3)
             * Security Permissions Check for

               CN=Configuration,DC=telenor,DC=com,DC=mm
                (Configuration,Version 3)
             * Security Permissions Check for

               DC=telenor,DC=com,DC=mm
                (Domain,Version 3)
             ......................... TNMMRDCSRV01P passed test NCSecDesc

          Starting test: NetLogons

             * Network Logons Privileges Check
             Verified share \\TNMMRDCSRV01P\netlogon
             Verified share \\TNMMRDCSRV01P\sysvol
             [TNMMRDCSRV01P] User credentials does not have permission to perform

             this operation.

             The account used for this test must have network logon privileges

             for this machine's domain.

             ......................... TNMMRDCSRV01P failed test NetLogons

          Starting test: ObjectsReplicated

             TNMMRDCSRV01P is in domain DC=telenor,DC=com,DC=mm
             Checking for CN=TNMMRDCSRV01P,OU=Domain Controllers,DC=telenor,DC=com,DC=mm in domain DC=telenor,DC=com,DC=mm on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm in domain CN=Configuration,DC=telenor,DC=com,DC=mm on 1 servers
                Object is up-to-date on all servers.
             ......................... TNMMRDCSRV01P passed test ObjectsReplicated

          Test omitted by user request: OutboundSecureChannels

          Starting test: Replications

             * Replications Check
             [Replications Check,TNMMRDCSRV01P] DsReplicaGetInfo(PENDING_OPS, NULL)

             failed, error 0x2105 "Replication access was denied."

             ......................... TNMMRDCSRV01P failed test Replications

          Starting test: RidManager

             * Available RID Pool for the Domain is 7101 to 1073741823
             * TNMMRDCSRV01P.telenor.com.mm is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 5101 to 5600
             * rIDPreviousAllocationPool is 2601 to 3100
             * rIDNextRID: 3058
             * Warning :There is less than 9% available RIDs in the current pool
             ......................... TNMMRDCSRV01P passed test RidManager

          Starting test: Services

             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
                Could not open NTDS Service on TNMMRDCSRV01P, error 0x5

                "Access is denied."

             * Checking Service: DnsCache
             * Checking Service: DFSR
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... TNMMRDCSRV01P failed test Services

          Starting test: SystemLog

             * The System Event log test
             A warning event occurred.  EventID: 0x000016AF

                Time Generated: 06/30/2015   20:17:40

                Event String:

                During the past 4.25 hours there have been 3525 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

             An error event occurred.  EventID: 0xC000000E

                Time Generated: 06/30/2015   20:19:30

                Event String:

                While processing an AS request for target service krbtgt, the account C60637 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  23  -133  -128  24  -135. The accounts available etypes : 23  -133  -128  18  17  3  1. Changing or resetting the password of C60637 will generate a proper key.

             ......................... TNMMRDCSRV01P failed test SystemLog

          Test omitted by user request: Topology

          Test omitted by user request: VerifyEnterpriseReferences

          Starting test: VerifyReferences

             The system object reference (serverReference)

             CN=TNMMRDCSRV01P,OU=Domain Controllers,DC=telenor,DC=com,DC=mm and

             backlink on

             CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm

             are correct.
             The system object reference (serverReferenceBL)

             CN=TNMMRDCSRV01P,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=telenor,DC=com,DC=mm

             and backlink on

             CN=NTDS Settings,CN=TNMMRDCSRV01P,CN=Servers,CN=TelenorDC,CN=Sites,CN=Configuration,DC=telenor,DC=com,DC=mm

             are correct.
             The system object reference (msDFSR-ComputerReferenceBL)

             CN=TNMMRDCSRV01P,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=telenor,DC=com,DC=mm

             and backlink on

             CN=TNMMRDCSRV01P,OU=Domain Controllers,DC=telenor,DC=com,DC=mm are

             correct.
             ......................... TNMMRDCSRV01P passed test VerifyReferences

          Test omitted by user request: VerifyReplicas

      
          Test omitted by user request: DNS

          Test omitted by user request: DNS

      
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

      
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

      
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

      
       Running partition tests on : telenor

          Starting test: CheckSDRefDom

             ......................... telenor passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... telenor passed test CrossRefValidation

      
       Running enterprise tests on : telenor.com.mm

          Test omitted by user request: DNS

          Test omitted by user request: DNS

          Starting test: LocatorCheck

             GC Name: \\TNMMRDCSRV01P.telenor.com.mm

             Locator Flags: 0xe000f1fc
             PDC Name: \\TNMMADCSRV01P.telenor.com.mm
             Locator Flags: 0xe000f3fd
             Time Server Name: \\TNMMRDCSRV01P.telenor.com.mm
             Locator Flags: 0xe000f1fc
             Preferred Time Server Name: \\TNMMADCSRV01P.telenor.com.mm
             Locator Flags: 0xe000f3fd
             KDC Name: \\TNMMRDCSRV01P.telenor.com.mm
             Locator Flags: 0xe000f1fc
             ......................... telenor.com.mm passed test LocatorCheck

          Starting test: Intersite

             Skipping site TelenorDC, this site is outside the scope provided by

             the command line arguments provided.
             Skipping site TelenorCO, this site is outside the scope provided by

             the command line arguments provided.
             ......................... telenor.com.mm passed test Intersite


    Regards, suman

    Tuesday, June 30, 2015 2:00 PM
  • Any suggestions on the above query?

    Regards, suman

    Wednesday, July 1, 2015 1:01 PM
  • Did you reset the krbtgt password?

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no warranties and confers no rights

    Wednesday, July 1, 2015 1:10 PM
  • DCDIAG shows errors related to Netlogon and replication... It seems you didn't open the command prompt with Run as administrator.

    Try DCDIAG again after opening the command prompt with Run as administrator and check whether the Netlogon and replication tests are failing.

    Could you please let me know the exact error message and corresponding event which you get at the time of the issue?

    Wednesday, July 1, 2015 5:19 PM
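
Added example (not part of the thread and not Microsoft code): a Python sketch that triages a saved `dcdiag /v` file such as the a.txt requested above. It separates failed tests whose own output is an access-denied message, which the answer attributes to a non-elevated command prompt, from failures that need real investigation. The function name `triage` and the sample excerpt are constructed for illustration; the excerpt follows the shape of the output posted in this thread.

```python
import re

# Messages that point at the caller's privileges rather than at the DC itself.
ACCESS_DENIED = re.compile(
    r"access is denied|access was denied|does not have permission|error 0x5\b",
    re.IGNORECASE,
)
START = re.compile(r"Starting test:\s*(\S+)")
# dcdiag result line: a run of dots, the target name, passed/failed, the test name.
RESULT = re.compile(r"\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")


def triage(dcdiag_text):
    """Map each test to 'passed', 'access-denied' or 'investigate'."""
    results = {}
    # split() with one capture group yields [preamble, name1, body1, name2, body2, ...]
    parts = START.split(dcdiag_text)
    for name, body in zip(parts[1::2], parts[2::2]):
        # dcdiag wraps long lines, so collapse all whitespace before matching.
        flat = " ".join(body.split())
        m = RESULT.search(flat)
        if m is None:
            continue  # truncated section, no verdict to report
        if m.group(2) == "passed":
            results[name] = "passed"
        elif ACCESS_DENIED.search(flat[: m.start()]):
            # Rerun from an elevated prompt before trusting this failure.
            results[name] = "access-denied"
        else:
            results[name] = "investigate"
    return results


# Constructed sample, abbreviated from the kind of output posted in the thread.
SAMPLE = """
      Starting test: Advertising
         ......................... TNMMRDCSRV01P passed test Advertising
      Starting test: NetLogons
         [TNMMRDCSRV01P] User credentials does not have permission to perform

         this operation.
         ......................... TNMMRDCSRV01P failed test NetLogons
      Starting test: Replications
         [Replications Check,TNMMRDCSRV01P] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."
         ......................... TNMMRDCSRV01P failed test Replications
      Starting test: Services
            Could not open NTDS Service on TNMMRDCSRV01P, error 0x5

            "Access is denied."
         ......................... TNMMRDCSRV01P failed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0xC000000E
            While processing an AS request for target service krbtgt ...
         ......................... TNMMRDCSRV01P failed test SystemLog
"""

if __name__ == "__main__":
    for test, verdict in triage(SAMPLE).items():
        print(f"{test:15} {verdict}")
```

A test labelled access-denied may still hide a second, genuine problem, so the label means "rerun elevated and look again", not "healthy".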