error 1326 logon failure: unknown user name or bad password

    Question

  • Hi All: I have a small 2008R2 domain with several DCs. The AD "administrator" account was not set up with "password never expires", so I have been resetting the password every 3 months.

    I noticed recently that I'm getting group policy replication failures, and dcdiag is showing 

          Starting test: KnowsOfRoleHolders
             [SERVER1] DsBindWithSpnEx() failed with error 5,
             Access is denied..
             Warning: SERVER1is the Schema Owner, but is not responding to DS RPC
             Bind.
             [SERVER1] LDAP bind failed with error 1326,
             Logon failure: unknown user name or bad password..

    Is this related to the password expiration on the "administrator" account? If not, what do I need to do to resolve the issue?

    Friday, June 21, 2013 4:31 PM

All replies

  • Hi,

    This error is not related to the "Administrator" account.

    There are many causes for this issue, such as incorrect DNS pointing, more than 5 minutes of time skew between DCs, a secure channel issue, connectivity problems between DCs, etc.

    Please check and correct DNS pointing on all DC:
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
    Ensure the PDC role DC is configured as an authoritative time server and other DCs sync with the domain hierarchy:
    http://abhijitw.wordpress.com/2011/10/08/authorative-time-server/

    And refer to this KB article for advanced troubleshooting:
    Troubleshooting AD Replication error 5: Access is denied
    http://support.microsoft.com/kb/2002013

    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Friday, June 21, 2013 5:50 PM
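An added example, not part of the thread, that checks two of the causes listed in the reply above across every DC in the domain: DNS client settings that point anywhere other than a DC, and clock offset from the PDC emulator. It is written for PowerShell 2.0 on Server 2008 R2 (WMI and w32tm rather than the later DnsClient cmdlets) and is meant to be run as a domain admin on a DC. The `w32tm /monitor` text layout it parses is an assumption about that tool's output.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on Server 2008 R2, run as a
# domain admin on a DC that can reach the other DCs over WMI (DCOM/RPC).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
$dcs    = @($domain.DomainControllers | ForEach-Object { $_.Name })

# Every IPv4 address a DC name resolves to, so a DNS client entry can be recognised as "a DC".
$dcAddresses = @{}
foreach ($dc in $dcs) {
    try {
        foreach ($ip in [System.Net.Dns]::GetHostAddresses($dc)) {
            if ($ip.AddressFamily -eq 'InterNetwork') { $dcAddresses[$ip.IPAddressToString] = $dc }
        }
    } catch { Write-Warning "Cannot resolve $dc : $_" }
}
$loopback = @('127.0.0.1')

function Test-DnsClientPointing {
    param([string]$ComputerName)
    $findings = @()
    $nics = Get-WmiObject -ComputerName $ComputerName -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($nic in $nics) {
        $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $tag = "$ComputerName [$($nic.Description)]"
        if ($servers.Count -eq 0) { $findings += "${tag}: no DNS servers configured"; continue }
        foreach ($s in $servers) {
            if (-not ($dcAddresses.ContainsKey($s) -or $loopback -contains $s)) {
                $findings += "${tag}: DNS server $s is not a domain controller (ISP or other external resolver?)"
            }
        }
        # The linked best-practice article: another DC first, the DC itself last.
        if ($loopback -contains $servers[0] -or $dcAddresses[$servers[0]] -eq $ComputerName) {
            $findings += "${tag}: lists itself first; put another DC first and itself last"
        }
    }
    return $findings
}

function Get-ClockOffsets {
    # Assumed w32tm /monitor layout: one block per DC, "host[ip:123]:" (the PDC marked
    # *** PDC ***) followed by "    NTP: +0.0012345s offset from <pdc>"; offsets are relative to the PDC.
    $current = $null
    $offsets = @{}
    foreach ($line in (& w32tm /monitor 2>&1)) {
        if ($line -match '^(\S+?)(\s\*\*\* PDC \*\*\*)?\[') { $current = $matches[1]; continue }
        if ($current -and $line -match 'NTP:\s*([+-]\d+\.\d+)s offset') { $offsets[$current] = [double]$matches[1] }
    }
    return $offsets
}

$report = @()
foreach ($dc in $dcs) { $report += @(Test-DnsClientPointing -ComputerName $dc) }
$offsets = Get-ClockOffsets
foreach ($name in $offsets.Keys) {
    # Kerberos rejects tickets from clocks more than 5 minutes apart, hence the 300 s threshold.
    if ([math]::Abs($offsets[$name]) -gt 300) { $report += "$name is $($offsets[$name]) s from the PDC ($pdc)" }
}
if ($report.Count -eq 0) { "No DNS client or time skew findings across $($dcs.Count) DCs" } else { $report }
```

The output is a plain list of findings, one per DC and adapter, so it can be pasted into a thread like this one instead of a raw `ipconfig /all` from each server.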
  • Hello,

    This seems to be related to connectivity problems within the domain/DCs. Let's start with an unedited ipconfig /all from ALL DC/DNS servers you use, so we can verify some basic settings.

    Are any of your DCs cloned or created from an image that is NOT prepared with sysprep?

    Hopefully you use ONLY the domain DNS servers on the NIC and no others, such as the ISP's?

    Also ensure that no firewall port is blocked, according to http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, June 22, 2013 6:35 PM
  • Thanks Meinolf and Abhijit. I've been trying to run through the various links and confirm the settings.

    All the servers have a private "LAN" NIC and a public "WAN" NIC. The "LAN" NIC is configured as the first NIC on each server, and on each server, the NS is set to two of the other DCs (there are three DCs in total). I have a forwarder set on each of the DCs (all 3 are running DNS) with the external NS from my colo facility.

    I did not set up an authoritative timeserver on the PDC, but all the DCs are using microsoft timeservers and are all synchronized (no time gaps between servers).

    All the DCs are normally set up as 2008 R2 Standard (no cloning), and on each one I ran DCPROMO. I presume DCPROMO enables all the necessary ports on the firewall, but I didn't check through the entire list of ports yet. All the firewalls have the AD-related ACLs enabled (they were set up automatically). IPv6 is enabled on all LAN adapters without any manual config.

    I've restarted DNS and NETLOGON on all the servers. They can all reach each other, but I'm still getting the "1026/permission denied" and an error trying to read the gpt.ini share. Here's the ipconfig and dcdiag from the PDC:

    C:\Users\Administrator>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : myDomainSQL1
       Primary Dns Suffix  . . . . . . . : myDomain.myColo.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : myDomain.myColo.local
    
    Ethernet adapter LocalSubnet:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection w
    ith I/O Acceleration #3
       Physical Address. . . . . . . . . : 00-30-48-F9-D6-34
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::ed05:9fa9:2909:f655%16(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.197(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 318779464
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-85-D2-E3-00-30-48-F9-D6-35
    
       DNS Servers . . . . . . . . . . . : 192.168.1.199
                                           192.168.1.197
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Ethernet adapter Internet:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection w
    ith I/O Acceleration #4
       Physical Address. . . . . . . . . : 00-30-48-F9-D6-35
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : xxx.xxx.xxx.139(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.240
       Default Gateway . . . . . . . . . : xxx.xxx.xxx.129
       DNS Servers . . . . . . . . . . . : 192.168.1.199
                                           192.168.1.197
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{20220918-CB13-405C-8B87-E9A182E98578}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter isatap.{767D8CA3-B548-4825-9F25-3BF2879AB425}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter 6TO4 Adapter:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2002:d8da:e38b::d8da:e38b(Preferred)
       Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
       DNS Servers . . . . . . . . . . . : 192.168.1.199
                                           192.168.1.197
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    C:\Users\Administrator>dcdiag
    
    Directory Server Diagnosis
    
    Performing initial setup:
       Trying to find home server...
       Home Server = myDomainSQL1
       * Identified AD Forest.
       [myDomainWEB1] LDAP bind failed with error 1326,
       Logon failure: unknown user name or bad password..
       Got error while checking if the DC is using FRS or DFSR. Error:
       Logon failure: unknown user name or bad password.The VerifyReferences,
       FrsEvent and DfsrEvent tests might fail because of this error.
       [myDomainWEB3] LDAP bind failed with error 1326,
       Logon failure: unknown user name or bad password..
       Got error while checking if the DC is using FRS or DFSR. Error:
       Logon failure: unknown user name or bad password.The VerifyReferences,
       FrsEvent and DfsrEvent tests might fail because of this error.
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: Default-First-Site-Name\myDomainSQL1
          Starting test: Connectivity
             ......................... myDomainSQL1 passed test Connectivity
    
    Doing primary tests
    
       Testing server: Default-First-Site-Name\myDomainSQL1
          Starting test: Advertising
             ......................... myDomainSQL1 passed test Advertising
          Starting test: FrsEvent
             ......................... myDomainSQL1 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... myDomainSQL1 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... myDomainSQL1 passed test SysVolCheck
          Starting test: KccEvent
             ......................... myDomainSQL1 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... myDomainSQL1 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... myDomainSQL1 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... myDomainSQL1 passed test NCSecDesc
          Starting test: NetLogons
             ......................... myDomainSQL1 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... myDomainSQL1 passed test ObjectsReplicated
          Starting test: Replications
             [myDomainWEB3] DsBindWithSpnEx() failed with error 5,
             Access is denied..
             [myDomainWEB1] DsBindWithSpnEx() failed with error 5,
             Access is denied..
             ......................... myDomainSQL1 failed test Replications
          Starting test: RidManager
             ......................... myDomainSQL1 passed test RidManager
          Starting test: Services
             ......................... myDomainSQL1 passed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0x00000422
                Time Generated: 06/22/2013   11:32:27
                Event String:
                The processing of Group Policy failed. Windows attempted to read the
     file \\myDomain.myColo.local\sysvol\myDomain.myColo.local\Policies\{31B
    2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not
    successful. Group Policy settings may not be applied until this event is resolve
    d. This issue may be transient and could be caused by one or more of the followi
    ng:
             ......................... myDomainSQL1 failed test SystemLog
          Starting test: VerifyReferences
             ......................... myDomainSQL1 passed test VerifyReferences
    
    
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
    
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
    
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
    
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
    
       Running partition tests on : myDomain
          Starting test: CheckSDRefDom
             ......................... myDomain passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... myDomain passed test CrossRefValidation
    
       Running enterprise tests on : myDomain.myColo.local
          Starting test: LocatorCheck
             ......................... myDomain.myColo.local passed test
             LocatorCheck
          Starting test: Intersite
             ......................... myDomain.myColo.local passed test
             Intersite
    
    C:\Users\Administrator>

    Saturday, June 22, 2013 7:10 PM
  • Hello,

    Multihoming DCs, using more than one IP address or NIC, is NOT recommended and results in multiple problems.

    So on each DC that has more than one IP address, REMOVE the IP address NOT used for the internal connections in the domain.

    Then run ipconfig /flushdns and ipconfig /registerdns and restart the Netlogon service.

    Also ensure that the DNS zones contain ONLY the correct DNS records for the SINGLE IP address of each DC.

    Multihoming DCs is bad practice and should NEVER be done!!!

    http://support.microsoft.com/kb/157025

    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, June 22, 2013 9:50 PM
  • Thanks Meinolf: Unfortunately some of the DCs are also public webservers, so I can't disable the NICs with the public IPs on them. Fortunately the PDC does not need WAN access, so I can disable the 2nd NIC on that server and demote the other DCs to members, then bring up a 2nd DC with only LAN access. If I am still having problems at that point, I will update this thread.
    Saturday, June 22, 2013 9:54 PM
  • Hello,

    DCs as web servers???? Who the hell is recommending this configuration?

    In your case I would ASAP!!! move the web servers to domain member servers in a DMZ and also move other applications, if they exist, like SQL, Exchange etc., to domain member servers, then clean up the DCs from this and make them ONLY internally used LAN machines without a direct connection to the internet.

    This is a security mess in your network that should be removed ASAP.

    Your main problem is related to DNS, as a DC requires unique DNS name resolution, and if that is not given you see all these strange problems.

    So remove this main misconfiguration and you should get rid of lots of problems you have now. I understand that this may result in additional cost for software and hardware, but this can also be limited with virtualization and proper license planning. For example, a Windows Server 2008 R2 Enterprise edition can be run on a physical machine with ONLY the Hyper-V role installed and then host up to 4!!! VMs.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, June 23, 2013 9:27 AM
  • As Meinolf mentioned, you have a very bad design. DCs should NEVER be Web servers. This is because of security, performance and troubleshooting complexity issues (like the one you are facing now).

    A DC should have a single NIC card enabled with a single IP address to avoid the multi-homing as Meinolf mentioned.

    The permanent solution for your issue is to:

    1. Migrate all your Web servers to member servers and not DCs
    2. Disable the public NIC card of your DCs

    As this may take time, I would recommend applying this workaround:

    1. On the public NIC card, please disable the "Register this connection's addresses in DNS" option
    2. On the DNS system, please remove all the DNS records that were registered for your public NICs

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Sunday, June 23, 2013 2:33 PM
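An added example, not from the thread, that applies the two-step workaround in the reply above to a multihomed DC together with the cleanup Meinolf described two posts earlier. It finds the adapter whose IPv4 address lies outside the internal subnet, turns off its DNS registration (the WMI equivalent of clearing "Register this connection's addresses in DNS"), deletes the A records that adapter has already registered for the DC's own name and for the zone root (the domain name, which every DC registers), then flushes and re-registers DNS and restarts Netlogon. It assumes PowerShell 2.0 on Server 2008 R2, run as a domain admin on the DC, with the DNS role on that DC so `dnscmd` talks to the local server; `$LanNetwork`/`$LanPrefix` default to the 192.168.1.0/24 visible in the ipconfig output earlier and are assumptions to adjust. `-DryRun` reports what would change without touching anything.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on Server 2008 R2, domain admin,
# DNS role on this DC. $LanNetwork/$LanPrefix are assumptions taken from the ipconfig above.
param(
    [string]$LanNetwork = '192.168.1.0',
    [int]$LanPrefix     = 24,
    [switch]$DryRun
)

function Test-InSubnet {
    param([string]$Address, [string]$Network, [int]$Prefix)
    # Octet-by-octet comparison under the prefix mask (IPv4 only; no bit shifts so it runs on PS 2.0).
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [math]::Max(0, [math]::Min(8, $Prefix - 8 * $i))   # mask bits in this octet
        $mask = [int](256 - [math]::Pow(2, 8 - $bits))             # 8 bits -> 255, 0 bits -> 0
        if (([int]$a[$i] -band $mask) -ne ([int]$n[$i] -band $mask)) { return $false }
    }
    return $true
}

function Get-OutOfSubnetRecords {
    param([string[]]$Names)
    # What DNS currently answers for each name, keeping only addresses outside the LAN.
    $bad = @()
    foreach ($name in $Names) {
        foreach ($addr in [System.Net.Dns]::GetHostAddresses($name)) {
            if ($addr.AddressFamily -ne 'InterNetwork') { continue }
            if (-not (Test-InSubnet $addr.IPAddressToString $LanNetwork $LanPrefix)) { $bad += "$name -> $($addr.IPAddressToString)" }
        }
    }
    return $bad
}

$props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$zone  = $props.DomainName                       # the AD DNS zone, e.g. myDomain.myColo.local
$fqdn  = "$($props.HostName).$zone"

"Before: public addresses in DNS for this DC and the zone root"
Get-OutOfSubnetRecords @($fqdn, $zone)

# 1. Stop the public adapter(s) from registering in DNS.
$publicIps = @()
foreach ($nic in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")) {
    $v4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    if ($v4.Count -eq 0) { continue }
    $lan = @($v4 | Where-Object { Test-InSubnet $_ $LanNetwork $LanPrefix })
    if ($lan.Count -gt 0) { continue }           # internal adapter: keep registering
    $publicIps += $v4
    "Public adapter: $($nic.Description) -> $($v4 -join ', ')"
    if (-not $DryRun) {
        # SetDynamicDNSRegistration(FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled)
        $rc = $nic.SetDynamicDNSRegistration($false, $false)
        "  SetDynamicDNSRegistration returned $($rc.ReturnValue) (0 = success)"
    }
}

# 2. Remove the records those addresses already created; "@" is the zone root.
foreach ($ip in $publicIps) {
    foreach ($node in @($props.HostName, '@')) {
        if ($DryRun) { "Would run: dnscmd /RecordDelete $zone $node A $ip /f" }
        else { & dnscmd /RecordDelete $zone $node A $ip /f | Out-Null; "Deleted A record $node -> $ip (if it existed)" }
    }
}

# 3. Re-register the LAN address only and restart Netlogon so the SRV records follow.
if (-not $DryRun) {
    ipconfig /flushdns    | Out-Null
    ipconfig /registerdns | Out-Null
    Restart-Service Netlogon
    "After: public addresses still in DNS (other DCs may need replication time)"
    Get-OutOfSubnetRecords @($fqdn, $zone)
}
```

The before/after listing is the useful part for a thread like this: once the zone root and each DC name resolve only to LAN addresses, the `\\domain\sysvol\...\gpt.ini` lookup and the LDAP binds between DCs can no longer land on a public interface.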
  • Thank you both for the suggestions. These are just a group of servers in a colo cabinet, with their own "mini domain" set up as a convenience for directory replication, but I can update the network architecture as you suggest.
    Sunday, June 23, 2013 3:25 PM
  • I had the same issue while promoting a new W2008 Std server to a DC in a remote site in a world-wide forest.

    It generated the same error during "examining AD".

    After searching Google I realised that, in spite of the error message "LDAP bind failed with error 1326, Logon failure: unknown user name or bad password", it does not relate to any creds.

    In my case it was caused by an incorrect MTU size on the WAN channel (GRE tunnel).

    Once we corrected this, everything ran smoothly.

    Hope it could help to someone.

    Friday, June 26, 2015 3:17 PM
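An added example, not from the thread, for the MTU case in the last reply: it finds the largest ICMP payload that reaches a remote DC without fragmentation, which is the quick check that exposes a tunnel with a reduced MTU before it shows up as a bind error. It assumes Windows `ping.exe` (the `-f` don't-fragment and `-l` size switches), that the target answers ICMP echo, and a placeholder target name; the 28 added to the result is the IPv4 header (20) plus ICMP header (8).

```powershell
# Added example, not from the thread. Assumes Windows ping.exe and a reachable target;
# $Target is a placeholder to replace with the DC on the far side of the tunnel.
param(
    [string]$Target = 'dc-in-remote-site.example.local',
    [int]$Low  = 500,    # payload size assumed to always fit
    [int]$High = 1472    # largest payload that fits a 1500-byte Ethernet frame
)

function Test-PayloadFits {
    param([string]$Target, [int]$Size)
    # Windows ping prints "Packet needs to be fragmented but DF set." when the probe is too large.
    $out = & ping -n 1 -f -l $Size $Target 2>&1 | Out-String
    if ($out -match 'needs to be fragmented') { return $false }
    return ($out -match 'TTL=')   # a real echo reply; anything else is a timeout or unreachable
}

function Find-PathMtu {
    param([string]$Target, [int]$Low, [int]$High)
    # Binary search between a payload known to fit and one known not to.
    if (-not (Test-PayloadFits $Target $Low)) { throw "$Target did not answer a $Low-byte probe; check reachability first" }
    if (Test-PayloadFits $Target $High) { return $High + 28 }   # full-size frames pass: nothing to find
    while ($High - $Low -gt 1) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        if (Test-PayloadFits $Target $mid) { $Low = $mid } else { $High = $mid }
    }
    return $Low + 28
}

$mtu = Find-PathMtu $Target $Low $High
"Path MTU to ${Target}: $mtu bytes"
if ($mtu -lt 1500) {
    "Below 1500: a tunnel (GRE, IPsec, PPPoE) is likely in the path. Align the tunnel endpoint or the DC adapters with this value; full-size LDAP/RPC frames otherwise do not get through, which is the failure described in the post above."
}
```

Run it from a DC on one side of the WAN against a DC on the other; a result well under 1500 with otherwise healthy connectivity is the signature of the problem the last reply hit.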