Active Directory Woes

RLG

A few months ago we added a couple of Windows 2000 DCs to our network.
Everything has seemed to work fine up until yesterday afternoon. My coworker
attempted to connect to a share on one of the DCs and was unable to connect
using the server name (in this case "backup" is the server name). The error
he received is the one below:

\\Backup is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out if
you have access permissions. Login Failure: The target account name is
incorrect.

The coworker who attempted the connection has administrator rights to the
domain. So, permissions should not be a problem. So, I tried connecting to
the same server via a share (any share, for that matter) and was greeted
with the same exact error. I too have administrator rights to the domain. We
eventually tried connecting to the server using its IP address and didn't
have any problems at all connecting this way. Permissions seem to be intact.
We ended up, as a bandaid to the problem, remapping shares for users that
need to connect to a specific share on that server, using the IP address
instead of the server name.

Here are some facts:

- Some users can connect to the "backup" server via network shares.
- We are able to resolve the servername using DNS. We ping the name "backup"
and receive a response from the machine.
- DNS is running and "backup" is in the zone.
- Other than changing a few user account passwords there have been no
recent changes to the Active Directory.
- We are running in Mixed mode. We have two Windows 2000 domain controllers
and two Windows NT 4 BDCs.

Does anyone have an idea what might be the problem? Any troubleshooting
advice?

Thanks for your time and help,
Rod
 
Thanks Christoffer. The KB article you pointed me to says to either rename
the computer or delete the machine account from the domain. We have only one
domain. The computer is a domain controller; the controller with the Global
Catalog. How can I rename or delete a DC without causing problems?

Thanks again,
Rod
 
I've tried that with another computer already. I disconnected it from the
domain, renamed it, then re-added it to the domain. I still get the same
error when I try to access the \\backup server.

Thanks,
Rod
 
It wasn't clear whether the connection attempts you and the other admin made
were from the same client or different ones, which will make a difference.
Also, what OS are the clients having the problems running?
Since you're able to ping that DC by DNS name and other users can connect to
those same shares OK, it appears to be more client-end related, but verify
that the two DC event logs don't show any errors that might be related to
this (i.e., replication, DNS, etc. problems that could affect it). (You also
mentioned that DNS resolution and pinging "backup" gave a reply, but I wanted
to verify that pinging both the NetBIOS name backup and the DNS name
backup.domainname.com work.)
Do the clients experiencing the problem share any commonalities (using the same
switch/router/etc., on the same subnet, running the same apps, etc.)?
Also, are the clients showing any domain-related problems in their event
logs, such as logon or secure channel problems?
Also look at:
318245 "An Invalid Operation Was Attempted on an Active Network Connection"
http://support.microsoft.com/?id=318245

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Move the FSMOs off of the server. If not, Dcpromo will
do it for you, but it is better to do it yourself.

Move the GC to another server (make sure the server is
not housing the Infrastructure Master role).

Run Dcpromo, demote the server and reboot.

Move the server from the domain to a workgroup and reboot.

Change the name of the server. If the original name is
still in AD, delete it. Reboot.

Change the name back to the original name. Reboot.

Add the server back to the domain. Reboot.

Run Dcpromo and load AD back up.

Moving it to the workgroup seems like an unnecessary step;
however, I have seen cases where, after changing the name while it is
still in the domain, the account will still have problems.

Have fun with all the reboots.
 
Thank you David. The connection attempts were from several different
computers. We've tried on three computers with the same results; the same
error. Regular users are unable to connect to the same server as well.

The clients are running Windows XP Professional and Windows 2000
Professional.

In the event logs I see an error that may be something of importance:
-------------------------------------------------------------------
"Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 1/15/2004
Time: 1:29:10 PM
User: N/A
Computer: ACERP2400-01
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
BACKUP$. This indicates that the password used to encrypt the kerberos
service ticket is different than that on the target server. Commonly, this
is due to identically named machine accounts in the target realm
(TRAYER1.TRAYERPRODUCTS.COM), and the client realm. Please contact your
system administrator.
-------------------------------------------------------------------

The only thing I can think of as far as identically named machine accounts
is that a Linux machine was joined to the domain yesterday. The admin who
added it might not have used the proper Samba syntax and typed in the name
"backup" in the wrong place in the command. If that is the case, what do we
do now? The Linux machine he was working on is now online but has a
different name.

As far as pinging both the netbios name and the dns name, yes, they both
work fine.

Thanks again for your help,
Rod
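
The following is an added example, not part of the thread or any poster's code: one way to correlate the Event ID 4 record above with an export of computer accounts, flagging a password change on the named account shortly before the error (joining a machine under an existing account name resets that account's password) and any other account whose SPN carries the same host name. The export layout, the `example.com` DNs, the `LINUX01` account and all timestamps in it are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Fields of the Kerberos Event ID 4 record posted in the thread (abridged).
EVENT = """Date: 1/15/2004
Time: 1:29:10 PM
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
BACKUP$. This indicates that the password used to encrypt the kerberos"""
# Constructed export; pwdLastSet shown as local time (AD stores a FILETIME).
EXPORT = """dn: CN=BACKUP,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: BACKUP$
servicePrincipalName: HOST/backup.example.com
pwdLastSet: 2004-01-15 13:05:00

dn: CN=LINUX01,CN=Computers,DC=example,DC=com
sAMAccountName: LINUX01$
servicePrincipalName: HOST/backup

dn: CN=ACERP2400-01,CN=Computers,DC=example,DC=com
sAMAccountName: ACERP2400-01$
servicePrincipalName: HOST/acerp2400-01"""

def parse_event(text):
    """Return (target account, event time) from the Event ID 4 text."""
    m = re.search(r"Date:\s*(\S+)\s+Time:\s*([^\n]+).*?from the server\s+(\S+?\$)",
                  text, re.S)
    return m[3], datetime.strptime(f"{m[1]} {m[2].strip()}", "%m/%d/%Y %I:%M:%S %p")

def parse_export(text):
    """Blank-line separated records -> list of {attribute: [values]}."""
    records = []
    for block in text.strip().split("\n\n"):
        records.append(rec := {})
        for key, value in re.findall(r"^(\w+): (.*)$", block, re.M):
            rec.setdefault(key, []).append(value)
    return records

def findings(event_text, export_text, window=timedelta(hours=24)):
    """Flag a recent password change on the target and its name on other SPNs."""
    target, when = parse_event(event_text)
    host, out = target.rstrip("$").lower(), []
    for r in parse_export(export_text):
        if r["sAMAccountName"][0].lower() == target.lower():
            changed = datetime.strptime(r["pwdLastSet"][0], "%Y-%m-%d %H:%M:%S")
            if timedelta(0) <= when - changed <= window:
                out.append(("recent-password-change", r["dn"][0], str(changed)))
        elif host in {s.split("/")[-1].split(".")[0].lower()
                      for s in r.get("servicePrincipalName", [])}:
            out.append(("name-on-other-account", r["dn"][0]))
    return target, out
```
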
 