Domain Controller - Active Directory errors galore


Stephan Carydakis

Hi All,

First some background to the problem. I am a developer not a network,
systems or db admin! I have a Debian Linux VM running Samba and recently ran
an apt-get update which installed the latest versions of everything. After
this update, I could no longer connect the Debian box to my DC via ads
connect and I could not browse or login to any Samba shares. I eventually
(after about 16 hours) managed to get this working again. In the process, I
did a whole heap of joining the Debian box to my single Win2k AS domain.

At some point later, I was on the DC for my domain and opened the AD Users
And Computers mmc only to get the following error:

Naming information could not be located because:
The target principal name is incorrect.
Contact your system admin yada yada yada...



What the? When I try to run any mmc related to Active Directory, I get
similar errors. If I run the Domain Controller Security Policy or Domain
Security Policy mmc I get:

Failed to open the Group policy Object. You may not have the appropriate
rights.
Details:
Logon Failure: The target account name is incorrect.



The userenv.log is full of the following:

USERENV(130.31c) 23:42:22:515 ProcessGPOs: MyGetUserName failed with 1326.
USERENV(130.4e4) 23:42:31:531 MyGetUserName: GetUserNameEx failed with -2146893022.
USERENV(130.4e4) 23:42:32:062 MyGetUserName: GetUserNameEx failed with -2146893022.
USERENV(130.4e4) 23:42:32:593 MyGetUserName: GetUserNameEx failed with -2146893022.
USERENV(130.4e4) 23:42:33:140 MyGetUserName: GetUserNameEx failed with -2146893022.
USERENV(130.4e4) 23:42:33:140 ProcessGPOs: MyGetUserName failed with -2146893022.
USERENV(130.4e4) 23:45:14:453 MyGetUserName: GetUserNameEx failed with -2146893022.
USERENV(130.4e4) 23:45:14:984 MyGetUserName: GetUserNameEx failed with -2146893022.
USERENV(130.4e4) 23:45:15:718 MyGetUserName: GetUserNameEx failed with -2146893022.
USERENV(130.31c) 23:45:16:031 MyGetUserName: GetUserNameEx failed With 1326.
USERENV(130.4e4) 23:45:16:250 MyGetUserName: GetUserNameEx failed with -2146893022.



The Directory Service Log has a few entries for:

Type: warning
Source: NTDS General
Category: (18)
Event ID: 1655
Description:
The attempt to communicate with global catalog \\SHIRAZ.vineyard.local
failed with the following status:

Logon failure: unknown user name or bad password.

The operation in progress might be unable to continue. The directory
service will use the locator to try find an available global catalog Server
for the next operation that requires one.

The record data is the status code.

Type: error
Source: NTDS General
Category: (18)
Event ID: 1126
Description:
Unable to establish connection with global catalog.



The File Replication Log has a couple of entries for:

Type: warning
Source: NtFrs
Category: None
Event ID: 13562
Description:
Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
SHIRAZ.vineyard.local for FRS replica set configuration information.

Could not bind to a Domain Controller. Will try again at next polling
cycle.



The System Log has mucho entries for:

Type: warning
Source: MRxSmb
Category: None
Event ID: 3034
Description:
The redirector was unable to initialize security context or query context
attributes.



The Application Log has mucho entries for:

Type: error
Source: Userenv
Category: None
Event ID: 1000
Description:
Windows cannot determine the user or computer name. Return value (1326).



The Application log has 1 entry for:


Type: error
Source: SceSrv
Category: None
Event ID: 1003
Description:
Policy change from LSA/SAM can't be saved in the policy storage. Error 4312
to save policy change for account
S-1-5-21-1220945662-1275210071-725345543-3097 in the default GPOs. For more
debugging information, please look security\logs\scepol.log under Windows
root.



The last entry logged in scepol.log was on 03/31/2005 14:16:46. After
running NetDiag I found the following fails:

DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to SHIRAZ.vineyard.local (10.5.1.50).
[SEC_E_WRONG_PRINCIPAL]
List of DCs in Domain 'VINEYARD':
SHIRAZ.vineyard.local

LDAP test. . . . . . . . . . . . . : Passed

<snip>

[WARNING] Failed to query SPN registration on DC
'SHIRAZ.vineyard.local'.


Per interface results:

Adapter : Local Area Connection

<snip>

[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenger Service', <20> 'WINS' names is missing.


NetBT name test. . . . . . . . . . : Passed
No NetBT scope defined
[WARNING] You don't have a single interface with the <00> 'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.



I have rebooted and still have these issues. From the domain controller, I
can see the domain and domain controller (including shares) however when I
try to open one, I get "Logon failure: the target account name is
incorrect".

From another Win2k member server, I can logon to the domain (cached
credentials?), I can see the domain but can't see any shares and when I try
to map to the default c$ share, I get the same error "Logon failure: the
target account name is incorrect".

Any input is much appreciated, even if only in thought. BTW, I have posted
this to the microsoft.public.win2000.advanced_server group but thought this
is a better place. Sorry...

Steph.
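
Added example, not part of the original post: a small triage script for the userenv.log excerpt above. It re-joins the wrapped entries and decodes the signed decimal codes, showing that -2146893022 is 0x80090322 (SEC_E_WRONG_PRINCIPAL, the same status NetDiag reports for DsBind) and 1326 is ERROR_LOGON_FAILURE. The function names are illustrative; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Status codes seen in this thread, keyed by their unsigned 32-bit value.
KNOWN = {
    0x0000052E: "ERROR_LOGON_FAILURE",    # logged as 1326
    0x80090322: "SEC_E_WRONG_PRINCIPAL",  # logged as -2146893022
}

# USERENV(process.thread) time function: ... failed with <code>
ENTRY = re.compile(
    r"USERENV\((?P<proc>[0-9a-f]+)\.(?P<thread>[0-9a-f]+)\)\s+\S+\s+"
    r"(?P<func>\w+):.*?failed\s+with\s+(?P<code>-?\d+)",
    re.IGNORECASE,
)

# Sample input: four entries copied from the post, line wrapping kept as posted.
SAMPLE = """\
USERENV(130.31c) 23:42:22:515 ProcessGPOs: MyGetUserName failed with 1326.
USERENV(130.4e4) 23:42:31:531 MyGetUserName: GetUserNameEx failed
with -2146893022.
USERENV(130.4e4) 23:42:33:140 ProcessGPOs: MyGetUserName failed
with -2146893022.
USERENV(130.31c) 23:45:16:031 MyGetUserName: GetUserNameEx failed With
1326.
"""

def join_wrapped(text):
    """Re-join entries that news/mail wrapping split across lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("USERENV(") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def decode(code):
    """Signed decimal as logged -> (unsigned hex string, symbolic name)."""
    unsigned = code & 0xFFFFFFFF
    return f"0x{unsigned:08X}", KNOWN.get(unsigned, "UNKNOWN")

def summarize(text):
    """Count failures per (thread id, hex code, name)."""
    tally = Counter()
    for entry in join_wrapped(text):
        m = ENTRY.match(entry)
        if m:
            tally[(m.group("thread"),) + decode(int(m.group("code")))] += 1
    return tally

if __name__ == "__main__":
    for (tid, code, name), n in sorted(summarize(SAMPLE).items()):
        print(f"thread {tid}: {n} x {code} {name}")
```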
 
"Unable to establish connection with global catalog."

This should say all.

And who is SHIRAZ.vineyard.local? Can you connect to this machine? Is it
listening on port 3268? (global catalog)

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au


 
Hi Andrei,

Andrei Ungureanu said:
"Unable to establish connection with global catalog."

This should say all.

And who is SHIRAZ.vineyard.local? Can you connect to this machine? Is it
listening on port 3268? (global catalog)

As I mentioned, I was getting the below errors whilst logged on the DC which
is named SHIRAZ. So the errors are being reported by the DC saying it can't
connect to its own global catalog. It seems user authentication is OK
because I can log on to the DC but I am getting all of these errors related
to AD. This does not seem to be a network issue. I can connect to this
machine. It also is the primary DNS and DNS is functioning correctly. The DC
is being seen by all other machines and is ping-able.

I have the strangest feeling that something went wrong during one of the
times I connected a Linux box to AD via the "ads connect" command. How, why
and what is wrong has got me stumped!

Thanks,

Steph.
 
Andrei,

I don't quite know what you are getting at but last night I spent a few
hours trying to fix the problem and I have found out what and why the
problem occurred. I am completely dumfounded as to how this can happen.

I happened to have Ghost backups from just 3 weeks ago and decided to
replace the contents of the global catalogue (which resides on a separate
drive to the log files). I rebooted in AD restore mode to do this. When I
rebooted, the problem was fixed! Well, I couldn't leave it at that and
wanted to know what caused the problem. Because I was fairly sure the
problem first appeared when I was trying to get Samba -> AD happening, I
went back to the Samba configuration files. When I inadvertently changed the
value of "netbios name" to be the name of my DC "shiraz", the problem
occurred again. I'd love to know how this causes corruption of the global
catalogue?

So after I rebooted in AD restore mode and replaced the catalogue again, the
problem was fixed again. To be 100% positive that the corruption was caused
by the above incorrect parameter, I tried it again and sure enough it
happened again. Explain that?

Steph.
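
Added example, not part of the thread: a pre-join check for the misconfiguration identified in the post above. It works out the name Samba will use (the [global] "netbios name", or the short hostname when that parameter is unset) and reports any collision with a list of domain controller names. The smb.conf fragments, the hostname debian1 and the function names are constructed for illustration; SHIRAZ.vineyard.local is the DC named in the thread.

```python
import re

# Constructed smb.conf fragments: the setting that triggered the problem, and a safe one.
BAD_CONF = """
[global]
   workgroup = VINEYARD
   realm = VINEYARD.LOCAL
   security = ads
   netbios name = shiraz
"""
GOOD_CONF = BAD_CONF.replace("netbios name = shiraz", "NetBIOS Name = debian1")

def short_name(name):
    """NetBIOS comparison form: first DNS label, upper case, 15 chars max."""
    return name.split(".", 1)[0].upper()[:15]

def effective_netbios_name(smb_conf_text, hostname):
    """Name Samba will use: [global] 'netbios name', else the short hostname."""
    section, name = None, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba matches parameter names ignoring case and whitespace.
            if re.sub(r"\s+", "", key).lower() == "netbiosname":
                name = value.strip()
    return short_name(name or hostname)

def colliding_dcs(smb_conf_text, hostname, dc_names):
    """Return the DCs whose name equals the name this Samba host would use."""
    mine = effective_netbios_name(smb_conf_text, hostname)
    return [dc for dc in dc_names if short_name(dc) == mine]

if __name__ == "__main__":
    dcs = ["SHIRAZ.vineyard.local"]
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        hits = colliding_dcs(conf, "debian1", dcs)
        print(label, "-> do not join, collides with" if hits else "-> ok", *hits)
```

Run it against the real smb.conf and the current DC list before any "net ads join"; an unset "netbios name" on a host whose hostname matches a DC is flagged the same way.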
 
NEVER use software similar to ghost to backup DCs in a multi DC environment.

Besides the password thing, other issues WILL be experienced -> means bad
headaches

Go to my blog and search for BACKUP... you will find an article on WHY it is bad

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 