Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

AD/DNS problem [message #157106] Tue, 30 June 2009 11:20
Winston Cheng (United States)
I have a Windows Server 2008 named "win2008". On the XP clients, "\\win2008"
returns an error "\\win2008 is not accessible. You might not have permission
to use this network resource. Contact the administrator of this server to
find out if you have access permissions. Logon Failure: The target account
name is incorrect."

If I use the IP address though, it works, which leads me to believe there is
something up with the DNS, however, I can't figure out what is wrong with
the DNS. Every other client works, and even another DC on the network works
fine ("\\sbtsvr", which is on a Windows 2000 Server OS, goes straight to the
shared folders). sbtsvr is the secondary DNS server.

The server has had constant problems listed on the Event Viewer about Active
Directory not able to replicate with other DCs, but it never prevented
"\\win2008" from working before.

win2008 is the only machine that can't be reached by name when run with \\.
All clients get the same error when trying to access win2008.

win2008 replaced a Windows 2003 Server that used to be a DC. I probably
didn't do a good job with the transfer. I've deleted traces as I see them,
and the Windows 2000 Server sees more traces of 2003 than the 2008 Server
does.
Re: AD/DNS problem [message #157648 is a reply to message #157106] Fri, 10 July 2009 13:13
florian (Germany)
Howdie!

Winston Cheng wrote:
> I have a Windows Server 2008 named "win2008". On the XP clients, "\\win2008"
> returns an error "\\win2008 is not accessible. You might not have permission
> to use this network resource. Contact the administrator of this server to
> find out if you have access permissions. Logon Failure: The target account
> name is incorrect."
>
> If I use the IP address though, it works, which leads me to believe there is
> something up with the DNS, however, I can't figure out what is wrong with
> the DNS. Every other client works, and even another DC on the network works
> fine ("\\sbtsvr", which is on a Windows 2000 Server OS, goes straight to the
> shared folders). sbtsvr is the secondary DNS server.

Check your time settings and the DNS settings thereafter. It reads like
you have a Kerberos problem. Kerberos is the authentication protocol
that issues tickets to communication participants. For successful ticket
acquisition, the time between a DC (between DCs) and the ticket
requestor must be within 5 minutes. So check whether there's a time skew.

The fact that you can use the IP address successfully is a sign of
that. Using the IP address creates a fall-back to NTLM auth.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (German): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: AD/DNS problem [message #157658 is a reply to message #157106] Fri, 10 July 2009 16:42
aceman (United States)
"Winston Cheng" <winstonc@ktinet.com> wrote in message news:o3q2m.3489$Jb1.3275@flpi144.ffdc.sbc.com...
>I have a Windows Server 2008 named "win2008". On the XP clients, "\\win2008"
> returns an error "\\win2008 is not accessible. You might not have permission
> to use this network resource. Contact the administrator of this server to
> find out if you have access permissions. Logon Failure: The target account
> name is incorrect."
>
> If I use the IP address though, it works, which leads me to believe there is
> something up with the DNS, however, I can't figure out what is wrong with
> the DNS. Every other client works, and even another DC on the network works
> fine ("\\sbtsvr", which is on a Windows 2000 Server OS, goes straight to the
> shared folders). sbtsvr is the secondary DNS server.
>
> The server has had constant problems listed on the Event Viewer about Active
> Directory not able to replicate with other DCs, but it never prevented
> "\\win2008" from working before.
>
> win2008 is the only machine that can't be reached by name when run with \\.
> All clients get the same error when trying to access win2008.
>
> win2008 replaced a Windows 2003 Server that used to be a DC. I probably
> didn't do a good job with the transfer. I've deleted traces as I see them,
> and the Windows 2000 Server sees more traces of 2003 than the 2008 Server
> does.
>
>


As Florian mentioned, it seems there may be a Kerberos issue due to a time skew.

Also, I would like to point out that when connecting to a server using a UNC, such as \\win2008 or \\win2008\sharename, it first tries to resolve it with DirectSMB, then if that fails, it tries NetBIOS name resolution, not DNS. That's because Windows 2000 and newer will try to connect simultaneously over NetBIOS (port 139) and DirectSMB (port 445). If there is no response from the target on 445, it reverts back to 139. This offers legacy support for NetBIOS-based apps. That is why if you disable NetBIOS on a server, it will still connect to other servers, but any NetBIOS-based apps that require connectivity to that server will fail.

So the above issue is not related to DNS. As for the replication issue, that could be caused by numerous issues and is more than likely related to DNS and/or time skew.

Possible causes:

1. Time skew
2. Using your ISP's DNS server as an internal address
3. Multihomed DC (more than one NIC that are not teamed, or multiple IPs)
4. Single label name AD DNS domain name ('domain' rather than the required minimal format of 'domain.com', 'domain.local', etc.).

To better assist you in diagnosing this issue, please post the following:

1. Unedited "ipconfig /all" of all of the DCs and of one sample client. You can change the domain name for security, but keep its format, please.
2. The Event log EventID# and the SOURCE Name in the event on any of your DCs
3. How long has this been going on?
4. What steps did you follow to replace the 2003 DC with the new 2008 DC? Did you demote the old DC, or just unplug it from the network? Did you seize the roles, or did you transfer the roles?
5. Please elaborate on anything else we may have missed.

Thank you,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
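
One way to test the time-skew theory raised in both replies, as an added example that is not part of the original thread: it parses the output of `w32tm /stripchart ... /dataonly` and compares the worst offset with the 5-minute tolerance Florian mentions. The function name `Get-SkewFromStripchart`, the sample lines and the address 192.0.2.10 are constructed for illustration.

```powershell
# Added example; requires PowerShell 3.0+ (and w32tm for the optional live check).
$MaxSkewSeconds = 300   # the 5-minute Kerberos tolerance mentioned in the thread

function Get-SkewFromStripchart {
    param(
        [string[]]$Lines,                      # raw lines printed by w32tm /stripchart /dataonly
        [int]$ToleranceSeconds = $MaxSkewSeconds
    )
    $inv    = [Globalization.CultureInfo]::InvariantCulture
    $errors = @()
    $offsets = @(foreach ($line in $Lines) {
        # Data lines look like "11:20:03, -312.4567890s"; header lines match neither branch.
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*([+-]?\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], $inv)
        } elseif ($line -match 'error:\s*(0x[0-9A-Fa-f]+)') {
            $errors += $Matches[1]             # sample failed (timeout, host not answering NTP)
        }
    })
    if ($offsets.Count -eq 0) {
        throw "No offset samples parsed; errors seen: $($errors -join ', ')"
    }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Samples                 = $offsets.Count
        FailedSamples           = $errors.Count
        WorstOffsetSeconds      = [math]::Round($worst, 3)
        WithinKerberosTolerance = ($worst -le $ToleranceSeconds)
    }
}

# Constructed sample output, not captured from the poster's network.
$sample = @(
    'Tracking win2008 [192.0.2.10:123].'
    'Collecting 3 samples.'
    'The current time is 6/30/2009 11:20:01 AM.'
    '11:20:01, -312.4567890s'
    '11:20:03, error: 0x800705B4'
    '11:20:05, -312.4571234s'
)
Get-SkewFromStripchart -Lines $sample

# Live check from an affected client (run against each DC in turn):
# Get-SkewFromStripchart -Lines (w32tm /stripchart /computer:win2008 /samples:3 /dataonly)
```

A result with `WithinKerberosTolerance` set to `False` supports the time-skew explanation; if every DC is within tolerance, the other causes on Ace's list are the next things to check.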