Re: netlogon error

From: Brown (fbrown_at_mta-inc.com)
Date: 01/05/05

    Date: Wed, 5 Jan 2005 08:37:19 -0600
    
    

    In the Event Log I get the following message:

    Event Type: Warning

    Event Source: LSASRV

    Event Category: SPNEGO (Negotiator)

    Event ID: 40960

    Date: 1/5/2005

    Time: 7:18:18 AM

    User: N/A

    Computer: MTA-SERVER02

    Description:

    The Security System detected an authentication error for the server
    cifs/mta-main.MTA-inc.local. The failure code from authentication protocol
    Kerberos was "The attempted logon is invalid. This is either due to a bad
    username or authentication information.

    (0xc000006d)".

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    Data:

    0000: 6d 00 00 c0 m..

    ----------------
    Brown

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:Ot5o7Av8EHA.4004@tk2msftngp13.phx.gbl...
    > '192.168.1.99' is IP of the SBS ?
    > Can you clarify for me a little just what you meant by
    > > It appears that the name for the Win2K3 on the SBS2K3 server is not in
    > > sync with the name on the Win2k3 server, but I cannot locate an
    > > occurrence where it is different.
    > Names as seen where ?
    > Can you post output from running, on the failing W2k3 (nonSBS)
    > ipconfig /all
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Brown" <fbrown@mta-inc.com> wrote in message
    > news:%23acMnep8EHA.2156@TK2MSFTNGP10.phx.gbl...
    > > OK, I'm back - I have gone through the suggestions and am still at a
    > > loss.
    > > Netdiag still shows problems on the Win2K3 server:
    > >
    > > Domain membership test . . . . . . : Failed
    > > [WARNING] Ths system volume has not been completely replicated to the
    > > local machine. This machine is not working properly as a DC.
    > > ------
    > > DNS test . . . . . . . . . . . . . : Failed
    > > [FATAL] Failed to fix: DC DNS entry MTA-inc.local. re-registeration on
    > > DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry
    > > _ldap._tcp.Default-First-Site-Name._sites.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry
    > > _ldap._tcp.206600de-fb91-4786-8e91-7db1704af5a3.domains._msdcs.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry
    > > 67f85d0b-43cd-47df-948d-1a165f5851d7._msdcs.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry
    > > _kerberos._tcp.dc._msdcs.MTA-inc.local. re-registeration on DNS server
    > > '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry
    > > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry
    > > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry
    > > _kerberos._tcp.Default-First-Site-Name._sites.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry _kerberos._udp.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.MTA-inc.local.
    > > re-registeration on DNS server '192.168.1.99' failed.
    > >
    > > DNS Error code: 0x00002339
    > >
    > > [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries
    > > for this DC on DNS server '192.168.1.99'.
    > >
    > > [FATAL] No DNS servers have the DNS records for this DC registered.
    > >
    > > ------
    > > DC list test . . . . . . . . . . . : Failed
    > > [WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99).
    > > [SEC_E_WRONG_PRINCIPAL]
    > > -------
    > > Trust relationship test. . . . . . : Failed
    > > [WARNING] Don't have access to test your domain sid for domain
    > > 'MTA-INC'.
    > > [Test skipped]
    > > [FATAL] Secure channel to domain 'MTA-INC' is broken.
    > > [ERROR_NO_TRUST_SAM_ACCOUNT]
    > > -----
    > > Kerberos test. . . . . . . . . . . : Failed
    > > [FATAL] Kerberos does not have a ticket for
    > > host/mta-server02.MTA-inc.local.
    > > -----
    > >
    > > It appears that the name for the Win2K3 on the SBS2K3 server is not in
    > > sync with the name on the Win2k3 server, but I cannot locate an
    > > occurrence where it is different.
    > >
    > > Brown
    > >
    > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > news:eiCa33w6EHA.1408@TK2MSFTNGP10.phx.gbl...
    > > > No problem Frank. Let us know if you did not get
    > > > fixed up by this.
    > > > BTW, if you can remote into the SBS then you should
    > > > be able to open a remote desktop to the W2k3 from
    > > > within the SBS. Double remote desktop can be a little
    > > > tedious but does work. Also, you can configure the
    > > > SBS to directly mediate remote desktop connection
    > > > to any internal machine should you so choose.
    > > >
    > > > --
    > > > Roger Abell
    > > > Microsoft MVP (Windows Security)
    > > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > > "Brown" <fbrown@knology.net> wrote in message
    > > > news:%23OB%23Mfg6EHA.2032@tk2msftngp13.phx.gbl...
    > > > > Roger, Thanks for the help. I have run the netdiag /fix and it looks
    > > > > like it has cleared up some of the problems. I am back home working
    > > > > via the SBS remote access. The 2K3 machine is not available (part of
    > > > > the problem) so I will have to try to get back in to the office to do
    > > > > it. I will be out of touch for several days, and may not be able to
    > > > > get back to it until then. I have your suggestions, and will see if
    > > > > that takes care of me when I can get back on the machine.
    > > > >
    > > > > I want to make sure you Steven know how much I appreciate your
    > > > > patience and assistance.
    > > > >
    > > > > Frank Brown
    > > > >
    > > > >
    > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > > > news:%23v0SqWf6EHA.1392@tk2msftngp13.phx.gbl...
    > > > > > On the SBS first run
    > > > > > netdiag /fix
    > > > > > Verify that the zones supporting the AD are configured for
    > > > > > secured dynamic updates allowed. For this, run the DNS
    > > > > > mgmt UI and highlight each forward zone then rclick into
    > > > > > its properties. They should be AD integrated and allowing
    > > > > > secured dynamic updates.
    > > > > >
    > > > > > On the failing W2k3 check that
    > > > > > - in tcp/ip settings the DNS server is the SBS machine
    > > > > > - in System properties (rclick my computer, properties)
    > > > > > the full computer name is correct, right domain
    > > > > > at cmd prompt run
    > > > > > net stop netlogon
    > > > > > net start netlogon
    > > > > > then rerun netdiag to see if it is clean.
    > > > > >
    > > > > > Once clean, you will want to install DNS on the
    > > > > > second DC (if not already) and have it host the same
    > > > > > AD integrated zones as are on the other DNS service.
    > > > > >
    > > > > > optional/advised:
    > > > > > After you have DNS fault tolerance, you could/should
    > > > > > configure each DC to point first to the other and then
    > > > > > to itself for DNS services in the Tcp/Ip config.
    > > > > >
    > > > > > --
    > > > > > Roger Abell
    > > > > > Microsoft MVP (Windows Security)
    > > > > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > > > > "Brown" <fbrown@mta-inc.com> wrote in message
    > > > > > news:OKNECGf6EHA.1204@TK2MSFTNGP10.phx.gbl...
    > > > > >> OK, I ran dcdiag and netdiag on the 2K3 machine errors abound ----
    > > > > >> First: dcdiag > "Although the Guid name <string of stuff here>
    > > > > >> couldn't be resolved, the server name (server02.domain.local)
    > > > > >> resolved to the IP address (192.168.1.98) and was pingable. Check
    > > > > >> that the IP address is registered correctly with the DNS Server."
    > > > > >> The other tests in dcdiag passed
    > > > > >> Then: netdiag:> Domain membership test: Failed "[WARNING] The system
    > > > > >> volume has not been completely replicated to the local machine. This
    > > > > >> machine is not working properly as a DC."
    > > > > >> DC test: failed "[WARNING] The DNS entries for this DC are not
    > > > > >> registered correctly on the DNS server '192.168.1.99'. Please wait
    > > > > >> for 30 minutes for DNS server replication. [FATAL] No DNS servers
    > > > > >> have the DNS records for this DC registered."
    > > > > >> DC list test: Failed [WARNING] Cannot call DsBind to
    > > > > >> main.domain.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
    > > > > >> Trust Relationship test: Failed ....
    > > > > >> Kerberos test: Failed........
    > > > > >>
    > > > > >> OK, HELP!! Where do I start??
    > > > > >>
    > > > > >> Brown
    > > > > >>
    > > > > >>
    > > > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > > > >> news:Oql3Ced6EHA.3124@TK2MSFTNGP11.phx.gbl...
    > > > > >> > and netdiag and dcdiag have told you . . . ?
    > > > > >> >
    > > > > >> > --
    > > > > >> > Roger
    > > > > >> > "Brown" <fbrown@knology.net> wrote in message
    > > > > >> > news:OEn0igV6EHA.2568@TK2MSFTNGP11.phx.gbl...
    > > > > >> > > The SBS machine has 2 NICs but only one is active. The Win2K3
    > > > > >> > > has one NIC.
    > > > > >> > > DHCP is running on an external router.
    > > > > >> > >
    > > > > >> > > Brown
    > > > > >> > >
    > > > > >> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > > > >> > > news:uZpd85T6EHA.2192@TK2MSFTNGP14.phx.gbl...
    > > > > >> > > > For DC communications issues your first stop shop to
    > > > > >> > > > get hints of what may be amiss is by running on each DC
    > > > > >> > > > netdiag and dcdiag utilities (depending on versions, you
    > > > > >> > > > may need to install the optional support tools from the
    > > > > >> > > > CD).
    > > > > >> > > >
    > > > > >> > > > Which, if any, of these machines are multihomed (>1 nic)?
    > > > > >> > > >
    > > > > >> > > > --
    > > > > >> > > > Roger Abell
    > > > > >> > > >
    > > > > >> > > > "Brown" <fbrown@mta-inc.com> wrote in message
    > > > > >> > > > news:O5OJURP6EHA.4008@TK2MSFTNGP15.phx.gbl...
    > > > > >> > > >> I tried that, but since it is a DC (backup) it will not
    > > > > >> > > >> allow this. Is there any other way to get them to shake
    > > > > >> > > >> hands?
    > > > > >> > > >> Brown
    > > > > >> > > >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > > > >> > > >> news:%23deks%23L6EHA.3124@TK2MSFTNGP11.phx.gbl...
    > > > > >> > > >> > did I actually forget to mention that you could try
    > > > > >> > > >> > resetting the machine account (in AD Users and Comps) . . .
    > > > > >> > > >> >
    > > > > >> > > >> > --
    > > > > >> > > >> > Roger Abell
    > > > > >> > > >> >
    > > > > >> > > >> > "Brown" <fbrown@mta-inc.com> wrote in message
    > > > > >> > > >> > news:O2$c8m55EHA.2624@TK2MSFTNGP11.phx.gbl...
    > > > > >> > > >> >> I am running SBS 2003 Pro (MAIN), with a Win2K3 Standard
    > > > > >> > > >> >> server (SERVER02) which is providing file server and AD
    > > > > >> > > >> >> Backup tasks.
    > > > > >> > > >> >> I am getting an error message in the System Event Viewer,
    > > > > >> > > >> >> source Netlogon:
    > > > > >> > > >> >> "The session setup from the computer SERVER02 failed to
    > > > > >> > > >> >> authenticate. The name(s) of the account(s) referenced in
    > > > > >> > > >> >> the security database is SERVER02$.
    > > > > >> > > >> >> The following error occured: Access denied."
    > > > > >> > > >> >>
    > > > > >> > > >> >> What do I need to do to correct this?
    > > > > >> > > >> >>
    > > > > >> > > >> >> Brown
    > > > > >> > > >> >>
    > > > > >> > > >> >>
    > > > > >> > > >> >
    > > > > >> > > >> >
    > > > > >> > > >>
    > > > > >> > > >>
    > > > > >> > > >
    > > > > >> > > >
    > > > > >> > >
    > > > > >> > >
    > > > > >> >
    > > > > >> >
    > > > > >>
    > > > > >>
    > > > > >
    > > > > >
    > > > >
    > > > >
    > > >
    > > >
    > >
    > >
    >
    >
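
Added example (not part of the original thread): a short Python triage of netdiag output like that quoted above. It lists the failed tests and the DC records that could not be re-registered, and decodes the two numeric codes in the thread: DNS error 0x00002339 is decimal 9017, DNS_ERROR_RCODE_BADKEY, and the event's data bytes `6d 00 00 c0` read little-endian as 0xC000006D, STATUS_LOGON_FAILURE. The sample text is constructed from the quoted lines with the newsreader wrapping removed, and the function names are this example's own.

```python
import re

# Constructed sample: lines modeled on the netdiag output quoted in this thread,
# with the Usenet line-wrapping already removed.
SAMPLE_NETDIAG = """\
Domain membership test . . . . . . : Failed
DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.MTA-inc.local. re-registeration on DNS server '192.168.1.99' failed.
DNS Error code: 0x00002339
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to mta-main.MTA-inc.local (192.168.1.99). [SEC_E_WRONG_PRINCIPAL]
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain 'MTA-INC' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]
Kerberos test. . . . . . . . . . . : Failed
"""

# Well-known Windows codes that appear in the thread (winerror.h / ntstatus.h).
KNOWN_CODES = {
    9017: "DNS_ERROR_RCODE_BADKEY",
    0xC000006D: "STATUS_LOGON_FAILURE",
}

TEST_RE = re.compile(r"^(.*?test)[ .]*: (\w+)$")
ENTRY_RE = re.compile(r"DC DNS entry (\S+?)\.? re-registeration on DNS server '([^']+)'")
CODE_RE = re.compile(r"DNS Error code: (0x[0-9a-fA-F]+)")
SYMBOL_RE = re.compile(r"\[((?:SEC_E|ERROR)_[A-Z_]+)\]")

def event_data_to_code(hex_bytes):
    """Event 'Data:' bytes are little-endian: '6d 00 00 c0' -> 0xC000006D."""
    return int.from_bytes(bytes.fromhex(hex_bytes.replace(" ", "")), "little")

def triage(text):
    """Summarise failed tests, unregistered records, and decoded error codes."""
    report = {"failed_tests": [], "records": [], "dns_codes": set(), "symbols": []}
    for line in text.splitlines():
        if m := TEST_RE.match(line):
            if m.group(2) == "Failed":
                report["failed_tests"].append(m.group(1).strip(" ."))
        elif m := ENTRY_RE.search(line):
            report["records"].append((m.group(1), m.group(2)))
        elif m := CODE_RE.search(line):
            code = int(m.group(1), 16)
            report["dns_codes"].add((code, KNOWN_CODES.get(code, "unknown")))
        report["symbols"] += SYMBOL_RE.findall(line)
    return report
```
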

