Re: Pre-authentication failed for Windows 2008 systems

---

• From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
• Date: Thu, 19 Feb 2009 21:11:23 +0000 (UTC)

---

Hello Brad,

The error states DNS is a problem as you can see in the output.

Are all DNS zones listing the server with it's records, check all levels?

What kind of zones do you run?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Computer Name: DC1
DNS Host Name: dc1.domain.net
System info : Microsoft Windows Server 2003 (Build 3790)
Processor : EM64T Family 15 Model 6 Stepping 4, GenuineIntel
List of installed hotfixes :
Q147222
Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Main Connection (Public)

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : dc1
IP Address . . . . . . . . : 192.168.33.103
Subnet Mask. . . . . . . . : 255.255.252.0
Default Gateway. . . . . . : 192.168.33.3
Dns Servers. . . . . . . . : 192.168.33.104
192.168.33.103
AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
No names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{3EFD5D5E-F5B5-4A0B-A5B1-C5F8EB59B504}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00>
'WorkStation
Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Could not open file
C:\WINDOWS\system32\config\netlogon.dns for
reading.
[FATAL] Could not open file
C:\WINDOWS\system32\config\netlogon.dns for
reading.
[FATAL] No DNS servers have the DNS records for this DC
registered.
Redir and Browser test . . . . . . : Failed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{3EFD5D5E-F5B5-4A0B-A5B1-C5F8EB59B504}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{3EFD5D5E-F5B5-4A0B-A5B1-C5F8EB59B504}
The browser is bound to 1 NetBt transport.
[FATAL] Cannot send mailslot message to 'domain*' via browser.
[ERROR_INVALID_FUNCTION]
DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
Secure channel for domain 'domain' is to '\\dc2.domain.net'.
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Cannot lookup package Kerberos.
The error occurred was: (null)
LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed
information

The command completed successfully

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6619e218cb6087847815b0@xxxxxxxxxxxxxxxxxxxxxxx

Hello Brad,

The ipconfigs looks ok. You can check it yourself but at least post a
netdiag, will be smaller.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Domain Controller 1 IPCONFIG
==============================
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc1
Primary Dns Suffix . . . . . . . : domain.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.net
Ethernet adapter Main Connection (Public):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-F8-27-0C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.33.103
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 192.168.33.3
DNS Servers . . . . . . . . . . . : 192.168.33.104
192.168.33.103
Domain Controller 2 IPCONFIG
==============================
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc2
Primary Dns Suffix . . . . . . . : domain.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.net
Ethernet adapter Main Connection (Public):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-F8-28-01
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.33.104
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 192.168.33.3
DNS Servers . . . . . . . . . . . : 192.168.33.104
192.168.33.103
Windows 2008 Server IP Config
==============================
Host Name . . . . . . . . . . . . : TS1
Primary Dns Suffix . . . . . . . : domain.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.net
Ethernet adapter Local Area Connection 1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II
GigE
Physical Address. . . . . . . . . : 00-1E-4F-2F-64-E3
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::c883:19c6:61c0:8195%16(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.33.39(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 192.168.33.3
DNS Servers . . . . . . . . . . . : 192.168.33.103
192.168.33.104
NetBIOS over Tcpip. . . . . . . . : Enabled
netdiag /v
=============================
Are you sure you want me to post this? This command returned over
4500
lines
of text.....
Thanks
Brad
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6619d3d8cb60300fc771a6@xxxxxxxxxxxxxxxxxxxxxxx

Hello Brad,

Make sure the machine is correct registered in your DNS zones.
Please post an unedited ipconfig /all from the existing DC's and
the 2008 machine with the error.

Assuming that you use private ip ranges there is noproblem to post
them here. 10.x.x.x 172.x.x.x or 192.168.x.x are not accessible
form outside.

Also run netdiag /v and post the output also.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Below is the output of the event log. Obviously I scrubbed some of
the data below (such as the PC names, domain controller names,
domain name, ip addresses and other sensitive information). But
the event ID, and failure codes are still as-is etc.

Thanks
Brad
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 2/18/2009
Time: 12:06:19 AM
User: NT AUTHORITY\SYSTEM
Computer: DOMAINCONTROLLER
Description:
Pre-authentication failed:
User Name: WIN2K8SERVER$
User ID: DOMAIN\WIN2K8SERVER$
Service Name: krbtgt/DOMAIN.NET
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 123.123.123.123
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6619b1c8cb5f688339fde0@xxxxxxxxxxxxxxxxxxxxxxx

Hello Brad,

Please post the complete event viewer entry.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm

We are seeing errors similar to the following on our domain
controllers for all of our Windows 2008 (x86 and x64) servers:

Pre-authentication failed:
User Name: SERVERNAME$
User ID: DOMAIN\SERVERNAME$
Service Name: krbtgt/DOMAIN.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: SERVER IP
Our active directory domain consists of two windows 2003 R2 x64
domain
controllers (if that matters).
I've done some searching online and found several other people
seeing similar errors with Windows Vista but no really good
explanation of what's causing them. The best I can find is a
work
around which suggests
1. On the domain controller, run "adsiedit.msc"
2. Locate the computer accounts DOMAIN\EXC$ under the Domain
partition.
3. Right-click on "DOMAIN\EXC$", click Properties.
4. Then locate the attribute "UserAccountControl" in the
Attributes
list.
Click Edit.
5. Modify the value to original value plus 4194304. For example,
if
the
original value is 512, the new value should be
512+4194304=4194816
6. Click OK, click Apply, and click OK.
7. Quit ADSI Edit. Then you can check if the event 675 stops for
these
accounts.
I've done this and it does seem to resolve the issue but I don't
want
to be having to do this for each and every new Windows 2008
server
we
introduce into active directory. Surely there must be some
logical
explanation for what's causing these entries and how we can stop
them
without the elaborate work around above?
If anyone has any suggestions or ideas, please let me know.
Thanks
Brad

.

---

• Follow-Ups:
  • Re: Pre-authentication failed for Windows 2008 systems
    • From: Brad Baker

• References:
  • Re: Pre-authentication failed for Windows 2008 systems
    • From: Brad Baker

• Prev by Date: Re: Network access not working
• Next by Date: Re: NTFS copy/move within partition
• Previous by thread: Re: Pre-authentication failed for Windows 2008 systems
• Next by thread: Re: Pre-authentication failed for Windows 2008 systems
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: NT Domain to AD migration ... Windows 2000/XP always prefer Kerberos authentication, ... Server 2003 Active Directory service, ensure that you have designed a DNS ... (microsoft.public.windows.server.active_directory) Re: Secondary DNS and PIX ... Of course I updated them with the DNS ... WINDOWS SERVER 2003 FOR SMALL BUSINESS SERVER, ... Windows SBS 2003 SP1 is available. ... (microsoft.public.windows.server.sbs) Re: Find AD hostname from Linux command line ... The Windows XP workstation gets an IP ... "Register this connection's addresses in DNS" turned ON. ... If I am on a Linux server and do "ping lancelot.ad.mydomain.com", ... (microsoft.public.win2000.dns) Re: Secondary DNS and PIX ... SBS SP1 was a very specific service pack comprising several ... Root hints for DNS means you leave the forwarders ... WINDOWS SERVER 2003 FOR SMALL BUSINESS SERVER, ... (microsoft.public.windows.server.sbs) Re: Two Win2k3 questions ... Roaming Profiles & Access Privileges ... ... >DHCP, DNS, Print Server, and File Server responsibilities. ... lookup zone on Windows NT" ... http://support.microsoft.com?kbid=229873 "Delegate Control Wizard Cannot Be Used ... (microsoft.public.win2000.advanced_server)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)