XP clients get no logon server error - machine accounts lose password on 2003 AD domain
From: Fred (Fred_at_mailinator.com)
Date: 02/22/05
- Next message: Al Mulnick: "Re: How to search in Active directory with no basedn"
- Previous message: Al Mulnick: "Re: Win2003 Server Domain Controller - 2003 Standalone Serve"
- Next in thread: Todd J Heron: "Re: XP clients get no logon server error - machine accounts lose password on 2003 AD domain"
- Reply: Todd J Heron: "Re: XP clients get no logon server error - machine accounts lose password on 2003 AD domain"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 22 Feb 2005 14:15:04 +1100
Hi, (bit of a long posting but I want to get all the info across)
We have a brand new 2003 AD domain from scratch. We use SMS2004 to push XP
to client PCs on the network.
As far as I can see AD & DNS are functioning properly. (more on this later)
The enterprise consists of one domain of which the HQ site has two DCs with
AD integrated DNS... we have 6 branch locations of which one has a DC and
the others just have normal File/print servers as they have minimal users.
It seems random computers are losing network logon capability because the
password on the local computer and the server differ. Why they are losing
the password I don't know.
My system log on one of the HQ DCs has many of the following critical
errors for loads of different computers on the network
*****************************************************
source: NETLOGON
event id: 5722
The session setup from the computer COMPUTER1 failed to authenticate. The
name(s) of the account(s) referenced in the security database is COMPUTER1$.
The following error occurred:
Access is denied.
*****************************************************
source: Kerberos
event id: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
COMPUTER3$. The target name used was cifs/COMPUTER8.domain.com. This
indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (DOMAIN.COM), and
the client realm. Please contact your system administrator.
*****************************************************
THERE ARE DEFINITELY NO DUPLICATE NAMES ON THE NETWORK... the two computers
mentioned above are both PCs... no server is listed in the error
The problem that we are having is totally random and happens once for a user
until we reset the machine account and remove and re-add the PC to the
domain. So it seems the password is being lost between PC and server; I
think it changes it every 30 days by default?
At first glance DC1 was not set to an NTP time source so I followed some KB
article on setting a Win2003 server to look at its own internal clock as a
time source (I will change it to a trusted time source later). I also set the
other DCs to pull the time from DC1 and they are syncing fine. I then added
DC1's IP to DHCP as the Time Server for the network so clients could point
to the DC for w32tm. It seems most clients that were having an issue with w32tm
errors in the event log are now fixed. So time should not be an issue
anymore. I know Kerberos authentication requires w32tm to be in sync
else logon could fail. I thought this might be causing the computers to drop
out of the domain when trying to change the machine password after 30 days
as the w32tm service was not working properly? Anyway I only changed this
setting yesterday so it might sort things out... as not all users shut down
their machines at night it might take a while for them to get the time
settings from DHCP and sync their clock with the DC.
Running NetDiag on all 3 DCs produces no errors
Running DCDiag produces "failed test systemlog" with the same error as
mentioned above
An Error Event occured. EventID: 0x40000004
Time Generated: 02/22/2005 11:35:02
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
AU003C0232$. The target name used was
cifs/AU003C0007.domain.com. This indicates
that the password used to encrypt the kerberos
service ticket is different than that on the
target server. Commonly, this is due to
identically named machine accounts in the target
realm (domain.COM), and the client realm.
Please contact your system administrator
I have also run the Active Directory Replication Monitor tool and can
confirm that all replication is successful according to the tool. There are
also no name resolution problems on the network between either client/server
or server/server communication that I can see. FQDN resolution seems fine!
FRSDiag passes all tests on DC1, however on DC2 I get these errors
----------------------------------------------------------------
------------------------------------------------------------
FRSDiag v1.7 on 22/02/2005 1:09:41 PM
.\DC2 on 2005-02-22 at 1.09.41 PM
------------------------------------------------------------
Checking for errors/warnings in FRS Event Log .... passed
Checking for errors in Directory Service Event Log ....
NTDS Replication 19/02/2005 10:03:59 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=ForestDnsZones,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 19/02/2005 10:03:59 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=DomainDnsZones,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 19/02/2005 10:03:59 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: CN=Schema,CN=Configuration,DC=mydom,DC=domain,DC=com
The local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 19/02/2005 10:03:59 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: CN=Configuration,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 19/02/2005 10:03:59 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=mydom,DC=domain,DC=com The local domain
controller has not received replication information from a number of domain
controllers within the configured latency interval. Latency Interval
(Hours): 24 Number of domain controllers in all sites: 1 Number of
domain controllers in this site: 1 The latency interval can be
modified with the following registry key. Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency
error interval (hours) To identify the domain controllers by name,
install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 13/02/2005 10:04:05 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=ForestDnsZones,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 13/02/2005 10:04:05 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=DomainDnsZones,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 13/02/2005 10:04:05 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: CN=Schema,CN=Configuration,DC=mydom,DC=domain,DC=com
The local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 13/02/2005 10:04:05 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: CN=Configuration,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 13/02/2005 10:04:05 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=mydom,DC=domain,DC=com The local domain
controller has not received replication information from a number of domain
controllers within the configured latency interval. Latency Interval
(Hours): 24 Number of domain controllers in all sites: 1 Number of
domain controllers in this site: 1 The latency interval can be
modified with the following registry key. Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency
error interval (hours) To identify the domain controllers by name,
install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 12/02/2005 10:25:06 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=ForestDnsZones,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 12/02/2005 10:25:06 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=DomainDnsZones,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 12/02/2005 10:25:06 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: CN=Schema,CN=Configuration,DC=mydom,DC=domain,DC=com
The local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 12/02/2005 10:25:06 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: CN=Configuration,DC=mydom,DC=domain,DC=com The
local domain controller has not received replication information from a
number of domain controllers within the configured latency interval.
Latency Interval (Hours): 24 Number of domain controllers in all sites:
1 Number of domain controllers in this site: 1 The latency
interval can be modified with the following registry key. Registry
Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator
latency error interval (hours) To identify the domain controllers by
name, install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
NTDS Replication 12/02/2005 10:25:06 PM Error 1863 This is the replication
status for the following directory partition on the local domain controller.
Directory partition: DC=mydom,DC=domain,DC=com The local domain
controller has not received replication information from a number of domain
controllers within the configured latency interval. Latency Interval
(Hours): 24 Number of domain controllers in all sites: 1 Number of
domain controllers in this site: 1 The latency interval can be
modified with the following registry key. Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency
error interval (hours) To identify the domain controllers by name,
install the support tools included on the installation CD and run
dcdiag.exe. You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest. The
command is "repadmin /showvector /latency <partition-dn>".
WARNING: Found Directory Service Errors in the past 15 days! FRS Depends on
AD so Check AD Replication!
......... failed 15
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not
checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0005.log : "RPC_S_CALL_FAILED_DNE(Indicates RPC Session was
established to target, but there was a failure to send RPC call package.
Check for Networking problems!)" : <SndCsMain: 2760:
874: S0: 11:30:35> :SR: Cmd 0026be18, CxtG f9b52231, WS
RPC_S_CALL_FAILED_DNE, To DC3.mydom.domain.com Len: (376) [SndFail - rpc
exception]
ERROR on NtFrs_0005.log : "RPC_S_CALL_FAILED_DNE(Indicates RPC Session was
established to target, but there was a failure to send RPC call package.
Check for Networking problems!)" : <SndCsMain: 2760:
873: S0: 11:30:35> ++ ERROR - EXCEPTION (000006bf) : WStatus:
RPC_S_CALL_FAILED_DNE
ERROR on NtFrs_0005.log : "RPC_S_CALL_FAILED_DNE(Indicates RPC Session was
established to target, but there was a failure to send RPC call package.
Check for Networking problems!)" : <SndCsMain: 2760:
874: S0: 11:30:35> :SR: Cmd 039a9cf0, CxtG e69d5ac5, WS
RPC_S_CALL_FAILED_DNE, To DC3.mydom.domain.com Len: (578) [SndFail - rpc
exception]
Found 4 RPC_S_CALL_FAILED_DNE error(s)! Latest ones (up to 3) listed above
......... failed with 4 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed
Final Result = failed with 19 error(s)
DC3 (remote branch DC) has this error
------------------------------------
Checking for errors/warnings in FRS Event Log ....
NtFrs 16/01/2005 6:35:00 PM Warning 13508 The File Replication Service is
having trouble enabling replication from DC1 to DC3 for
d:\windows\sysvol\domain using the DNS name DC1.domain.com. FRS will keep
retrying. Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name DC1.domain.com from this
computer. [2] FRS is not running on DC1.domain.com. [3] The topology
information in the Active Directory for this replica has not yet replicated
to all the Domain Controllers. This event log message will appear
once per connection, After the problem is fixed you will see another event
log message indicating that the connection has been established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see above
for (up to) the 3 latest entries!
I DO GET THE TRAILING 13509 ERRORS: The File Replication Service has enabled
replication from dc1 to DC3 for d:\windows\sysvol\domain after repeated
retries
Just to add... I see they also have all 3 DCs acting as Global Catalog
servers
If anybody has any insight it would be appreciated!
Thanks, Fred
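As an added example (not from Fred's post or any Microsoft tool), the small Python script below parses NETLOGON 5722 and Kerberos event 4 text in the form quoted above and separates the cases where the host named in the SPN rejected its own ticket (a genuine machine-account key mismatch, the "reset and rejoin" case) from those where a different host answered, which points at name resolution rather than a lost password. The sample event text and the COMPUTERn host names are constructed.

```python
import re

# Constructed sample text modelled on the NETLOGON 5722 and Kerberos event 4
# entries quoted in the post; the host names are placeholders, not real machines.
SAMPLE_EVENTS = """\
source: NETLOGON
event id: 5722
The session setup from the computer COMPUTER1 failed to authenticate. The
name(s) of the account(s) referenced in the security database is COMPUTER1$.
The following error occurred:
Access is denied.
*****************************************************
source: Kerberos
event id: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
COMPUTER3$. The target name used was cifs/COMPUTER8.domain.com.
*****************************************************
source: Kerberos
event id: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
COMPUTER5$. The target name used was cifs/COMPUTER5.domain.com.
"""

RECORD_SEP = re.compile(r"^\*{5,}\s*$", re.M)        # the ***** lines between events
EVENT_ID = re.compile(r"event id:\s*(\d+)", re.I)
# 5722: "...referenced in the security database is COMPUTER1$."
ACCOUNT_5722 = re.compile(r"security database is\s+([^\s$]+)\$", re.I)
# Kerberos 4: "...from the server COMPUTER3$. The target name used was cifs/COMPUTER8.domain.com."
KERB_4 = re.compile(
    r"from the server\s+([^\s$]+)\$\.\s+The target name used was\s+([^\s/]+)/(\S+)",
    re.I,
)


def parse_events(text):
    """Split pasted event text on the separator lines and pull out the names."""
    events = []
    for chunk in RECORD_SEP.split(text):
        m = EVENT_ID.search(chunk)
        if not m:
            continue
        if int(m.group(1)) == 5722:
            a = ACCOUNT_5722.search(chunk)
            if a:
                events.append({"id": 5722, "account": a.group(1).upper()})
        elif int(m.group(1)) == 4:
            k = KERB_4.search(chunk)
            if k:
                events.append({"id": 4, "server": k.group(1).upper(),
                               "service": k.group(2).lower(),
                               "spn_host": k.group(3).rstrip(".")})
    return events


def triage(events):
    """Bucket the events by the check a defender should run next."""
    out = {"netlogon_denied": [], "password_mismatch": [], "name_resolution_suspect": []}
    for e in events:
        if e["id"] == 5722:
            out["netlogon_denied"].append(e["account"])      # reset/rejoin candidate
            continue
        spn_short = e["spn_host"].split(".")[0].upper()       # NetBIOS-style name in the SPN
        if spn_short == e["server"]:
            # Host X rejected a ticket for cifs/X: the key for X$ differs between DC and host.
            out["password_mismatch"].append(e["server"])
        else:
            # Host Y answered a ticket meant for X: the name resolves to the wrong machine
            # (stale DNS record or duplicate IP), which is not a lost machine password.
            out["name_resolution_suspect"].append((e["server"], e["spn_host"]))
    return {k: sorted(set(v)) for k, v in out.items()}
```

Feed it the text of a saved System log export; anything in name_resolution_suspect is worth a DNS lookup of the SPN host before any account is reset.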