On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Something is dorked over there. I know you said nothing has changed.
It appears to me that netdom is your next option. If "netdom reset" does not work (after a reboot) or "netdom verify" keels over, then I'm afraid you are looking at a painful "netdom join" exercise.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 1:45 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue
Yeah, I'm an idiot.
sorry.
That worked.
I still have the same issue though-
Kerberos errors and the "Logon Failure: The target account name is incorrect."
Thanks
On 2/21/06, Free, Bob <[EMAIL PROTECTED]> wrote:
Your syntax looks backward....you have the hostname in front of the SPN
-A = add arbitrary SPN
Usage:
setspn -A SPN computername
setspn -A http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, February 21, 2006 1:26 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue
Thank you for the advice.
I will in the future.
This is the output from setspn /A
C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765
Unable to locate account host/OP5080570765
C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765.corp.oproot.opco.com
Unable to locate account host/OP5080570765.corp.oproot.opco.com
The weird thing is, these accounts were migrated months ago and had no issue till today.
There was no change made to AD by hand or by app.
Thanks
On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Try the /A option.
btw, try munging your resource/domain names when you post to a forum such as this.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> on behalf of Tom Kern
Sent: Tue 2/21/2006 1:01 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue
I get this when I use the NetBIOS name-
C:\Program Files\Resource Kit>setspn -R OP5080570765
Failed to crack name CORP\OP5080570765 into the FQDN, (0) 1 0x2
I get this when I use FQDN-
C:\Program Files\Resource Kit>setspn -R OP5080570765.corp.oproot.opco.com
Could not find account OP5080570765.corp.oproot.opco.com
The name is in DNS and AD.
As I said, DNS is functioning properly.
Thanks
On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Try manually resetting or adding the SPN for one of the computers and see if that takes care of your problem. If it does, then I'd do the same for the rest or just disjoin and rejoin them to the domain if there are not too many of them.
You can use setspn to do this. Like so:
setspn /R the_computer_NetBIOS_Name
OR
setspn /A host/NetBIOS_Name the_computer_NetBIOS_Name
setspn /A host/FQDN_NAme the_computer_FQDN
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 11:52 AM
To: activedirectory
Subject: Re: [ActiveDir] SPN issue
Ok, I came up with some more stuff-
If I use the FQDN, I can map a drive without the login error.
I ran Ethereal while mapping a drive, both ways. With the flat name and fqdn.
When mapping with the flat name, I see a "KRB5KDC_ERR_PREAUTH_FAILED(24)"
Then later, I see, "KRB5KRB_AP_ERR_MODIFIED,Error: STATUS_MORE_PROCESSING_REQUIRED(0x0000016)"
When I use FQDN, I see-
"KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN(7)" and then it defaults to NTLM and lets me in.
With a flat name, it never gets to NTLM.
I've checked the "Troubleshooting Kerberos Errors" MS whitepaper but I can't find anything to help me there.
The SPN in AD of my box and the server I'm connecting to seems fine.
Both client and server are in the same Domain.
DNS is functioning.
Time is in sync.
Anyplace else I should be looking?
Thanks a lot.
On 2/21/06, Tom Kern <[EMAIL PROTECTED]> wrote:
I'm at the end of a win2k native to win2k3 win2k3FFL/DFL migration using Quest Migration Manager.
I've noticed we've had many login issues where users can map drives via ip but not hostname (dns is working and you can ping by name).
Also, when connecting via a drive mapping, the error received is "Login failure: The target name is incorrect".
Now I know when mapping via ip, you are using NTLM as opposed to Kerberos when you use a hostname.
So I thought it was a duplicate SPN issue due to the migration.
When I fire up LDP.exe and search for SPN, I see the pc in question has an SPN of the value "host\pc.Old.Domain.Name".
There is no SPN for the pc to reflect the new Forest it has been migrated to.
This is sporadic and doesn't affect all migrated pc's.
Another symptom is users not getting their home drive mappings (via ADUC).
The homedir server logs this error in the Security log-
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 2/21/2006
Time: 11:16:05 AM
User: NT AUTHORITY\SYSTEM
Computer: OPNJR01
Description:
Logon Failure:
Reason: An unexpected error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
I have two questions-
1. Could the issues I'm having be a symptom of this SPN "problem"?
2. Has anyone faced a similar issue when migrating either via Quest or ADMT, etc?
Thanks a lot.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
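
An added example, not part of the thread: the original post describes a migrated PC whose only HOST SPN still carried the old domain name. The PowerShell below flags computer accounts whose HOST SPNs do not match their current name and dNSHostName. The function name `Find-StaleHostSpn`, the sample hosts and the example.com domains are hypothetical, and live use assumes the ActiveDirectory module's `Get-ADComputer` is available.

```powershell
# Added example: flag computer accounts whose HOST SPNs do not match their current names.
# Input objects need Name, DNSHostName and ServicePrincipalName. Against a live directory
# (assumption: ActiveDirectory module installed) they can come from:
#   Get-ADComputer -Filter * -Properties dNSHostName, servicePrincipalName
function Find-StaleHostSpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Computer
    )
    process {
        # Drop empty values, then keep only the HOST service class (-match ignores case).
        $spns     = @($Computer.ServicePrincipalName | Where-Object { $_ })
        $hostSpns = @($spns | Where-Object { $_ -match '^host/' })

        # A domain member is expected to carry HOST/<short name> and HOST/<current FQDN>.
        $expected = @("HOST/$($Computer.Name)")
        if ($Computer.DNSHostName) { $expected += "HOST/$($Computer.DNSHostName)" }

        # -notcontains compares case-insensitively, as SPN matching does.
        $missing    = @($expected | Where-Object { $hostSpns -notcontains $_ })
        $unexpected = @($hostSpns | Where-Object { $expected -notcontains $_ })

        if ($missing.Count -or $unexpected.Count) {
            [pscustomobject]@{
                Computer   = $Computer.Name
                Missing    = $missing -join ', '
                Unexpected = $unexpected -join ', '
            }
        }
    }
}

# Constructed sample data: PC02 still carries the pre-migration domain in its SPN.
$sample = @(
    [pscustomobject]@{
        Name                 = 'PC01'
        DNSHostName          = 'pc01.new.example.com'
        ServicePrincipalName = @('HOST/PC01', 'HOST/pc01.new.example.com')
    }
    [pscustomobject]@{
        Name                 = 'PC02'
        DNSHostName          = 'pc02.new.example.com'
        ServicePrincipalName = @('HOST/PC02', 'HOST/pc02.old.example.com')
    }
)

$sample | Find-StaleHostSpn | Format-List
```

Accounts reported with a non-empty Missing column are the candidates for the `setspn -A` or `netdom` repairs discussed in the thread.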