Microsoft KB Archive/328701

= Replication Error Message 1326 and Event Message ID 1265 "Unknown User Name or Bad Password" =

Article ID: 328701

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3

-



This article was previously published under Q328701



SYMPTOMS
A Windows 2000 domain controller cannot replicate the configuration or the schema partitions with replication partners that belong to another domain of the forest. If the domain controller is a global catalog server, it also cannot replicate the other domain partitions with these replication partners.

In the following example, MYDC1 is a domain controller that belongs to the mydomain.com domain. MYDC2 is a replication partner of MYDC1 that belongs to the subdom.mydomain.com domain.

The following event is logged every 15 minutes in the Directory Services event log:

Event ID 1265:

Source: NTDS KCC

The attempt to establish a replication link with parameters

Partition: CN=Schema,CN=Configuration,DC=mydomain,DC=com Source DSA DN: CN=NTDS Settings,CN=MYDC1,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM

Source DSA Address: e7453dd3-63b9-4ea1-ab78-e0f16115c84d._msdcs.mydomain.com

Inter-site Transport (if any): failed with the following status:

Logon failure: unknown user name or bad password. The record data is the status code. This operation will be retried.

Data 0000052e

The record data 0000052e is the status code in hexadecimal: 0x52e is decimal 1326 (ERROR_LOGON_FAILURE), the same code that repadmin and dcdiag report below.

The following event is also logged regularly in the System Event log:

Event ID: 63

Source: W32Time

The time service cannot provide secure (signed) time to client x.x.x.x because the attempt to validate its computer account failed with error 1317. Falling back to insecure (unsigned) time for this client.

Error 1317 is ERROR_NO_SUCH_USER ("The specified account does not exist").

If you run the repadmin /showreps command on MYDC1, you receive output that resembles the following:

...
CN=Configuration,DC=mydomain,DC=com
    MySite\MYDC2 via RPC
        objectGuid: a6999e16-99b5-432f-9bc5-3eecf5dc192f
        Last attempt @ 2002-08-26 17:30.54 failed, result 1326:
            Logon failure: unknown user name or bad password.
        Last success @ 2002-08-19 14:42.40.
        1995 consecutive failure(s).

If you run the dcdiag command on MYDC1, you receive output that resembles the following:

DC Diagnosis
...
    [Replications Check,MYDC1] A recent replication attempt failed:
        From MYDC2 to MYDC1
        Naming Context: CN=Configuration,DC=mydomain,DC=com
        The replication generated an error (1326):
        Logon failure: unknown user name or bad password.
        The failure occurred at 2002-08-22 14:02.04.
        The last success occurred at 2002-08-20 17:10.52.
        617 failures have occurred since the last success.
        Kerberos Error.
        The machine account is not present, or does not match on the
        destination, source or KDC servers.
        Verify domain partition of KDC is in sync with rest of enterprise.
        The tool repadmin /syncall can be used for this purpose.

You can use either of the following two methods to view the trust relationship between the two domains.

Using the Active Directory Domains and Trusts snap-in:

 1. Start the Active Directory Domains and Trusts snap-in.
 2. Right-click the parent domain, click Properties, and then click the Trusts tab.
 3. Click the child domain in the Domains trusted by this domain list, click Edit, and then click Verify.

You receive the following message:

The trust has been verified. It is in place and active.

Using the netdom command-line utility: At a command prompt, type the following command:

c:\>netdom trust mydomain /domain:subdom /verify

You receive the following output:

The trust between mydomain and subdom has been successfully verified

The command completed successfully.


Although the tools that you use to check the trust relationship report that the trust is okay, Kerberos authentication between the domain controller and its replication partner over that trust still fails with error 1326.
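The repadmin and dcdiag output above is what an administrator has to read by eye. The following Python script is an added triage example, not part of this article or of any Microsoft tool: it parses repadmin /showreps text, picks out the inbound links that fail with status 1326, converts the hexadecimal Data field of event 1265 to that status, and prints the repadmin /sync commands to re-test each failing link after the trust reset. The sample output embedded in it is constructed to match the article's example (MYDC1, MYDC2, the two partitions, and the objectGUID a6999e16-...), with one healthy same-domain link from a hypothetical MYDC3 added for contrast; the layout of real repadmin output may differ in detail.

```python
import re
from dataclasses import dataclass

ERROR_LOGON_FAILURE = 1326  # Win32 status 0x52e: "Logon failure: unknown user name or bad password."

# Constructed sample modelled on the repadmin /showreps output in the article; not real output.
SAMPLE_SHOWREPS = """\
DC Options: IS_GC
DC object GUID: e7453dd3-63b9-4ea1-ab78-e0f16115c84d

==== INBOUND NEIGHBORS ======================================

DC=mydomain,DC=com
    MySite\\MYDC3 via RPC
        objectGuid: 0b2c1f4e-1111-4c55-9a0d-2f6a8c0c0001
        Last attempt @ 2002-08-26 17:30.54 was successful.

CN=Configuration,DC=mydomain,DC=com
    MySite\\MYDC2 via RPC
        objectGuid: a6999e16-99b5-432f-9bc5-3eecf5dc192f
        Last attempt @ 2002-08-26 17:30.54 failed, result 1326:
            Logon failure: unknown user name or bad password.
        Last success @ 2002-08-19 14:42.40.
        1995 consecutive failure(s).

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    MySite\\MYDC2 via RPC
        objectGuid: a6999e16-99b5-432f-9bc5-3eecf5dc192f
        Last attempt @ 2002-08-26 17:30.54 failed, result 1326:
            Logon failure: unknown user name or bad password.
        Last success @ 2002-08-19 14:42.40.
        1995 consecutive failure(s).
"""


def status_from_event_data(data_hex: str) -> int:
    """Event 1265 stores the Win32 status in its Data field as hex: '0000052e' -> 1326."""
    return int(data_hex, 16)


@dataclass
class InboundLink:
    naming_context: str
    partner: str            # site\server as printed by repadmin
    transport: str
    source_guid: str = ""   # objectGUID of the source NTDS Settings object
    result: int = 0         # 0 = last attempt succeeded
    consecutive_failures: int = 0


def parse_showreps(text: str) -> list:
    """Walk repadmin /showreps output; an unindented CN=/DC= line starts a naming context."""
    links, nc, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and (line.startswith("CN=") or line.startswith("DC=")):
            nc, current = line, None
            continue
        m = re.match(r"(\S+) via (\S+)$", line)
        if m and nc:
            current = InboundLink(nc, m.group(1), m.group(2))
            links.append(current)
            continue
        if current is None:
            continue
        if m := re.match(r"objectGuid:\s*([0-9a-fA-F-]{36})", line):
            current.source_guid = m.group(1)
        elif m := re.search(r"failed, result (\d+)", line):
            current.result = int(m.group(1))
        elif m := re.match(r"(\d+) consecutive failure", line):
            current.consecutive_failures = int(m.group(1))
    return links


def trust_auth_failures(links: list) -> dict:
    """Links failing with ERROR_LOGON_FAILURE, grouped by source DSA GUID (one partner per GUID)."""
    by_guid = {}
    for link in links:
        if link.result == ERROR_LOGON_FAILURE:
            by_guid.setdefault(link.source_guid, []).append(link)
    return by_guid


def diagnose(links: list) -> list:
    """One line per partner whose links fail with 1326: the pattern this article describes."""
    report = []
    for guid, bad in trust_auth_failures(links).items():
        ncs = sorted({link.naming_context for link in bad})
        worst = max(link.consecutive_failures for link in bad)
        report.append(f"{bad[0].partner} ({guid}): result 1326 on {len(ncs)} partition(s): "
                      f"{', '.join(ncs)}; up to {worst} consecutive failures")
    return report


def sync_commands(links: list, destination: str) -> list:
    """repadmin /sync <NC> <destination DSA> <source GUID> for each failing link, for re-testing."""
    return [f"repadmin /sync {link.naming_context} {destination} {link.source_guid}"
            for link in links if link.result == ERROR_LOGON_FAILURE]


if __name__ == "__main__":
    found = parse_showreps(SAMPLE_SHOWREPS)
    print("event 1265 Data 0000052e ->", status_from_event_data("0000052e"))
    print("\n".join(diagnose(found)))
    print("\n".join(sync_commands(found, "MYDC1")))
```

Run it against saved output (`repadmin /showreps > showreps.txt`) by passing the file contents to `parse_showreps`; a single partner failing on every partition it serves, while same-domain partners stay healthy, is the signature to look for before reaching for the trust reset.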


RESOLUTION
To resolve this behavior, reset the trust relationship. Run the commands from a domain controller of the parent domain, using an account that has administrative rights in both domains (supply credentials for the other domain to netdom if the account you are using does not have rights there).

 1. Run the following command from a command prompt:

c:\>netdom trust mydomain /domain:subdom /reset

You receive the following output:

Resetting the trust passwords between mydomain and subdom

The trust between mydomain and subdom has been successfully reset and verified

The command completed successfully.

 2. Verify that replication occurs properly between the two replication partners. To do so, run the following command from a command prompt (the naming context, the destination domain controller, and the objectGUID of the source domain controller are the values from the repadmin /showreps output):

C:\>repadmin /sync CN=Configuration,DC=mydomain,DC=com MYDC1 a6999e16-99b5-432f-9bc5-3eecf5dc192f

You receive the following output:

Sync from a6999e16-99b5-432f-9bc5-3eecf5dc192f to mydc1 completed successfully.

Repeat the repadmin /sync command for each partition that failed (the Schema partition in this example). If a link still fails with error 1326 after the reset, the trust password is not the cause; look instead at the machine accounts that the dcdiag message refers to on the source, destination and KDC servers.


MORE INFORMATION
MYDC1 must authenticate to MYDC2 before it can replicate from MYDC2. To do so, MYDC1 sends a Kerberos KRB_TGS_REQ request to a key distribution center (KDC) of the subdom.mydomain.com domain, presenting the cross-domain (referral) ticket-granting ticket that a KDC of its own domain issued for that domain. The service principal name that MYDC1 requests is the one that is used for replication, E3514235-4B06-11D1-AB04-00C04FC2DCD2/a6999e16-99b5-432f-9bc5-3eecf5dc192f/mydomain.com, where the GUID is the objectGUID of the NTDS Settings object of MYDC2 (the same value that repadmin prints as objectGuid).

The key distribution center of the child domain returns the following KRB_ERROR error message to this request:

Message stream modified.

This is Kerberos error 41 (KRB_AP_ERR_MODIFIED); the replication engine reports it as Win32 status 1326. The error means that the key distribution center cannot decrypt, and therefore cannot verify the integrity of, the data included in the request, primarily the ticket-granting ticket. The key that is used to decrypt this data derives from the password of the inter-domain trust account, and the two domains no longer hold the same copy of that password. Resetting the trust resynchronizes the password on both sides and fixes the problem.
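The exchange just described, as an added Python illustration that is not part of this article and does not use any Microsoft code: two small KDC objects, one per domain, each hold their own copy of the inter-domain trust password; the parent-domain KDC seals a referral TGT under the key derived from its copy, the child-domain KDC tries to open it under the key derived from its copy, and an integrity failure is reported as KRB_AP_ERR_MODIFIED, which the caller maps to status 1326. The cipher is a toy encrypt-then-MAC built from SHA-256 and HMAC, the key derivation is a SHA-256 stand-in for Kerberos string-to-key, and a single shared password per trust is assumed; the realm names, the MYDC1$ account name, the password strings and `reset_trust` (a model of what netdom trust /reset achieves, not its implementation) are illustrative.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

REPL_SPN_PREFIX = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"   # replication service class GUID
MYDC2_DSA_GUID = "a6999e16-99b5-432f-9bc5-3eecf5dc192f"    # objectGUID of MYDC2's NTDS Settings
KRB_AP_ERR_MODIFIED = 41      # RFC 4120 error code whose text is "Message stream modified"
ERROR_LOGON_FAILURE = 1326    # Win32 status that repadmin/dcdiag report for the failed exchange


class KrbError(Exception):
    def __init__(self, code: int, text: str):
        super().__init__(f"KRB_ERROR {code}: {text}")
        self.code = code


def trust_key(password: str) -> bytes:
    """Assumed stand-in for Kerberos string-to-key applied to the trust account password."""
    return hashlib.sha256(b"inter-realm-key:" + password.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for the Kerberos etype: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """A wrong key fails the integrity check, which a KDC reports as KRB_AP_ERR_MODIFIED."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise KrbError(KRB_AP_ERR_MODIFIED, "Message stream modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Kdc:
    realm: str
    trust_passwords: dict   # peer realm -> this KDC's copy of the inter-domain trust password

    def issue_referral_tgt(self, cname: str, target_realm: str) -> bytes:
        """Cross-domain TGT for krbtgt/<target>@<this realm>, sealed under this side's trust key."""
        body = {"cname": cname, "sname": f"krbtgt/{target_realm}@{self.realm}"}
        return seal(trust_key(self.trust_passwords[target_realm]), json.dumps(body).encode())

    def tgs_exchange(self, source_realm: str, referral_tgt: bytes, spn: str) -> dict:
        """KRB_TGS_REQ handling: open the referral TGT with *our* copy of the trust key."""
        tgt = json.loads(unseal(trust_key(self.trust_passwords[source_realm]), referral_tgt))
        return {"cname": tgt["cname"], "sname": spn, "srealm": self.realm}   # the KRB_TGS_REP


def replication_spn(dsa_guid: str, domain_dns: str) -> str:
    return f"{REPL_SPN_PREFIX}/{dsa_guid}/{domain_dns}"


def replicate_auth(dc: str, home: Kdc, partner: Kdc, spn: str) -> int:
    """What MYDC1 does before pulling from MYDC2; returns 0 or ERROR_LOGON_FAILURE."""
    referral = home.issue_referral_tgt(dc, partner.realm)
    try:
        partner.tgs_exchange(home.realm, referral, spn)
    except KrbError as err:
        if err.code == KRB_AP_ERR_MODIFIED:
            return ERROR_LOGON_FAILURE
        raise
    return 0


def reset_trust(a: Kdc, b: Kdc, new_password: str) -> None:
    """Model of the effect of netdom trust /reset: both sides store the same fresh password."""
    a.trust_passwords[b.realm] = new_password
    b.trust_passwords[a.realm] = new_password


def scenario() -> tuple:
    parent = Kdc("MYDOMAIN.COM", {"SUBDOM.MYDOMAIN.COM": "trust-pw-generation-7"})
    child = Kdc("SUBDOM.MYDOMAIN.COM", {"MYDOMAIN.COM": "trust-pw-generation-6"})  # stale copy
    spn = replication_spn(MYDC2_DSA_GUID, "mydomain.com")
    before = replicate_auth("MYDC1$", parent, child, spn)   # 1326 while the copies differ
    reset_trust(parent, child, "trust-pw-generation-8")
    after = replicate_auth("MYDC1$", parent, child, spn)    # 0 once both sides agree again
    return before, after


if __name__ == "__main__":
    print(scenario())
```

The point the model makes visible is that nothing about the request is malformed: the same referral TGT is accepted the moment both KDCs derive their key from the same password, which is why a password reset rather than any change on the replicating domain controller is the fix.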

Keywords: kberrmsg kbprb KB328701

-


© Microsoft Corporation. All rights reserved.