Microsoft KB Archive/816577

= Replication Error 1326 and Event ID 1265 Message "Unknown User Name or Bad Password" =

Article ID: 816577

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-





For a Microsoft Windows 2000 version of this article, see 328701.



SYMPTOMS
A Windows Server 2003 domain controller cannot replicate the configuration or the schema partitions with replication partners that belong to another domain of the forest. If the domain controller is a global catalog server, it also cannot replicate the other domain partitions with these replication partners.

Additionally, an event similar to the following is logged every 15 minutes in the Directory Services event log:

Event ID: 1265
Source: NTDS KCC
The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=mydomain,DC=com
Source DSA DN: CN=NTDS Settings,CN=MYDC1,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM
Source DSA Address: e7453dd3-63b9-4ea1-ab78-e0f16115c84d._msdcs.mydomain.com
Inter-site Transport (if any):
failed with the following status:
Logon failure: unknown user name or bad password.
The record data is the status code. This operation will be retried.
Data 0000052e

The following event is also logged regularly in the System event log:

Event ID: 63
Source: W32Time
The time service cannot provide secure (signed) time to client x.x.x.x because the attempt to validate its computer account failed with error 1317. Falling back to insecure (unsigned) time for this client.

If you run the repadmin /showreps command on MYDC1, you may receive output similar to the following:

CN=Configuration,DC=mydomain,DC=com
MySite\MYDC2 via RPC
objectGuid: a6999e16-99b5-432f-9bc5-3eecf5dc192f
Last attempt @ 2003-03-28 00:05.30 failed, result 1326: Logon failure: unknown user name or bad password.
Last success @ 2003-03-27 23:15.14.
3 consecutive failure(s).

If you run the dcdiag command on MYDC1, you may receive output similar to the following:

DC Diagnosis
[Replications Check,DC-LV1] A recent replication attempt failed:
From MYDC2 to MYDC1
Naming Context: CN=Configuration,DC=mydomain,DC=com
The replication generated an error (1326): Logon failure: unknown user name or bad password.
The failure occurred at 2003-03-28 00:09.09.
The last success occurred at 2003-03-27 23:15.14.
3 failures have occurred since the last success.
Kerberos Error.
The machine account is not present, or does not match on the destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.
...
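As an added example (not part of the KB article), the following PowerShell script checks a domain controller for the symptoms just described: event 1265 with the bad-password status in the Directory Service log and repadmin /showreps entries that report result 1326, and then runs the netdom /verify check from the More Information section. It assumes an elevated session on the DC, PowerShell 2.0 or later, and repadmin.exe and netdom.exe on the PATH; mydomain and subdom are the article's placeholder domain names.

```powershell
# Added example, not code from the KB article. Assumes an elevated session on the
# DC, PowerShell 2.0+, and repadmin.exe / netdom.exe on the PATH.
param(
    [string]$TrustingDomain = 'mydomain',   # placeholder from the article
    [string]$TrustedDomain  = 'subdom',     # placeholder from the article
    [int]$Hours = 24
)

# Symptom 1: NTDS KCC event 1265 whose status data is 0x52e (1326, bad password).
$since = (Get-Date).AddHours(-$Hours)
$kcc = @(Get-EventLog -LogName 'Directory Service' -After $since -ErrorAction SilentlyContinue |
         Where-Object { $_.EventID -eq 1265 -and $_.Message -match 'unknown user name or bad password' })

# Symptom 2: repadmin /showreps lines "Last attempt @ ... failed, result 1326".
# Track the partition (column 0, starts with CN= or DC=) and the source DC
# ("Site\Server via RPC") so each failure can be attributed to a partner.
$failures = @()
$partition = $null; $source = $null
foreach ($line in (& repadmin /showreps)) {
    if ($line -match '^(CN|DC)=') { $partition = $line.Trim(); continue }
    if ($line -match '^\s+(\S+\\\S+) via (\S+)') { $source = $matches[1]; continue }
    if ($line -match 'failed, result 1326') {
        $failures += New-Object PSObject -Property @{ Partition = $partition; Source = $source }
    }
}

# netdom /verify: the article notes this reports success even while replication
# fails, so a passing verify does not rule out a desynchronized trust password.
$verifyText = (& netdom trust $TrustingDomain /domain:$TrustedDomain /verify) -join ' '
$verifyOk = $verifyText -match 'successfully verified'

'Event 1265 (bad password) in last {0}h : {1}' -f $Hours, $kcc.Count
'repadmin entries with result 1326      : {0}' -f $failures.Count
$failures | ForEach-Object { '    {0}  <-  {1}' -f $_.Partition, $_.Source }
'netdom trust /verify reports success   : {0}' -f $verifyOk
if ($kcc.Count -gt 0 -or $failures.Count -gt 0) {
    'Symptoms match KB 816577; the Resolution section resets the trust with: netdom trust {0} /domain:{1} /reset' -f $TrustingDomain, $TrustedDomain
}
```

Run it on the destination domain controller (MYDC1 in the article's sample output); a passing verify combined with result 1326 entries is exactly the combination the article describes.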



CAUSE
This problem can occur when the password of the inter-domain trust account is not synchronized on both sides of the trust relationship.



RESOLUTION
To resolve this problem, reset the trust relationship.

Note In the sample messages and the examples presented in this article,  is a domain controller that belongs to the   domain. is a replication partner of  that belongs to the   domain.

Step 1: Install Windows Support Tools
To install Windows Support Tools, follow these steps:
 1. Insert the CD for Windows Server 2003 in the CD-ROM drive.
 2. Click Start, click Run, type  :\support\tools\suptools.msi, and then click OK.
 3. Follow the online instructions to complete the installation of Windows Support Tools.

Step 2: Reset the Trust Relationship
To reset the trust relationship, follow these steps:
 1. Click Start, click Run, type cmd in the Open box, and then click OK.
 2. Type netdom trust mydomain /domain:subdom /reset, and then press ENTER.

You receive the following message:

Resetting the trust passwords between  and.

The trust between  and   has been successfully reset and verified.

The command completed successfully.

Note is the trusting domain, and   is the trusted domain.

Step 3: Verify That Replication Occurs Correctly
You can use the Repadmin or Replmon replication tools to verify that replication occurs correctly. For detailed information about the syntax of the repadmin command, type repadmin /? at the command line, and then press ENTER. To verify that replication occurs correctly if you are using the Repadmin tool, do the following:
 * Click Start, click Run, and type repadmin /replicate , and then click OK.

Note  is the destination domain controller and   is the source domain controller.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
You can use either of the following two methods to view the trust relationship between the two domains:

 * Use Active Directory Domains and Trusts:
   1. Start Active Directory Domains and Trusts.
   2. Right-click the domain name, and then click the Trusts tab.
   3. Click  in the Domains trusted by this domain list, click Edit, and then click Verify.

   You receive the following message:

   The trust has been verified. It is in place and active.

 * Use the netdom command:
   1. Click Start, click Run, type cmd, and then click OK.
   2. At the command prompt, type netdom trust  /domain:subdom /verify, and then press ENTER.

   You receive the following message:

   The trust between  and subdom has been successfully verified. The command completed successfully.

When you use these methods to view the trust relationship status, each method reports that the trust relationship functions correctly. However, authentication between the domain controller and its replication partner still fails with an error message, and the cause of that failure is the trust.

DC1 must authenticate against DC2 before DC1 can replicate from DC2. To authenticate, DC1 sends a Kerberos KRB_TGS_REQ request to the key distribution center of the  domain. The service principal name that DC1 uses for this authentication is the service principal name that DC1 uses for replication.

The key distribution center of the child domain returns the following KRB_ERROR error message to this request:

Message stream modified.

This error message means that the key distribution center cannot decrypt the data that is included in the request. Most of the time, this data is the ticket-granting ticket (TGT). The key that is used to decrypt this data is derived from the password of the inter-domain trust account; when you reset the trust, that password is resynchronized on both sides.


Keywords: kbprb kbnofix KB816577

-


© Microsoft Corporation. All rights reserved.