Replication error message 1326 and event message ID 1265 "Unknown user name or bad password" on Windows 2000 (892426)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
For a Microsoft Windows Server 2003 version of this article, see 816577.

SYMPTOMS

A Windows 2000-based domain controller cannot replicate the configuration or the schema partitions with replication partners that belong to another domain of the forest. Additionally, if the domain controller is a global catalog server, it cannot replicate the other domain partitions with these replication partners.

In the following example, MYDC1 is a domain controller that belongs to the mydomain.com domain. MYDC2 is a replication partner of MYDC1 that belongs to the subdom.mydomain.com domain.

The following event is logged every 15 minutes in the Directory Services event log: Event ID 1265:
Source: NTDS KCC
Description:
The attempt to establish a replication link with parameters Partition: CN=Schema,CN=Configuration,DC=mydomain,DC=com Source DSA DN: CN=NTDS Settings,CN=MYDC1,CN=Servers,CN=MYSITE,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=COM Source DSA Address: e7453dd3-63b9-4ea1-ab78-e0f16115c84d._msdcs.mydomain.com Inter-site Transport (if any): failed with the following status: Logon failure: unknown user name or bad password. The record data is the status code. This operation will be retried. Data 0000052e Additionally, the following event is regularly logged in the System log: Event ID: 63
Source: W32Time
Description:
The time service cannot provide secure (signed) time to client ClientIPAddress because the attempt to validate its computer account failed with error 1317. Falling back to insecure (unsigned) time for this client. If you run the repadmin /showreps command on MYDC1, you receive the following output: 
...
CN=Configuration,DC=mydomain,DC=com
    MySite\MYDC2 via RPC
        objectGuid: a6999e16-99b5-432f-9bc5-3eecf5dc192f<BR/>
        Last attempt @ 2002-08-26 17:30.54 failed, result 1326:<BR/>
        Logon failure: unknown user name or bad password.<BR/>
        Last success @ 2002-08-19 14:42.40.<BR/>
        1995 consecutive failure(s).
If you run the dcdiag command on MYDC1, you receive the following output: 
DC Diagnosis
... 
     [Replications Check,DC-LV1] A recent replication attempt failed:
            From MYDC2 to MYDC1
            Naming Context: CN=Configuration,DC=mydomain,DC=com
            The replication generated an error (1326):
            Logon failure: unknown user name or bad password.
            The failure occurred at 2002-08-22 14:02.04.
            The last success occurred at 2002-08-20 17:10.52.
            617 failures have occurred since the last success.
            Kerberos Error.
            The machine account is not present, or does not match on the.
            destination, source or KDC servers.
            Verify domain partition of KDC is in sync with rest of enterprise.
            The repadmin /syncall command can be used for this purpose.

CAUSE

This issue occurs if the password of the inter-domain trust account is not synchronized on both sides of the trust relationship.

RESOLUTION

To resolve this issue, reset the trust relationship. To do this, follow these steps:
  1. At a command prompt, type c:\>netdom trust domain on which the trust is created /domain:the parent, child, or tree root domain being trusted /reset, and then press ENTER.

    Important You must use the fully qualified domain names (FQDNs) in this command.

    After you run this command, you receive the following message: Resetting the trust passwords between domain on which the trust is created and the parent, child, or tree root domain being trusted The trust between domain on which the trust is created and the parent, child, or tree root domain being trusted has been successfully reset and verified The command completed successfully.
  2. Obtain the domain on which the trust is created domain controller object GUID. To do this, follow these steps:
    1. At the command prompt, type repadmin /showreps mydc1, and then press ENTER, where mydc1 is the computer name of the domain on which the trust is created domain controller.
    2. Note the objectGUID line at the top of the output. The object GUID looks similar to the following object GUID:

      a6999e16-99b5-432f-9bc5-3eecf5dc192f

  3. Make sure that replication occurs correctly between the two replication partners. To do this, run the c:\repadmin /sync cn=configuration,dc=mydomain,dc=com mydc1objectGUID command at a command prompt by using the object GUID that you noted in step 2. You receive output that is similar to the following output: Sync from a6999e16-99b5-432f-9bc5-3eecf5dc192f to mydc1 completed successfully.

MORE INFORMATION

You can use either of the following two methods to view the trust relationship between the two domains.

Use the Active Directory Domains and Trust Snap-in

  1. Start the Active Directory Domains and Trust snap-in.
  2. Right-click Mydomain, and then click the Trusts tab.
  3. Click subdom. mydomain .com in the Domains trusted by this domain list, click Edit , and then click Verify.
You receive the following message: The trust has been verified.
It is in place and active.

Use the Netdom.exe command-line utility

At a command prompt, type netdom trust MyDomain /domain:subdom /verify, and then press ENTER. You receive the following output: The trust between MyDomain and subdom has been successfully verified The command completed successfully. Although the tools that you use to examine the trust relationship status say that the trust relationship is okay, you receive an error message during the authentication between the domain controller and its replication partner over the trust.

MYDC1 must authenticate against MYDC2 before MYDC1 replicates from MYDC2. To authenticate, MYDC1 sends a Kerberos KRB_TGS_REQ request to the key distribution center of the subdom domain. The service principal name that MYDC1 uses for this authentication is the same one that it uses for replication. For example, the service principal name is E3514235-4B06-11D1-AB04-00C04FC2DCD2/a6999e16-99b5-432f-9bc5-3ee//mydomain.com.

The key distribution center of the child domain returns the following KRB_ERROR error message to this request:
Message stream modified.
This error message means that the key distribution center cannot decrypt the ticket-granting ticket data that is included in the request. Because the key that is used to decrypt this data comes from the password of the inter-domain trust account, resetting the key resynchronizes the password on both sides and fixes the problem.
Modification Type:MajorLast Reviewed:2/1/2005
Keywords:kbwinservds kbActiveDirectory kbprb kbtshoot KB892426 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.