Failed to add domain to the client host with error 'Target account error'

yy s
2023-07-24T03:06:36.6866667+00:00

My domain controller connection failed with the following situation:

  1. When the client intentionally enters the wrong password, it will prompt login failure and the username or password is incorrect.
  2. When both the user and password are entered correctly, a login failure message will be displayed: the target account is not clear, and the system log displays the error message as follows:

1. The dynamic registration or deletion of one or more DNS records related to the DNS domain 'tri biotech. com.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

Possible causes of the malfunction include:

- The TCP/IP properties of this computer's network connection contain incorrect IP addresses for the preferred and backup DNS servers
- The specified preferred and backup DNS servers are not running
- The DNS server host for this record to be registered is not running
- Preferred and backup DNS servers configured with incorrect root hints
- The parent DNS zone contains incorrect delegation to the child zone authorization, which is used to register failed DNS records

User Action

Fix the possible misconfiguration and initial registration or deletion of DNS records specified above by running 'nltest.exe /dsregdns' from the command line prompt on the domain controller or restarting the Net Logon service on the domain controller.

Run 'nltest.exe /dsregdns'

Then I ran C:\Users\administrator.TRI-IBIOTECH>nltest.exe /dsregdns

Flag: 0

Connection Status=0 0x0 NERR_Success

This command completed successfully

2. The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ad2$. The target name used is ldap/AD2. tri ibiotech.com. This indicates that the target server is unable to decrypt the ticket provided by the client. If the target server principal name (SPN) is not registered on the account being used by the target service, this issue will occur. Please ensure that the target SPN is only registered on the account used by the server. If the target service account password used by the target service is different from the password configured on the Kerberos Key Distribution Center, this issue can also occur. Please ensure that the services on both the server and KDC are configured to use the same password. If the server name is not fully qualified and the target domain (TRI-IBIOTECH.COM) is different from the client domain (TRI-IBIOTECH.COM), check if there are server accounts with the same name in both domains, or use a fully qualified name to identify the server.

  1. The domain server has served as a master slave, with one master and one slave.

My client is currently unable to add domains, and every time I add domains, I report 'The target account name is incorrect'

Request guidance


7 answers

  1. Anonymous
    2023-07-24T13:25:12.97+00:00

    Please run;

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log (run on PDC emulator)
    repadmin /showrepl >C:\repl.txt (run on any domain controller)
    ipconfig /all > C:\%computername%.txt (run on EVERY domain controller)
    ipconfig /all > C:\problemworkstation.txt (run on problem pc)

    Also check the domain controller System and Replication (DFS or FRS) event logs for errors since last boot. Post the Event Source and Event IDs of any found. (no evtx files)

    then put unzipped text files up on OneDrive and share a link.


  2. Anonymous
    2023-07-25T15:26:46.6966667+00:00

    Sorry, I was not able to translate the files but something here might help.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/newly-promoted-domain-controller-fail-advertise

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Anonymous
    2023-07-26T17:17:00.77+00:00

    These two domain controllers do not communicate on any level. I wonder how long this has been going on? Has the tombstone been exceeded?

    no more endpoints available from the endpoint mapper

    Replication appears to be blocked due to wrong firewall profiles or other network issues.

    netstat -aon

    should show this result and a reboot may be needed to clear.

    I'd check that both got the domain network profile, possibly restart the Network Location Awareness service.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Anonymous
    2023-07-27T01:07:38.43+00:00

    I'd still check that both got the domain network profile, possibly restart the Network Location Awareness service. If you can get connectivity going then you could try a non-authoritative sync

    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  5. Anonymous
    2023-07-27T15:11:04.8466667+00:00

    Sounds good, restarting them both at the same time could cause a race condition.

    When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.

    If the domain was not found or the process failed, NLA will let you determine which firewall profile will be used, private or public, likely defaulting to Public.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
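
The checks suggested across the answers above (assigned network profile, LDAP on port 389 for NLA's domain detection, the RPC endpoint mapper), combined into one script as an added example that is not part of any answer in this thread. `$PartnerDc` is a hypothetical parameter for the other domain controller's name, and the script assumes the `NlaSvc` service may be restarted on the machine where it runs.

```powershell
# Added example: run on one domain controller (or the problem client) at a time.
param(
    # Hypothetical placeholder: FQDN of the other domain controller.
    [Parameter(Mandatory)] [string] $PartnerDc
)

# Ports the thread touches on: 389 (LDAP, used by NLA's domain detection) and
# 135 (RPC endpoint mapper, source of "no more endpoints available").
$ports = [ordered]@{ 'LDAP' = 389; 'RPC endpoint mapper' = 135 }

# 1. Which profile did NLA assign to each connected interface?
$profiles = @(Get-NetConnectionProfile)
$profiles | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
$notDomain = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })

# 2. Can this machine reach the partner DC on those ports?
$reach = foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $PartnerDc -Port $p.Value -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $p.Key; Port = $p.Value; Reachable = $r.TcpTestSucceeded }
}
$reach | Format-Table -AutoSize

# 3. Re-run NLA detection only when it has a chance of succeeding.
if ($notDomain.Count -eq 0) {
    Write-Host 'All connected interfaces have the DomainAuthenticated profile.'
}
elseif (($reach | Where-Object { $_.Port -eq 389 }).Reachable) {
    Write-Host 'LDAP is reachable but the profile is not DomainAuthenticated; restarting NLA on this machine only.'
    Restart-Service -Name NlaSvc -Force      # -Force because other services depend on NlaSvc
    Start-Sleep -Seconds 15                  # give detection time to complete
    Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory -AutoSize
}
else {
    Write-Warning "Port 389 on $PartnerDc is unreachable; fix DNS, routing or firewall rules first. Restarting NLA will not change the profile."
}
```

Run it on one domain controller, confirm the result, then run it on the other, rather than restarting the service on both at once.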

