Replication error 1396 Logon Failure The target account name is incorrect

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This article describes the symptoms, causes, and resolution of Active Directory replication failing with Win32 error 1396: "Logon failure: The target account name is incorrect."
Symptoms

DCDIAG reports that the Active Directory Replications test has failed with error 1396: "Logon failure: The target account name is incorrect."

    Testing server: <Site name>\<DC Name>
    Starting test: Replications
    [Replications Check,<DC Name>] A recent replication attempt failed:
    From <source DC> to <destination DC>
    Naming Context: CN=<DN path of naming context>
    The replication generated an error (1396):
    Logon Failure: The target account name is incorrect.
    The failure occurred at <date> <time>.
    The last success occurred at <date> <time>.
    XX failures have occurred since the last success

REPADMIN.EXE reports that the last replication attempt has failed with status 1396. REPADMIN commands that commonly cite the 1396 status include but are not limited to:

    REPADMIN /ADD
    REPADMIN /REPLSUM
    REPADMIN /REHOST
    REPADMIN /SHOWVECTOR /LATENCY
    REPADMIN /SHOWREPS
    REPADMIN /SHOWREPL
    REPADMIN /SYNCALL
Sample output from "REPADMIN /SHOWREPS" depicting inbound replication from CONTOSO-DC2 to CONTOSO-DC1 failing with the "Logon Failure: The target account name is incorrect." error is shown below:

    Default-First-Site-Name\CONTOSO-DC1
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: b6dc8589-7e00-4a5d-b688-045aef63ec01
    DSA invocationID: b6dc8589-7e00-4a5d-b688-045aef63ec01
    ==== INBOUND NEIGHBORS ======================================
    DC=contoso,DC=com
        Default-First-Site-Name\CONTOSO-DC2 via RPC
            DSA object GUID: 74fbe06c-932c-46b5-831b-af9e31f496b2
            Last attempt @ <date> <time> failed, result 1396 (0x574):
                Logon Failure: The target account name is incorrect.
            <#> consecutive failure(s).
            Last success @ <date> <time>.

The Replicate now command in Active Directory Sites and Services returns "Logon Failure: The target account name is incorrect." Right-clicking the connection object from a source DC and choosing Replicate now fails with "Logon Failure: The target account name is incorrect." The on-screen error message is shown below:

Dialog title text: Replicate Now
Dialog message text: The following error occurred during the attempt to synchronize naming context <partition DNS path> from domain controller <source DC> to domain controller <destination DC>: Logon Failure: The target account name is incorrect. This operation will not continue.

NTDS KCC, NTDS General or Microsoft-Windows-ActiveDirectory_DomainService events with the 1396 status are logged in the Directory Services log in Event Viewer. Active Directory events that commonly cite the 1396 status include but are not limited to:
Event ID | Event Source | Event String
1125 | Microsoft-Windows-ActiveDirectory_DomainService | The Active Directory Domain Services Installation Wizard (Dcpromo) was unable to establish connection with the following domain controller.
1645 (this event lists the three-part SPN) | NTDS Replication | Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
1655 | Microsoft-Windows-ActiveDirectory_DomainService | Active Directory Domain Services attempted to communicate with the following global catalog and the attempts were unsuccessful.
2847 | Microsoft-Windows-ActiveDirectory_DomainService | The Knowledge Consistency Checker located a replication connection for the local read-only directory service and attempted to update it remotely on the following directory service instance. The operation failed. It will be retried.
1925 | NTDS KCC | The attempt to establish a replication link for the following writable directory partition failed.
1926 | NTDS KCC | The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
5781 | NETLOGON | The server cannot register its name in DNS.
DCPROMO fails with an on-screen error:

Dialog title text: Active Directory Installation Failed
Dialog message text: The operation failed because: The Directory Service failed to create the server object for CN=NTDS Settings,CN=ServerBeingPromoted,CN=Servers,CN=Site,CN=Sites,CN=Configuration,DC=contoso,DC=com on server ReplicationSourceDC.contoso.com. Please ensure the network credentials provided have sufficient access to add a replica. "Logon Failure: The target account name is incorrect."

In this case, Event IDs 1645, 1168, and 1125 are logged on the server that is being promoted.

Map a drive using net use:

    C:\>net use z: \\<server_name>\c$
    System error 1396 has occurred.
    Logon Failure: The target account name is incorrect.

In this case, the server can also log Event ID 333 in the system event log and use a high amount of virtual memory for an application such as SQL Server.

The DC time is incorrect.

The KDC will not start on an RODC after a restore of the krbtgt account for the RODC, which had been deleted. For example, after a restore, error 1396 appears. Event ID 1645 is logged on the RODC. Dcdiag also reports an error that it cannot update the RODC krbtgt account.
Causes

- The SPN does not exist on the global catalog searched by the KDC on behalf of the client attempting to authenticate using Kerberos. In the context of Active Directory replication, the Kerberos client is the destination DC, and the KDC performing the SPN lookup is likely the destination DC itself but could be a remote DC.
- The user or service account that should contain the service principal name being looked up does not exist on the global catalog searched by the KDC on behalf of the destination DC attempting to replicate. In the context of Active Directory replication, the source DC computer account does not exist on the global catalog searched by the DC on behalf of the destination DC performing inbound replication.
- The destination DC lacks an LSA secret for the source DC's domain.
- The SPN being looked up exists on a different computer account than the source DC.
Resolutions

1. Check the Directory Service event log on the destination DC for NTDS Replication event 1645 and note the following:
   - The name of the destination DC
   - The SPN being looked up (E3514235-4B06-11D1-AB04-00C04FC2DCD2/<object guid for source DC's NTDS Settings object>/<target domain>.<tld>@<target domain>.<tld>)
   - The KDC being used by the destination DC

2. From the console of the KDC identified in step 1, type:

    nltest /dsgetdc:<forest root DNS domain name> /gc

   Run the NLTEST locator test immediately following a replication attempt that fails with the 1396 error on the destination DC. This should identify the GC that the KDC is performing SPN lookups against. The GC being searched by the KDC may also be captured in Microsoft-Windows-ActiveDirectory_DomainService event 1655.

3. Search for the SPN discovered in step 1 on the global catalog discovered in step 2.

    C:\>repadmin /showattr <GC used by KDC> <DN path of forest root domain> /filter:"(serviceprincipalname=<SPN cited in the NTDS Replication event 1645>)" /gc /subtree /atts:cn,serviceprincipalname

   OR

    C:\>dsquery * forestroot -scope subtree -filter "(serviceprincipalname=E3514235-4B06-11D1-AB04-00C04FC2DCD2/65cead9f-4949-46a3-a49a-f1fbfe13d2b3)" -attr * -s Server_Name.europe.corp.contoso.com

4. Verify that the host object for the SPN exists.

5. Verify the DN path for the host object, including whether the object is CNF / conflict mangled or resides in the lost and found container.

6. Verify that the source DC's Active Directory Replication SPN is registered only on the source DC's computer account. If the replication SPN is missing, determine whether the source DC has registered its SPN with itself, and whether the SPN is missing on the GC used by the KDC due to simple replication latency or a replication failure.

7. Check the secure channel health and trust health.
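The verification checks that follow the SPN search can be applied mechanically to the DNs the search returns. The following is an added example, not part of the original article or any Microsoft tooling: the function names and result labels are hypothetical, the sample DNs are constructed, and it assumes conflict-renamed objects carry the `\0ACNF:` marker in their RDN.

```python
import re

def split_dn(dn):
    """Split a distinguished name into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def classify_spn_hits(source_dc, hit_dns):
    """Classify the DNs that the GC search for the replication SPN returned.

    source_dc: host name of the source DC (the CN of its computer account).
    hit_dns:   DN of every object the repadmin /showattr or dsquery search listed.
    Returns (finding, dn) tuples; a lone ("OK", dn) means the SPN is healthy.
    """
    if not hit_dns:
        # SPN absent on this GC: replication latency or failure, or never registered.
        return [("MISSING", None)]
    findings = []
    for dn in hit_dns:
        rdns = split_dn(dn)
        name = rdns[0].partition("=")[2]
        parents = [rdn.lower() for rdn in rdns[1:]]
        if "\\0acnf:" in name.lower():
            findings.append(("CNF_MANGLED", dn))      # conflict-renamed object
        elif "cn=lostandfound" in parents:
            findings.append(("LOST_AND_FOUND", dn))   # object lost its parent container
        elif name.lower() != source_dc.lower():
            findings.append(("WRONG_ACCOUNT", dn))    # SPN sits on another account
        else:
            findings.append(("OK", dn))
    if len(hit_dns) > 1:
        # The SPN must be registered on the source DC's computer account only.
        findings.append(("DUPLICATE", None))
    return findings

# Constructed sample input (not real search output).
SOURCE_DC = "CONTOSO-DC2"
HEALTHY = ["CN=CONTOSO-DC2,OU=Domain Controllers,DC=contoso,DC=com"]
BROKEN = [
    "CN=CONTOSO-DC2,OU=Domain Controllers,DC=contoso,DC=com",
    r"CN=CONTOSO-DC2\0ACNF:11111111-2222-3333-4444-555555555555,OU=Domain Controllers,DC=contoso,DC=com",
    "CN=OLD-DC9,CN=LostAndFound,DC=contoso,DC=com",
    "CN=APPSRV1,CN=Computers,DC=contoso,DC=com",
]

if __name__ == "__main__":
    for label, hits in (("none", []), ("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, classify_spn_hits(SOURCE_DC, hits))
```

Any result other than a single OK entry points back to one of the causes listed above: a missing SPN or host object, or an SPN registered on an account other than the source DC.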
Troubleshooting Active Directory operations that fail with error 1396: Logon Failure: The target account name is incorrect. http://support.microsoft.com/kb/2183411/en-gb