Target name resolution error в windows server

In Servers --- all servers I get a target name resolution error
  • Remove From My Forums
  • Question

  • In Servers — all servers I get a target name resolution error

     configuration refresh failed with the following error: the metadata failed to be retrieved from the server with the following error: the WinRM client cannot process the request because the server name cannot be resolved

    Any Ideas I tried to add a VM to the servers in the server manager.

Answers

  • Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

    If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

    -Greg

    • Proposed as answer by

      Thursday, September 20, 2012 6:41 AM

    • Marked as answer by
      MedicalSMicrosoft contingent staff
      Thursday, September 20, 2012 7:22 AM

  • Hi, 

    Try with the IP address…if you are  able to connect… then the issue with DNS !!!

    • Proposed as answer by
      Aiden_Cao
      Thursday, September 20, 2012 6:41 AM
    • Marked as answer by
      MedicalSMicrosoft contingent staff
      Thursday, September 20, 2012 7:22 AM


Posted by SpicySoulJah 2019-08-18T10:30:08Z

Good Morning from my side of the world fellas!

I have a problem stopping me from progressing in my learning, my test bench in hyperv gives me this error when I add the 2nd domain controller

Any help is greatly appreciated, I will pay you in coffee when I get my super SysAdmin gig lol

Image: post content

4 Replies

  • Author Amirhossein Karimpour

    EminentX


    This person is a Verified Professional

    This person is a verified professional.

    Verify your account
    to enable IT peers to see that you are a professional.

    ghost chili

    Windows Server Expert

    • check
      31
      Best Answers
    • thumb_up
      116
      Helpful Votes

    If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct. Could you ping NU-DC2 by name? If not, check A record for that server in the DNS Zone. Do ipconfig /flushdns and ipconfig /registerdns and then try again.


    Was this post helpful?
    thumb_up
    thumb_down

  • Author Nathan Sodja

    Yes Sir


    Was this post helpful?
    thumb_up
    thumb_down

  • Author Shaun Mitchell

    Make sure that the new server is using the existing server as its dns server


    Was this post helpful?
    thumb_up
    thumb_down

  • Author Victor Chupov

    taurex


    This person is a Verified Professional

    This person is a verified professional.

    Verify your account
    to enable IT peers to see that you are a professional.

    tabasco

    As others said, make sure that neither of your DCs is pointing to any external DNS servers. They have to point to each other as the primary DNS and their loopbacks as the secondary DNS. You must only use AD DNS servers on your entire network otherwise you’ll get all sorts of issues. You only set up external DNS servers in the Forwarders tab in DNS Manager. 


    1 found this helpful
    thumb_up
    thumb_down

  • Remove From My Forums
  • Question

  • In Servers — all servers I get a target name resolution error

     configuration refresh failed with the following error: the metadata failed to be retrieved from the server with the following error: the WinRM client cannot process the request because the server name cannot be resolved

    Any Ideas I tried to add a VM to the servers in the server manager.

Answers

  • Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

    If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

    -Greg

    • Proposed as answer by

      Thursday, September 20, 2012 6:41 AM

    • Marked as answer by
      MedicalSMicrosoft contingent staff
      Thursday, September 20, 2012 7:22 AM

  • Hi, 

    Try with the IP address…if you are  able to connect… then the issue with DNS !!!

    • Proposed as answer by
      Aiden_Cao
      Thursday, September 20, 2012 6:41 AM
    • Marked as answer by
      MedicalSMicrosoft contingent staff
      Thursday, September 20, 2012 7:22 AM

  • Remove From My Forums
  • Question

  • In Servers — all servers I get a target name resolution error

     configuration refresh failed with the following error: the metadata failed to be retrieved from the server with the following error: the WinRM client cannot process the request because the server name cannot be resolved

    Any Ideas I tried to add a VM to the servers in the server manager.

Answers

  • Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

    If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

    -Greg

    • Proposed as answer by

      Thursday, September 20, 2012 6:41 AM

    • Marked as answer by
      MedicalSMicrosoft contingent staff
      Thursday, September 20, 2012 7:22 AM

  • Hi, 

    Try with the IP address…if you are  able to connect… then the issue with DNS !!!

    • Proposed as answer by
      Aiden_Cao
      Thursday, September 20, 2012 6:41 AM
    • Marked as answer by
      MedicalSMicrosoft contingent staff
      Thursday, September 20, 2012 7:22 AM

I have just set up a new Hyper-V 2012 Server and connected it to the domain. I attempted to follow the Microsoft documentation to allow remote management via server manager. I enabled remote management in the server configuration command menu.

I also allowed the server to respond to ping requests. When I search for the server in server manager from my windows 8 desktop it is found by name and added to the servers list. Under the manageability column I get the message «Target name resolution error.» I’m able to ping the server by ip address but not by name. Both the server and my desktop are connected to the domain.

I tried adding the server name to my deskops hosts file in which case I can now ping the server by name but I still get the same error in server manager. The documentation simply states that I should have to enable remote management on the server, add any user accounts that should be allowed remote access to the local administrator group, and then connect to it from server manager.

  • http://technet.microsoft.com/en-us/library/jj647788.aspx

I don’t know if the documentation is incomplete or I may have something mis-configured?

slm's user avatar

slm

7,49516 gold badges54 silver badges74 bronze badges

asked Aug 7, 2013 at 20:40

esgeroth's user avatar

It sounds from the error description that you have a DNS problem. Is the DNS configured correctly on your Hyper-V host?

Both Host and Client should be able to resolve the opposite’s IP address by name.

answered Aug 7, 2013 at 20:54

john's user avatar

johnjohn

1,9951 gold badge17 silver badges30 bronze badges

7

Содержание

  1. Target name resolution error
  2. Answered by:
  3. Question
  4. Answers
  5. All replies
  6. Target name resolution error
  7. Answered by:
  8. Question
  9. Answers
  10. All replies

Target name resolution error

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

In Servers — all servers I get a target name resolution error

configuration refresh failed with the following error: the metadata failed to be retrieved from the server with the following error: the WinRM client cannot process the request because the server name cannot be resolved

Any Ideas I tried to add a VM to the servers in the server manager.

Answers

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

How to Setup Windows, Network, VPN & Remote Access on

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

same here- if using AD, «target name resolution error»

if added using IP/DNS, «Kerberos target resolution error»

same AD domain, same DNS domain, can resolve each other by nslookup, find each other in ‘add servers’ by AD and DNS/IP, etc.

Refresh fails after adding, too. both come up as online and have remote management installed.

All fixes say to ensure DNS is working. It is — now what? Nothing in documentation.

I had the same problem with a build I did. To resolve the problem I reconfigured the network interface cards (NIC) so that each NIC could communication with the correct network. I’m fairly certain that the network interface cards are not configured correctly.

Mark R Bracking

I faced the same issue after renaming the Win2012 4 node cluster.

Solution is : Just open Server Manager Console, click All Server and Right click and Remove the Previous Cluster Name Entry and clear task from Flag.

You need to do it on all cluster nodes.

I have the same issue

2 node cluster with 8 nic cards

2 x iSCSI private IP

2 x Live Migration -Cluster comms Teamed private IP

3 x Hyper-V teamed no ip settings for hyper-v guests

1 x MGT Lan port with dns and lan access

I can ping the cluster name the servers name and IP address from each server and all okay. So it does not look like a DNS issue

On my windows 8 pc I can add all the server and they show okay. So it only displays the error on both nodes of the cluster

the strange thing is that I can right click the server and computer management and it opens the computer management of the server it can’t resolve

I have created 2 VMs on my windows 8 Hyper-V. On first VM, I have installed windows server 2012 full GUI (server 1) and on second VM windows server 2012 core (server 2) and both virtual machines are in workgroup. I configured static IP on both machines and they are pinging fine to each other. I want to configure and manage server 2 (core) from server 1 (GUI) with the help of server manager but when I add server 2, server 1’s server manager throws an error with error message «DNS name resolution error»

Let me know if you need any other information.

Please give me a solution.

I solved my experience with this error by removing the server from server manager and adding it back. This seems to have resolved DNS issues related to the computer name change I performed on my target server.

If you are on your Active Directory domain controller with integrated DNS, check if your primary DNS server is 127.0.0.1 in your network adapter settings.

In your DNS settings, you should setup an external DNS server as forwarder. (for instance, 8.8.8.8 for google DNS server)

To be honest, im just a new learner in Window Server 2012. Apart of that, currently I’m working in Server Manager for connecting two servers namely primary and secondary. But the problem arises when I’m need to configure the two servers, I unable to find the secondary server when dealing in primary server and vice versa for clustering .

The error came out is «Kerberos Target Resolution Error». How to solve this kind of problem?

— «Manage As» that i required to insert the username and password to another server
— «RPC» to remote another server
— disable firewall

but its still unsuccessful..

At the All Server of the Server manager, it unable to detect IP Address of the secondary server as depicted above. Is it the cause of an error?

I also had this error. Solved by removing server and adding it using DNS query (not AD)

hi guys. i am having the same error. what do you mean there is a dns problem? how do i resulve it?

When you add a Server, it has a name.

But to use that name, it needs to go through a Dynamic Name Server, to lookup the proper address.

A computer only understands 01010101010011111010000111010101.

So a name like: MyServerToBeManaged, although you understand the name, the computer will start doing. nothing! Because it needs this name to be translated into bits, zeros and ones.

To make even this more visuable to a human reader, you get IP Addresses in the sense of

172.22.x.x for a class B network on the Netmask 255.255.0.0 or if you like class A you get 192.168.x.x on the 255.255.255.0

But although the computer can translate Hex into binary automatically, it can’t with the names.

Thus you need a server, a dynamic name server, to translate the name for the computer.

I have an easy setup with only 2 AD DC, so I have one as first DNS for the 2nd and the 2nd has the first DNS pointing the first.

i.e. DC 172.22.56.2, router at 172.22.56.1

The other computer on the other subnet is at 172.22.57.2 and it’s router at 172.22.57.1

They are bind by oVPN to a class B network.

To make sure they see each other, the first DC has 2 DNS:

and the 2nd DC has also 2 DNS:

So both first look for their partner for DNS queries *had to do that to make sure the local.domain.com would be resolved properly, because if you have the routers DNS first, your DC start looking for each other in online DNS resolvers for the WWW, which you don’t want them to!

You first point them to each other, and first if THEY can’t resolve it, they look online..

This setup is very bad practice if you have more then 2 DC though, but it’s an easy setup for home users.

Источник

Target name resolution error

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

In Servers — all servers I get a target name resolution error

configuration refresh failed with the following error: the metadata failed to be retrieved from the server with the following error: the WinRM client cannot process the request because the server name cannot be resolved

Any Ideas I tried to add a VM to the servers in the server manager.

Answers

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

How to Setup Windows, Network, VPN & Remote Access on

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

  • Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
  • Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

same here- if using AD, «target name resolution error»

if added using IP/DNS, «Kerberos target resolution error»

same AD domain, same DNS domain, can resolve each other by nslookup, find each other in ‘add servers’ by AD and DNS/IP, etc.

Refresh fails after adding, too. both come up as online and have remote management installed.

All fixes say to ensure DNS is working. It is — now what? Nothing in documentation.

I had the same problem with a build I did. To resolve the problem I reconfigured the network interface cards (NIC) so that each NIC could communication with the correct network. I’m fairly certain that the network interface cards are not configured correctly.

Mark R Bracking

I faced the same issue after renaming the Win2012 4 node cluster.

Solution is : Just open Server Manager Console, click All Server and Right click and Remove the Previous Cluster Name Entry and clear task from Flag.

You need to do it on all cluster nodes.

I have the same issue

2 node cluster with 8 nic cards

2 x iSCSI private IP

2 x Live Migration -Cluster comms Teamed private IP

3 x Hyper-V teamed no ip settings for hyper-v guests

1 x MGT Lan port with dns and lan access

I can ping the cluster name the servers name and IP address from each server and all okay. So it does not look like a DNS issue

On my windows 8 pc I can add all the server and they show okay. So it only displays the error on both nodes of the cluster

the strange thing is that I can right click the server and computer management and it opens the computer management of the server it can’t resolve

I have created 2 VMs on my windows 8 Hyper-V. On first VM, I have installed windows server 2012 full GUI (server 1) and on second VM windows server 2012 core (server 2) and both virtual machines are in workgroup. I configured static IP on both machines and they are pinging fine to each other. I want to configure and manage server 2 (core) from server 1 (GUI) with the help of server manager but when I add server 2, server 1’s server manager throws an error with error message «DNS name resolution error»

Let me know if you need any other information.

Please give me a solution.

I solved my experience with this error by removing the server from server manager and adding it back. This seems to have resolved DNS issues related to the computer name change I performed on my target server.

If you are on your Active Directory domain controller with integrated DNS, check if your primary DNS server is 127.0.0.1 in your network adapter settings.

In your DNS settings, you should setup an external DNS server as forwarder. (for instance, 8.8.8.8 for google DNS server)

To be honest, im just a new learner in Window Server 2012. Apart of that, currently I’m working in Server Manager for connecting two servers namely primary and secondary. But the problem arises when I’m need to configure the two servers, I unable to find the secondary server when dealing in primary server and vice versa for clustering .

The error came out is «Kerberos Target Resolution Error». How to solve this kind of problem?

— «Manage As» that i required to insert the username and password to another server
— «RPC» to remote another server
— disable firewall

but its still unsuccessful..

At the All Server of the Server manager, it unable to detect IP Address of the secondary server as depicted above. Is it the cause of an error?

I also had this error. Solved by removing server and adding it using DNS query (not AD)

hi guys. i am having the same error. what do you mean there is a dns problem? how do i resulve it?

When you add a Server, it has a name.

But to use that name, it needs to go through a Dynamic Name Server, to lookup the proper address.

A computer only understands 01010101010011111010000111010101.

So a name like: MyServerToBeManaged, although you understand the name, the computer will start doing. nothing! Because it needs this name to be translated into bits, zeros and ones.

To make even this more visuable to a human reader, you get IP Addresses in the sense of

172.22.x.x for a class B network on the Netmask 255.255.0.0 or if you like class A you get 192.168.x.x on the 255.255.255.0

But although the computer can translate Hex into binary automatically, it can’t with the names.

Thus you need a server, a dynamic name server, to translate the name for the computer.

I have an easy setup with only 2 AD DC, so I have one as first DNS for the 2nd and the 2nd has the first DNS pointing the first.

i.e. DC 172.22.56.2, router at 172.22.56.1

The other computer on the other subnet is at 172.22.57.2 and it’s router at 172.22.57.1

They are bind by oVPN to a class B network.

To make sure they see each other, the first DC has 2 DNS:

and the 2nd DC has also 2 DNS:

So both first look for their partner for DNS queries *had to do that to make sure the local.domain.com would be resolved properly, because if you have the routers DNS first, your DC start looking for each other in online DNS resolvers for the WWW, which you don’t want them to!

You first point them to each other, and first if THEY can’t resolve it, they look online..

This setup is very bad practice if you have more then 2 DC though, but it’s an easy setup for home users.

Источник

Hey all, I’ve come here to plea for help. I’m not the best with windows as most of my study has been in linux and networking, but I’m dealing with migrating a DC/dhcp/DNS combo server here. Everything seems to have gone well however I need to use server manager on a specific machine to handle the servers from now on. Sometimes it works just fine, sometimes it error’s with Target name resolution error. Here are the clues below…. All information is coming from the machine I’m trying to manage the servers from.

The system log shows «DCOM was unable to communicate with the computer name.domain.toplevel using any of the configureed protocols»

I’m able to resolve the servername.domain.toplevel via nslookup, and it’s verified that there is an entry on the DNS server

When I ping just servername, it responds in IPv6, which is strange, but adding the -4 flag causing it to respond in IPv4.

When I ping servername.domain.toplevel I get «could not find host»

If I try «Manage As» and input bogus credentials, I get the correct kerberos error. Switching back to valid credentials returns to the target name resolution error.

I have no idea what makes it start working, but sometimes it just does.

Any ideas? anything else I could provide? Any help would be appreciated, not quite sure where to look next


First published on TechNet on May 14, 2008

Hi

Rob

here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot Kerberos; one could use the Kerberos event logging outlined in KB

262177

. Although you could rely on this method, it will take longer to resolve the issue and involves making some educated guesses without the network trace.

I am going to layout my

lab configuration

in case you want to reproduce the problem and look at the network traces on your own.


Forest layout:

The root domain litwareinc.com has one domain controller in the domain, and one member server.


Domain Controller network configuration:

Host Name:  LTWRE-RT-DC1

IP Address: 10.10.100.20

DNS:  10.10.100.20

WINS: 10.10.100.60


Member Server network configuration:

Host Name:  LTWRE-RT-MEM1

IP Address: 10.10.100.21

DNS:  10.10.100.20

WINS: 10.10.100.60

The child domain litware-chld.litwareinc.com has one domain controller in the domain, and one member server.


Domain Controller network configuration:

Host Name:  LTWRE-CHD-DC1

IP Address: 10.10.200.20

DNS:  10.10.200.20

WINS: 10.10.100.60


Member Server network configuration:

Host Name:  LTWRE-CHD-MEM1

IP Address: 10.10.200.21

DNS:  10.10.100.20

WINS: 10.10.100.60

NOTE: I’m stating the obvious here, I know, but this configuration is for testing only. Having only one DC per domain usually means you’ll be rebuilding the forest at some point.

Network based troubleshooting (network captures) is the fastest way to determine the problem, and by learning a few short filters you can effectively troubleshoot most Kerberos-related problems.

You can use any network capture utility that you feel comfortable with. I prefer

Netmon

, nmcap (part of Netmon 3.x) or

netcap

(XP and 2003 support tools) to collect the network trace, and I use

Wireshark

to view the network capture. This is in no way an endorsement of Wireshark – feel free to use

Ethereal

,

Packetyzer

,

etc

.


Problem scenario:

There is a service running on LTWRE-RT-MEM1 server that runs starts /runs as “LocalSystem” account. This service connects to a file share on LTWRE-CHD-MEM1 named “AppShare” to access some files. The Service is failing to retrieve the files and is giving you an error of “Access is denied”. When you attempt to access the share as a domain user account on LTWRE-RT-MEM1 you are able to access the share.

Auditing for Logon/Logoff was enabled on LTWRE-CHD-MEM1, so you start by examining the security event log.

When the LITWAREINCAdministrator attempts to access the share we get the following Audit Event:

Notice how the user that authenticated to the server is the “LITWAREINCAdministrator” account. It used NTLM authentication and the source machine name is LTWRE-RT-MEM1.

When the Service attempts to access the share we get the following Audit Event:

Notice that when the service attempts to authenticate to the server it is doing it anonymously.

Hey, why is the computer authenticating to the other machine using NTLM authentication?

I thought we were in the 21

st

century with Kerberos authentication?

As it turns out, starting with Windows XP and Windows Server 2003 a computer cannot not use NTLM authentication when accessing a remote resource. If it does, it will use Anonymous Logon credentials and typically fail.

That means we have to figure out why Kerberos authentication is failing on LTWRE-RT-MEM1 when accessing a share on LTWRE-CHD-MEM1.

Typically when you troubleshoot using network captures, you want to install the network capture utility on both ends of the communications to make sure that there are no network devices (firewalls, routers, switches, VPN appliances, etc.) that are manipulating the packet in between the two systems. We call this taking a double-sided trace.

When working with a customer, we will typically request a double-sided network capture be taken. In this scenario I would start with installing the network capture utility on the source and destination server to see what is going on.

So the next question I guess becomes what are the steps to taking a good network capture?

Well, we want to see all name resolution, and we will also want to ensure that we see the Kerberos tickets (Authentication) in the capture. We also want to make sure that we can reproduce this problem at will to see this problem for ourselves.


So, how can we reproduce the problem?

1. Get a command prompt as the “SYSTEM” and attempt to access the remote system.

On Windows 2000, Windows XP, and Windows Server 2003 we can use the AT command to get a command prompt as the “SYSTEM” account by type the following command:

AT

<Military Time in Future>

/Interactive “cmd.exe”

i.e.  if the time is currently 7:04 PM you would type in:

AT 19:06 /Interactive “cmd.exe”

Then at 7:06 PM you should see a command prompt pop up

NOTE:  You have to do this while logged into the console session.  If you are RDP’ed in you need to start the RDP session with the /console switch otherwise you will never see the command window start.

2. Start the network capture utility.

3. Clear all name resolution cache as well as all cached Kerberos tickets.

  • To clear DNS name cache you type in: IPConfig /FlushDNS
  • To clear NetBIOS name cache you type in: NBTStat –R
  • To clear Kerberos tickets will need KList.exe: KList purge

The above commands need to be done in the command prompt that came up for “SYSTEM”

4. Now you need to run a command that will require authentication to the target server. Either of the following will do:

  • Net View

    \LTWRE-CHD-MEM1

  • Dir

    \ltwre-chd-mem1AppShare

5. Once you get the error message, stop and save the network captures.


Reviewing the network capture:

If you are using Wireshark to view the trace, the Filter is simple: “dns || Kerberos || ip.addr==

<IP Address of Target machine>

”. Basically, this filter means “Show me all packets sent to or from the target machine, all DNS name queries and responses, and all Kerberos authentication.”

It should look similar to this:

Once you have the network capture, you should see all DNS, Kerberos Authentication (As well as Packets that have Kerberos tickets in them), and anything destined for the remote system.

Before we go over the capture too much, we should probably cover at a high level the steps taken to connect to a remote file share.

1. Resolve the host name for the target system to an IP address.

a. Look in the HOSTS file.

b. Query DNS.

c. Look in the LMHOSTS file.

d. Query WINS / NBNS.

2. Ping the remote system.

3. Negotiate an Authentication protocol. Kerberos is preferred for Windows hosts.

4. Request a Kerberos Ticket.

5. Perform an SMB “Session Setup and AndX request” request and send authentication data (Kerberos ticket or NTLM response).

Let’s look at those steps in more detail.

Step 1 — resolve the name:

Remember, we did “IPConfig /FlushDNS” so that we can see name resolution on the wire. Frame 1 is the query out. Hmm, this looks kind of funny: querying for LTWRE-CHD-MEM1.litwareinc.com. Well, that part should be fine, I suppose, since the DNS server should not find the record. But wait Frame 6 shows that the DNS Server responded to the query with 10.10.200.21, and sure enough that is the correct IP Address for the target server.

Step 2 — ping the remote system:

Yep, the remote system is ping able. See the Echo request and reply. So the system is up and available.

Step 3 — Negotiate Authentication:

So now we negotiate the authentication protocol and the remote system responded; the response is the more important part of the packet. We see that it supports MS KRB5, KRB5, and NTLMSSP; it even gave us the principal name of the system.

Step 4 — Request a Kerberos ticket:

Alright, now to the meat of Kerberos authentication and viewing it in a network trace. If you remember, we used

KList Purge

command to clear out all tickets on the system. That means that the server has to get a Ticket Granting Ticket (TGT) first, and this is why you are seeing the AS-REQ and AS-REP frames. If Kerberos ticketing is new to you, I would suggest reviewing the blog on how

Kerberos works

.

Next, we see the TGS-REQ in Frame 18; let’s take a closer look at this packet in the details pane.

You can see that the system is handing its TGT to the Kerberos Key Distribution Center (KDC) under “padata: PA-TGS-REQ” section, and requesting a ticket for server “cifs/LTWRE-CHD-MEM1.litwareinc.com” in the LITWAREINC.COM realm (Windows Domain) under “KDC_REQ_BODY” section.

OK, since we now know that we are requesting a Kerberos ticket for

“cifs/LTWRE-CHD-MEM1.litwareinc.com”

in the litwareinc.com domain. This will not work since the remote system actually lives in the

“litwareinc-chld.litwareinc.com”

domain. So you see why the KDC responded back with


KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


. Again, if you do not understand this please review the blog on how Kerberos works.

Step 5 — Perform a SMB “Session Setup AndX request”:

So we see in the following Frames:

  • Frame 20 shows that, since Kerberos failed due to an unknown service principal name, the NTLMSSP_NEGOTIATE authentication package is selected. Frame 21 shows that the remote system sending the NTLMSSP_CHALLENGE (this is typical) back.
  • Frame 22 shows that the system sent no NTLM credentials to the remote system. It is authenticating as NT AUTHORITYAnonymous.
  • Frame 23 shows that the remote system allowed the session to be created.
  • Frame 24 & 25 shows that we do a Tree connect to the IPC$ share and get a response.
  • Frame 26 & 27 shows that we connect the SRVSVC named pipe and get STATUS_ACCESS_DENIED back.

So where do you think things start to go wrong here in the trace?

If you answered DNS name resolution you would be correct. If name resolution is not working properly in the environment it will cause the application requesting a Kerberos ticket to actually request a Service ticket for the wrong service principal name. So if you remember the remote file server I am attempting to connect to “

ltwre-chd-mem1.chd.litwareinc.com”

, however the DNS Server found a record for

“ltwre-chd-mem1.litware.com”

. Since we found the remote file server in the “litwareinc.com” domain the Kerberos client requests a service ticket for “cifs/ltwre-chd-mem1.litwareinc.com” as noted in the Kerberos ticket request, and the KDC responds with


KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

I did another

net view

specifying the FQDN of LTWRE-CHD-MEM1 and

WOW

, look at the output:

That actually worked! So, how can we fix this problem?

Actually, there are several different ways to “fix” the problem:

a. Find out why DNS is resolving the machine name incorrectly.

i. Is there a HOST or CNAME record for this name?

ii. Did you configure the DNS Zone for WINS lookup?

b. Configure your application to use the FQDN of the system instead of NetBIOS name.

c. We could add an Service Principal Name to LTWRE-CHD-MEM1 for “CIFS/LTWRE-CHD-MEM1.litwareinc.com”

The best way to “Fix” the problem is to actually fix DNS name resolution. By the way, the lab was configured with “WINS Lookup” enabled on the litwareinc.com DNS Zone. If you are failing to use Kerberos authentication using the LocalSystem account, you are more than likely failing to use Kerberos authentication when users are going to the remote system. However, they are not getting “Access is denied” because user accounts, unlike machine accounts, can fail over to NTLM and authenticate with credentials rather than as Anonymous.

If you find that fixing the DNS problem is not possible, then the next best solution would be to make the application use the FQDN of the server. Keep in mind that the application vendor would need to be involved to use this fix.

The least favorite method to resolve the issue would be to add the SPN to the destination server using the SetSPN.exe tool. This is the least favorite because you are adding another name to the machine account in another domain. What would happen if in the future you bring up a new computer in the root domain with the same name? Now you have a duplicate SPN and this will lead to other Kerberos authentication problems.

Well, I hope that you have learned a few new things like:

  • How name resolution problems could cause Kerberos authentication to fail.
  • How to easily filter network traces to confidently determine where Kerberos authentication is failing.
  • How the SMB protocol and authentication look in a network trace.

Please keep in mind that there are several other ways that name resolution could cause Kerberos authentication to fail. You could have static WINS entries in the database, or you could have wrong entries in HOSTS / LMHOSTS files. You could be failing because of a CNAME / “A” (HOST) record within your DNS zone, or simply because of the DNS Zone is configured for “WINS Lookup”.

Robert Greene

  • Home
  • Forums
  • Technical
  • Windows Server 2012
  • Server Manager — Target Name Resolution Error

  • Data loading…

Windows Server 2012 Thread, Server Manager — Target Name Resolution Error in Technical; Morning,

I currently have a 2012R2 DC servicing a small network of about 50 PCs.

I’m trying to add a …

  1. 8th July 2015, 09:31 AM #1

    Morning,

    I currently have a 2012R2 DC servicing a small network of about 50 PCs.

    I’m trying to add a second, so installed Windows Server on the second machine — set it’s IP and DNS entries etc. When trying to access it in server manager — I receive an error, «Target Name Resolution Error». When I try to connect via PS, «…the server name cannot be resolved».

    On both servers, running an NSLOOKUP on both the IP and PC Name show the correct info:

    nslookup servername
    Server: FQDN
    Address: w.x.y.x

    nslookup w.x.y.z
    Server: FQDN
    Address: w.x.y.z

    It’s got me stumped. I’ve restarted both servers, flushed the DNS caches, I can PING bother servers from each other etc., no firewall, WINRM is running and enabled, -no avail.

    Any help would
    be great.

    Cheers,
    Paul.


  2. 8th July 2015, 12:59 PM #2

    So then I try to enter-psession on the existing server to itself and it gives the same: «..server name cannot be resolved»

    So it can’t resolve it’s own name through server manager or PS — but can via NSLOOKUP. Cleared the DNS cache etc.

    I tried to add a role to itself and it gave an error suggesting it can’t modify the registry settings because «the serv…..»

    Grrrr.


  3. 8th July 2015, 03:03 PM #3


  4. 8th July 2015, 03:05 PM #4

    Already tried that Ian,

    As I say, everything resolves via DNS, both NETBIOS name, FQDN and IP all resolve each other properly.


SHARE:

Similar Threads

  1. Replies: 2

    Last Post: 16th August 2013, 01:59 PM

  2. Replies: 0

    Last Post: 21st July 2008, 02:11 AM

  3. Replies: 5

    Last Post: 17th June 2008, 03:01 PM

  4. Replies: 4

    Last Post: 21st May 2008, 06:09 PM

  5. Replies: 6

    Last Post: 26th July 2007, 12:35 PM

  • Home
  • Server Manager — Target Name Resolution Error

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Like this post? Please share to your friends:
  • Tar gz how to extract windows
  • Taptiles скачать бесплатно для windows 10
  • Tapo tp link приложение для windows скачать
  • Tap0901 что это за устройство windows 10
  • Tap0901 драйвер скачать windows 7 x64