Target name resolution error в windows server

Target name resolution error

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

In Servers — all servers I get a target name resolution error

configuration refresh failed with the following error: the metadata failed to be retrieved from the server with the following error: the WinRM client cannot process the request because the server name cannot be resolved

Any Ideas I tried to add a VM to the servers in the server manager.

Answers

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

How to Setup Windows, Network, VPN & Remote Access on

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

same here- if using AD, «target name resolution error»

if added using IP/DNS, «Kerberos target resolution error»

same AD domain, same DNS domain, can resolve each other by nslookup, find each other in ‘add servers’ by AD and DNS/IP, etc.

Refresh fails after adding, too. both come up as online and have remote management installed.

All fixes say to ensure DNS is working. It is — now what? Nothing in documentation.

I had the same problem with a build I did. To resolve the problem I reconfigured the network interface cards (NIC) so that each NIC could communication with the correct network. I’m fairly certain that the network interface cards are not configured correctly.

Mark R Bracking

I faced the same issue after renaming the Win2012 4 node cluster.

Solution is : Just open Server Manager Console, click All Server and Right click and Remove the Previous Cluster Name Entry and clear task from Flag.

You need to do it on all cluster nodes.

I have the same issue

2 node cluster with 8 nic cards

2 x iSCSI private IP

2 x Live Migration -Cluster comms Teamed private IP

3 x Hyper-V teamed no ip settings for hyper-v guests

1 x MGT Lan port with dns and lan access

I can ping the cluster name the servers name and IP address from each server and all okay. So it does not look like a DNS issue

On my windows 8 pc I can add all the server and they show okay. So it only displays the error on both nodes of the cluster

the strange thing is that I can right click the server and computer management and it opens the computer management of the server it can’t resolve

I have created 2 VMs on my windows 8 Hyper-V. On first VM, I have installed windows server 2012 full GUI (server 1) and on second VM windows server 2012 core (server 2) and both virtual machines are in workgroup. I configured static IP on both machines and they are pinging fine to each other. I want to configure and manage server 2 (core) from server 1 (GUI) with the help of server manager but when I add server 2, server 1’s server manager throws an error with error message «DNS name resolution error»

Let me know if you need any other information.

Please give me a solution.

I solved my experience with this error by removing the server from server manager and adding it back. This seems to have resolved DNS issues related to the computer name change I performed on my target server.

If you are on your Active Directory domain controller with integrated DNS, check if your primary DNS server is 127.0.0.1 in your network adapter settings.

In your DNS settings, you should setup an external DNS server as forwarder. (for instance, 8.8.8.8 for google DNS server)

To be honest, im just a new learner in Window Server 2012. Apart of that, currently I’m working in Server Manager for connecting two servers namely primary and secondary. But the problem arises when I’m need to configure the two servers, I unable to find the secondary server when dealing in primary server and vice versa for clustering .

The error came out is «Kerberos Target Resolution Error». How to solve this kind of problem?

— «Manage As» that i required to insert the username and password to another server
— «RPC» to remote another server
— disable firewall

but its still unsuccessful..

At the All Server of the Server manager, it unable to detect IP Address of the secondary server as depicted above. Is it the cause of an error?

I also had this error. Solved by removing server and adding it using DNS query (not AD)

hi guys. i am having the same error. what do you mean there is a dns problem? how do i resulve it?

When you add a Server, it has a name.

But to use that name, it needs to go through a Dynamic Name Server, to lookup the proper address.

A computer only understands 01010101010011111010000111010101.

So a name like: MyServerToBeManaged, although you understand the name, the computer will start doing. nothing! Because it needs this name to be translated into bits, zeros and ones.

To make even this more visuable to a human reader, you get IP Addresses in the sense of

172.22.x.x for a class B network on the Netmask 255.255.0.0 or if you like class A you get 192.168.x.x on the 255.255.255.0

But although the computer can translate Hex into binary automatically, it can’t with the names.

Thus you need a server, a dynamic name server, to translate the name for the computer.

I have an easy setup with only 2 AD DC, so I have one as first DNS for the 2nd and the 2nd has the first DNS pointing the first.

i.e. DC 172.22.56.2, router at 172.22.56.1

The other computer on the other subnet is at 172.22.57.2 and it’s router at 172.22.57.1

They are bind by oVPN to a class B network.

To make sure they see each other, the first DC has 2 DNS:

and the 2nd DC has also 2 DNS:

So both first look for their partner for DNS queries *had to do that to make sure the local.domain.com would be resolved properly, because if you have the routers DNS first, your DC start looking for each other in online DNS resolvers for the WWW, which you don’t want them to!

You first point them to each other, and first if THEY can’t resolve it, they look online..

This setup is very bad practice if you have more then 2 DC though, but it’s an easy setup for home users.

Источник

Target name resolution error

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

In Servers — all servers I get a target name resolution error

configuration refresh failed with the following error: the metadata failed to be retrieved from the server with the following error: the WinRM client cannot process the request because the server name cannot be resolved

Any Ideas I tried to add a VM to the servers in the server manager.

Answers

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on

How to Setup Windows, Network, VPN & Remote Access on

Bob is correct, based on the error message it is a DNS issue. Any news on this issue?

If you are getting the error for all servers, the problem is likely related to the DNS server settings on the NIC. Check these to make sure they are correct.

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

Try with the IP address. if you are able to connect. then the issue with DNS .

• Proposed as answer by Aiden_Cao Thursday, September 20, 2012 6:41 AM
• Marked as answer by MedicalS Microsoft contingent staff Thursday, September 20, 2012 7:22 AM

same here- if using AD, «target name resolution error»

if added using IP/DNS, «Kerberos target resolution error»

same AD domain, same DNS domain, can resolve each other by nslookup, find each other in ‘add servers’ by AD and DNS/IP, etc.

Refresh fails after adding, too. both come up as online and have remote management installed.

All fixes say to ensure DNS is working. It is — now what? Nothing in documentation.

I had the same problem with a build I did. To resolve the problem I reconfigured the network interface cards (NIC) so that each NIC could communication with the correct network. I’m fairly certain that the network interface cards are not configured correctly.

Mark R Bracking

I faced the same issue after renaming the Win2012 4 node cluster.

Solution is : Just open Server Manager Console, click All Server and Right click and Remove the Previous Cluster Name Entry and clear task from Flag.

You need to do it on all cluster nodes.

I have the same issue

2 node cluster with 8 nic cards

2 x iSCSI private IP

2 x Live Migration -Cluster comms Teamed private IP

3 x Hyper-V teamed no ip settings for hyper-v guests

1 x MGT Lan port with dns and lan access

I can ping the cluster name the servers name and IP address from each server and all okay. So it does not look like a DNS issue

On my windows 8 pc I can add all the server and they show okay. So it only displays the error on both nodes of the cluster

the strange thing is that I can right click the server and computer management and it opens the computer management of the server it can’t resolve

I have created 2 VMs on my windows 8 Hyper-V. On first VM, I have installed windows server 2012 full GUI (server 1) and on second VM windows server 2012 core (server 2) and both virtual machines are in workgroup. I configured static IP on both machines and they are pinging fine to each other. I want to configure and manage server 2 (core) from server 1 (GUI) with the help of server manager but when I add server 2, server 1’s server manager throws an error with error message «DNS name resolution error»

Let me know if you need any other information.

Please give me a solution.

I solved my experience with this error by removing the server from server manager and adding it back. This seems to have resolved DNS issues related to the computer name change I performed on my target server.

If you are on your Active Directory domain controller with integrated DNS, check if your primary DNS server is 127.0.0.1 in your network adapter settings.

In your DNS settings, you should setup an external DNS server as forwarder. (for instance, 8.8.8.8 for google DNS server)

To be honest, im just a new learner in Window Server 2012. Apart of that, currently I’m working in Server Manager for connecting two servers namely primary and secondary. But the problem arises when I’m need to configure the two servers, I unable to find the secondary server when dealing in primary server and vice versa for clustering .

The error came out is «Kerberos Target Resolution Error». How to solve this kind of problem?

— «Manage As» that i required to insert the username and password to another server
— «RPC» to remote another server
— disable firewall

but its still unsuccessful..

At the All Server of the Server manager, it unable to detect IP Address of the secondary server as depicted above. Is it the cause of an error?

I also had this error. Solved by removing server and adding it using DNS query (not AD)

hi guys. i am having the same error. what do you mean there is a dns problem? how do i resulve it?

When you add a Server, it has a name.

But to use that name, it needs to go through a Dynamic Name Server, to lookup the proper address.

A computer only understands 01010101010011111010000111010101.

So a name like: MyServerToBeManaged, although you understand the name, the computer will start doing. nothing! Because it needs this name to be translated into bits, zeros and ones.

To make even this more visuable to a human reader, you get IP Addresses in the sense of

172.22.x.x for a class B network on the Netmask 255.255.0.0 or if you like class A you get 192.168.x.x on the 255.255.255.0

But although the computer can translate Hex into binary automatically, it can’t with the names.

Thus you need a server, a dynamic name server, to translate the name for the computer.

I have an easy setup with only 2 AD DC, so I have one as first DNS for the 2nd and the 2nd has the first DNS pointing the first.

i.e. DC 172.22.56.2, router at 172.22.56.1

The other computer on the other subnet is at 172.22.57.2 and it’s router at 172.22.57.1

They are bind by oVPN to a class B network.

To make sure they see each other, the first DC has 2 DNS:

and the 2nd DC has also 2 DNS:

So both first look for their partner for DNS queries *had to do that to make sure the local.domain.com would be resolved properly, because if you have the routers DNS first, your DC start looking for each other in online DNS resolvers for the WWW, which you don’t want them to!

You first point them to each other, and first if THEY can’t resolve it, they look online..

This setup is very bad practice if you have more then 2 DC though, but it’s an easy setup for home users.

Источник

Hey all, I’ve come here to plea for help. I’m not the best with windows as most of my study has been in linux and networking, but I’m dealing with migrating a DC/dhcp/DNS combo server here. Everything seems to have gone well however I need to use server manager on a specific machine to handle the servers from now on. Sometimes it works just fine, sometimes it error’s with Target name resolution error. Here are the clues below…. All information is coming from the machine I’m trying to manage the servers from.

The system log shows «DCOM was unable to communicate with the computer name.domain.toplevel using any of the configureed protocols»

I’m able to resolve the servername.domain.toplevel via nslookup, and it’s verified that there is an entry on the DNS server

When I ping just servername, it responds in IPv6, which is strange, but adding the -4 flag causing it to respond in IPv4.

When I ping servername.domain.toplevel I get «could not find host»

If I try «Manage As» and input bogus credentials, I get the correct kerberos error. Switching back to valid credentials returns to the target name resolution error.

I have no idea what makes it start working, but sometimes it just does.

Any ideas? anything else I could provide? Any help would be appreciated, not quite sure where to look next

First published on TechNet on May 14, 2008

Hi

Rob

here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot Kerberos; one could use the Kerberos event logging outlined in KB

262177

. Although you could rely on this method, it will take longer to resolve the issue and involves making some educated guesses without the network trace.

I am going to layout my

lab configuration

in case you want to reproduce the problem and look at the network traces on your own.

Forest layout:

The root domain litwareinc.com has one domain controller in the domain, and one member server.

Domain Controller network configuration: Host Name:  LTWRE-RT-DC1 IP Address: 10.10.100.20 DNS:  10.10.100.20 WINS: 10.10.100.60

Member Server network configuration: Host Name:  LTWRE-RT-MEM1 IP Address: 10.10.100.21 DNS:  10.10.100.20 WINS: 10.10.100.60

The child domain litware-chld.litwareinc.com has one domain controller in the domain, and one member server.

Domain Controller network configuration: Host Name:  LTWRE-CHD-DC1 IP Address: 10.10.200.20 DNS:  10.10.200.20 WINS: 10.10.100.60

Member Server network configuration: Host Name:  LTWRE-CHD-MEM1 IP Address: 10.10.200.21 DNS:  10.10.100.20 WINS: 10.10.100.60

NOTE: I’m stating the obvious here, I know, but this configuration is for testing only. Having only one DC per domain usually means you’ll be rebuilding the forest at some point.

Network based troubleshooting (network captures) is the fastest way to determine the problem, and by learning a few short filters you can effectively troubleshoot most Kerberos-related problems.

You can use any network capture utility that you feel comfortable with. I prefer

Netmon

, nmcap (part of Netmon 3.x) or

netcap

(XP and 2003 support tools) to collect the network trace, and I use

Wireshark

to view the network capture. This is in no way an endorsement of Wireshark – feel free to use

Ethereal

,

Packetyzer

,

etc

.

Problem scenario:

There is a service running on LTWRE-RT-MEM1 server that runs starts /runs as “LocalSystem” account. This service connects to a file share on LTWRE-CHD-MEM1 named “AppShare” to access some files. The Service is failing to retrieve the files and is giving you an error of “Access is denied”. When you attempt to access the share as a domain user account on LTWRE-RT-MEM1 you are able to access the share.

Auditing for Logon/Logoff was enabled on LTWRE-CHD-MEM1, so you start by examining the security event log.

When the LITWAREINCAdministrator attempts to access the share we get the following Audit Event:

Notice how the user that authenticated to the server is the “LITWAREINCAdministrator” account. It used NTLM authentication and the source machine name is LTWRE-RT-MEM1.

When the Service attempts to access the share we get the following Audit Event:

Notice that when the service attempts to authenticate to the server it is doing it anonymously.

Hey, why is the computer authenticating to the other machine using NTLM authentication?

I thought we were in the 21

^st

century with Kerberos authentication?

As it turns out, starting with Windows XP and Windows Server 2003 a computer cannot not use NTLM authentication when accessing a remote resource. If it does, it will use Anonymous Logon credentials and typically fail.

That means we have to figure out why Kerberos authentication is failing on LTWRE-RT-MEM1 when accessing a share on LTWRE-CHD-MEM1.

Typically when you troubleshoot using network captures, you want to install the network capture utility on both ends of the communications to make sure that there are no network devices (firewalls, routers, switches, VPN appliances, etc.) that are manipulating the packet in between the two systems. We call this taking a double-sided trace.

When working with a customer, we will typically request a double-sided network capture be taken. In this scenario I would start with installing the network capture utility on the source and destination server to see what is going on.

So the next question I guess becomes what are the steps to taking a good network capture?

Well, we want to see all name resolution, and we will also want to ensure that we see the Kerberos tickets (Authentication) in the capture. We also want to make sure that we can reproduce this problem at will to see this problem for ourselves.

So, how can we reproduce the problem?

1. Get a command prompt as the “SYSTEM” and attempt to access the remote system.

2. Start the network capture utility.

3. Clear all name resolution cache as well as all cached Kerberos tickets.

• To clear DNS name cache you type in: IPConfig /FlushDNS
• To clear NetBIOS name cache you type in: NBTStat –R
• To clear Kerberos tickets will need KList.exe: KList purge

The above commands need to be done in the command prompt that came up for “SYSTEM”

4. Now you need to run a command that will require authentication to the target server. Either of the following will do:

• Net View

  \LTWRE-CHD-MEM1

• Dir

  \ltwre-chd-mem1AppShare

5. Once you get the error message, stop and save the network captures.

Reviewing the network capture:

If you are using Wireshark to view the trace, the Filter is simple: “dns || Kerberos || ip.addr==

<IP Address of Target machine>

”. Basically, this filter means “Show me all packets sent to or from the target machine, all DNS name queries and responses, and all Kerberos authentication.”

It should look similar to this:

Once you have the network capture, you should see all DNS, Kerberos Authentication (As well as Packets that have Kerberos tickets in them), and anything destined for the remote system.

Before we go over the capture too much, we should probably cover at a high level the steps taken to connect to a remote file share.

1. Resolve the host name for the target system to an IP address.

a. Look in the HOSTS file.

b. Query DNS.

c. Look in the LMHOSTS file.

d. Query WINS / NBNS.

2. Ping the remote system.

3. Negotiate an Authentication protocol. Kerberos is preferred for Windows hosts.

4. Request a Kerberos Ticket.

5. Perform an SMB “Session Setup and AndX request” request and send authentication data (Kerberos ticket or NTLM response).

Let’s look at those steps in more detail.

Step 1 — resolve the name:

Remember, we did “IPConfig /FlushDNS” so that we can see name resolution on the wire. Frame 1 is the query out. Hmm, this looks kind of funny: querying for LTWRE-CHD-MEM1.litwareinc.com. Well, that part should be fine, I suppose, since the DNS server should not find the record. But wait Frame 6 shows that the DNS Server responded to the query with 10.10.200.21, and sure enough that is the correct IP Address for the target server.

Step 2 — ping the remote system:

Yep, the remote system is ping able. See the Echo request and reply. So the system is up and available.

Step 3 — Negotiate Authentication:

So now we negotiate the authentication protocol and the remote system responded; the response is the more important part of the packet. We see that it supports MS KRB5, KRB5, and NTLMSSP; it even gave us the principal name of the system.

Step 4 — Request a Kerberos ticket:

Alright, now to the meat of Kerberos authentication and viewing it in a network trace. If you remember, we used

KList Purge

command to clear out all tickets on the system. That means that the server has to get a Ticket Granting Ticket (TGT) first, and this is why you are seeing the AS-REQ and AS-REP frames. If Kerberos ticketing is new to you, I would suggest reviewing the blog on how

Kerberos works

.

Next, we see the TGS-REQ in Frame 18; let’s take a closer look at this packet in the details pane.

You can see that the system is handing its TGT to the Kerberos Key Distribution Center (KDC) under “padata: PA-TGS-REQ” section, and requesting a ticket for server “cifs/LTWRE-CHD-MEM1.litwareinc.com” in the LITWAREINC.COM realm (Windows Domain) under “KDC_REQ_BODY” section.

OK, since we now know that we are requesting a Kerberos ticket for

“cifs/LTWRE-CHD-MEM1.litwareinc.com”

in the litwareinc.com domain. This will not work since the remote system actually lives in the

“litwareinc-chld.litwareinc.com”

domain. So you see why the KDC responded back with


KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


. Again, if you do not understand this please review the blog on how Kerberos works.

Step 5 — Perform a SMB “Session Setup AndX request”:

So we see in the following Frames:

• Frame 20 shows that, since Kerberos failed due to an unknown service principal name, the NTLMSSP_NEGOTIATE authentication package is selected. Frame 21 shows that the remote system sending the NTLMSSP_CHALLENGE (this is typical) back.
• Frame 22 shows that the system sent no NTLM credentials to the remote system. It is authenticating as NT AUTHORITYAnonymous.
• Frame 23 shows that the remote system allowed the session to be created.
• Frame 24 & 25 shows that we do a Tree connect to the IPC$ share and get a response.
• Frame 26 & 27 shows that we connect the SRVSVC named pipe and get STATUS_ACCESS_DENIED back.

So where do you think things start to go wrong here in the trace?

If you answered DNS name resolution you would be correct. If name resolution is not working properly in the environment it will cause the application requesting a Kerberos ticket to actually request a Service ticket for the wrong service principal name. So if you remember the remote file server I am attempting to connect to “

ltwre-chd-mem1.chd.litwareinc.com”

, however the DNS Server found a record for

“ltwre-chd-mem1.litware.com”

. Since we found the remote file server in the “litwareinc.com” domain the Kerberos client requests a service ticket for “cifs/ltwre-chd-mem1.litwareinc.com” as noted in the Kerberos ticket request, and the KDC responds with


KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

I did another

net view

specifying the FQDN of LTWRE-CHD-MEM1 and

WOW

, look at the output:

That actually worked! So, how can we fix this problem?

Actually, there are several different ways to “fix” the problem:

a. Find out why DNS is resolving the machine name incorrectly.

i. Is there a HOST or CNAME record for this name?

ii. Did you configure the DNS Zone for WINS lookup?

b. Configure your application to use the FQDN of the system instead of NetBIOS name.

c. We could add an Service Principal Name to LTWRE-CHD-MEM1 for “CIFS/LTWRE-CHD-MEM1.litwareinc.com”

The best way to “Fix” the problem is to actually fix DNS name resolution. By the way, the lab was configured with “WINS Lookup” enabled on the litwareinc.com DNS Zone. If you are failing to use Kerberos authentication using the LocalSystem account, you are more than likely failing to use Kerberos authentication when users are going to the remote system. However, they are not getting “Access is denied” because user accounts, unlike machine accounts, can fail over to NTLM and authenticate with credentials rather than as Anonymous.

If you find that fixing the DNS problem is not possible, then the next best solution would be to make the application use the FQDN of the server. Keep in mind that the application vendor would need to be involved to use this fix.

The least favorite method to resolve the issue would be to add the SPN to the destination server using the SetSPN.exe tool. This is the least favorite because you are adding another name to the machine account in another domain. What would happen if in the future you bring up a new computer in the root domain with the same name? Now you have a duplicate SPN and this will lead to other Kerberos authentication problems.

Well, I hope that you have learned a few new things like:

• How name resolution problems could cause Kerberos authentication to fail.
• How to easily filter network traces to confidently determine where Kerberos authentication is failing.
• How the SMB protocol and authentication look in a network trace.

Please keep in mind that there are several other ways that name resolution could cause Kerberos authentication to fail. You could have static WINS entries in the database, or you could have wrong entries in HOSTS / LMHOSTS files. You could be failing because of a CNAME / “A” (HOST) record within your DNS zone, or simply because of the DNS Zone is configured for “WINS Lookup”.

Robert Greene

Windows Server 2012 Thread, Server Manager — Target Name Resolution Error in Technical; Morning,

I currently have a 2012R2 DC servicing a small network of about 50 PCs.

I’m trying to add a …