This was one of the problems I worked on 1 year ago…
When some users log on to their workstations, they receive the error “Logon Failure: The target account name is incorrect” when trying to map to any shares in \\<domain>\dfsroot. As a result, none of their network drives were mapped.
On some workstations, users could still map the network drives manually after logon, but on others they received the same error when mapping manually. For some workstations, a secure channel reset to another DC followed by a reboot seemed to work.
The event logs on the clients contain the following:
Event ID: 3034
The redirector was unable to initialize security context or query context attributes.
0000: 00080000 00560002 00000000 80000bda
0010: 00000000 80090322 00000000 00000000
0020: 00000000 00000000 0000046c 80090322
The KB seems to point to the reason for it: http://support.microsoft.com/default.aspx?scid=kb;en-us;263208
Diagnosis and Resolution:
From a network monitor capture, it seems the clients were going to Server1 for the DFS referral, but its name resolved to the IP address of Server2, which is not a DFS replica and rejected their requests. Turning off Server2 seems to have resolved the issue, as clients were then referred to an alternative, working DFS replica instead.
The problem started when one of our team members built Server1 and added it as a DFS replica in our dfsroot. It was then turned off, as it was not in use yet. The SAME IP address was then used to build Server2. Server2 is not a DFS replica.
When clients requested a DFS referral for dfsroot, some of them were referred to Server1. The WINS entry for Server1 was still active, neither expired nor tombstoned. Thus the name Server1 resolved to the IP address now held by Server2, and the clients tried to make DFS referrals to Server2, which rejected the requests. As a result, users could not map drives via our dfsroot.
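A check for the condition described above, added here as an example and not part of the original troubleshooting: it resolves every DFS target and every other known server name, then flags any DFS target whose IP address is also held by a different name. The function names, the sample name table and the 10.0.0.x addresses are constructed for illustration.

```python
import socket
from collections import defaultdict

def resolve(name):
    """Resolve a host name with the system resolver; None if it fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def find_ip_collisions(dfs_targets, all_servers, resolver=resolve):
    """Return {dfs_target: (ip, [other names on the same ip])}.

    A DFS target whose address is also claimed by a different host means the
    referral names one server while the connection lands on another.
    """
    names_by_ip = defaultdict(set)
    for name in set(dfs_targets) | set(all_servers):
        ip = resolver(name)
        if ip is not None:
            names_by_ip[ip].add(name.lower())

    findings = {}
    for target in dfs_targets:
        ip = resolver(target)
        if ip is None:
            continue  # unresolvable target: clients fall through to other replicas
        others = sorted(names_by_ip[ip] - {target.lower()})
        if others:
            findings[target] = (ip, others)
    return findings

# Constructed sample data: a name table standing in for WINS/DNS, where the
# stale Server1 record and the live Server2 record share one address.
SAMPLE_RECORDS = {
    "server1": "10.0.0.21",  # stale record of the powered-off DFS replica
    "server2": "10.0.0.21",  # new server built on the reused address
    "server3": "10.0.0.22",  # healthy DFS replica
}

def sample_resolver(name):
    return SAMPLE_RECORDS.get(name.lower())

if __name__ == "__main__":
    hits = find_ip_collisions(["Server1", "Server3"], SAMPLE_RECORDS, sample_resolver)
    for target, (ip, others) in hits.items():
        print(f"{target} -> {ip} is also held by {', '.join(others)}")
```

Run against live name resolution by omitting the `resolver` argument and passing the real DFS target list and server inventory.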