RE: [ActiveDir] KRB_AP_ERR_MODIFIED error

Rich Milburn Fri, 20 Feb 2004 06:58:28 -0800

I think I’m making a little progress… we have not yet enabled scavenging on DNS and there seems to be a pattern with duplicate registrations in DNS. For example, in the one below, there are two A records with the same IP address – REM4649XP and REM4724. These two clients happen to be remote, coming in through the VPN or RAS. But not all clients with duplicates are remote – some are local. So… you ping REM4649XP and you get 192.168.20.20, and you ping REM4724 and you get 192.168.20.20. “So what?” someone asked. We have had a problem with remote users over the VPN having really slow response on Exchange – it asks Retry, Work offline, or Cancel the first time Outlook 2000 tries to contact the Exchange server, click Retry and it comes up, minutes later.

What am I getting at? Two things:

1) What are the ramifications of having duplicates in DNS for workstations?

2) Is Kerberos doing a DNS lookup on the SMS server, or is the client itself confused, and do I care? Seems to me this situation could have strange and sometimes serious implications to the clients involved. ??

Thanks – I imagine Kerberos is very few people’s favorite subject, but maybe it’s good for me to have to learn more about it! J

Rich

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, February 17, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KRB_AP_ERR_MODIFIED error

AD 2003, 2003 domain mode, 2000 forest mode

I just installed SMS 2003 and started seeing the following on the SMS server (running W2K3). I am trying to chase this down but the stuff I’m finding online is not helpful. I have a large (over 50) number of errors like the following on the SMS server in the System log:

Event Type: Error

Event Source: Kerberos

Event Category: None

Event ID: 4

Date: 2/17/2004

Time: 8:22:12 AM

User: N/A

Computer: AIISMS

Description:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server REM4649XP$. The target name used was cifs/REM4724.CORPORATE.DOMAIN. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CORPORATE.DOMAIN), and the client realm. Please contact your system administrator. (that’s me, thanks a lot)

Well, there would have to be an awful lot of “identically named computers” on our network if that is the case, and they were fine before SMS… but it seems strange they are showing a different FQDN than the server name shown – which is not a server but a workstation (not that it cares here I think). I don’t know enough about Kerberos to know if that is important, but I have printed out the RFC. Fun. Anyone know anything about this error? Hint – I’m pretty certain the answer is not to re-add all those workstations to the domain….

Thanks

Rich

Rich Milburn

MS MVP – Directory Services

MCSE NT4/2000

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.

RE: [ActiveDir] KRB_AP_ERR_MODIFIED error

Reply via email to