Ok sorry if I beat a dead horse here Lana but I have found if the domain controller policy isn't set on DCs then any K3 DCs have a local policy that will kick in SMB Signing. You can verify by going to the K3 DC and running from the command line secpol.msc and then looking at the actual current settings on the machine.

The policies are:
  Domain Member: Digitally encrypt or sign secure channel (always)
  Microsoft Network Server: Digitally sign communications (always)

The replicating successfully message on the K3 server when pressing replicate now simply means it PULLED changes from its partners ok. All AD replication is pull based. The K3 server when IT replicates uses its single inbound replication thread to connect to one of the 25 listening threads on the other DCs to pull the info. It doesn't push anything out to the other DCs or force them to replicate. This just further indicates that the K3 server can talk to the rest of the DCs ok when it initiates. The issues all sound like nothing can talk to the K3 server ok when they initiate.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Friday, May 21, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Ok, guys, I've really run out of ideas with this now:

I've tried everything from the KB article Al suggested; I've also tried what Joe mentioned as a possibility.
At this point I would do two things. Please note I don't have great reasons for suggesting them, just gut feeling.
1. I would check the SMB signing policies to see if they are aligned. Most likely if you don't have that set at the domain controller policy level you have signing on on the K3 machine and undefined on the 2K. Yes, this shouldn't be an issue with 2K machines but I have seen it be an issue with 2K and XP machines touching K3.
SMB signing was undefined on both W2K3 and W2K DCs, checked all the local security, just in case - everything identical across the whole AD
2. I would verify that the SPNs for the DCs are identical on all of the DCs.... I.E. DC1 has the same SPNs registered on every DC. Ditto DC2, DC3, DCn. I have seen these out of sync before and causing interesting replication issues. It took manual editing of the SPNs to correct.
yep, here everything is neat there as well...
still - W2K3 server seems very lonely in respect of replication, i.e.: on this server itself NTDS settings show all replication links as it should, clicking "replicate now" - "yep," it says, "replicating successfully"... in replmon it sees all the partners and tells that "all objects have been replicated"... but it's a lie! - none of the partners can see this DC in their replmon or NTDS settings in ADSS... :((
On W2K DCs this server is shown as outbound partner. On the offending server there are no outbound partners at all... (the question here - maybe I must create them manually then?)
And also now I've got something new in event logs - when running net stop kdc --> repadmin /kcc --> net start kdc (trying to purge the ticket cache and recreate replication):
"...The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client W2K3 DC in realm DOMAIN.COM had a PAC which failed to verify or was modified. Contact your system administrator..."
What is that about then? :-/

Thanks in advance for any suggestions.

Lana
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 19 May 2004 22:18
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

This may be helpful then
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, May 19, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

on W2K3 (new DC):
in FRS event viewer there are only warnings 13508 ("having troubles to replicate..../sysvol...etc"); dcdiag shows [FAILED] on test frsevent;
netdiag - PASSED all tests
on W2K (old DC in the same domain):
No errors in FRS;
in Directory Service: warning NTDS KCC 1265:
"The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA DN: CN=NTDS Settings,CN=SERS016,CN=Servers,CN=Oxford,CN=Sites,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA Address: a2bdda54-6d14-40ae-842f-eb32df2dfb75._msdcs.ulib.ox.ac.uk
Inter-site Transport (if any):
failed with the following status: There are no more endpoints available from the endpoint mapper. The record data is the status code. This operation will be retried." (SERS016 = new W2K3 DC in ULIB domain.)
dcdiag shows [FAILED] on kccevent test;
netdiag - PASSED all tests
{Is it just me or does this sound like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get in but they never get out.)
Yes, Wook, when I look at NTDS settings in ADSS on W2K3 server - I can see all links there <automatically generated>; when I look at the same on other W2K DC - for this particular server there are no links in NTDS settings shown...
same with replmon - when looking into it on W2K3 server - it sees itself and the rest of DCs fine, but replmon on W2K DC can't see W2K3 at all
..for some reason your notice reminded me of the good old "Hotel California" song... ("you can check out any time you like, but you can never leave")
Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 19 May 2004 20:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

What was it you said was the errors logged in the FRS event viewer?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, May 19, 2004 2:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Well, endpoint mapper error message is actually in the event log for the W2K domain controller, which started to complain only after W2K3 DC appeared in the domain...
Interesting that I've run all tests possible in dcdiag separately, testing connectivity, replications, security descriptors, frsevent, etc, etc on both DCs - W2K (old one) and W2K3 (new one) - all tests - ...passed! Error of endpoint mapper has been only discovered after replication to the new DC didn't take place and I went on checking old DCs.
On the new W2K3 DC - sysvol permissions, etc - everything as it should be, but - all the data hangs in staging and staging area since first time replication (after dcpromo).

Replmon shows that W2K3 server has up to date data replicated from other DCs, but on other DC replmon doesn't show that this new server is a replication partner... Also - no NTDS links shown for W2K3 in ADSS... (hmmm.. looks a bit a mess, huh?)

netdiag on W2K3 server only shows frsevent as FAILED.

To be honest, I don't know where else to look now... :-/

RE: The fact that you had machines not getting tickets before but are now is a wee bit scary as well.

Lana.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man the fun stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends (sad yet true). So the error below, is that from netdiag? Or another tool?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS.

The fact that you had machines not getting tickets before but are now is a wee bit scary as well.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova

No, actually, we don't have a disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and that made kerberos happy - no more complaints... No errors reported in dcpromo logs either... Although I do have an issue with replication to this new DC - for some reason NTDS settings in ADSS are empty and the event log on the DC from which it is supposed to replicate mentions "there are no more endpoints available from an endpoint mapper", which I am currently trying to sort out, but no problems in netdiag and dcdiag
anymore...

Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines or just this one? If not intentional and just on that one you should pop the NV DomainName attribute and bring it in line with the rest of the environment. If it is on all machines, you will most likely find you have the same kerberos errors on them unless this one computer object was set up incorrectly.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova

You're right about DC, Joe. Guess what happened after dcpromo? - kerberos error in netdiag... disappeared! Now - imagine how I feel after wasting so much time trying to fix it! Wish Microsoft could warn about such "little" things...

Lana
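The two checks Joe suggests earlier in this thread (SMB signing policy aligned across DCs, and each DC's SPNs identical no matter which DC you ask) can be scripted. The following is an added example and not part of the original thread; it uses modern tooling (the ActiveDirectory PowerShell module and PowerShell remoting) that was not available in 2004, and assumes you have rights to run remote commands on every DC. The registry values it reads are the ones behind the two policy names quoted above: RequireSecuritySignature under LanmanServer\Parameters for "Microsoft network server: Digitally sign communications (always)" and RequireSignOrSeal under Netlogon\Parameters for "Domain member: Digitally encrypt or sign secure channel data (always)". DC names are discovered from the domain; nothing is hard-coded.

```powershell
# Added example, not from the thread: compare the SMB-signing / secure-channel
# registry settings and the registered SPNs of every DC, as seen from every DC.
# Assumes the ActiveDirectory module (RSAT) and rights to use PowerShell remoting
# against each DC.

$dcs = (Get-ADDomainController -Filter *).HostName

# 1. Effective policy on each DC. Registry values behind the two policies named
#    in the thread:
#    "Microsoft network server: Digitally sign communications (always)"
#       -> LanmanServer\Parameters\RequireSecuritySignature
#    "Domain member: Digitally encrypt or sign secure channel data (always)"
#       -> Netlogon\Parameters\RequireSignOrSeal
$signing = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        DC                        = $env:COMPUTERNAME
        ServerRequireSignature    = $srv.RequireSecuritySignature
        NetlogonRequireSignOrSeal = $nl.RequireSignOrSeal
    }
}
$signing | Format-Table DC, ServerRequireSignature, NetlogonRequireSignOrSeal -AutoSize

# Any DC whose values differ from the first DC's is a candidate for the
# "signing required on one side, undefined on the other" mismatch.
$ref = $signing[0]
$signing | Where-Object {
    $_.ServerRequireSignature -ne $ref.ServerRequireSignature -or
    $_.NetlogonRequireSignOrSeal -ne $ref.NetlogonRequireSignOrSeal
} | ForEach-Object { Write-Warning "SMB signing settings on $($_.DC) differ from $($ref.DC)" }

# 2. SPN consistency: read each DC's servicePrincipalName from every DC and
#    compare the lists. Different answers depending on which DC you ask means
#    the SPNs are out of sync between replicas.
foreach ($target in $dcs) {
    $name  = ($target -split '\.')[0]
    $views = @{}
    foreach ($source in $dcs) {
        $obj = Get-ADComputer -Filter "Name -eq '$name'" -Server $source -Properties servicePrincipalName
        $views[$source] = (@($obj.servicePrincipalName) | Sort-Object) -join "`n"
    }
    $distinct = @($views.Values | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "SPNs for $target are not identical across DCs:"
        foreach ($source in $dcs) { "  as seen from ${source}:`n$($views[$source])" }
    } else {
        "SPNs for $target are identical on all $($dcs.Count) DCs"
    }
}
```

The script reads the values actually applied on each machine rather than the GPO, which matches Joe's advice to look at the current settings in secpol.msc: a "Not Defined" domain controller policy leaves the local default in force, and that default differed between Windows 2000 and Windows Server 2003. For the SPN check it deliberately queries every DC with -Server, because a DC that is not replicating inbound (the replication island Lana describes) will happily report a consistent picture of itself while every other DC holds a stale or empty copy.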