|
Lana,
I'm going to go out on a limb here and say that it's probably a good idea to demote the Win2K3 DC and repromote while making sure that the DNS resolver is pointed at a Win2K DC/DNS server that host the _msdcs zone for the forest. I think that server is in a sufficiently weird state that it would be better off going back to member server status and starting again rather than trying to figure out what's going on here. If the demote doesn't work, then do a forced demote and clean up metadata before trying to repromote. I don't recall how long you said this server has been a DC or how long it has been since any of the Win2K DCs have been able to replicate with it. If the answers are more than 60 days, then you will definitely need to force the demotion. Good thing Win2K3 allows you to do that.
It seems likely to me that there are multiple problems with this system and until you are at a point where you are sure the DC is fully participating in replication with the existing DCs, all other service problems are going to be suspect. I'm sure there are those who'd like to continue to wrestle with it, but to use an American football analogy, it's 4th down and long, so at this point my call is to drop back and punt.
Wook From: Svetlana Kouznetsova Sent: Fri 5/21/2004 5:52 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Ok, guys, I really run out of any ideas with this now:
I've tried everything from KB article, Al suggested, I've also tried what's Joe mentioned, as a possibility
At this point I would do two things. Please note I don't have great reasons for suggesting them, just gut feeling.
1. I would check the SMB signing policies to see if they are aligned. Most likely if you don't have that set at the domain controller policy level you have signing on on the K3 machine and undefined on the 2K. Yes, this shouldn't be an issue with 2K machines but I have seen it be an issue with 2K and XP machines touching K3.
SMB signing was undefined on both W2K3 and W2K DCs, checked all the local security, just in case - everything identical across the whole AD
2. I would verify that the SPNs for the DCs are identical on all of the DCs.... I.E. DC1 has the same SPNs registered on every DC. Ditto DC2, DC3, DCn. I have seen these out of sync before and causing interesting replication issues. It took manual editing of the SPNs to correct.
yep, here everything is neat there as well...
still - W2K3 server seems very lonely in respect of replication, i.e : on this server itself NTDS settings show all replication links as it should, clicking "replicate now" - - "yep,"- it says-"replicating successfully"...in replmon - it sees all the partners and tells that "all objects have been replicated"...but its a lie! - none of the partners can see this DC in theirs replmon or NTDS settings in ADSS...:((
On W2K DCs this server shown as outbound partner. On the offending server there are no outbound partners at all...(the question here -maybe I must create them manually then?)
And also now I've got something new in event logs - when running net stop kdc--> repadmin/kcc -->net start kdc (trying to purge the ticket cache and recreate replication):
"...The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client W2K3 DC in realm DOMAIN.COM had a PAC which failed to verify or was modified. Contact your system administrator..."
What is that about then? :-/
Thanks in advance for any suggestions.
Lana
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 19 May 2004 22:18 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server This may be helpful then
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Wednesday, May 19, 2004 4:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server on W2K3 (new DC):
in FRS event viewer there are only warnings 13508 ("having troubles to replicate..../sysvol...etc"); dcdiag shows [FAILED] on test frsevent;
netdiag - PASSED all tests
on W2K (old DC in the same domain) :
No errors in FRS;
in Directory Service: warning NTDS KCC 1265 :
"The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk Source DSA DN: CN=NTDS Settings,CN=SERS016,CN=Servers,CN=Oxford,CN=Sites,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk Source DSA Address: a2bdda54-6d14-40ae-842f-eb32df2dfb75._msdcs.ulib.ox.ac.uk Inter-site Transport (if any): failed with the following status: There are no more endpoints available from the endpoint mapper. The record data is the status code. This operation will be retried. " (SERS016 = new W2K3 DC in ULIB domain.)
dcdiag shows [FAILED] on kccevent test;
netdiag - PASSED all tests
{Is it just me or does this sounds like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get but they never get out.)
Yes, Wook, when I look at NTDS settings in ADSS on W2K3 server - I can see all links there <automatically generated>;
when I look at the same on other W2K DC - for this particular server there are no links in NTDS settings shown...
same with replmon - when looking into it on W2K3 server - it sees itself and the rest of DCs fine, but replmon on W2K DC can't see W2K3 at all
..for some reason your notice reminded me good old "Hotel California" song...("you can check out any time you like, but you can never leave")
Lana From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: 19 May 2004 20:26 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server What was it you said was the errors logged in the FRS event viewer? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Wednesday, May 19, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Well, endpoint mapper error message is actually, in event log for the W2K domain controller, which started to complain only after W2K3 DC appeared in the domain...
Interesting that I've run all tests possible in dcdiag separately, testing connectivity, replications, security discriptors, frsevent, etc, etc on both DC - w2k (old one) and W2K3 (new one) - all tests - ...passed! Error of endpoint mappers has been only discovered after replication to the new DC didn't take place and I went on checking old DCs.
On the new W2K3 DC - sysvol permissions, etc - everything, as it should be, but - all the data hangs in staging and staging area since first time replication (after dcpromo).
Replmon shows that W2K3 server has up to date data replicated from other DCs, but on other DC replmon doesn't show that this new server is a replication partner...Also - no NTDS links shown for W2K3 in ADSS ... (hmmm..looks a bit a mess, huh?)
netdiag on W2K3 server only shows frsevent as FAILED.
To be honest, I don't know where else to look now...:-/
RE: The fact that you had machines not getting tickets before but are now is a wee bit scary as well.
Lana.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Wednesday, May 19, 2004 12:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man the fun stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends (sad yet true). So the error below, is that from netdiag? Or another tool? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS. The fact that you had machines not getting tickets before but are now is a wee bit scary as well. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova No, actually, we haven't disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and that made keberos happy - no more complains... No erorrs reported in dcpromo logs either...Although I do have an issue with replication to this new DC -for some reason NTDS settings in ADSS are empty and the event log on the DC, from which it suppossed to replicate, mentions "there are no more endpoints available from an endpoints mapper", which I am currently trying to sort out, but no problems in netdiag and dcdiag anymore... Lana From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines or just this one? If not intentional and just on that one you should pop the NV DomainName attribute and bring it in line with the rest of the environment. If it is on all machines, you will most likely find you have the same kerberos errors on them unless this one computer object was set up incorrectly. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova You right about DC, Joe. Guess what happenned after dcpromo? - kerberos error in netdiag...dissapeared! Now - imagine how I feel after wasting so much time trying to fix it! Wish Microsoft could warn about such "little" things... Lana
|
- RE: [ActiveDir] FATAL kerberos error on W2K3 server Svetlana Kouznetsova
- RE: [ActiveDir] FATAL kerberos error on W2K3 server Mulnick, Al
- RE: [ActiveDir] FATAL kerberos error on W2K3 server Svetlana Kouznetsova
- RE: [ActiveDir] FATAL kerberos error on W2K3 server Mulnick, Al
- RE: [ActiveDir] FATAL kerberos error on W2K3 server Svetlana Kouznetsova
- RE: [ActiveDir] FATAL kerberos error on W2K3 server Svetlana Kouznetsova
- RE: [ActiveDir] FATAL kerberos error on W2K3 ser... joe
- Lee, Wook
