This article may provide some help:
The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you install or upgrade a Windows NT 4.0 Primary domain controller to Windows 2000
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rachui, Scott
Sent: Friday, July 29, 2005 1:44 PM
To: [email protected]
Subject: [ActiveDir] Question about Kerberos Errors

I have a question about Kerberos that I hope you guys can
help me with. In our environment, our client base (servers and
workstations) has a different DNS name than the domain where their
authenticating DCs reside. They are members of the same Active Directory
domain, but due to decisions made a long time ago, their DNS information does
not match the AD domain where they reside. As an
example: DC1 is in CHILD.DOMAIN.COM but all
application servers are listed (in DNS only) as being in DOMAIN.COM even though
their computer objects are in CHILD.DOMAIN.COM. This is for ease of
lookup, I'm told. Additionally, workstations have a location code added so
that they show up as LOCATION.DOMAIN.COM. Both the servicePrincipalName and the
dNSHostName report the server and workstation objects as being in the domain
mentioned above. I have checked, and the primary DNS suffix for each
machine maps to the dNSHostName. So, my workstation has the following
SPNs:
HOST/<workstationname>.LOCATION.DOMAIN.COM
HOST/<workstationname>
And one of our Exchange Servers has the following SPNs:
SMTPSVC/<servername>
SMTPSVC/<servername>.DOMAIN.COM
HOST/<servername>
HOST/<servername>.DOMAIN.COM
Now the problem: We
are getting floods of Audit Failures (Event ID 675 and 676) and also NETLOGON
failures (5722, 5723, and 5790) on a regular basis on all of our DCs. In
some cases, a single computer will log literally thousands of these events and
still not get locked out (which I would expect if they are attempting to
authenticate and failing). It has been hinted to me multiple times that
one of the reasons we are experiencing this is due to the way our
servers/workstations are set up in DNS. Can someone confirm or deny this for
me? If there is any published literature that I can look at or show my
management, that would also be very helpful. Thanks! Scott
Rachui
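The situation Scott describes (dNSHostName and HOST/ SPNs carrying a different DNS suffix than the AD domain the computer object lives in) can be inventoried from a defender's side without touching any client. The PowerShell below is an added example and is not code from the thread or from Microsoft: `Test-ComputerDnsSuffix` is a hypothetical function name, the computer objects in `$sample` are constructed to mirror the DC1 / Exchange / workstation cases in the mail, and the domain name `child.domain.com` is an assumed value. In a real domain the `$sample` array would be replaced by the output of `Get-ADComputer -Filter * -Properties dNSHostName,servicePrincipalName` from the ActiveDirectory module.

```powershell
# Added example, not part of the original thread. Reports computer objects whose
# dNSHostName or HOST/<fqdn> SPN does not end in the DNS name of the AD domain,
# which is the mismatch the mail attributes the 675/676 and NETLOGON events to.

function Test-ComputerDnsSuffix {   # hypothetical name, defined here for this example
    param(
        [Parameter(Mandatory)] [string]   $DomainDnsName,   # DNS name of the AD domain, e.g. child.domain.com
        [Parameter(Mandatory)] [object[]] $Computers        # objects with Name, DNSHostName, ServicePrincipalName
    )

    foreach ($c in $Computers) {
        # What the KDC expects for a member of this domain.
        $expectedFqdn = "$($c.Name).$DomainDnsName"

        # Only the HOST/ SPNs matter for the machine account's own authentication.
        $hostSpns    = @($c.ServicePrincipalName | Where-Object { $_ -like 'HOST/*' })
        $hostFqdnSpn = $hostSpns | Where-Object { $_ -like 'HOST/*.*' } | Select-Object -First 1

        [pscustomobject]@{
            Name               = $c.Name
            DNSHostName        = $c.DNSHostName
            ExpectedFqdn       = $expectedFqdn
            DnsHostNameMatches = ($c.DNSHostName -ieq $expectedFqdn)
            HostSpnMatches     = ($hostFqdnSpn -ieq "HOST/$expectedFqdn")
            HostSpns           = ($hostSpns -join ';')
        }
    }
}

# Constructed sample data modelled on the three cases in the mail:
# a DC named correctly, an Exchange server registered under the parent
# domain, and a workstation registered under a location suffix.
$sample = @(
    [pscustomobject]@{ Name = 'DC1';    DNSHostName = 'dc1.child.domain.com'
                       ServicePrincipalName = @('HOST/DC1', 'HOST/dc1.child.domain.com') },
    [pscustomobject]@{ Name = 'EXCH01'; DNSHostName = 'exch01.domain.com'
                       ServicePrincipalName = @('SMTPSVC/EXCH01', 'SMTPSVC/exch01.domain.com',
                                                'HOST/EXCH01', 'HOST/exch01.domain.com') },
    [pscustomobject]@{ Name = 'WS0042'; DNSHostName = 'ws0042.location.domain.com'
                       ServicePrincipalName = @('HOST/WS0042', 'HOST/ws0042.location.domain.com') }
)

# List only the objects whose naming does not line up with the domain.
Test-ComputerDnsSuffix -DomainDnsName 'child.domain.com' -Computers $sample |
    Where-Object { -not $_.DnsHostNameMatches -or -not $_.HostSpnMatches } |
    Format-Table Name, DNSHostName, ExpectedFqdn, DnsHostNameMatches, HostSpnMatches -AutoSize
```

With the constructed data, DC1 passes and EXCH01 and WS0042 are listed, which is the set of machines whose primary DNS suffix would need to be reconciled with the domain (or whose SPNs would need to be reviewed) before the audit-failure volume on the DCs can be expected to drop. Run against live `Get-ADComputer` output, the same filter gives an inventory to compare with the source computers named in the 675/676 events.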
