Right, I wasn't going to go into that level of detail in that article. But if you were going to call MS about a Kerberos issue, one of the first questions they would ask is "is time synching correct?"

Thanks,

Anthony Scott

Microsoft Consultant

Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

   <http://www.berbee.com/> 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 16, 2006 12:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Strange DC behavior and error

That's not entirely accurate, which may be why you see it not working "as advertised". :-)

http://technet2.microsoft.com/WindowsServer/en/library/71e76587-28f4-4272-a3d7-7f44ca50c0181033.mspx?mfr=true

Laura

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
        Sent: Thursday, November 16, 2006 10:55 AM
        To: [email protected]
        Subject: RE: [ActiveDir] Strange DC behavior and error

        Windows is supposed to get its time from the PDC role holder; sometimes, though, this does not work as advertised. So I usually issue this command on any new DCs I bring up:

        W32tm /config /syncfromflags:DOMHIER /update

        Then:

        Net stop w32time & net start w32time

        Thanks,

        Anthony Scott

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
        Sent: Thursday, November 16, 2006 10:21 AM
        To: [email protected]
        Subject: Re: [ActiveDir] Strange DC behaviour and error

        The same issue started happening last night at about 10:35. This was after I plugged in my DR link to the AD box out at my disaster recovery site.

        I came in this morning only to find that when I ran a NET TIME from my DCs it was resolving to this DR domain controller.

        I disconnected the link, reset the local machine passwords, rebooted, and all is up now.

        What gives? Anyone have any ideas?

        On 11/15/06, hboogz <[EMAIL PROTECTED]> wrote:

        Hey Guys,
        
        Thanks for responses.
        
        I've been stuck in the data center for the past few hours.
        
        Here goes:
        
        It all started with this error in the event log:
        
        Event Type:    Error
        Event Source:    Kerberos
        Event Category:    None
        Event ID:    4
        Date:        11/15/2006
        Time:        03:17:45 PM 
        User:        N/A 
        Computer:    PHMAINDC1
        Description:
        The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm ( PHIPPSNY.ORG), and the client realm.   Please contact your system administrator.

        For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
        
        Then it became all of these:
        
        Event Type:    Warning
        Event Source:    LSASRV
        Event Category:    SPNEGO (Negotiator) 
        Event ID:    40960
        Date:        11/15/2006
        Time:        03:13:19 PM
        User:        N/A
        Computer:    PHMAINDC1
        Description: 
        The Security System detected an authentication error for the server cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".

        For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .
        Data:
        0000: 6d 00 00 c0               m..À    
        
        
        Event Type:    Error
        Event Source:    Userenv 
        Event Category:    None
        Event ID:    1030
        Date:        11/15/2006
        Time:        02:58:23 PM
        User:        PHIPPSNY\Administrator
        Computer:    PHMAINDC1
        Description:
        Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

        For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
        
        Event Type:    Error
        Event Source:    Userenv
        Event Category:    None
        Event ID:    1053
        Date:        11/15/2006
        Time:        03:03:19 PM
        User:        NT AUTHORITY\SYSTEM
        Computer:    PHMAINDC1
        Description:
        Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.

        For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
        
        Strangely, the maindc, phmaindc1, lost its forward lookup zone (ad-int) and its reverse lookup zone (ad-int), but my second DC maintained them. I tried adding the zones back into phmaindc1, only to get an error indicating "invalid data".

        So, what I did was make all working zones on the working DC primary (non-AD) and added secondary zones into phmaindc1.

        I tried dcdiag /fix and netdiag /fix - but nothing.

        Tried restarting the netlogon service - nothing.

        I came across forums that pointed at the PTR and A record entries -- didn't find any duplicates or wrong entries; everything is a one-to-one mapping.

        I then looked inside WINS and didn't see any conflicts. Because I've had issues with WINS in the past, I deleted both WINS databases and created new ones from scratch.

        That didn't work.

        I then attempted a net time from the DC in question and got another DC in our DR site. This DR server is not holding any roles and isn't accessible to all of our workstations. I tried to force this server as the authoritative Time server by setting the AnnounceFlags to A, but it didn't take.

        I disabled the link to the DR site, but the problems persisted.

        Every time I would attempt a Net Time from a client workstation, I would get an "Access Denied".

        grr

        I then came across the recommendation to reset the local machine account password of the DCs.

        Using the NETBIOS name of phmaindc1 didn't work; I needed to use the IP.

        netdom resetpwd /s:192.168.1.1 /ud:domain\username /pd:*

        Rebooted (ran the above while the KDC service was running).

        That didn't work.

        I then needed to reset the local machine account for the other DC that was working fine.

        Once I reset that using netdom and rebooted, everything came back up.

        whew!

        Now that I've created non-AD-int DNS zones, I saw somewhere someone recommended deleting my previously created DNS partitions and recreating them and making the zones AD-int again.

        I've tried -- DNSCMD /DELETEDIRECTORYPARTITION

        but I need the FQDN of the partition, which I don't know?

        Any ideas on what to do to clean up what's going on?

        Or any insight as to why this happened and what design/implementation change I could do to prevent it?

        Thanks for the responses,


        On 11/15/06, Scott, Anthony <[EMAIL PROTECTED]> wrote:

        Verify DNS is working properly and that DCs are synching time. These are two things that can cause Kerberos/logon problems. Also, make sure there is not another computer object in AD, DNS record, or WINS record named phmaindc1.

        LMK if you need help in doing these tasks.

        Thanks,

        Anthony Scott

        Microsoft Consultant

        Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

          <http://www.berbee.com/> 

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
        Sent: Wednesday, November 15, 2006 12:43 PM
        To: [email protected]
        Subject: [ActiveDir] Strange DC behaviour and error

        Hey Guys,

        I receive this error on my DC and my newly created Citrix Server.

        Event Type: Error
        Event Source: Kerberos
        Event Category: None
        Event ID: 4
        Date:  11/15/2006
        Time:  12:30:17 PM
        User:  N/A
        Computer: PHMAINDC1
        Description:
        The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/phmaindc1.phippsny.org.  The target name used was DNS/phmaindc1.phippsny.org. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm ( PHIPPSNY.ORG), and the client realm.   Please contact your system administrator.

        For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .

         

        The Citrix server can't connect to the terminal server licensing component on here, and every time a user logs in they receive an access denied indicating that they could retrieve their TS profile information.

        Every time I try to run dsa.msc on the Citrix box, I get an error.

        I'm running Windows 2003 Standard R2 on AD and Standard w/ SP1 on the Citrix box.

        I also get this error/message when I run dcdiag on the DC:


                 The account PHMAINDC1 is not a DC account.  It cannot replicate.
                 Warning:  Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
                 Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
                 This may be affecting replication?


        Any ideas? I'm stuck with all my Citrix users being denied logon!

        -- 
        HBooGz:\> 

        -- 
        HBooGz:\> 

        -- 
        HBooGz:\> 
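
The two checks the thread keeps coming back to (is every DC's clock within the Kerberos skew window of the PDC emulator, and does each DC's computer object still carry the UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION bits that dcdiag reported missing on PHMAINDC1) can be run in one pass. The script below is an added example written for this page; it is not code from anyone in the thread. It assumes a domain-joined Windows host with the ActiveDirectory PowerShell module (RSAT) and w32tm.exe, run by a user who can read computer objects; the function and variable names (Get-ClockOffsetSeconds, Test-DcAccountFlags, $MaxSkewSeconds) are this script's own.

```powershell
# Added diagnostic script, not part of the thread. Assumes a domain-joined Windows
# host with the ActiveDirectory module (RSAT) and w32tm.exe, run as a user who can
# read computer objects. Names such as $MaxSkewSeconds are this script's own.
Import-Module ActiveDirectory

# userAccountControl bits quoted in the dcdiag output in the thread
$UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
$UF_SERVER_TRUST_ACCOUNT      = 0x2000
$UF_TRUSTED_FOR_DELEGATION    = 0x80000
$ExpectedDcFlags = $UF_SERVER_TRUST_ACCOUNT -bor $UF_TRUSTED_FOR_DELEGATION   # 0x82000
$MaxSkewSeconds  = 300   # Kerberos default MaxClockSkew is 5 minutes

function Get-ClockOffsetSeconds {
    # Offset of the local clock against $Target via w32tm /stripchart (signed seconds,
    # averaged over $Samples); $null when the target does not answer NTP.
    param([string]$Target, [int]$Samples = 3)
    $lines = & w32tm.exe /stripchart /computer:$Target /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }
    return ($offsets | Measure-Object -Average).Average
}

function Test-DcAccountFlags {
    # Classifies a DC computer object's userAccountControl the way dcdiag does.
    param([int64]$Uac)
    if (($Uac -band $ExpectedDcFlags) -eq $ExpectedDcFlags) { return 'OK' }
    if ($Uac -band $UF_WORKSTATION_TRUST_ACCOUNT) { return 'WORKSTATION_TRUST_ACCOUNT: not a DC account' }
    return ('missing DC bits, have 0x{0:X}' -f $Uac)
}

$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator (top of the domain time hierarchy): $pdc"
Write-Host "Local time source reported by w32tm: $(& w32tm.exe /query /source)"

# Every DC is measured from the same local clock, so a DC whose offset differs
# from the PDC's offset by more than the skew limit will fail Kerberos against it.
$pdcOffset = Get-ClockOffsetSeconds -Target $pdc
if ($null -eq $pdcOffset) {
    Write-Warning "PDC $pdc did not answer NTP; comparing against the local clock instead"
    $pdcOffset = 0
}

foreach ($dc in Get-ADDomainController -Filter *) {
    $obj    = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties userAccountControl
    $offset = Get-ClockOffsetSeconds -Target $dc.HostName
    if ($null -eq $offset) { $timeState = 'NO NTP RESPONSE' }
    elseif ([math]::Abs($offset - $pdcOffset) -gt $MaxSkewSeconds) {
        $timeState = 'SKEW {0:N1}s from PDC (limit {1}s)' -f ($offset - $pdcOffset), $MaxSkewSeconds
    }
    else { $timeState = 'in sync ({0:N3}s from PDC)' -f ($offset - $pdcOffset) }

    [pscustomobject]@{
        DC      = $dc.HostName
        Account = Test-DcAccountFlags -Uac $obj.userAccountControl
        Time    = $timeState
    }
}
```

A DC that reports NO NTP RESPONSE or a SKEW line is the one to fix first with the w32tm /config /syncfromflags:DOMHIER /update and w32time restart from earlier in the thread, then rerun the script; a DC whose Account column is anything other than OK will keep failing replication and Kerberos regardless of how good its clock is, and that is the symptom the dcdiag warning above describes.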
