Thanks guys, that clears up a lot.

I followed this article from Jorge's blog, which helped me resolve the NET
TIME issue on my clients and servers.

http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/111.aspx

I'm using the PDCe as the forest root and using the internal clock.

However, I have another thread where Kerberos is just killing me.

On 11/16/06, Paul Williams <[EMAIL PROTECTED]> wrote:

Pay no attention to NET TIME.  It's using legacy APIs and isn't an
accurate depiction of what w32time is doing.  If you want to know what
server is being used, crank up the logging of w32time (there's a KB that
explains how to do this).  Otherwise, run nltest /dsgetdc:domain-name.com (or
SET LOG if you logged on without cached credentials) and that will give
you a better idea of which DC is being used.

Note.  If there are several DCs in the site, the above might not be
indicative of the actual DC, but will give you a better idea than NET TIME.

As a quick note on time sync.  The PDCe is the authoritative root.
Clients will use any DC.  DCs use the PDCe in their domain.  The PDCes use
the forest root PDCe.

--Paul
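Paul's advice above (w32tm rather than NET TIME, nltest /dsgetdc, and the PDCe hierarchy) turned into a script, added here as an example and not code from the thread. It assumes a domain-joined Windows machine with w32tm.exe and nltest.exe on the path, the .NET System.DirectoryServices.ActiveDirectory classes, and Windows Server 2008 or later for `w32tm /query /computer:` (on 2003 the equivalent view is `w32tm /monitor`); the 5-minute threshold is the Kerberos default MaxClockSkew.

```powershell
# Added example, not code from the thread: walk the w32time hierarchy Paul describes
# (clients -> any DC -> domain PDCe -> forest root PDCe) and measure clock offsets
# with w32tm instead of NET TIME. Assumes a domain-joined Windows machine with
# w32tm.exe and nltest.exe on the path, and Windows Server 2008 or later for
# "w32tm /query" (on 2003 use "w32tm /monitor" for the same view). Kerberos rejects
# tickets once skew exceeds MaxClockSkew, 5 minutes by default, so that is flagged.
$maxSkewSeconds = 300

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domainPdce     = $domain.PdcRoleOwner.Name
$forestRootPdce = $forest.RootDomain.PdcRoleOwner.Name

"Domain PDCe      : $domainPdce"
"Forest root PDCe : $forestRootPdce"
# The DC locator's answer for this machine (Paul's nltest check, not NET TIME).
$locator = nltest /dsgetdc:$($domain.Name) 2>&1 | Select-String '^\s*DC:'
"DC locator picks : $("$locator" -replace '^\s*DC:\s*', '')"

function Get-OffsetSeconds([string]$target) {
    # w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.0012345s" line per sample,
    # the remote clock relative to this machine. Returns $null if the target is unreachable.
    $lines = w32tm /stripchart /computer:$target /samples:3 /dataonly 2>&1
    $vals = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $vals) { return $null }
    return ($vals | Measure-Object -Average).Average
}

$report = foreach ($dc in $domain.DomainControllers) {
    $name   = $dc.Name
    # The peer w32time on that DC is actually syncing from; this is what NET TIME cannot tell you.
    $source = (w32tm /query /computer:$name /source 2>&1) -join ' '
    $offset = Get-OffsetSeconds $name
    $role = 'DC'
    if ($name -eq $forestRootPdce) { $role = 'forest root PDCe' }
    elseif ($name -eq $domainPdce) { $role = 'domain PDCe' }

    $notes = @()
    if ($null -eq $offset) { $notes += 'unreachable over NTP' }
    elseif ([math]::Abs($offset) -gt $maxSkewSeconds) { $notes += 'skew exceeds Kerberos tolerance' }
    # Only the forest root PDCe should run off its own hardware clock (or an external NTP source).
    if ($source -match 'Local CMOS Clock' -and $name -ne $forestRootPdce) {
        $notes += 'free-running clock on a non-root DC'
    }
    # A child-domain PDCe that does not point at the forest root PDCe breaks the hierarchy.
    if ($role -eq 'domain PDCe' -and $source -notmatch [regex]::Escape($forestRootPdce)) {
        $notes += 'domain PDCe not syncing from forest root PDCe'
    }
    New-Object PSObject -Property @{
        DC = $name; Role = $role; OffsetSeconds = $offset; Source = $source; Note = ($notes -join '; ')
    }
}
$report | Format-Table DC, Role, OffsetSeconds, Source, Note -AutoSize
```

The offsets are all measured from the machine running the script, so the number to watch is the spread between DCs rather than any single value; a DC that shows up as "unreachable over NTP" while it answers nltest is usually UDP 123 being blocked somewhere on the path.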

----- Original Message -----
*From:* hboogz <[EMAIL PROTECTED]>
*To:* [email protected]
*Sent:* Thursday, November 16, 2006 3:20 PM
*Subject:* Re: [ActiveDir] Strange DC behaviour and error

The same issue started happening last night at about 10:35. This
was after I plugged in my DR link to the AD box out at my disaster recovery
site.

I came in this morning only to find that when I run NET TIME from my
DCs it was resolving to this DR Domain Controller.

I disconnected the link, reset the local machine passwords, rebooted, and
all is up now.

What gives? Anyone have any ideas?

On 11/15/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> Hey Guys,
>
> Thanks for responses.
>
> I've been stuck in the data center for the past few hours.
>
> Here goes:
>
> It all started with this error in the event log:
>
> Event Type:    Error
> Event Source:    Kerberos
> Event Category:    None
> Event ID:    4
> Date:        11/15/2006
> Time:        03:17:45 PM
> User:        N/A
> Computer:    PHMAINDC1
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/phmaindc1.phippsny.org.  The target name used was cifs/PHMAINDC1. This
> indicates that the password used to encrypt the kerberos service ticket is
> different than that on the target server. Commonly, this is due to
> identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
> and the client realm.   Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Then it became all of these:
>
> Event Type:    Warning
> Event Source:    LSASRV
> Event Category:    SPNEGO (Negotiator)
> Event ID:    40960
> Date:        11/15/2006
> Time:        03:13:19 PM
> User:        N/A
> Computer:    PHMAINDC1
> Description:
> The Security System detected an authentication error for the server
> cifs/PHMAINDC1.phippsny.org.  The failure code from authentication protocol
> Kerberos was "The attempted logon is invalid. This is either due to a bad
> username or authentication information.
>  (0xc000006d)".
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp .
> Data:
> 0000: 6d 00 00 c0               m..À
>
>
> Event Type:    Error
> Event Source:    Userenv
> Event Category:    None
> Event ID:    1030
> Date:        11/15/2006
> Time:        02:58:23 PM
> User:        PHIPPSNY\Administrator
> Computer:    PHMAINDC1
> Description:
> Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine that
> describes the reason for this.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Event Type:    Error
> Event Source:    Userenv
> Event Category:    None
> Event ID:    1053
> Date:        11/15/2006
> Time:        03:03:19 PM
> User:        NT AUTHORITY\SYSTEM
> Computer:    PHMAINDC1
> Description:
> Windows cannot determine the user or computer name. (Access is denied.
> ). Group Policy processing aborted.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Strangely, the main DC, phmaindc1, lost its forward lookup zone (AD-int)
> and its reverse lookup zone (AD-int), but my second DC maintained them. I
> tried adding the zones back into phmaindc1, only to get an error indicating
> "invalid data".
>
> So, what I did was make all working zones on the working DC primary
> (non-AD) and added secondary zones into phmaindc1.
>
> I tried dcdiag /fix and netdiag /fix, but nothing.
>
> Tried restarting the Netlogon service: nothing.
>
> I came across the forums that indicated the PTR and A record entries;
> didn't find any duplicates or wrong entries, everything is a one-to-one
> mapping.
>
> I then looked inside WINS and didn't see any conflicts. Because I've
> had issues with WINS in the past, I deleted both WINS databases and created
> new ones from scratch.
>
> That didn't work.
>
> I then attempted a NET TIME from the DC in question and got another DC
> in our DR site. This DR server is not holding any roles and isn't accessible
> to all of our workstations. I tried to force this server as the
> authoritative time server by setting AnnounceFlags to A, but it didn't
> take.
>
> I disabled the link to the DR site, but the problems persisted.
>
> Every time I would attempt a NET TIME from a client workstation, I would
> get an "Access Denied".
>
> grr
>
> I then came across the recommendation to reset the local machine account
> password of the DCs.
>
> Using the NetBIOS name of phmaindc1 didn't work; I needed to use the IP.
>
> netdom resetpwd /s:192.168.1.1 /ud:domain\username /pd:*
>
> rebooted (ran the above while the KDC service was running)
>
> That didn't work.
>
> I then needed to reset the local machine account for the other DC that
> was working fine.
>
> Once I reset that using netdom and rebooted, everything came back up.
>
>
> whew!
>
> Now that I've created non-AD-integrated DNS zones, I saw somewhere someone
> recommended deleting my previously created DNS partitions and recreating
> them and making the zones AD-integrated again.
>
> I've tried DNSCMD /DELETEDIRECTORYPARTITION
>
> but I need the FQDN of the partition, which I don't know.
>
> Any ideas on what to do to clean up what's going on?
>
> Or any insight as to why this happened and what design or implementation
> change I could make to prevent it?
>
> Thanks for the responses,
>
> On 11/15/06, Scott, Anthony < [EMAIL PROTECTED]> wrote:
> >
> > Verify DNS is working properly and that DCs are syncing time. These
> > are two things that can cause Kerberos/logon problems. Also, make sure
> > there is not another computer object in AD, DNS record, or WINS record named
> > phmaindc1.
> >
> > LMK if you need help in doing these tasks.
> >
> > Thanks,
> >
> > *Anthony Scott*
> >
> > *Microsoft Consultant*
> >
> > Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]
> >
> >
> > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > *On Behalf Of *hboogz
> > *Sent:* Wednesday, November 15, 2006 12:43 PM
> > *To:* [email protected]
> > *Subject:* [ActiveDir] Strange DC behaviour and error
> >
> > Hey Guys,
> >
> > I receive this error on my DC and my newly created Citrix Server.
> >
> > Event Type: Error
> > Event Source: Kerberos
> > Event Category: None
> > Event ID: 4
> > Date:  11/15/2006
> > Time:  12:30:17 PM
> > User:  N/A
> > Computer: PHMAINDC1
> > Description:
> > The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > server host/phmaindc1.phippsny.org.  The target name used was
> > DNS/phmaindc1.phippsny.org. This indicates that the password used to encrypt
> > the kerberos service ticket is different than that on the target server.
> > Commonly, this is due to identically named  machine accounts in the target
> > realm ( PHIPPSNY.ORG), and the client realm.   Please contact your
> > system administrator.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> >
> > The Citrix server can't connect to the terminal server licensing
> > component on here and every time a user logs in, they receive an access
> > denied indicating that they could retrieve their TS profile information.
> >
> > Every time I try to run dsa.msc on the Citrix box, I get an error.
> >
> > I'm running Windows 2003 Standard R2 on AD and Standard w/ SP1 on the
> > Citrix box.
> >
> > I also get this error/message when I run dcdiag on the DC:
> >
> >          The account PHMAINDC1 is not a DC account.  It cannot replicate.
> >          Warning:  Attribute userAccountControl of PHMAINDC1 is:
> >          0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
> >          Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
> >          This may be affecting replication?
> >
> >
> > Any ideas? I'm stuck with all my Citrix users being denied logon!
> >
> > --
> > HBooGz:\>
>
> --
> HBooGz:\>

--
HBooGz:\>

--
HBooGz:\>
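The checks Anthony lists in the thread (another computer object or DNS record named phmaindc1) together with a decode of the userAccountControl value from the dcdiag output, as an added script that is not part of the thread. It assumes a domain-joined Windows machine with read access to the domain and the .NET System.DirectoryServices classes; it covers AD and DNS but not WINS, and the default name phmaindc1 is the one from the thread, to be replaced with your own. It goes slightly beyond the thread by also listing any SPN registered on more than one object, since that produces the same KRB_AP_ERR_MODIFIED symptom as a duplicate machine account.

```powershell
# Added example, not code from the thread: Anthony's "is there another object named
# phmaindc1?" check plus a decode of the userAccountControl value dcdiag complained
# about. Assumes a domain-joined Windows machine with read access to the directory;
# the default name comes from the thread, substitute your own. WINS is not checked here.
param([string]$ComputerName = 'phmaindc1')

# Bit values named in the dcdiag output (UF_* constants from lmaccess.h).
$UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
$UF_SERVER_TRUST_ACCOUNT      = 0x2000
$UF_TRUSTED_FOR_DELEGATION    = 0x80000
$dcFlags = $UF_SERVER_TRUST_ACCOUNT -bor $UF_TRUSTED_FOR_DELEGATION   # 0x82000, what dcdiag expects on a DC

function ConvertTo-UacText([int]$uac) {
    $names = @()
    if ($uac -band $UF_WORKSTATION_TRUST_ACCOUNT) { $names += 'UF_WORKSTATION_TRUST_ACCOUNT' }
    if ($uac -band $UF_SERVER_TRUST_ACCOUNT)      { $names += 'UF_SERVER_TRUST_ACCOUNT' }
    if ($uac -band $UF_TRUSTED_FOR_DELEGATION)    { $names += 'UF_TRUSTED_FOR_DELEGATION' }
    return ('0x{0:X} = ( {1} )' -f $uac, ($names -join ' | '))
}

# 1. Every directory object that could answer to this name: the machine account itself,
#    anything holding a host/ or cifs/ SPN for it, or anything whose dNSHostName matches.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(|(sAMAccountName=$ComputerName`$)(servicePrincipalName=host/$ComputerName*)" +
                   "(servicePrincipalName=cifs/$ComputerName*)(dNSHostName=$ComputerName.*))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    'distinguishedName', 'objectClass', 'userAccountControl', 'servicePrincipalName', 'pwdLastSet'))
$found = $searcher.FindAll()

"Directory objects matching '$ComputerName': $($found.Count)"
if ($found.Count -gt 1) { "WARNING: more than one object answers to this name (the cause the Kerberos event 4 text hints at)" }

$spnOwners = @{}
foreach ($r in $found) {
    $dn  = $r.Properties['distinguishedname'][0]
    $cls = @($r.Properties['objectclass'])[-1]          # most specific class, e.g. computer
    "  $cls  $dn"
    if ($r.Properties.Contains('useraccountcontrol')) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        "    userAccountControl = $(ConvertTo-UacText $uac)"
        # A DC whose account has lost UF_SERVER_TRUST_ACCOUNT is exactly what the dcdiag output shows.
        if ($dn -match 'OU=Domain Controllers,' -and (($uac -band $dcFlags) -ne $dcFlags)) {
            "    WARNING: in the Domain Controllers OU but lacks the DC flags (expected $(ConvertTo-UacText $dcFlags))"
        }
    }
    if ($r.Properties.Contains('pwdlastset')) {
        "    pwdLastSet         = $([DateTime]::FromFileTime([long]$r.Properties['pwdlastset'][0]))"
    }
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        if (-not $spnOwners.ContainsKey($spn)) { $spnOwners[$spn] = @() }
        $spnOwners[$spn] += $dn
    }
}
$found.Dispose()

# 2. An SPN registered on two objects: the KDC may encrypt the ticket with the other
#    account's key, and the real host then reports KRB_AP_ERR_MODIFIED.
foreach ($spn in @($spnOwners.Keys)) {
    if ($spnOwners[$spn].Count -gt 1) {
        "WARNING: SPN $spn is registered on: $($spnOwners[$spn] -join ' ; ')"
    }
}

# 3. Forward and reverse DNS must agree; a stale A or PTR record that points at another
#    host (the DR box, in the thread) sends clients to a server that cannot decrypt the ticket.
try {
    foreach ($ip in [System.Net.Dns]::GetHostAddresses($ComputerName)) {
        $reverse = '<no PTR>'
        try { $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
        $line = "  A $ComputerName -> $ip ; PTR -> $reverse"
        if (-not ($reverse -eq $ComputerName -or $reverse -like "$ComputerName.*")) {
            $line += '   WARNING: reverse lookup names a different host'
        }
        $line
    }
} catch {
    "  WARNING: $ComputerName does not resolve in DNS: $($_.Exception.Message)"
}
```

The searcher binds to the current domain by default; the event text also mentions a "client realm", so when the forest has more than one domain, bind the DirectorySearcher to a `GC://` path instead to catch a same-named account in another domain. A pwdLastSet older on one duplicate than the other usually identifies the stale object.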
