**Update**

I changed the user account control attribute using the following direction:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
* Goto the UserAccountControl attribute
* You should see a value (from what you have described):
536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server

net stop kdc

clear ticket cache

reset machine pwd

open sites and services and forced replication with phprint -- which succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

however, I still get an error to the child domain indicating access denied.

Should I wait for AD replication for this to work?



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:

when I run a

dcdiag /test:replications from the problematic controller, I get something
I've seen before.

The machine account for the destination PHMAINDC1.
is not configured properly.
Check the userAccountControl field.
Kerberos Error.

I think this may be the source of my issue, the userAccountControl field
and adjusting it to reflect that the computer account PHMAINDC1 is actually
a server account.

I also get this related message from DCDIAG:

      Starting test: MachineAccount
         Checking machine account for DC PHMAINDC1 on DC PHMAINDC1.
         The account PHMAINDC1 is not trusted for delegation.  It cannot replicate.
         The account PHMAINDC1 is not a DC account.  It cannot replicate.
         Warning:  Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         * SPN found :LDAP/PHMAINDC1.phippsny.org/phippsny.org
         * SPN found :LDAP/PHMAINDC1.phippsny.org
         * SPN found :LDAP/PHMAINDC1
         * SPN found :LDAP/PHMAINDC1.phippsny.org/PHIPPSNY
         * SPN found :LDAP/f1da285e-a98b-40d3-abcc-f69057435ed8._msdcs.phippsny.org
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1da285e-a98b-40d3-abcc-f69057435ed8/phippsny.org
         * SPN found :HOST/PHMAINDC1.phippsny.org/phippsny.org
         * SPN found :HOST/PHMAINDC1.phippsny.org
         * SPN found :HOST/PHMAINDC1
         * SPN found :HOST/PHMAINDC1.phippsny.org/PHIPPSNY
         * SPN found :GC/PHMAINDC1.phippsny.org/phippsny.org
         ......................... PHMAINDC1 failed test MachineAccount

I also get this message when running a netdiag:

The Record is different on DNS server '192.168.1.1'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.1.1', no need to re-register

but I don't have multiple records associating with 192.168.1.1, I just
don't see them...

should I manually delete all records and PTRs to 1.1 and registerdns?



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> Hey Laura,
>
> this is the strange DC error guy...unfortunately.
>
> This DC existed for about 4 months. I did a parallel upgrade to 2003
> with a new box and promoting it into a windows 2000 domain using adprep
> /forestprep and adprep /domainprep:gprep.
>
> There has never been use of duplicate names.
>
> this DC was never restored from a backup.
>
> there never has been a duplicate name for any member servers nor have
> there been any backup restores...
>
> I'm able to update DNS registration from this maindc now, because I
> needed to enable the DHCP client service on the machine.
>
> I've tried the following from the problematic DC:
>
> net stop kdc
>
> purge kerberos ticket cache using kerbtray
>
> reset pwd using netdom
>
> net start kdc
>
> reboot
>
> but I continue to get Replication access denied from one DC to all three
> of my DCs.
>
> I've tried the same as above from a second DC without removing the
> ticket cache, but still get the same errors from the phmaindc1 DC.
>
>
>
> All other DCs replicate with this DC just fine.
>
> I've checked the zones through dnscmd and made sure they are alike with
> regard to zone type: dnscmd /enumzones
>
> C:\>dnscmd /enumzones
> Enumerated zone list:
>
>         Zone count = 5
>
>  Zone name                      Type       Storage         Properties
>
>  .                              Cache      AD-Domain
>  168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
>  31.168.192.in-addr.arpa        Secondary  File            Rev
>  jacwf.phippsny.org             Secondary  File
>  phippsny.org                   Primary    AD-Domain       Update Aging
>
> Command completed successfully.
>
> above is PHMAINDC1
>
> Below is PHPRINT1
>
> C:\>dnscmd /enumzones
> Enumerated zone list:
>
>         Zone count = 5
>
>  Zone name                      Type       Storage         Properties
>
>  .                              Cache      AD-Domain
>  168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
>  31.168.192.in-addr.arpa        Secondary  File            Rev
>  jacwf.phippsny.org             Secondary  File
>  phippsny.org                   Primary    AD-Domain       Update Aging
>
> Command completed successfully.
>
>
>
> =\
>
> I'm stuck.
>
>
>
> On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
> >
> >  Is this the same set of machines that are being talked about in the
> > "strange DC error" thread? I don't remember who it was who originated that
> > one and I want to make sure I'm not asking for something you've already
> > provided.
> >
> > So, if the answer to the above is "no", my next question is, can you
> > provide a little more information about the environment? How long has this
> > DC existed as a DC? Was there ever another DC with the same name? Was this
> > DC at any point restored from a backup? Has it been consistently connected
> > to the network? How about the member server- same questions as the DC
> > questions.
> >
> > Thanks,
> >
> > Laura
> >
> >  ------------------------------
> > *From:* [EMAIL PROTECTED] [mailto:
> > [EMAIL PROTECTED] *On Behalf Of *hboogz
> > *Sent:* Thursday, November 16, 2006 12:09 PM
> > *To:* [email protected]
> > *Subject:* [ActiveDir] Kerberos is Killing Me!
> >
> >
> > I am having continued issues with Kerberos. I tried running tokensz
> > against the problem server and I get this error message...
> >
> > C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1
> >
> > Name: Negotiate Comment: Microsoft Package Negotiator
> > Current PackageInfo->MaxToken: 12128
> >
> > Asked for delegate, but didn't get it.
> > Check if server is trusted for delegation.
> >
> > QueryKeyInfo:
> > Signature algorithm =
> > Encrypt algorithm = RSADSI RC4
> > KeySize = 128
> > Flags = 2001c
> > Signature Algorithm = -138
> > Encrypt Algorithm = 26625
> > QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED
> >
> >
> > any ideas?
> >
> > I keep getting the following event log message on a domain controller
> > which prevents users from accessing it and authenticating to it.
> >
> > Event Type:    Error
> > Event Source:    Kerberos
> > Event Category:    None
> > Event ID:    4
> > Date:        11/16/2006
> > Time:        12:02:37 PM
> > User:        N/A
> > Computer:    PHMAINDC1
> > Description:
> > The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > server host/phmaindc1.phippsny.org.  The target name used was host/phprint1.
> > This indicates that the password used to encrypt the kerberos service ticket
> > is different than that on the target server. Commonly, this is due to
> > identically named  machine accounts in the target realm ( PHIPPSNY.ORG),
> > and the client realm.   Please contact your system administrator.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> >
> >
> > Help!
> >
> >
> >
> > --
> > HBooGz:\>
> >
> >
>
>
> --
> HBooGz:\>




--
HBooGz:\>
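The thread turns on reading the userAccountControl bit field correctly: dcdiag reports 0x1000 (UF_WORKSTATION_TRUST_ACCOUNT), the typical DC value is 0x82000 (UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION = 532480), and the value 536576 quoted in the adsiedit instructions is 0x83000, i.e. the DC bits with the workstation bit still set. The following is an added example (not code from any post in this thread) that decodes a userAccountControl value into flag names using the documented bit values, reproduces the two findings dcdiag's MachineAccount test prints, and computes the corrected value by setting the two DC bits and clearing the workstation bit while leaving any other bits alone. The extra "still flagged as a workstation trust account" finding is this example's own addition, not something dcdiag prints.

```python
# Decoder and sanity check for the Active Directory userAccountControl
# attribute. Added example for this thread; not code from the original posts.

# Documented userAccountControl bit values (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0001: "UF_SCRIPT",
    0x0002: "UF_ACCOUNTDISABLE",
    0x0008: "UF_HOMEDIR_REQUIRED",
    0x0010: "UF_LOCKOUT",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0040: "UF_PASSWD_CANT_CHANGE",
    0x0080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x20000: "UF_MNS_LOGON_ACCOUNT",
    0x40000: "UF_SMARTCARD_REQUIRED",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x100000: "UF_NOT_DELEGATED",
    0x200000: "UF_USE_DES_KEY_ONLY",
    0x400000: "UF_DONT_REQUIRE_PREAUTH",
    0x800000: "UF_PASSWORD_EXPIRED",
    0x1000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x4000000: "UF_PARTIAL_SECRETS_ACCOUNT",
}

UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000
# "Typical setting for a DC" as printed by dcdiag: 0x82000 = 532480
DC_TYPICAL = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value,
    lowest bit first; any undocumented bits are reported as one UNKNOWN entry."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def check_dc_account(value):
    """Reproduce the MachineAccount findings dcdiag prints for a DC, plus one
    added check for a workstation bit that was never cleared."""
    findings = []
    if not value & UF_TRUSTED_FOR_DELEGATION:
        findings.append("not trusted for delegation; it cannot replicate")
    if not value & UF_SERVER_TRUST_ACCOUNT:
        findings.append("not a DC account; it cannot replicate")
    if value & UF_WORKSTATION_TRUST_ACCOUNT:  # added check, not from dcdiag
        findings.append("still flagged as a workstation trust account")
    return findings


def corrected_dc_uac(value):
    """Set the two DC bits and clear the workstation bit; every other bit
    (e.g. UF_DONT_EXPIRE_PASSWD) is preserved as found."""
    return (value | DC_TYPICAL) & ~UF_WORKSTATION_TRUST_ACCOUNT


if __name__ == "__main__":
    # The three values that appear in the thread.
    for v in (0x1000, 536576, 532480):
        print("%d (0x%X): %s" % (v, v, " | ".join(decode_uac(v))))
        print("   findings :", check_dc_account(v) or "OK")
        print("   corrected:", corrected_dc_uac(v))
```

Running it shows why the adsiedit instruction moves 536576 to 532480: the decoded value carries UF_WORKSTATION_TRUST_ACCOUNT alongside the two DC bits, and corrected_dc_uac() clears exactly that bit. The same function takes dcdiag's reported 0x1000 to 0x82000.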