Replication only from the DsnDomainPartition came up as successful,
everything else still failed with an access denied.

and it gets better.

when i rerun an

nltest /sc_query:phippsny from phmaindc1, i get this.

C:\>nltest /sc_query:phippsny
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:

**Update**

i changed the user account control attribute using the following
direction:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

i then followed the instructions found here: Re: access denied


http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

i did this from the phmaindc1 server

net stop kdc

clear ticket cache

reset machine pwd

open sites and services and forced replication with phprint -- which
succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

however, i still get an error to the child domain indicating access
denied.

should i wait for AD replication for this to work ?



On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
>
> when i run a
>
> dcdiag /test:replications from the problematic controller, i get
> something i've seen before.
>
> The machine account for the destination PHMAINDC1.
> is not configured properly.
> Check the userAccountControl field.
> Kerberos Error.
>
> i think this may be the source of my issue, the useraccountcontrol field
> and adjusting it to reflect that the computer account PHMAINDC1 is actually
> a server account.
>
> I also get this related message from DCDIAG:
>
>       Starting test: MachineAccount
>          Checking machine account for DC PHMAINDC1 on DC PHMAINDC1.
>          The account PHMAINDC1 is not trusted for delegation.  It cannot replicate.
>          The account PHMAINDC1 is not a DC account.  It cannot replicate.
>          Warning:  Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
>          Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
>          This may be affecting replication?
>          * SPN found :LDAP/PHMAINDC1.phippsny.org/phippsny.org
>          * SPN found :LDAP/PHMAINDC1.phippsny.org
>          * SPN found :LDAP/PHMAINDC1
>          * SPN found :LDAP/PHMAINDC1.phippsny.org/PHIPPSNY
>          * SPN found :LDAP/f1da285e-a98b-40d3-abcc-f69057435ed8._msdcs.phippsny.org
>          * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f1da285e-a98b-40d3-abcc-f69057435ed8/phippsny.org
>          * SPN found :HOST/PHMAINDC1.phippsny.org/phippsny.org
>          * SPN found :HOST/PHMAINDC1.phippsny.org
>          * SPN found :HOST/PHMAINDC1
>          * SPN found :HOST/PHMAINDC1.phippsny.org/PHIPPSNY
>          * SPN found :GC/PHMAINDC1.phippsny.org/phippsny.org
>          ......................... PHMAINDC1 failed test MachineAccount
>
> i also get this message when running a netdiag:
>
> The Record is different on DNS server ' 192.168.1.1'.
> DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
> Your DC entry is one of them on DNS server ' 192.168.1.1', no need to re-register
>
> but i don't have multiple records associated with 192.168.1.1, i
> just don't see them..
>
> should i manually delete all records and PTR's to 1.1 and registerdns ?
>
>
>
> On 11/16/06, hboogz <[EMAIL PROTECTED]> wrote:
> >
> > Hey Laura,
> >
> > this is the strange DC error guy...unfortunately.
> >
> > This DC existed for about 4 months. I did a parallel upgrade to 2003
> > with a new box and promoting it into a windows 2000 domain using adprep
> > /forestprep and adprep /domainprep:gprep.
> >
> > There has never been use of duplicate names.
> >
> > this DC was never restored from a backup.
> >
> > there never has been a duplicate name for any member servers nor have
> > there been any backup restores...
> >
> > I'm able to update DNS registration from this maindc now, because i
> > needed to enable the DHCP client service on the machine.
> >
> > I've tried the following from the problematic DC:
> >
> > net stop kdc
> >
> > purge kerberos ticket cache using kerbtray
> >
> > reset pwd using netdom
> >
> > net start kdc
> >
> > reboot
> >
> > but i continue to get Replication access denied from one DC to all
> > three of my DC's.
> >
> > I've tried the same as above from a second DC without removing the
> > ticket cache, but still get the same errors from the phmaindc1 DC.
> >
> >
> >
> > All other DC's replicate with this DC just fine.
> >
> > i've checked the zones through dnscmd and made sure they are alike
> > with regard to zone type. dnscmd /enumzones
> >
> > C:\>dnscmd /enumzones
> > Enumerated zone list:
> >
> >         Zone count = 5
> >
> >  Zone name                      Type       Storage         Properties
> >
> >  .                              Cache      AD-Domain
> >  168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
> >  31.168.192.in-addr.arpa        Secondary  File            Rev
> >  jacwf.phippsny.org             Secondary  File
> >  phippsny.org                   Primary    AD-Domain       Update Aging
> >
> > Command completed successfully.
> >
> > above is PHMAINDC1
> >
> > Below is PHPRINT1
> >
> > C:\>dnscmd /enumzones
> > Enumerated zone list:
> >
> >         Zone count = 5
> >
> >  Zone name                      Type       Storage         Properties
> >
> >  .                              Cache      AD-Domain
> >  168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
> >  31.168.192.in-addr.arpa        Secondary  File            Rev
> >  jacwf.phippsny.org             Secondary  File
> >  phippsny.org                   Primary    AD-Domain       Update Aging
> >
> > Command completed successfully.
> >
> >
> >
> > =\
> >
> > i'm stuck.
> >
> >
> >
> > On 11/16/06, Laura A. Robinson < [EMAIL PROTECTED]> wrote:
> > >
> > >  Is this the same set of machines that are being talked about in the
> > > "strange DC error" thread? I don't remember who it was who originated that
> > > one and I want to make sure I'm not asking for something you've already
> > > provided.
> > >
> > > So, if the answer to the above is "no", my next question is, can you
> > > provide a little more information about the environment? How long has this
> > > DC existed as a DC? Was there ever another DC with the same name? Was this
> > > DC at any point restored from a backup? Has it been consistently connected
> > > to the network? How about the member server- same questions as the DC
> > > questions.
> > >
> > > Thanks,
> > >
> > > Laura
> > >
> > >  ------------------------------
> > > *From:* [EMAIL PROTECTED] [mailto:
> > > [EMAIL PROTECTED] *On Behalf Of *hboogz
> > > *Sent:* Thursday, November 16, 2006 12:09 PM
> > > *To:* ActiveDir@mail.activedir.org
> > > *Subject:* [ActiveDir] Kerberos is Killing Me!
> > >
> > >
> > > I am having continued issues with Kerberos. I tried running tokensz
> > > against the problem server and i get this error message..
> > >
> > > C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1
> > >
> > > Name: Negotiate Comment: Microsoft Package Negotiator
> > > Current PackageInfo->MaxToken: 12128
> > >
> > > Asked for delegate, but didn't get it.
> > > Check if server is trusted for delegation.
> > >
> > > QueryKeyInfo:
> > > Signature algorithm =
> > > Encrypt algorithm = RSADSI RC4
> > > KeySize = 128
> > > Flags = 2001c
> > > Signature Algorithm = -138
> > > Encrypt Algorithm = 26625
> > > QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED
> > >
> > >
> > > any ideas ?
> > >
> > > I keep getting the following event log message on a domain
> > > controller which prevents users from accessing it and authenticating to it.
> > >
> > > Event Type:    Error
> > > Event Source:    Kerberos
> > > Event Category:    None
> > > Event ID:    4
> > > Date:        11/16/2006
> > > Time:        12:02:37 PM
> > > User:        N/A
> > > Computer:    PHMAINDC1
> > > Description:
> > > The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> > > server host/phmaindc1.phippsny.org.  The target name used was host/phprint1.
> > > This indicates that the password used to encrypt the kerberos service ticket
> > > is different than that on the target server. Commonly, this is due to
> > > identically named  machine accounts in the target realm (PHIPPSNY.ORG),
> > > and the client realm.   Please contact your system administrator.
> > >
> > > For more information, see Help and Support Center at
> > > http://go.microsoft.com/fwlink/events.asp.
> > >
> > >
> > > Help!
> > >
> > >
> > >
> > > --
> > > HBooGz:\>
> > >
> > >
> >
> >
> > --
> > HBooGz:\>
>
>
>
>
> --
> HBooGz:\>




--
HBooGz:\>




--
HBooGz:\>
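
Added example (not part of the original thread or written by its participants): the three userAccountControl values quoted above, decoded against the DC baseline 0x82000 that dcdiag prints. The flag names are the ones dcdiag reports and the bit values are the documented userAccountControl constants; the function name `Test-DcUac` and the labels are hypothetical.

```powershell
# Added example. UF_* names are the ones dcdiag prints; bit values are the
# documented userAccountControl constants. Test-DcUac is a hypothetical name.
$UacFlags = [ordered]@{
    UF_ACCOUNTDISABLE            = 0x2
    UF_NORMAL_ACCOUNT            = 0x200
    UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
    UF_SERVER_TRUST_ACCOUNT      = 0x2000
    UF_TRUSTED_FOR_DELEGATION    = 0x80000
}
$DcBaseline = 0x82000   # dcdiag: "Typical setting for a DC"

function Test-DcUac {
    param([string]$Source, [int]$Value)
    $names = @($UacFlags.Keys)
    # Flags present in the value.
    $set     = @($names | Where-Object { $Value -band $UacFlags[$_] })
    # Flags the DC baseline requires that the value lacks.
    $missing = @($names | Where-Object {
        ($DcBaseline -band $UacFlags[$_]) -and -not ($Value -band $UacFlags[$_]) })
    # Flags present in the value that the DC baseline does not contain.
    $extra   = @($names | Where-Object {
        ($Value -band $UacFlags[$_]) -and -not ($DcBaseline -band $UacFlags[$_]) })
    [pscustomobject]@{
        Source     = $Source
        Hex        = '0x{0:X}' -f $Value
        Set        = $set -join ' | '
        Missing    = $missing -join ' | '
        Unexpected = $extra -join ' | '
        MatchesDc  = ($Value -eq $DcBaseline)
    }
}

# The three values quoted in the thread.
@(
    Test-DcUac 'ADSI Edit steps: expected value' 536576
    Test-DcUac 'ADSI Edit steps: new value'      532480
    Test-DcUac 'dcdiag MachineAccount warning'   0x1000
) | Format-List
```

536576 decodes to 0x83000, which carries both the workstation and server trust bits; 532480 is exactly 0x82000; 0x1000 lacks both bits of the DC baseline.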
