Thanks Laura. I've been thinking about the demotion, but one question would be: should I keep the same computer name?
I consider myself a geek, probably not an AD-geek, but I try =\

Re: parallel upgrade. In other words, what I did was: introduce a new box with a freshly installed win 2003 standard r2 OS and adprep the win2k domain before introducing this new box into the win2k domain. By parallel I meant to say I was running win2k3 and win2k parallel to each other before I decommissioned the win2k DCs.

On 11/16/06, Laura A. Robinson <[EMAIL PROTECTED]> wrote:
Okay, so basically I can think of a few quickish options:

1. Let somebody who geeks out on this stuff poke around in your DCs. There are obviously lots of caveats around that one (like, why would you let a stranger poke around in your AD, why would somebody want to take on that liability, how would you determine that somebody wasn't a cluebie, etc.)
2. Call PSS and get the benefit of all the warranties and liabilities that come with the support agreement, and let them poke around in your AD.
3. Find a willing geek to get on the phone with you, 'cause typing all this stuff up has to be as difficult for you as it is for the people trying to make heads or tails of the situation.
4. Scrap trying to track down the problem and demote the problem DC, then re-promote it.

I hate offering that as a solution as I usually like to dig around and figure out what's causing things, but in this situation it's really hard to troubleshoot your environment simply because there are so many different factors that could come into play that would need to be looked at. And honestly, this smells like there was an imaged DC or something similar somewhere along the line. I believe you that there wasn't; it's just the same kind of behavior that you see in scenarios like that.

Wait, hold on a sec... what does "a parallel upgrade" mean?

Laura

------------------------------
*From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *hboogz
*Sent:* Thursday, November 16, 2006 5:10 PM
*To:* [email protected]
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!

Hey Laura, this is the strange DC error guy...unfortunately.

This DC existed for about 4 months. I did a parallel upgrade to 2003 with a new box and promoting it into a windows 2000 domain using adprep /forestprep and adprep /domainprep:gprep. There has never been use of duplicate names. This DC was never restored from a backup. There never has been a duplicate name for any member servers nor have there been any backup restores...
I'm able to update DNS registration from this maindc now, because I needed to enable the DHCP client service on the machine.

I've tried the following from the problematic DC:

net stop kdc
purge kerberos ticket cache using kerbtray
reset pwd using netdom
net start kdc
reboot

but I continue to get Replication access denied from one DC to all three of my DCs. I've tried the same as above from a second DC without removing the ticket cache, but still get the same errors from the phmaindc1 DC. All other DCs replicate with this DC just fine.

I've checked the zones through dnscmd and made sure they are alike with regard to zone type.

dnscmd /enumzones

C:\>dnscmd /enumzones

Enumerated zone list:
        Zone count = 5

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
 31.168.192.in-addr.arpa        Secondary  File            Rev
 jacwf.phippsny.org             Secondary  File
 phippsny.org                   Primary    AD-Domain       Update Aging

Command completed successfully.

above is PHMAINDC1

Below is PHPRINT1

C:\>dnscmd /enumzones

Enumerated zone list:
        Zone count = 5

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 168.192.in-addr.arpa           Primary    AD-Domain       Update Rev Aging
 31.168.192.in-addr.arpa        Secondary  File            Rev
 jacwf.phippsny.org             Secondary  File
 phippsny.org                   Primary    AD-Domain       Update Aging

Command completed successfully.

=\ I'm stuck.

On 11/16/06, Laura A. Robinson < [EMAIL PROTECTED]> wrote:
>
> Is this the same set of machines that are being talked about in the
> "strange DC error" thread? I don't remember who it was who originated that
> one and I want to make sure I'm not asking for something you've already
> provided.
>
> So, if the answer to the above is "no", my next question is, can you
> provide a little more information about the environment? How long has this
> DC existed as a DC? Was there ever another DC with the same name? Was this
> DC at any point restored from a backup? Has it been consistently connected
> to the network?
> How about the member server- same questions as the DC
> questions.
>
> Thanks,
>
> Laura
>
> ------------------------------
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *hboogz
> *Sent:* Thursday, November 16, 2006 12:09 PM
> *To:* [email protected]
> *Subject:* [ActiveDir] Kerberos is Killing Me!
>
>
> I am having continued issues with Kerberos. I tried running tokensz
> against the problem server and I get this error message..
>
> C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1
>
> Name: Negotiate Comment: Microsoft Package Negotiator
> Current PackageInfo->MaxToken: 12128
>
> Asked for delegate, but didn't get it.
> Check if server is trusted for delegation.
>
> QueryKeyInfo:
> Signature algorithm =
> Encrypt algorithm = RSADSI RC4
> KeySize = 128
> Flags = 2001c
> Signature Algorithm = -138
> Encrypt Algorithm = 26625
> QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED
>
>
> any ideas ?
>
> I keep getting the following event log message on a domain controller
> which prevents users from accessing it and authenticating to it.
>
> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 4
> Date: 11/16/2006
> Time: 12:02:37 PM
> User: N/A
> Computer: PHMAINDC1
> Description:
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
> host/phmaindc1.phippsny.org. The target name used was host/phprint1. This
> indicates that the password used to encrypt the kerberos service ticket is
> different than that on the target server. Commonly, this is due to
> identically named machine accounts in the target realm (PHIPPSNY.ORG),
> and the client realm. Please contact your system administrator.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Help!
>
>
>
> --
> HBooGz:\>
>

--
HBooGz:\>
-- HBooGz:\>
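
Added example (not part of the original thread, and not anyone's posted code): a small Python triage of the Event ID 4 description quoted above, extracting the server that returned KRB_AP_ERR_MODIFIED and the target name the ticket was requested for, then comparing the two host names. The function names and the two finding labels ("wrong-host", "key-mismatch") are assumptions made for this illustration.

```python
import re

# Description text of the Event ID 4 entry quoted in this thread.
EVENT_TEXT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/phmaindc1.phippsny.org. The target name used was host/phprint1. This "
    "indicates that the password used to encrypt the kerberos service ticket is "
    "different than that on the target server."
)

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the\s+server\s+(?P<server>\S+?)\.\s+"
    r"The target name used was\s+(?P<target>\S+?)\.(?:\s|$)",
    re.IGNORECASE,
)


def short_host(principal):
    """'host/phmaindc1.phippsny.org' -> 'phmaindc1' (service class, port, DNS suffix dropped)."""
    host = principal.split("/", 1)[-1].split(":", 1)[0]
    return host.split(".", 1)[0].lower()


def triage(event_text):
    """Return the parsed principals plus a finding label, or None if the text is not this event."""
    m = EVENT_RE.search(event_text)
    if m is None:
        return None
    server, target = m.group("server"), m.group("target")
    answered, wanted = short_host(server), short_host(target)
    if answered != wanted:
        # Ticket was encrypted for `wanted`, but `answered` received it and could not decrypt it.
        finding = "wrong-host"
        hint = (f"check what '{wanted}' resolves to (DNS, WINS, hosts file) and "
                f"which account holds the SPN {target}")
    else:
        # Same machine on both sides: its key differs from the one the KDC used.
        finding = "key-mismatch"
        hint = f"check for a stale or duplicate machine account password for '{wanted}'"
    return {"server": server, "target": target, "finding": finding, "hint": hint}


if __name__ == "__main__":
    print(triage(EVENT_TEXT))
```

For the event in this thread the two names differ (phmaindc1 answered a request made for phprint1), so the triage returns "wrong-host".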
