Dean has found a thread with 2003 and 2012 dc's in the same domain that is exactly what was happening to me.
From: [email protected] [mailto:[email protected]] On Behalf Of Melvin Backus Sent: Monday, October 06, 2014 11:18 AM To: [email protected] Subject: RE: [NTSysADM] Win 7 workstations losing trust I was under the impression that the last password was supposed to be usable as well to prevent this sort of thing. Sort of on the order of "Something hiccups, passwords are no longer synced, the server checks to see if the last password prior to the current one matches, OK, do some validation then let the machine connect". Did I dream that or has it changed? I can see where it might be a security issue if there weren't sufficient validations, but for some reason I seem to recall reading something along that line. -- There are 10 kinds of people in the world... those who understand binary and those who don't. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jesse Rink Sent: Monday, October 06, 2014 11:06 AM To: ntsysadm Subject: Re: [NTSysADM] Win 7 workstations losing trust We've seen it that Win 7 machines lose their trust relationship in cases where perhaps a machine was powered down incorrectly, and when it reboots, a system restore is done from the last recovery point. Once the machine comes back, it won't work on the domain anymore because the AD server(s) have a newer computer-password than the one from the system restore itself. Machine has to be unjoined and rejoined at that point to get it working. Jesse Rink Source One Technology, Inc. HP Partner 262 993 2231 ________________________________ From: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> on behalf of Dean Cunningham <[email protected]<mailto:[email protected]>> Sent: Sunday, October 5, 2014 9:12 PM To: ntsysadm Subject: Re: [NTSysADM] Win 7 workstations losing trust Got any 2003DCs *and* 2012 R2 DCs in the AD environment? Getting Event ID: 4 The Kerberos client received a KRB_AP_ERR_MODIFIED <http://britv8.com/event-id-4-the-kerberos-client-received-a-krb_ap_err_modified-windows-2003-and-windows-2012-r2-dc-environment/> http://britv8.com/event-id-4-the-kerberos-client-received-a-krb_ap_err_modified-windows-2003-and-windows-2012-r2-dc-environment/ hotfix available On Thu, Oct 2, 2014 at 10:55 PM, David McSpadden <[email protected]<mailto:[email protected]>> wrote: Why does this happen? I get them rejoined but why do they lose their trust relationship in the first place? Sent from my iPhone This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email. This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
