@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos is Killing Me!
Yes if you want to focus on a specific domain, use the -b and the NC you
want. However the SPNs are across all NCs so when you do an SPN lookup,
look at the GC and search across all NCs. It is unlikely to get duped
HOST entries in a single
From: Laura A. Robinson
Sent: Thu 11/16/2006 11:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos is Killing Me!
You can leave the IP the same. If the demotion fails or goes awry in some
respect, you may have to do some metadata cleanup in addition to the DNS
cleanup
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
Joe,
how do i find out if there are any duplicate SPN's ?
On 11/16/06, joe [EMAIL PROTECTED] wrote
] On Behalf Of hboogz
Sent: Friday, November 17, 2006 2:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
Thanks Deji.
I understand.
I will re-examine the event log in the morning and plan for a demotion over
the weekend.
besides removing the reference from
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!
Joe,
how do i find out if there are any duplicate SPN's ?
On 11/16/06, joe [EMAIL PROTECTED] wrote:
Do you have any duplicate SPNs? Well specifically the SPNs mentioned in
the error?
--
O'Reilly Active
.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
Thanks Joe.
if i
Do you have any duplicate SPNs? Well specifically the SPNs mentioned in the
error?
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
Is this the same set of machines that are being talked about in the strange
DC error thread? I don't remember who it was who originated that one and I
want to make sure I'm not asking for something you've already provided.
So, if the answer to the above is no, my next question is, can you
Joe,
how do i find out if there are any duplicate SPN's ?
On 11/16/06, joe [EMAIL PROTECTED] wrote:
Do you have any duplicate SPNs? Well specifically the SPNs mentioned in
the error?
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
Thanks Michael,
I ran the following command and got the following output.
C:\dsquery * (dc=phippsny,dc=org) -filter
(servicePrincipalName=host/phmaindc1)
dsquery failed:A referral was returned from the server.
type dsquery /? for help.
On 11/16/06, hboogz [EMAIL PROTECTED] wrote:
Joe,
how
This is the output i received from adfind.
C:\Tools\AdFindadfind -default -f
(servicePrincipalName=host/phmaindc1.phippsny
.org) cn
AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006
Using server: PHMAINDC1.phippsny.org:389
Directory: Windows Server 2003
Base DN:
This is the output from the child domain controller.
C:\Tools\AdFindadfind -default -f
(servicePrincipalName=host/phjacdc1.jacwf.p
ppsny.org) cn
AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006
Using server: phjacdc1.jacwf.phippsny.org:389
Directory: Windows Server 2003
Base
Just to add another wrench, i get this DNS error from phmaindc1 when tryin
gto registerdns.
C:\ipconfig /registerdns
Windows IP Configuration
Registration of DNS records failed: The RPC server is unavailable.
=)
On 11/16/06, hboogz [EMAIL PROTECTED] wrote:
This is my kerbtry output, i
Hey Laura,
this is the strange DC error guy...unfortunately.
This DC existed for about 4 months. I did a parralle upgrade to 2003 with a
new box and promoting it into a windows 2000 domain using adprep /forestprep
and adprep /domainprep:gprep.
There has never been use of duplicate names.
this
Try it again but specify the full DN to the Comptuers container.
Mike
On Thu, 16 Nov 2006 14:41:41 -0500
hboogz [EMAIL PROTECTED] wrote:
Thanks Michael,
I ran the following command and got the following output.
C:\dsquery * (dc=phippsny,dc=org) -filter
2:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
Thanks Michael,
I ran the following command and got the following output.
C:\dsquery * (dc=phippsny,dc=org) -filter
(servicePrincipalName=host/phmaindc1)
dsquery failed:A referral was returned from
, November 16, 2006 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
Thanks Michael,
I ran the following command and got the following output.
C:\dsquery * (dc=phippsny,dc=org) -filter
(servicePrincipalName=host/phmaindc1)
dsquery failed:A referral
when i run a
dcdiag /test:replications from the problematic controller, i get something
i've seen before.
The machine account for the destination PHMAINDC1.
is not configured properly.
Check the userAccountControl field.
Kerberos Error.
i think this may be the source of my issue, the
**Update***
i changed the user account control attribute using the following direction:
Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the
UserAccountControl value and select properties
Replcation only from the DsnDomainPartition came up as succesfull,
everything else still failed with an access denied.
and it gets better.
when i reun an
nltest /sc_query:phippsny from phmaindc1, i get this.
C:\nltest /sc_query:phippsny
I_NetLogonControl failed: Status = 1355 0x54b
: [ActiveDir] Kerberos is Killing Me!
Thanks Michael,
I ran the following command and got the following output.
C:\dsquery * (dc=phippsny,dc=org) -filter
(servicePrincipalName=host/phmaindc1)
dsquery failed:A referral was returned from the server.
type dsquery /? for help.
On 11/16/06, hboogz [EMAIL
@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
Hey Laura,
this is the strange DC error guy...unfortunately.
This DC existed for about 4 months. I did a parralle upgrade to 2003 with a
new box and promoting it into a windows 2000 domain using adprep /forestprep
and adprep /domainprep:gprep
Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
**Update***
i changed the user account control attribute using the following direction:
Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate
@mail.activedir.org
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!
Hey Laura,
this is the strange DC error guy...unfortunately.
This DC existed for about 4 months. I did a parralle upgrade to 2003 with
a new box and promoting it into a windows 2000 domain using adprep
/forestprep and adprep
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!
**Update***
i changed the user account control attribute using the following
direction:
Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC
@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
**Update***
i changed the user account control attribute using the following direction:
Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want
:* Thu 11/16/2006 7:35 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Kerberos is Killing Me!
AD sites.
3 one including the DR-site.
regarding the question about demoting then promoting...if i have to go
that route, should i keep the same server name ?
On 11/16/06, Laura A. Robinson
PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 2:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
Thanks Deji.
I understand.
I will re-examine the event log in the morning and plan for a demotion over
the weekend.
besides removing the reference
28 matches
Mail list logo
