Event ID 4 Security kerberos and DNS issues

    Question

  • Hi,

    We have 3 DCs. I reinstalled 2 DCs (sr1, sr2) to Windows 2008 R2 with different host names (dc1, dc2). Now dc1 is unable to see and replicate with dc2. Dc2 seems . It always drops an error:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc2$. The target name used was Rpcss/dc2. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    I deleted sr1 and sr2 accounts in AD and in DNS.

    Also checked: ldifde -f SPNdump.ldf -s GCName -t 3268 -d dc=forest,dc=root -r "(objectclass=computer)" -l servicePrincipalName
    I could not find any SV2 records to delete.

    Last update: now on dc2 I can't even log on without stopping the KDC service, and after logging on to the server I cannot start DNS; it seems DNS cannot load the zones.

    I ran netdom resetpwd /s:<server> /ud:<domain>\<user> /pd:* and it seems DNS is working again, but after a restart it is the same thing.

    What could be wrong with this DC?

    thanks
    n

    June 17, 2012 0:20
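The KRB_AP_ERR_MODIFIED text quoted above describes one SPN living on two accounts, which is exactly what the ldifde dump is meant to expose. As an added example that is not part of the original post, the PowerShell script below queries the Global Catalog for every servicePrincipalName and lists the values held by more than one account, so a stale sr1$/dc1$ overlap shows up directly instead of having to be read out of an .ldf file. The forest root DN is an assumed placeholder; on Windows Server 2008 and later the built-in setspn -X performs the same duplicate search.

```powershell
# Added example: find servicePrincipalName values registered on more than one account, the
# condition the KRB_AP_ERR_MODIFIED text describes. Searches the Global Catalog (port 3268) so
# accounts in every domain of the forest are covered. Run as a domain user on a domain member.
param(
    [string]$ForestRootDn = 'DC=forest,DC=root'   # assumption: replace with your forest root DN
)

function Find-DuplicateSpn {
    param([string]$SearchRootDn)

    # servicePrincipalName is in the partial attribute set, so a GC search returns it
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$SearchRootDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(|(objectClass=computer)(objectClass=user))(servicePrincipalName=*))'
    $searcher.PageSize = 1000                     # paged results; large forests exceed 1000 hits
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

    # Map each SPN to the accounts holding it; compare case-insensitively, as the KDC does
    $owners = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $dn
        }
    }

    # Report only SPNs with more than one distinct owner
    foreach ($entry in $owners.GetEnumerator()) {
        $distinct = @($entry.Value | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            New-Object PSObject -Property @{ SPN = $entry.Key; Accounts = ($distinct -join ' ; ') }
        }
    }
}

Find-DuplicateSpn -SearchRootDn $ForestRootDn | Sort-Object SPN | Format-Table SPN, Accounts -AutoSize -Wrap
```

A hit for the same SPN on the new dc$ object and on a leftover object of any kind is the condition to clear first: the KDC may encrypt the service ticket with the wrong account's key, and resetting the machine account password cannot fix that.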

Answers

  • It seems that you have removed the link; however, can you confirm which DC you have demoted? From the log, DC03 is having the issue?

    In the log you are getting DNS test failed and RPC service unavailable for DC03. "The RPC server is unavailable" relates to a port being blocked, a network connectivity issue, or DNS misconfiguration. I would suggest contacting the network/security team to verify whether all the related AD ports are configured and allowed on the firewall for communication. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are open or not.

    Active Directory and Active Directory Domain Services Port Requirements
    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

    Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
    Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    It can also be caused by antivirus software, with many of them sporting a new feature called "network traffic protection," which can effectively block necessary AD traffic.

    Check that the DNS GUID is registered for server DC03 in the DNS Console.

    If DC03 was demoted, have you performed metadata cleanup before promoting the server?

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by pikul, June 17, 2012 16:50
    June 17, 2012 16:19
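The answer asks for two concrete verifications: that the AD ports are open between the DCs, and that the DC's DNS GUID record is registered. As an added example that is not part of the original answer, the PowerShell script below does both from the DC that logs "The RPC server is unavailable": it probes the fixed TCP ports toward the partner with a bounded timeout (PortQry does this interactively) and then reads the partner's DSA GUID from its NTDS Settings object and resolves the matching CNAME under _msdcs. The partner FQDN, forest root and site name are assumed placeholders.

```powershell
# Added example: probe the fixed TCP ports AD DS uses toward a partner DC and confirm the
# partner's DSA GUID CNAME exists under _msdcs, the two checks the answer asks for.
# Run on the DC that logs "The RPC server is unavailable". The parameters are assumed placeholders.
param(
    [string]$PartnerDc  = 'dc2.domain.local',          # assumption: FQDN of the partner DC
    [string]$ForestRoot = 'domain.local',              # assumption: forest root DNS name
    [string]$SiteName   = 'Default-First-Site-Name'    # assumption: AD site holding the partner
)

# Fixed ports from the AD port requirements page; the dynamic RPC range (49152-65535 on 2008 R2)
# that replication uses after the endpoint mapper is not probed here.
$AdPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB';
              464 = 'Kerberos kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'GC over SSL' }

function Test-AdPorts {
    param([string]$Target, [int]$TimeoutMs = 2000)
    foreach ($port in ($AdPorts.Keys | Sort-Object)) {
        $open   = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a silently dropped SYN fails after $TimeoutMs, not ~21 s
            $handle = $client.BeginConnect($Target, $port, $null, $null)
            if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($handle)        # throws if the port refused the connection
                $open = $client.Connected
            }
        } catch { $open = $false }
        finally { $client.Close() }
        New-Object PSObject -Property @{ Port = $port; Service = $AdPorts[$port]; Open = $open }
    }
}

function Test-DsaGuidRecord {
    param([string]$Dc, [string]$Forest, [string]$Site)
    # The DSA GUID is the objectGUID of the DC's "NTDS Settings" object; replication partners
    # locate each other through the CNAME <DsaGuid>._msdcs.<forest root>
    $shortName = $Dc.Split('.')[0]
    $configDn  = [string]([adsi]'LDAP://RootDSE').configurationNamingContext
    $settings  = [adsi]"LDAP://CN=NTDS Settings,CN=$shortName,CN=Servers,CN=$Site,CN=Sites,$configDn"
    $guid      = New-Object System.Guid -ArgumentList (,[byte[]]$settings.objectGUID.Value)
    $record    = "$guid._msdcs.$Forest"
    try {
        $entry = [System.Net.Dns]::GetHostEntry($record)
        New-Object PSObject -Property @{ Record = $record; Resolved = $true;  CanonicalName = $entry.HostName }
    } catch {
        New-Object PSObject -Property @{ Record = $record; Resolved = $false; CanonicalName = $_.Exception.Message }
    }
}

Test-AdPorts -Target $PartnerDc | Format-Table Port, Service, Open -AutoSize
Test-DsaGuidRecord -Dc $PartnerDc -Forest $ForestRoot -Site $SiteName | Format-List
```

If 135 is open but replication still reports RPC unavailable, the dynamic range or name resolution of the GUID record is the next thing to look at; a GUID CNAME that does not resolve matches the "DNS test failed" result the answer refers to.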

All replies

  • Hi,

    It looks like the machine accounts of both the DCs have expired. You need to unjoin and rejoin them to the domain. Before that, let me know whether you have done metadata cleanup after removing sr1 and sr2 from the domain. If not, do it now and make sure that the DNS configuration is proper on all the DCs. DNS shall point to itself if the DC has the DNS role, and shall point to the PDC for secondary DNS. Once that is done, reset the machine account by using the following link, or manually unjoin and rejoin them to the domain.

    http://support.microsoft.com/kb/325850

    http://technet.microsoft.com/en-us/library/cc753596.aspx

    All the best.

    June 17, 2012 1:08
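The reply's DNS rule (each DC lists itself, plus another DC as secondary) is easy to check across all DCs at once. As an added example that is not part of the original reply, the PowerShell script below reads each DC's NIC DNS client settings over WMI and flags adapters that do not list the DC itself, or that list no other DC. The DC names are assumed placeholders, and the check implements this reply's recommendation specifically.

```powershell
# Added example: report the DNS client settings of each DC and flag the two conditions the reply
# warns about: the DC not listing itself (or 127.0.0.1) and the DC listing no other DC.
# Run from any DC with an account that can query WMI on the others; DC names are assumptions.
param([string[]]$DomainControllers = @('dc1', 'dc2', 'dc3'))   # assumption: your DC names

function Get-DcDnsClientReport {
    param([string[]]$Dcs)
    foreach ($dc in $Dcs) {
        $nics = Get-WmiObject -ComputerName $dc -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
        foreach ($nic in $nics) {
            # Piping through Where-Object drops a $null property instead of producing a one-element array
            $ownV4 = @($nic.IPAddress            | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
            $dns   = @($nic.DNSServerSearchOrder | Where-Object { $_ })
            $self  = @($dns | Where-Object { ($ownV4 -contains $_) -or ($_ -eq '127.0.0.1') })
            $other = @($dns | Where-Object { ($ownV4 -notcontains $_) -and ($_ -ne '127.0.0.1') })

            $issues = @()
            if ($dns.Count -eq 0)                            { $issues += 'no DNS servers configured' }
            if ($dns.Count -gt 0 -and $self.Count -eq 0)     { $issues += 'does not point to itself' }
            if ($dns.Count -gt 0 -and $other.Count -eq 0)    { $issues += 'lists no other DC as secondary' }

            New-Object PSObject -Property @{
                DC      = $dc
                Adapter = $nic.Description
                IPv4    = ($ownV4 -join ', ')
                DNS     = ($dns -join ', ')
                Issues  = ($issues -join '; ')
            }
        }
    }
}

Get-DcDnsClientReport -Dcs $DomainControllers | Format-Table DC, IPv4, DNS, Issues -AutoSize -Wrap
```

WMI itself rides on RPC, so a DC that cannot be queried here is giving the same symptom the thread reports; run the script locally on that DC with its own name in the list.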
  • It looks like both the DCs' earlier references still remain in AD, and you didn't give sufficient time before reusing the same hostname for configuring it again as a DC, due to which the DC is not working correctly and giving the SPN error. First make sure both DCs point to the correct local DNS server in their NIC.

    How did you demote the DC, graceful or forced removal? I presume you are aware that whether it's a graceful or a forced removal, a few references to the DC don't go away and need to be cleaned manually, else they remain in AD and give issues while reusing the same name for reconfiguring the DC.

    Check below two links.

    http://blogs.technet.com/b/askpfeplat/archive/2012/03/29/the-411-on-the-kdc-11-events.aspx

    http://jespermchristensen.wordpress.com/2008/06/12/troubleshooting-the-kerberos-error-krb_ap_err_modified/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    June 17, 2012 7:35
    Moderator
  • It is the domain controller that has the account expired issue. Should I demote and promote it again? I did a reset of the computer account, but after reboot I face the same problems and need to reset the DC computer account again. The old DCs were demoted successfully, so I wonder why all this happened. I checked metadata to remove the old DCs but there are only the new DCs. Checked adsiedit.msc, DNS, ADUC. No entries anymore about the old DCs, but if I reboot the new DC I have to reset its computer account to get DNS and replication working.

    Old and new DCs have different host names.

    June 17, 2012 8:04
  • Demotion and promotion would be much simpler. You can demote the DCs, clean up everything and promote them again. You can refer to the references below to clean up the AD references post demotion. Also, run dcdiag to test whether AD is healthy, and if there is any issue, solve it first before promoting a new DC.

    Remove References of a Failed DC/Domain Or Perform Metadata Cleanup  http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

    What does DCDIAG actually… do?  http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    June 17, 2012 8:13
    Moderator
  • Should I rejoin the DC to the domain to get a new computer account password after demoting?
    June 17, 2012 10:03
  • If you have not demoted the DC, it seems that the secure channel between the DCs is broken. You need to download the Resource Kit tools and use kerbtray to purge the tickets, and then reset the secure channel. Refer to the link below; it is given step by step.
    http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/

    You can demote and promote the faulty DC, but the demotion will not be graceful. You need to run dcpromo /forceremoval and then perform metadata cleanup on an online DC to remove the instances of the faulty DC. If the faulty DC is an FSMO role holder, you need to seize the FSMO roles on another DC.

    Reference links
    Forceful removal of DC: http://support.microsoft.com/kb/332199
    Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
    Seize FSMO roles: http://www.petri.co.il/seizing_fsmo_roles.htm

    After demotion you can use the same name and IP address to promote the server back as a DC, or use a different name; the choice is yours. You can join the server to the domain, or proceed with DC promotion without joining the server to the domain.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    June 17, 2012 10:40
  • I demoted, removed from AD and promoted the DC, and it is the same thing. I can't understand what's happening.

    Why does it reply with a non-IPv4 address? IPv6 is disabled.

    Reply from ::1: time<1ms
    Reply from ::1: time<1ms

    • Edited by pikul, June 17, 2012 13:06
    June 17, 2012 12:50
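The ping output above is worth understanding before chasing it as a DNS fault: clearing the IPv6 checkbox on an adapter only unbinds the protocol from that adapter, while the loopback interface keeps ::1 and the resolver still prefers IPv6 addresses unless the system-wide DisabledComponents value changes that. As an added example that is not part of the original post, the PowerShell script below shows the three facts side by side for a name: what the resolver returns, whether any adapter still carries an IPv6 address, and what DisabledComponents is set to.

```powershell
# Added example: explain a "Reply from ::1" on a server whose adapters have IPv6 unticked.
# Shows what the resolver returns for a name, whether any adapter still has an IPv6 address,
# and the Tcpip6 DisabledComponents value. Run locally on the DC; no parameters are required.
function Get-IPv6State {
    param([string]$Name = $env:COMPUTERNAME)

    # 1. Addresses the resolver hands back for the name being pinged, in preference order
    $addresses = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.ToString() })

    # 2. IPv6 addresses still present on adapters (an unticked binding removes these)
    $nics         = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $v6OnAdapters = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -like '*:*' })

    # 3. The system-wide switch; unset means every IPv6 component, and IPv6 preference, is active
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $disabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisabledComponents
    if ($disabled -ne $null) { $disabledText = '0x{0:X}' -f $disabled } else { $disabledText = '(not set)' }

    New-Object PSObject -Property @{
        Name               = $Name
        ResolvedAddresses  = ($addresses -join ', ')
        IPv6OnAdapters     = ($v6OnAdapters -join ', ')
        DisabledComponents = $disabledText
        ResolvesToLoopback6 = [bool]($addresses -contains '::1')
    }
}

Get-IPv6State | Format-List
# While testing the IPv4 path only, force it explicitly:  ping -4 <hostname>
```

An IPv6 answer here is a resolver preference, not a sign that DNS or the DC is broken; `ping -4` shows whether the IPv4 path the DCs actually replicate over is reachable.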
  • I did demote, rejoin and promote the server, but I still cannot log on without disabling the KDC service. Can't understand why?
    June 17, 2012 13:10
  • Have you performed metadata cleanup before promoting the server back as a DC?


    Please run the following commands on all DCs and upload the results via SkyDrive.
    - ipconfig /all >c:\ipconfig.txt
    - dcdiag /v /c /d /e /s:<domaincontrollername> >c:\dcdiag.txt
    - repadmin /replsum>c:\repadmin.txt




    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    June 17, 2012 13:36
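The three commands requested above produce a lot of output, and the faulty DC is easier to spot if the failure lines are extracted before the files are shared. As an added example that is not part of the original reply, the PowerShell script below runs exactly those commands into one folder and then pulls the "failed test" lines out of dcdiag and the rows with a non-zero failure count out of repadmin /replsum. The output folder is an assumed placeholder.

```powershell
# Added example: run the three commands the reply asks for, save them to one folder, and pull the
# failure lines out of dcdiag and repadmin so the faulty DC is visible before the files are shared.
# Run in an elevated PowerShell on a DC; the output folder is an assumed placeholder.
param(
    [string]$OutDir = "C:\ad-diag-$(Get-Date -Format 'yyyyMMdd-HHmm')",   # assumption
    [string]$Dc     = $env:COMPUTERNAME
)

function Collect-AdDiagnostics {
    param([string]$Folder, [string]$DcName)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $ipFile  = Join-Path $Folder 'ipconfig.txt'
    $dcFile  = Join-Path $Folder 'dcdiag.txt'
    $repFile = Join-Path $Folder 'repadmin.txt'

    # The commands exactly as requested in the thread, captured to files
    ipconfig /all                  | Out-File $ipFile
    dcdiag /v /c /d /e /s:$DcName  | Out-File $dcFile
    repadmin /replsum              | Out-File $repFile

    # dcdiag ends each failing test with "......................... <DC> failed test <Name>"
    $failedTests = @(Select-String -Path $dcFile -Pattern 'failed test' | ForEach-Object { $_.Line.Trim() })

    # repadmin /replsum prints one row per DC containing "<fails> / <total>"; keep rows with fails > 0
    $replFailures = @(Select-String -Path $repFile -Pattern '(\d+)\s*/\s*(\d+)' |
        Where-Object { [int]$_.Matches[0].Groups[1].Value -gt 0 } |
        ForEach-Object { $_.Line.Trim() })

    New-Object PSObject -Property @{
        Folder              = $Folder
        FailedDcdiagTests   = $failedTests
        ReplicationFailures = $replFailures
    }
}

$summary = Collect-AdDiagnostics -Folder $OutDir -DcName $Dc
"Output written to $($summary.Folder)"
"dcdiag failed tests:";  $summary.FailedDcdiagTests
"replication failures:"; $summary.ReplicationFailures
```

The full files are still what a reviewer needs; the summary only tells you which DC and which test to open them at, and whether the failures sit on the source or the destination side of replication.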
  • I demoted the domain controller, I deleted the DC in the MMC Sites and Services, and after disjoining from AD I could not find the server in DNS. I checked through ntdsutil, but the server was not there, so there was nothing to remove.

    I just uploaded for all servers. Just to note, I mentioned we have two, but we have 3 servers and the third has the main problems.

    thank you


    • Edited by pikul, June 17, 2012 14:12
    June 17, 2012 13:45
  • I uploaded files, are you able to find them?

    thank you

    June 17, 2012 14:51
  • Please paste the link to check the same.

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    June 17, 2012 15:18
  • Could you write me an email and I will send you the link.

    thank you for understanding




    • Edited by pikul, June 17, 2012 16:54
    June 17, 2012 15:30
  • Yes, it is DC3 not working; I even renamed it to DC4 and it is the same issue. I'm not sure what can be wrong with DNS since 2 servers are working correctly, but how do I check RPC functionality?

    thanks

    June 17, 2012 18:45