Senhores,
possuo 3 servidores:
SERVER_A (2003 server) = Schema owner,Domain role owner,PDC role,RID pool manager,Infrastructure owner
SERVER_B (2008)
SERVER_C (2008)
Após aplicar algums updates no SERVER_A, passei a ter problemas de replica entre os controladores.
O que eu ja sei:
a primeira mensagem foi: Source: LSASRV Event ID: 40960
The Security System detected an authentication error for the server LDAP/SERVER_A.domain.com.br/domain.com.br@DOMAIN.COM.BR. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username
or authentication information. (0xc000006d)".
em seguida
comecei a perceber que existe um problema de alteração de nome na criptografia que impede o acesso ao sysvol do SERVER_A pelos demais servidores.
REPLICAS OCORREM MAS COM INCONSISTENCIAS DEVIDO A ISSO.
APARENTEMENTE ASSIM:
SERVER_A --> SERVER_B
SERVER_A --> SERVER_C
SERVER_B <--> SERVER_C
ACREDITO QUE NÃO SE CONSEGUE ACESSAR O SYSVOL DO SERVER_A PELOS DEMAIS DEVIDO AO ERRO QUE DUPLICOU O NOME DO SERVER_A
ALGO COMO:
......................... server_c failed test kccevent Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 07/28/2010 21:35:59
Event String: The kerberos client received a host/server_a.domain.com.br.
The target name used was ldap/server_a.domain.com.br/domain.com.br@domain.COM.BR.
This indicates that the password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN.COM.BR), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 07/28/2010 22:04:20
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/server_a.domain.com.br. The target name used was DOMAIN\SERVER_A$.
This indicates that the password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN.COM.BR), and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 07/28/2010 22:23:04
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/server_a.domain.com.br. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/9ceb4a56-258b-4c00-8ab9-e2a687bab572/domain.com.br@domain.com.br.
This indicates that the password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN.COM.BR), and the client realm. Please contact your system administrator.
"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.domain.com.br. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/9ceb4a56-258b-4c00-8ab9-e2a687bab572/domain.com.br@domain.com.br. This indicates that the target
server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only
registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure
that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM.BR) is different from the client domain (DOMAIN.COM.BR), check if there are identically named
server accounts in these two domains, or use the fully-qualified name to identify the server."
gostaria de saber como renovar as chaves de B para A e C para A para que as replicas voltem a funcionar.
Atenciosamente,
Antonio Azevedo
