Event 3 in the event log on the DC (Kerberos)

  • Question

  • Win Server 2003 R2 domain controller;
    access to network shares is sluggish.
    I looked in the event log, and there are many errors like these.

    Тип события:	Ошибка
    Источник события:	Kerberos
    Категория события:	Отсутствует
    Код события:	3
    Дата:		08.05.2020
    Время:		12:12:28
    Пользователь:		Н/Д
    Компьютер:	SERVER
    Описание:
    Получено сообщение об ошибке Kerberos:
             в сеансе входа в систему 
     Время клиента: 
     Время сервера: 8:12:28.0000 5/8/2020 Z
     Код ошибки: 0xd KDC_ERR_BADOPTION
     Расширенная ошибка: 0xc00000bb KLIN(0)
     Сфера клиента: 
     Имя клиента: 
     Сфера сервера: DOORS.LOCAL
     Имя сервера: host/server.doors.local
     Конечное имя: host/server.doors.local@DOORS.LOCAL
     Текст ошибки: 
     Файл: 9
     Строка: ae0
     Данные ошибки в данных записи.
    
    
     
    Тип события:	Ошибка
    Источник события:	Kerberos
    Категория события:	Отсутствует
    Код события:	3
    Дата:		08.05.2020
    Время:		12:52:02
    Пользователь:		Н/Д
    Компьютер:	SERVER
    Описание:
    Получено сообщение об ошибке Kerberos:
             в сеансе входа в систему DOORS\Администратор
     Время клиента: 
     Время сервера: 8:52:2.0000 5/8/2020 Z
     Код ошибки: 0x18 KDC_ERR_PREAUTH_FAILED
     Расширенная ошибка: 
     Сфера клиента: 
     Имя клиента: 
     Сфера сервера: DOORS
     Имя сервера: krbtgt/DOORS
     Конечное имя: krbtgt/DOORS@DOORS
     Текст ошибки: 
     Файл: e
     Строка: 6c0
     Данные ошибки в данных записи.
    
    Тип события:	Ошибка
    Источник события:	Kerberos
    Категория события:	Отсутствует
    Код события:	3
    Дата:		08.05.2020
    Время:		12:42:06
    Пользователь:		Н/Д
    Компьютер:	SERVER
    Описание:
    Получено сообщение об ошибке Kerberos:
             в сеансе входа в систему 
     Время клиента: 
     Время сервера: 8:42:6.0000 5/8/2020 Z
     Код ошибки: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Расширенная ошибка: 
     Сфера клиента: 
     Имя клиента: 
     Сфера сервера: DOORS.LOCAL
     Имя сервера: TermServLicensing
     Конечное имя: TermServLicensing@DOORS.LOCAL
     Текст ошибки: 
     Файл: 9
     Строка: ae0
    
    Тип события:	Ошибка
    Источник события:	Kerberos
    Категория события:	Отсутствует
    Код события:	3
    Дата:		08.05.2020
    Время:		12:52:06
    Пользователь:		Н/Д
    Компьютер:	SERVER
    Описание:
    Получено сообщение об ошибке Kerberos:
             в сеансе входа в систему 
     Время клиента: 
     Время сервера: 8:52:6.0000 5/8/2020 Z
     Код ошибки: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Расширенная ошибка: 
     Сфера клиента: 
     Имя клиента: 
     Сфера сервера: DOORS.LOCAL
     Имя сервера: Server.doors.local
     Конечное имя: Server.doors.local@DOORS.LOCAL
     Текст ошибки: 
     Файл: 9
     Строка: ae0
     Данные ошибки в данных записи.
    
    Тип события:	Ошибка
    Источник события:	Kerberos
    Категория события:	Отсутствует
    Код события:	3
    Дата:		08.05.2020
    Время:		12:52:09
    Пользователь:		Н/Д
    Компьютер:	SERVER
    Описание:
    Получено сообщение об ошибке Kerberos:
             в сеансе входа в систему 
     Время клиента: 
     Время сервера: 8:52:9.0000 5/8/2020 Z
     Код ошибки: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Расширенная ошибка: 
     Сфера клиента: 
     Имя клиента: 
     Сфера сервера: DOORS.LOCAL
     Имя сервера: cifs/192.168.0.222
     Конечное имя: cifs/192.168.0.222@DOORS.LOCAL
     Текст ошибки: 
     Файл: 9
     Строка: ae0
     Данные ошибки в данных записи.

    Disabling Kerberos logging is not a solution.
    w32tm /resync - no problems on SERVER
    >setspn -L server
    Registered ServicePrincipalNames for CN=SERVER,OU=Domain Controllers,DC=doors,DC=local:
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/Server.doors.local
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/Server.doors.local
        ldap/Server.doors.local/ForestDnsZones.doors.local
        ldap/Server.doors.local/DomainDnsZones.doors.local
        DNS/Server.doors.local
        GC/Server.doors.local/doors.local
        HOST/Server.doors.local/DOORS
        HOST/SERVER
        HOST/Server.doors.local
        HOST/Server.doors.local/doors.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/fe5455af-a4a9-4a92-93f3-66321f929950/doors.local
        ldap/fe5455af-a4a9-4a92-93f3-66321f929950._msdcs.doors.local
        ldap/Server.doors.local/DOORS
        ldap/SERVER
        ldap/Server.doors.local
        ldap/Server.doors.local/doors.local
    dcdiag /s:server.doors.local /v /f:C:\logs\dcdiag080520-fqdn-serverDoorsLocal.log
    Domain Controller Diagnosis
    
    Performing initial setup:
       * Connecting to directory service on server server.doors.local.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    
    Doing initial required tests
       
       Testing server: Default-First-Site-Name\SERVER
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... SERVER passed test Connectivity
    
    Doing primary tests
       
       Testing server: Default-First-Site-Name\SERVER
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
             * Replication Site Latency Check 
             ......................... SERVER passed test Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC SERVER.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=doors,DC=local
                (NDNC,Version 2)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=doors,DC=local
                (NDNC,Version 2)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=doors,DC=local
                (Schema,Version 2)
             * Security Permissions Check for
               CN=Configuration,DC=doors,DC=local
                (Configuration,Version 2)
             * Security Permissions Check for
               DC=doors,DC=local
                (Domain,Version 2)
             ......................... SERVER passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\SERVER\netlogon
             Verified share \\SERVER\sysvol
             ......................... SERVER passed test NetLogons
          Starting test: Advertising
             The DC SERVER is advertising itself as a DC and having a DS.
             The DC SERVER is advertising as an LDAP server
             The DC SERVER is advertising as having a writeable directory
             The DC SERVER is advertising as a Key Distribution Center
             The DC SERVER is advertising as a time server
             The DS SERVER is advertising as a GC.
             ......................... SERVER passed test Advertising
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local
             Role Domain Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local
             Role PDC Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local
             Role Rid Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local
             ......................... SERVER passed test KnowsOfRoleHolders
          Starting test: RidManager
             * Available RID Pool for the Domain is 2602 to 1073741823
             * Server.doors.local is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 2102 to 2601
             * rIDPreviousAllocationPool is 1602 to 2101
             * rIDNextRID: 2024
             * Warning :There is less than 16% available RIDs in the current pool
             ......................... SERVER passed test RidManager
          Starting test: MachineAccount
             Checking machine account for DC SERVER on DC SERVER.
             * SPN found :LDAP/Server.doors.local/doors.local
             * SPN found :LDAP/Server.doors.local
             * SPN found :LDAP/SERVER
             * SPN found :LDAP/Server.doors.local/DOORS
             * SPN found :LDAP/fe5455af-a4a9-4a92-93f3-66321f929950._msdcs.doors.local
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/fe5455af-a4a9-4a92-93f3-66321f929950/doors.local
             * SPN found :HOST/Server.doors.local/doors.local
             * SPN found :HOST/Server.doors.local
             * SPN found :HOST/SERVER
             * SPN found :HOST/Server.doors.local/DOORS
             * SPN found :GC/Server.doors.local/doors.local
             ......................... SERVER passed test MachineAccount
          Starting test: Services
             * Checking Service: Dnscache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: RpcSs
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... SERVER passed test Services
          Test omitted by user request: OutboundSecureChannels
          Starting test: ObjectsReplicated
             SERVER is in domain DC=doors,DC=local
             Checking for CN=SERVER,OU=Domain Controllers,DC=doors,DC=local in domain DC=doors,DC=local on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local in domain CN=Configuration,DC=doors,DC=local on 1 servers
                Object is up-to-date on all servers.
             ......................... SERVER passed test ObjectsReplicated
          Starting test: frssysvol
             * The File Replication Service SYSVOL ready test 
             File Replication Service's SYSVOL is ready 
             ......................... SERVER passed test frssysvol
          Starting test: frsevent
             * The File Replication Service Event log test 
             ......................... SERVER passed test frsevent
          Starting test: kccevent
             * The KCC Event log test
             Found no KCC errors in Directory Service Event log in the last 15 minutes.
             ......................... SERVER passed test kccevent
          Starting test: systemlog
             * The System Event log test
             An Error Event occured.  EventID: 0x80000003
                Time Generated: 05/08/2020   13:42:06
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x80000003
                Time Generated: 05/08/2020   13:42:29
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x80000003
                Time Generated: 05/08/2020   13:57:29
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x80000003
                Time Generated: 05/08/2020   14:00:01
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x80000003
                Time Generated: 05/08/2020   14:12:30
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x80000003
                Time Generated: 05/08/2020   14:27:30
                (Event String could not be retrieved)
             ......................... SERVER failed test systemlog
          Test omitted by user request: VerifyReplicas
          Starting test: VerifyReferences
             The system object reference (serverReference)
    
             CN=SERVER,OU=Domain Controllers,DC=doors,DC=local and backlink on
    
             CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local
    
             are correct. 
             The system object reference (frsComputerReferenceBL)
    
             CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=doors,DC=local
    
             and backlink on CN=SERVER,OU=Domain Controllers,DC=doors,DC=local are
    
             correct. 
             The system object reference (serverReferenceBL)
    
             CN=SERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=doors,DC=local
    
             and backlink on
    
             CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=doors,DC=local
    
             are correct. 
             ......................... SERVER passed test VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: CheckSecurityError
       
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
       
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
       
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
       
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
       
       Running partition tests on : doors
          Starting test: CrossRefValidation
             ......................... doors passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... doors passed test CheckSDRefDom
       
       Running enterprise tests on : doors.local
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope
    
             provided by the command line arguments provided. 
             ......................... doors.local passed test Intersite
          Starting test: FsmoCheck
             GC Name: \\Server.doors.local
             Locator Flags: 0xe00001fd
             PDC Name: \\Server.doors.local
             Locator Flags: 0xe00001fd
             Time Server Name: \\Server.doors.local
             Locator Flags: 0xe00001fd
             Preferred Time Server Name: \\Server.doors.local
             Locator Flags: 0xe00001fd
             KDC Name: \\Server.doors.local
             Locator Flags: 0xe00001fd
             ......................... doors.local passed test FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS



All replies

  • Hello,

    Please clarify: does the following command, run at the command prompt, show any errors or duplicates in the SPNs?
    dcdiag /test:checksecurityerror
    More about the command: it finds security errors, or errors that may be related to security problems, and performs an initial diagnosis of the problem.

    Disclaimer:
    My opinion may not coincide with the official position of Microsoft.

    Best regards, Andrei ...

    MCP

    Moderator
  • Hello, nothing notable, it seems

    >dcdiag /v /f:C:\logs\dcdiag100520-CheckSecurityError.log /test:CheckSecurityError

    Domain Controller Diagnosis
    
    Performing initial setup:
       * Verifying that the local machine Server, is a DC. 
       * Connecting to directory service on server Server.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    
    Doing initial required tests
       
       Testing server: Default-First-Site-Name\SERVER
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... SERVER passed test Connectivity
    
    Doing primary tests
       
       Testing server: Default-First-Site-Name\SERVER
          Test omitted by user request: Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: Advertising
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: RidManager
          Test omitted by user request: MachineAccount
          Test omitted by user request: Services
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: frssysvol
          Test omitted by user request: frsevent
          Test omitted by user request: kccevent
          Test omitted by user request: systemlog
          Test omitted by user request: VerifyReplicas
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyEnterpriseReferences
          Starting test: CheckSecurityError
             * Dr Auth:  Beginning security errors check!
             Found KDC SERVER for domain doors.local in site Default-First-Site-Name
             Checking machine account for DC SERVER on DC SERVER.
             * SPN found :LDAP/Server.doors.local/doors.local
             * SPN found :LDAP/Server.doors.local
             * SPN found :LDAP/SERVER
             * SPN found :LDAP/Server.doors.local/DOORS
             * SPN found :LDAP/fe5455af-a4a9-4a92-93f3-66321f929950._msdcs.doors.local
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/fe5455af-a4a9-4a92-93f3-66321f929950/doors.local
             * SPN found :HOST/Server.doors.local/doors.local
             * SPN found :HOST/Server.doors.local
             * SPN found :HOST/SERVER
             * SPN found :HOST/Server.doors.local/DOORS
             * SPN found :GC/Server.doors.local/doors.local
             [SERVER] No security related replication errors were found on this DC!  To target the connection to a specific source DC use /ReplSource:<DC>.
             ......................... SERVER passed test CheckSecurityError
       
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       
       Running partition tests on : Schema
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       
       Running partition tests on : Configuration
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       
       Running partition tests on : doors
          Test omitted by user request: CrossRefValidation
          Test omitted by user request: CheckSDRefDom
       
       Running enterprise tests on : doors.local
          Test omitted by user request: Intersite
          Test omitted by user request: FsmoCheck
          Test omitted by user request: DNS
          Test omitted by user request: DNS
    >dcdiag /v /f:C:\logs\dcdiag100520-DNS.log /test:DNS
          Starting test: DNS
             Test results for domain controllers:
                
                DC: Server.doors.local
                Domain: doors.local
    
                      
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                      
                   TEST: Basic (Basc)
                       Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000007] Intel(R) PRO/1000 PM Network Connection:
                         MAC address is 00:30:48:B8:35:E0
                         IP address is static
                         IP address: 192.168.0.1
                         DNS servers:
                            192.168.0.1 (<name unavailable>) [Valid]
                      The A record for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found (primary)
                      Root zone on this DC/DNS server was not found
                      
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information: 
                         8.8.8.8 (<name unavailable>) [Valid] 
                      
                   TEST: Delegations (Del)
                      No delegations were found in this zone on this DNS server
                      
                   TEST: Dynamic update (Dyn)
                      Warning: Dynamic update is enabled on the zone but not secure doors.local.
                      Test record _dcdiag_test_record added successfully in zone doors.local.
                      Test record _dcdiag_test_record deleted successfully in zone doors.local.
                      
                   TEST: Records registration (RReg)
                      Network Adapter [00000007] Intel(R) PRO/1000 PM Network Connection:
                         Matching A record found at DNS server 192.168.0.1:
                         Server.doors.local
    
                         Matching CNAME record found at DNS server 192.168.0.1:
                         fe5455af-a4a9-4a92-93f3-66321f929950._msdcs.doors.local
    
                         Matching DC SRV record found at DNS server 192.168.0.1:
                         _ldap._tcp.dc._msdcs.doors.local
    
                         Matching GC SRV record found at DNS server 192.168.0.1:
                         _ldap._tcp.gc._msdcs.doors.local
    
                         Matching PDC SRV record found at DNS server 192.168.0.1:
                         _ldap._tcp.pdc._msdcs.doors.local
    
             
             Summary of test results for DNS servers used by the above domain controllers:
    
                DNS server: 192.168.0.1 (<name unavailable>)
                   All tests passed on this DNS server
                   This is a valid DNS server 
                   Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered 
                   
                DNS server: 8.8.8.8 (<name unavailable>)
                   All tests passed on this DNS server
                   This is a valid DNS server 
                   
             Summary of DNS test results:
             
                                                Auth Basc Forw Del  Dyn  RReg Ext  
                   ________________________________________________________________
                Domain: doors.local
                   Server                       PASS PASS PASS PASS WARN PASS n/a  
             
             ......................... doors.local passed test DNS


  • Hello,

    Please clarify: is Kerberos logging enabled on your server?

    How to enable Kerberos event logging

    On the English forum there is a suggestion that these events may be related to this - Kerberos Event ID every 15 min


    Show the output of the following command at the command prompt (cmd)

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"



    Disclaimer:
    My opinion may not coincide with the official position of Microsoft.

    Best regards, Andrei ...

    MCP

    Moderator
  • These errors may not be the cause of the "network" slowness.

    How many DCs do you have in total? Can you show the network settings from any PC that is experiencing the problem, from the DC, and how you map the network drives.

  • Kerberos logging is enabled, of course. Simply turning off the logs is, in my opinion, not the most correct "solution" when Kerberos says that it does not know the server - the domain controller

    Код ошибки: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Расширенная ошибка: 
     Сфера клиента: 
     Имя клиента: 
     Сфера сервера: DOORS.LOCAL
     Имя сервера: Server.doors.local
     Конечное имя: Server.doors.local@DOORS.LOCAL

    Maybe try something like this?

    setspn -R server 
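
An added example (not part of the thread): a check of the names rejected with KDC_ERR_S_PRINCIPAL_UNKNOWN against the `setspn -L server` list, to see why each lookup missed before re-registering anything. The inputs are abridged copies of the records posted in the question; the function names and the two-entry HOST alias subset are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Event ID 3 records from the question, abridged to the two fields used here.
EVENTS = """\
 Код ошибки: 0xd KDC_ERR_BADOPTION
 Имя сервера: host/server.doors.local
 Код ошибки: 0x18 KDC_ERR_PREAUTH_FAILED
 Имя сервера: krbtgt/DOORS
 Код ошибки: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Имя сервера: TermServLicensing
 Код ошибки: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Имя сервера: Server.doors.local
 Код ошибки: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Имя сервера: cifs/192.168.0.222
"""

# `setspn -L server` output from the question, abridged.
SETSPN = """\
Registered ServicePrincipalNames for CN=SERVER,OU=Domain Controllers,DC=doors,DC=local:
    DNS/Server.doors.local
    HOST/SERVER
    HOST/Server.doors.local
    ldap/SERVER
    ldap/Server.doors.local
"""

# Assumption: a small subset of the service classes that AD maps onto HOST.
HOST_ALIASES = {"cifs", "http"}

EVENT_RE = re.compile(
    r"Код ошибки:\s*(0x[0-9a-fA-F]+)\s+(\S+).*?Имя сервера:[ \t]*(\S*)", re.S)


def parse_events(text):
    """Return (numeric code, error name, requested server name) per record."""
    return [(int(c, 16), n, t) for c, n, t in EVENT_RE.findall(text)]


def registered_spns(text):
    """Indented lines of setspn -L output; SPN matching is case-insensitive."""
    return {l.strip().lower() for l in text.splitlines()
            if l.startswith((" ", "\t")) and "/" in l}


def classify(target, registered):
    """Say why a requested name does or does not match a registered SPN."""
    t = target.lower()
    if t in registered:
        return "registered"
    service, sep, host = t.partition("/")
    if not sep:
        return "no-service-class"      # bare name, not service/host form
    try:
        ipaddress.ip_address(host.split("/")[0])
        return "ip-literal-host"       # SPNs are registered by name, not IP
    except ValueError:
        pass
    if service in HOST_ALIASES and f"host/{host}" in registered:
        return "covered-by-host-alias"
    return "not-registered"


def unknown_principals(events_text, setspn_text):
    """Map each name rejected with error 0x7 to the reason the lookup missed."""
    reg = registered_spns(setspn_text)
    return {t: classify(t, reg)
            for code, _, t in parse_events(events_text) if code == 0x7}


def error_counts(events_text):
    """Count records per Kerberos error name."""
    return Counter(name for _, name, _ in parse_events(events_text))


if __name__ == "__main__":
    for target, reason in unknown_principals(EVENTS, SETSPN).items():
        print(f"{target:25} {reason}")
    print(dict(error_counts(EVENTS)))
```

None of the three rejected names is an SPN missing from the posted list: two have no service class, and one addresses the server by IP address.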





  • There is one DC, Server.doors.local.

    I found a w32tm error in the event log of the ordinary domain computers: they were unable to synchronize time with the DC. I fixed it, and the slowness went away.

    I plan to deploy a second DC on Server 2016; apparently it is time for 2003 to retire.
    I hope there will be no difficulties with migrating AD...