none
2003 AD錯誤 來源 Kerberos 事件ID4 RRS feed

  • 問題

  • 想請問一下
    我在dc 的log 一個小時就會有一個錯誤的日誌(其他的DC 也是一樣)
    kerberos 用戶端從伺服器 host/nt4dc.abc.corp 收到 KRB_AP_ERR_MODIFIED 錯誤。 使用的目標名稱為 。這指出用來加密 kerberos 服務票證的密碼 與目標伺服器上的不同。通常,這是因為目標領域 (abc.CORP) 及用戶端 領域中的電腦帳戶名稱相同。請連絡您的系統管理員。
    請問應該怎解呢??
    是從NT4升2003 ad上來的

    以下是我的dcdiag 檢查
    Domain Controller Diagnosis

    Performing initial setup:
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Default-First-Site-Name\NT4DC
          Starting test: Connectivity
             ......................... NT4DC passed test Connectivity
      
       Testing server: Default-First-Site-Name\DC1
          Starting test: Connectivity
                *** Warning: could not confirm the identity of this server in
                   the directory versus the names returned by DNS servers.
                   If there are problems accessing this directory server then
                   you may need to check that this server is correctly registered
                   with DNS
             ......................... DC1 passed test Connectivity
      
       Testing server: Default-First-Site-Name\DC2
          Starting test: Connectivity
             ......................... DC2 passed test Connectivity
      
       Testing server: Default-First-Site-Name\DC
          Starting test: Connectivity
             ......................... DC passed test Connectivity

    Doing primary tests
      
       Testing server: Default-First-Site-Name\NT4DC
          Starting test: Replications
             ......................... NT4DC passed test Replications
          Starting test: NCSecDesc
             ......................... NT4DC passed test NCSecDesc
          Starting test: NetLogons
             ......................... NT4DC passed test NetLogons
          Starting test: Advertising
             ......................... NT4DC passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... NT4DC passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... NT4DC passed test RidManager
          Starting test: MachineAccount
             ......................... NT4DC passed test MachineAccount
          Starting test: Services
             ......................... NT4DC passed test Services
          Starting test: ObjectsReplicated
             ......................... NT4DC passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... NT4DC passed test frssysvol
          Starting test: frsevent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... NT4DC failed test frsevent
          Starting test: kccevent
             ......................... NT4DC passed test kccevent
          Starting test: systemlog
             An Error Event occured.  EventID: 0x40000004
                Time Generated: 10/20/2009   10:38:33
                (Event String could not be retrieved)
             ......................... NT4DC failed test systemlog
          Starting test: VerifyReferences
             ......................... NT4DC passed test VerifyReferences
      
       Testing server: Default-First-Site-Name\DC1
          Starting test: Replications
             REPLICATION LATENCY WARNING
             ERROR: Expected notification link is missing.
             Source DC
             Replication of new changes along this path will be delayed.
             This problem should self-correct on the next periodic sync.
             REPLICATION LATENCY WARNING
             ERROR: Expected notification link is missing.
             Source DC2
             Replication of new changes along this path will be delayed.
             This problem should self-correct on the next periodic sync.
             REPLICATION LATENCY WARNING
             ERROR: Expected notification link is missing.
             Source DC2
             Replication of new changes along this path will be delayed.
             This problem should self-correct on the next periodic sync.
             REPLICATION LATENCY WARNING
             ERROR: Expected notification link is missing.
             Source DC
             Replication of new changes along this path will be delayed.
             This problem should self-correct on the next periodic sync.
             REPLICATION LATENCY WARNING
             ERROR: Expected notification link is missing.
             Source DC
             Replication of new changes along this path will be delayed.
             This problem should self-correct on the next periodic sync.
             REPLICATION LATENCY WARNING
             ERROR: Expected notification link is missing.
             Source DC2
             Replication of new changes along this path will be delayed.
             This problem should self-correct on the next periodic sync.
             ......................... DC1 passed test Replications
          Starting test: NCSecDesc
             ......................... DC1 passed test NCSecDesc
          Starting test: NetLogons
             [DC1] An net use or LsaPolicy operation failed with error 1396, 登入失敗: 目標帳戶名稱不正確。.
             ......................... DC1 failed test NetLogons
          Starting test: Advertising
             Fatal Error:DsGetDcName (DC1) call failed, error 5
             The Locator could not find the server.
             ......................... DC1 failed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... DC1 passed test KnowsOfRoleHolders
          Starting test: RidManager
             The DS has corrupt data: rIDPreviousAllocationPool value is not valid
             No rids allocated -- please check eventlog.
             ......................... DC1 failed test RidManager
          Starting test: MachineAccount
             Could not open pipe with [DC1]:failed with 1396: 登入失敗: 目標帳戶名稱不正確。
             Could not get NetBIOSDomainName
             Failed can not test for LDAP SPN
             Failed can not test for LDAP SPN
             Failed can not test for HOST SPN
             Failed can not test for HOST SPN
             Failed can not test for HOST SPN
             Failed can not test for HOST SPN
             Failed can not test for GC SPN
             * Missing SPN :(null)
             * Missing SPN :(null)
             * Missing SPN :LDAP/DC1
             * Missing SPN :(null)
             * Missing SPN :LDAP/f89dc3c6-6c55-40ec-8d89-6d52d4cd1639._msdcs.abc.corp
             * Missing SPN :(null)
             * Missing SPN :(null)
             * Missing SPN :(null)
             * Missing SPN :(null)
             ......................... DC1 failed test MachineAccount
          Starting test: Services
             Could not open Remote ipc to [DC1]:failed with 1396: 登入失敗: 目標帳戶名稱不正確。
             ......................... DC1 failed test Services
          Starting test: ObjectsReplicated
             ......................... DC1 passed test ObjectsReplicated
          Starting test: frssysvol
             [DC1] An net use or LsaPolicy operation failed with error 1396, 登入失敗: 目標帳戶名稱不正確。.
             ......................... DC1 failed test frssysvol
          Starting test: frsevent
             ......................... DC1 failed test frsevent
          Starting test: kccevent
             Failed to enumerate event log records, error 登入失敗: 目標帳戶名稱不正確。
             ......................... DC1 failed test kccevent
          Starting test: systemlog
             Failed to enumerate event log records, error 登入失敗: 目標帳戶名稱不正確。
             ......................... DC1 failed test systemlog
          Starting test: VerifyReferences
             ......................... DC1 passed test VerifyReferences
      
       Testing server: Default-First-Site-Name\DC2
          Starting test: Replications
             ......................... DC2 passed test Replications
          Starting test: NCSecDesc
             ......................... DC2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC2 passed test NetLogons
          Starting test: Advertising
             ......................... DC2 passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... DC2 passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... DC2 passed test RidManager
          Starting test: MachineAccount
             ......................... DC2 passed test MachineAccount
          Starting test: Services
             ......................... DC2 passed test Services
          Starting test: ObjectsReplicated
             ......................... DC2 passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... DC2 passed test frssysvol
          Starting test: frsevent
             ......................... DC2 passed test frsevent
          Starting test: kccevent
             An Warning Event occured.  EventID: 0x80000785
                Time Generated: 10/20/2009   10:58:20
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x80000785
                Time Generated: 10/20/2009   10:58:20
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x80000785
                Time Generated: 10/20/2009   10:58:20
                (Event String could not be retrieved)
             ......................... DC2 failed test kccevent
          Starting test: systemlog
             An Error Event occured.  EventID: 0x40000004
                Time Generated: 10/20/2009   10:28:20
                (Event String could not be retrieved)
             ......................... DC2 failed test systemlog
          Starting test: VerifyReferences
             ......................... DC2 passed test VerifyReferences
      
       Testing server: Default-First-Site-Name\DC
          Starting test: Replications
             ......................... DC passed test Replications
          Starting test: NCSecDesc
             ......................... DC passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC passed test NetLogons
          Starting test: Advertising
             ......................... DC passed test Advertising
          Starting test: KnowsOfRoleHolders
             ......................... DC passed test KnowsOfRoleHolders
          Starting test: RidManager
             ......................... DC passed test RidManager
          Starting test: MachineAccount
             ......................... DC passed test MachineAccount
          Starting test: Services
             ......................... DC passed test Services
          Starting test: ObjectsReplicated
             ......................... DC passed test ObjectsReplicated
          Starting test: frssysvol
             ......................... DC passed test frssysvol
          Starting test: frsevent
             ......................... DC passed test frsevent
          Starting test: kccevent
             An Warning Event occured.  EventID: 0x80000785
                Time Generated: 10/20/2009   10:54:56
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x80000785
                Time Generated: 10/20/2009   10:54:56
                (Event String could not be retrieved)
             An Warning Event occured.  EventID: 0x80000785
                Time Generated: 10/20/2009   10:54:56
                (Event String could not be retrieved)
             ......................... DC failed test kccevent
          Starting test: systemlog
             An Error Event occured.  EventID: 0x40000004
                Time Generated: 10/20/2009   10:09:56
                (Event String could not be retrieved)
             An Error Event occured.  EventID: 0x40000004
                Time Generated: 10/20/2009   11:08:37
                (Event String could not be retrieved)
             ......................... DC failed test systemlog
          Starting test: VerifyReferences
             ......................... DC passed test VerifyReferences
      
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
      
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
      
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
      
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
      
       Running partition tests on : abc
          Starting test: CrossRefValidation
             ......................... abc passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... abc passed test CheckSDRefDom
      
       Running enterprise tests on : abc.corp
          Starting test: Intersite
             ......................... abc.corp passed test Intersite
          Starting test: FsmoCheck
             ......................... abc.corp passed test FsmoCheck



    2009年10月20日 上午 03:48

解答

  • 由DCDiag的內容來看..這台DC跟其他台DC的複寫應該是有問題的
    你可以先檢查看看你的DC之間複寫是全部不正常還是只有這台不正常

    這台NT4DC有很久沒有開機嗎?
    另外..你的AD環境中有幾台DC..五大角色是在哪一台身上?
    微軟技術支援服務
    結果 刪除掉當初之前硬碟掛點的那台DC  就都正常了
    想請問一下 因為我是NT4 PDC 升上來的,當初的BDC(升級時,當時是離縣) 
    現在在ad使用者及電腦的Domain Controllers  都還看的到
    請問可以直接滑鼠右鍵刪除嗎?
    • 已提議為解答 Vincent Lin 2009年10月22日 上午 06:55
    • 已標示為解答 Vincent Lin 2009年10月26日 上午 02:46
    2009年10月22日 上午 12:26
  • 移除NT4的BDC比較簡單..參考下面文章吧

    How to remove Windows NT4 BDC (Backup Domain Controller) From Active directory?
    http://support.microsoft.com/kb/555521/en-us


    微軟技術支援服務
    • 已標示為解答 Vincent Lin 2009年10月26日 上午 02:46
    2009年10月22日 上午 05:58

所有回覆

  • 錯誤訊息裡面的"使用的目標名稱為" 後面應該會有一個電腦名稱之類的訊息..如果有刪除的話把他貼上來看看

    另外..你的Domain只有一個呢?還是還有Sub Domain?


    微軟技術支援服務
    2009年10月21日 上午 02:32
  • 錯誤訊息裡面的"使用的目標名稱為" 後面應該會有一個電腦名稱之類的訊息..如果有刪除的話把他貼上來看看

    另外..你的Domain只有一個呢?還是還有Sub Domain?


    微軟技術支援服務
         裡面沒有寫耶 錯誤的訊息 就只有寫這樣耶
           使用的目標名稱為。
    2009年10月21日 上午 05:07
  • 由DCDiag的內容來看..這台DC跟其他台DC的複寫應該是有問題的
    你可以先檢查看看你的DC之間複寫是全部不正常還是只有這台不正常

    這台NT4DC有很久沒有開機嗎?
    另外..你的AD環境中有幾台DC..五大角色是在哪一台身上?
    微軟技術支援服務
    結果 刪除掉當初之前硬碟掛點的那台DC  就都正常了
    想請問一下 因為我是NT4 PDC 升上來的,當初的BDC(升級時,當時是離縣) 
    現在在ad使用者及電腦的Domain Controllers  都還看的到
    請問可以直接滑鼠右鍵刪除嗎?
    • 已提議為解答 Vincent Lin 2009年10月22日 上午 06:55
    • 已標示為解答 Vincent Lin 2009年10月26日 上午 02:46
    2009年10月22日 上午 12:26
  • 你刪掉的應該就是NT4PDC吧
    之前看起來是他的複寫有問題..有可能是Security Channel斷掉導致
    請你按造下面的KB動做進行刪除..才能刪除乾淨

    如何在網域控制站降級失敗後,移除 Active Directory 中的資料
    http://support.microsoft.com/default.aspx/kb/216498

    等全部都做好後..你可以重新去進行dcpromo再把他加回現在的網域..應該就不會有問題了

    另外..五大角色應該沒有在該台上面吧?


    微軟技術支援服務
    2009年10月22日 上午 02:06
  • 你刪掉的應該就是NT4PDC吧
    之前看起來是他的複寫有問題..有可能是Security Channel斷掉導致
    請你按造下面的KB動做進行刪除..才能刪除乾淨

    如何在網域控制站降級失敗後,移除 Active Directory 中的資料
    http://support.microsoft.com/default.aspx/kb/216498

    等全部都做好後..你可以重新去進行dcpromo再把他加回現在的網域..應該就不會有問題了

    另外..五大角色應該沒有在該台上面吧?


    微軟技術支援服務
    不是耶 我刪掉的是DC1耶
    五大角色 都在 NT4DC上說
    但之前下線 的bdc 應該怎刪除呢??



    2009年10月22日 上午 02:59
  • 拍寫..之前看錯..應該是DC1有複寫問題才對
    之前下線的BDC是DC1? 還是哪一台?

    如果是指DC1的話..就是按造上面文章(裡面的程序1)的動作去手動刪除就可以了
    裡面有個步驟需要注意就是 connect to server servername , 這邊的servername是指目前正常的DC..而不是已經無法運作的DC

    另外..你DC1目前有進行降級的動作了嗎?

    提供兩篇比較詳盡的手動移除DC的資料給你參考

    http://www.wretch.cc/blog/josephphoto/13886817
    http://www.lnes.tp.edu.tw/10/manager/windows%BA%DE%B2z/deleteNTDS-DSA.pdf


    微軟技術支援服務
    2009年10月22日 上午 03:33
  • 拍寫..之前看錯..應該是DC1有複寫問題才對
    之前下線的BDC是DC1? 還是哪一台?

    如果是指DC1的話..就是按造上面文章(裡面的程序1)的動作去手動刪除就可以了
    裡面有個步驟需要注意就是 connect to server servername , 這邊的servername是指目前正常的DC..而不是已經無法運作的DC

    另外..你DC1目前有進行降級的動作了嗎?

    提供兩篇比較詳盡的手動移除DC的資料給你參考

    http://www.wretch.cc/blog/josephphoto/13886817
    http://www.lnes.tp.edu.tw/10/manager/windows%BA%DE%B2z/deleteNTDS-DSA.pdf


    微軟技術支援服務

        我DC 1 是參照ntdsutil  的方式進去裡面刪除的
        但 之前的bdc  使用list servers in site 卻沒找該台編號
        只有在AD 使用者與電腦的domain Controllers 裡面有看到
        但不知道該怎刪除
          
    2009年10月22日 上午 05:26
  • 移除NT4的BDC比較簡單..參考下面文章吧

    How to remove Windows NT4 BDC (Backup Domain Controller) From Active directory?
    http://support.microsoft.com/kb/555521/en-us


    微軟技術支援服務
    • 已標示為解答 Vincent Lin 2009年10月26日 上午 02:46
    2009年10月22日 上午 05:58