Question

W2K3 AD / DC problem: event 4 (kerberos), 4000/4013 (DNS)

Asked by: 2good2

Hi,

I have 4 W2K3 DCs with one server suddenly (after a disk crash) failing. This server, with ISA 2000 and Exchange 2003 installed, now has some problems:

1. SP1 can't be (re)installed. Error: "cannot find the file specified"
2. WindowsUpdate is not working (even though security in IE is low)
3. DNS is not working >>> event 4000 + 4013
4. Kerberos error >>> 4 The kerberos client received a KRB_AP_ERR_MODIFIED error...
etc.

A small list of complete errors:

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            8-6-2005
Time:            16:53:11
User:            N/A
Computer:      SERVERB
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/serverb.domain.local.  The target name used was ldap/SERVERB.DOMAIN.LOCAL/DOMAIN.LOCAL@DOMAIN.LOCAL. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      NETLOGON
Event Category:      None
Event ID:      5781
Date:            8-6-2005
Time:            16:49:10
User:            N/A
Computer:      SERVERB
Description:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.DOMAIN.LOCAL.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).  

Possible causes of failure include:  
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration  

USER ACTION  
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    


Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1865
Date:            8-6-2005
Time:            17:21:29
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVERB
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
 
Sites:
CN=PWI,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
 
 
 
 
 
 


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:      Error
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1311
Date:            8-6-2005
Time:            17:21:29
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVERB
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
 
Directory partition:
CN=Configuration,DC=DOMAIN,DC=LOCAL
 
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
 
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
 
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      NTDS KCC
Event Category:      Knowledge Consistency Checker
Event ID:      1566
Date:            8-6-2005
Time:            17:21:29
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVERB
Description:
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
 
Site:
CN=PWI,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
Directory partition:
CN=Configuration,DC=DOMAIN,DC=LOCAL
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Date:            8-6-2005
Time:            17:13:54
User:            N/A
Computer:      SERVERB
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    


Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4013
Date:            8-6-2005
Time:            17:13:54
User:            N/A
Computer:      SERVERB
Description:
The DNS server was unable to open the Active Directory.  This DNS server is configured to use directory service information and can not operate without access to the directory.  The DNS server will wait for the directory to start.  If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    


Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13562
Date:            8-6-2005
Time:            16:51:05
User:            N/A
Computer:      SERVERB
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller SERVERB.DOMAIN.LOCAL for FRS replica set configuration information.
 
 Could not bind to a Domain Controller. Will try again at next polling cycle.

 


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Any idea how I can solve this as quick as possible?

Thanks!

Asked On: 2005-06-08 at 08:47:47 (ID 21451056)

Tags: kerberos, event, id, 4

Topic: Windows 2003 Server

Participating Experts: 1
Points: 500
Comments: 12


Answers

 

by: Netman66, posted on 2005-06-08 at 13:25:27, ID: 14174343

How did you recover this server after the disk crash?

 

by: 2good2, posted on 2005-06-08 at 13:41:15, ID: 14174483

The server did have two disks (in software mirror), one disk was offline for two days. So I just put the old disk in the server.

 

by: 2good2, posted on 2005-06-08 at 13:57:11, ID: 14174630

One disk was offline because I upgraded this server to SP1. So the crashed disk had SP1 installed, the two days old disk which is now the bootdisk is without SP1.
When I tried to install SP1 the first error I received was about ".. update.inf.." . I followed the steps in article:

http://www.experts-exchange.com/Operating_Systems/Q_21377254.html?query=windows+2003+update.inf&clearTAFilter=true

but that wasn't the solution either. When I do now a SP1 setup, the error message is "cannot find the file specified".

 

by: Netman66, posted on 2005-06-08 at 17:28:31, ID: 14175968

This is not going to be pleasant.

Upgrading to SP1 changed a few things in AD that are related to your server.  Reverting back to pre-SP1 without properly uninstalling SP1 doesn't remove the changes in AD that SP1 made.

You'll need to move any critical services off this server and DCPROMO it to a member server.  If it won't back out gracefully then run DCPROMO /forceremoval.  After it's out of the DC playground you'll need to do a metadata cleanup to remove any trace of it as a DC from AD.

Service pack it while it's only a member, then re-promote it.  

Here are the instructions to do the metadata cleanup:

http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

Let us know.

 

by: 2good2, posted on 2005-06-09 at 20:12:31, ID: 14185474

I removed the server, did a metadata cleanup and a new install of W2K3 and Exchange 2003 (with the /disasterrecovery option), dcpromo, etc. The only strange thing is that I can't find any of the SERVER$ accounts in the AD (which I need for Exchange to work).

DNS and Kerberos seem to work, but I will check this out in the next days.

 

by: Netman66, posted on 2005-06-10 at 12:19:13, ID: 14191707

You shouldn't see any of those accounts anyway.  The only one you'll see is the machine account in the Domain Controllers OU.

I don't show any of the computer$ accounts in my 2003 AD either.  It shows up in logs, but not in the console.

You should be good to go now.



 

by: 2good2, posted on 2005-06-10 at 18:40:47, ID: 14193848

The ExchangeSA service is not working because of a missing SERVER$ machine account. Because ExchangeSA doesn't start, the whole Exchange Server won't start. Any idea how I can add this machine account to the server? (In ADSIEDIT I can't add it. I tried it on a different AD, with W2K servers, and there with ADSIEDIT it is possible to add a SERVER$ machine account.)

 

by: Netman66, posted on 2005-06-11 at 09:31:51, ID: 14195666

This might help you:

http://support.microsoft.com/default.aspx?scid=kb;en-us;260698

We're only interested in copying out the edb files, then removing and reinstalling Exchange.  It's a PITA for sure, but I think it's all you have.

Before going to this extreme, try resetting the machine account like this:

•      To reset a domain controller in a Windows 2000 domain:
a.       Stop the Kerberos Key Distribution Center (KDC) service, and then set it to Manual startup.
b.       Run the netdom resetpwd /server:replication_partner_server_name /userd:domain_name\admin_user /passwordd:* command.
c.       Restart the computer, start the KDC, and then set it back to Automatic startup.
For additional information about how to reset a domain controller in a Windows 2000 domain, click the following article number to view the article in the Microsoft Knowledge Base:
260575 HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller

Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;329721

This should work fine with 2003.
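Added example, not code from the thread or from Microsoft: a PowerShell triage script that collects the event signature the asker posted, runs the non-destructive checks (secure channel, SPNs, machine account) that distinguish "reset the machine account" from "demote and clean up metadata", and only with an explicit switch applies the KB 260575 sequence quoted above. DOMAIN.LOCAL comes from the posted events; the partner DC name SERVERA and the Administrator account are assumptions.

```powershell
# Added triage script (not from the thread). Assumes: run as a domain admin on
# the affected DC, with nltest.exe, netdom.exe, dcdiag.exe and setspn.exe
# available (Windows Server 2003 Support Tools).
param(
    [string]$Domain = 'DOMAIN.LOCAL',          # realm from the posted events
    [string]$ReplicationPartner = 'SERVERA',   # assumed name of a healthy DC
    [switch]$ResetMachineAccount               # apply the KB 260575 steps
)

# Event signature from the thread: classic log, source and event IDs.
$signature = @(
    @{ Log = 'System';                   Source = 'Kerberos'; Ids = 4 },
    @{ Log = 'System';                   Source = 'NETLOGON'; Ids = 5781 },
    @{ Log = 'DNS Server';               Source = 'DNS';      Ids = 4000, 4013 },
    @{ Log = 'Directory Service';        Source = 'NTDS KCC'; Ids = 1311, 1566, 1865 },
    @{ Log = 'File Replication Service'; Source = 'NtFrs';    Ids = 13562 }
)

Write-Host "== Signature events in the last 24h =="
$since = (Get-Date).AddDays(-1)
foreach ($s in $signature) {
    $hits = Get-EventLog -LogName $s.Log -Source $s.Source -After $since -ErrorAction SilentlyContinue |
            Where-Object { $s.Ids -contains $_.EventID }
    '{0,-26} {1,-10} ids={2,-16} count={3}' -f $s.Log, $s.Source, ($s.Ids -join ','), @($hits).Count
}

Write-Host "`n== Secure channel / machine account checks =="
# Does this DC's locally stored secret still match the password AD holds?
# A reverted disk image carries the old secret; that mismatch is what
# KRB_AP_ERR_MODIFIED (event 4) reports.
nltest /sc_verify:$Domain
# Duplicate or stale SPNs on this host are the other textbook cause of event 4.
setspn -L $env:COMPUTERNAME
# Confirms this DC's own computer object exists and is usable.
dcdiag /s:localhost /test:MachineAccount

if (-not $ResetMachineAccount) {
    Write-Host "`nIf sc_verify fails, re-run with -ResetMachineAccount."
    Write-Host "If the reset also fails, demote (dcpromo /forceremoval) and do the metadata cleanup."
    return
}

# KB 260575 sequence as quoted in the thread: KDC stopped while the password
# is reset so no tickets are issued with the stale key in the meantime.
Set-Service -Name kdc -StartupType Manual
Stop-Service -Name kdc -Force
netdom resetpwd /server:$ReplicationPartner /userd:"$Domain\Administrator" /passwordd:*
Write-Host "Reboot now; afterwards run: Set-Service kdc -StartupType Automatic; Start-Service kdc"
```

The post-reboot step is left as a printed instruction because the script cannot survive the restart the KB procedure requires.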


 

by: 2good2, posted on 2005-06-12 at 17:04:09, ID: 14199260

I fixed replication, was able to add the machine account and ExchangeSA did start without any problem. Thanks!

 

by: Netman66, posted on 2005-06-12 at 18:25:06, ID: 14199437

Excellent.  How did you end up adding the account?

 

by: 2good2, posted on 2005-06-12 at 22:47:00, ID: 14200021

I used dcdiag /s:localhost /recreatemachineaccount . With ADSIedit I added the machine account to the Exchange organization.

 

by: Netman66, posted on 2005-06-13 at 19:21:12, ID: 14208380

Interesting...

I guess the million$ question is why was this account not there to begin with?

Nice work.


