2good2
W2K3 AD / DC problem: event 4 (kerberos), 4000/4013 (DNS)
Hi,
I have 4 W2K3 DC with one server suddenly (after a disk crash) failing. This server, with ISA 2000 and Exchange 2003 installed, now has some problems:
1. SP1 can't be (re)installed. Error: "cannot find the file specified"
2. WindowsUpdate is not working (even though security in IE is low)
3. DNS is not working >>> event 4000 + 4013
4. Kerberos error >>> 4 The kerberos client received a KRB_AP_ERR_MODIFIED error...
etc.
A small list of complete errors:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 8-6-2005
Time: 16:53:11
User: N/A
Computer: SERVERB
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/serverb.domain.local. The target name used was ldap/SERVERB.DOMAIN.LOCAL/DOMAIN.LOCAL@DOMAIN.LOCAL. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.LOCAL), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: NETLOGON
Event Category: None
Event ID: 5781
Date: 8-6-2005
Time: 16:49:10
User: N/A
Computer: SERVERB
Description:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.DOMAIN.LOCAL.' failed. These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone authoritative for the DNS records that failed registration
USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration or deletion of the DNS records by running 'nltest.exe /dsregdns' from the command prompt or by restarting Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00 *#..
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1865
Date: 8-6-2005
Time: 17:21:29
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVERB
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=PWI,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: 8-6-2005
Time: 17:21:29
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVERB
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
CN=Configuration,DC=DOMAIN,DC=LOCAL
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1566
Date: 8-6-2005
Time: 17:21:29
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVERB
Description:
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site:
CN=PWI,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
Directory partition:
CN=Configuration,DC=DOMAIN,DC=LOCAL
Transport:
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=DOMAIN,DC=LOCAL
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4000
Date: 8-6-2005
Time: 17:13:54
User: N/A
Computer: SERVERB
Description:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: 8-6-2005
Time: 17:13:54
User: N/A
Computer: SERVERB
Description:
The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13562
Date: 8-6-2005
Time: 16:51:05
User: N/A
Computer: SERVERB
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller SERVERB.DOMAIN.LOCAL for FRS replica set configuration information.
Could not bind to a Domain Controller. Will try again at next polling cycle.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Any idea how I can solve this as quick as possible?
Thanks!
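A triage parser for the Event Viewer text pasted above, added here as an example (it is not code from the thread or from Microsoft): it splits the pasted blocks, decodes the "Data" DWORD that event 4000 says carries the error code, and orders the events so the failure chain on SERVERB is readable. It assumes the dates are day-month-year, reads the Data bytes as a little-endian Win32 error code, and the sample input is a constructed excerpt of the question's own events.

```python
import re
from datetime import datetime
# Constructed excerpt of the thread's SERVERB events (fields verbatim, descriptions shortened).
SAMPLE = """\
Event Type: Error
Event Source: DNS
Event ID: 4000
Date: 8-6-2005
Time: 17:13:54
Description:
The DNS server was unable to open Active Directory. The event data is the error code.
Data:
0000: 2d 23 00 00 -#..
Event Type: Error
Event Source: Kerberos
Event ID: 4
Date: 8-6-2005
Time: 16:53:11
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/serverb.domain.local.
"""
WIN32_ERRORS = {0x232A: "DNS_ERROR_RCODE_SERVER_FAILURE (9002)", 0x232D: "DNS_ERROR_RCODE_REFUSED (9005)"}  # Winerror.h
# Event IDs from the question, mapped to the layer each one implicates.
KNOWN = {4: "Kerberos: ticket key != target machine-account key", 5781: "Netlogon: DC DNS registration failed",
         1865: "KCC: site unreachable", 1311: "KCC: partition not replicating", 1566: "KCC: no DC in site",
         4000: "DNS: cannot open AD", 4013: "DNS: waiting for AD", 13562: "FRS: cannot bind to a DC"}
FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")

def decode_data(line):
    """'0000: 2d 23 00 00 -#..' -> first four octets as a little-endian DWORD."""
    octets = re.findall(r"\b([0-9a-f]{2})\b", line.split(":", 1)[1])[:4]
    return int.from_bytes(bytes.fromhex("".join(octets)), "little")

def parse_events(text):
    """Pasted Event Viewer blocks -> dicts sorted by timestamp (dates read as d-m-Y)."""
    events, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append(cur := {"desc": [], "code": None})
        if cur is None or line in ("", "Description:", "Data:"):
            continue
        if m:
            cur[m.group(1).lower().replace("event ", "")] = m.group(2)
        elif re.match(r"^[0-9a-f]{4}: ", line):
            cur["code"] = decode_data(line)
        elif not line.startswith("For more information"):
            cur["desc"].append(line)
    for e in events:
        e["id"], e["when"] = int(e["id"]), datetime.strptime(f"{e['date']} {e['time']}", "%d-%m-%Y %H:%M:%S")
    return sorted(events, key=lambda e: e["when"])

def timeline(text):
    """(time, source, id, layer, decoded Data code) per event, oldest first."""
    return [(e["when"].strftime("%H:%M:%S"), e["source"], e["id"], KNOWN.get(e["id"], "unclassified"),
             "" if e["code"] is None else WIN32_ERRORS.get(e["code"], hex(e["code"])))
            for e in parse_events(text)]
```

Run `timeline(SAMPLE)` to get the rows; the Kerberos event sorts first even though it is pasted second, and the 4000 Data bytes decode to the DNS REFUSED code.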
How did you recover this server after the disk crash?
ASKER
The server did have two disks (in software mirror), one disk was offline for two days. So I just put the old disk in the server.
ASKER
One disk was offline because I upgraded this server to SP1. So the crashed disk had SP1 installed, the two days old disk which is now the bootdisk is without SP1.
When I tried to install SP1 the first error I received was about ".. update.inf.." . I followed the steps in article:
https://www.experts-exchange.com/questions/21377254/Updating-to-SP4-I-get-Setup-could-not-verify-the-integrity-of-the-file-Update-inf-Make-sure-the-Cryptographic-service-is-running-on-this-computer.html?query=windows+2003+update.inf&clearTAFilter=true
but that wasn't the solution either. When I do now a SP1 setup, the error message is "cannot find the file specified".
ASKER
I removed the server, did a metadata cleanup and a new install of W2K3 and Exchange 2003 (with /disasterrecovery option), dcpromo, etc. The only strange thing is that I can't find any of the SERVER$ accounts (which I need for Exchange to work) in the AD.
DNS and Kerberos seem to work but I will check this out the next days.
You shouldn't see any of those accounts anyway. The only one you'll see is the machine account in the Domain Controllers OU.
I don't show any of the computer$ accounts in my 2003 AD either. It shows up in logs, but not in the console.
You should be good to go now.
ASKER
The ExchangeSA service is not working because of a missing SERVER$ machine account. Because ExchangeSA doesn't start, the whole Exchange Server won't start. Any idea how I can add this machine account to the server? (In ADSIEDIT I can't add it. I tried it on a different AD, with W2K servers, and there it is possible to add a SERVER$ machine account with ADSIEDIT.)
This might help you:
http://support.microsoft.com/default.aspx?scid=kb;en-us;260698
We're only interested in copying out the edb files, then removing and reinstalling Exchange. It's a PITA for sure, but I think it's all you have.
Before going to this extreme, try resetting the machine account like this:
• To reset a domain controller in a Windows 2000 domain:
a. Stop the Kerberos Key Distribution Center (KDC) service, and then set it to Manual startup.
b. Run the netdom resetpwd /server:replication_partner_server_name /userd:domain_name\admin_user /passwordd:* command.
c. Restart the computer, start the KDC, and then set it back to Automatic startup.
For additional information about how to reset a domain controller in a Windows 2000 domain, click the following article number to view the article in the Microsoft Knowledge Base:
260575 HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller
Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;329721
This should work fine with 2003.
ASKER
I fixed replication, was able to add the machine account and ExchangeSA did start without any problem. Thanks!
Excellent. How did you end up adding the account?
ASKER
I used dcdiag /s:localhost /recreatemachineaccount. With ADSIedit I added the machine account to the Exchange organization.
Interesting...
I guess the million$ question is why was this account not there to begin with?
Nice work.