killyman

asked on

Kerberos Errors in Windows 2003 Server Domain

I'm getting a whole bunch of Kerberos errors in the last four days in our Event Viewer (System folder).

We have a single DC running Windows Server 2003 Standard and it is acting as a file server and running Exchange 2003 and AD. We have about 50 workstations. Our server is running DNS, but our firewall is doing the DHCP.

We also have RealVNC running on all the workstations so that I can remotely log into them from the server. To log into one of the workstations, I open the IE browser on the server and type http://computername:5800 into the address field and then I log in via a Java page. A problem has arisen lately with the RealVNC login process on some computers which I believe is directly related to the kerberos errors.

For example, if I try to log into one of our workstations named AICH019 (http://aich019:5800) I get redirected to AICH021. If I ping both computernames via CMD on the server (ping aich019 & ping aich021), I get the same IP address results for both. But, if I go on each workstation and do ipconfig /all from the command prompt, I get separate IP addresses. The kerberos error below indicates that the two workstations in question are potentially "identically named machine accounts in the target realm."
_________________________________________________________
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            4/2/2004
Time:            10:36:40 AM
User:            N/A
Computer:      TMIC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server AICH021$.  The target name used was cifs/AICH019.aich.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (AICH.LOCAL), and the client realm.  Please contact your system administrator.
_________________________________________________________

I also have additional kerberos errors coming up with other workstations "in conflict".

Here is another error related to the workstation named AICH019.
_________________________________________________________
Event Type:      Error
Event Source:      NETLOGON
Event Category:      None
Event ID:      5722
Date:            4/2/2004
Time:            1:51:30 AM
User:            N/A
Computer:      TMIC
Description:
The session setup from the computer AICH019 failed to authenticate. The name(s) of the account(s) referenced in the security database is AICH019$.  The following error occurred:
Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 22 00 00 c0               "..À    
_________________________________________________________



I would very much appreciate any insight into what is the cause and solution of this issue.

Thanks,

Clark
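The diagnosis described in the question (two names pinging to the same address while each machine reports its own, and Event ID 4 naming one computer account as the responder but a different host in the cifs/ SPN) can be checked offline rather than by pinging each pair by hand. The script below is an added example, not code from the thread or from Microsoft: it extracts the (intended host, responding host) pairs from the text of Kerberos Event ID 4 descriptions, reads the A records of a forward lookup zone exported to a text file (the format assumed is the BIND-style output of `dnscmd /zoneexport`), and reports which event pairs are explained by two names sharing one IP address. The event texts, hostnames and addresses in it are constructed to mirror the thread, and are not real data.

```python
"""Correlate Kerberos KRB_AP_ERR_MODIFIED events with duplicate DNS A records.

Added example (not part of the original thread). Inputs are constructed:
Event ID 4 description text as it appears in the System log, and the A
records of a zone as written by ``dnscmd /zoneexport`` (format assumed).
"""
import re
from collections import defaultdict

# Constructed sample: Event ID 4 descriptions in the wording the thread quotes.
# The account after "from the server" is the machine that actually answered;
# the host inside the cifs/ SPN is the one the client meant to reach.
KERBEROS_EVENTS = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "AICH021$.  The target name used was cifs/AICH019.aich.local. This indicates "
    "that the password used to encrypt the kerberos service ticket is different "
    "than that on the target server.",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "AICH023$.  The target name used was cifs/AICH015.aich.local.",
    # Responder and SPN host agree here, so this one is not a name collision.
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "AICH030$.  The target name used was cifs/AICH030.aich.local.",
]

# Constructed sample zone export; two pairs of hosts share an address.
ZONE_EXPORT = """\
;  Database file aich.local.dns for aich.local zone.
@  IN  SOA  tmic.aich.local. hostmaster.aich.local. ( 42 900 600 86400 3600 )
@  IN  NS   tmic.aich.local.
tmic      A  192.168.1.10
aich019   A  192.168.1.21
aich021   A  192.168.1.21
aich015   A  192.168.1.25
aich023   A  192.168.1.25
aich030   A  192.168.1.30
"""

EVENT_RE = re.compile(
    r"from the server (?P<responder>[A-Za-z0-9-]+)\$\.\s+"
    r"The target name used was cifs/(?P<target>[A-Za-z0-9-]+)\.",
    re.IGNORECASE,
)
# host [ttl] [IN] A a.b.c.d  (TTL and class are optional in the export)
A_RECORD_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9-]+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s*$",
    re.IGNORECASE,
)


def parse_mismatched_events(descriptions):
    """Return (intended_host, responding_host) pairs where the SPN host and the
    answering machine account differ, i.e. the name resolved to the wrong box."""
    pairs = []
    for text in descriptions:
        m = EVENT_RE.search(text)
        if not m:
            continue
        target = m.group("target").lower()
        responder = m.group("responder").lower()
        if target != responder:
            pairs.append((target, responder))
    return pairs


def parse_a_records(zone_text):
    """Map each unqualified, lower-cased hostname to its set of IPv4 addresses."""
    records = defaultdict(set)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()   # drop comments
        m = A_RECORD_RE.match(line)
        if m:
            records[m.group("host").lower()].add(m.group("ip"))
    return dict(records)


def shared_addresses(records):
    """Return {ip: sorted hostnames} for every address owned by more than one host."""
    by_ip = defaultdict(set)
    for host, ips in records.items():
        for ip in ips:
            by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def explain_events(descriptions, zone_text):
    """For each mismatched event, say whether DNS shows both names on one IP."""
    records = parse_a_records(zone_text)
    findings = []
    for target, responder in parse_mismatched_events(descriptions):
        common = records.get(target, set()) & records.get(responder, set())
        findings.append({
            "target": target,
            "responder": responder,
            "shared_ip": sorted(common),
            "stale_record_likely": bool(common),
        })
    return findings


if __name__ == "__main__":
    for ip, hosts in shared_addresses(parse_a_records(ZONE_EXPORT)).items():
        print(f"{ip} is claimed by {', '.join(hosts)}")
    for f in explain_events(KERBEROS_EVENTS, ZONE_EXPORT):
        print(f"ticket for {f['target']} answered by {f['responder']}: "
              f"shared IP {f['shared_ip'] or 'none'}")
```

A shared address in the zone for the two names in an event is the stale-record condition the thread ends up fixing; an event pair with no shared address points somewhere else (for instance a genuine duplicate computer account), so the two lists are worth reading separately.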



SOLUTION
Debsyl99

ASKER CERTIFIED SOLUTION
Gareth Gudger
killyman

ASKER

Thanks Deb and Diggisaur!

I checked the host records in the DNS (on the server) and I found that the computers in question both have the same IP address.

Now, remember what I said before?

"if I try to log into one of our workstations named AICH019 (http://aich019:5800) I get redirected to AICH021."

Well, in the Host record properties for AICH019 under the Security Tab I found a ghost user in there (it had a whole bunch of numbers and letters, but no coherent name). So, I deleted the record and after a little bit, the AICH019 computer obtained a separate IP address and I could log into the AICH019 computer without being redirected to AICH022.

But, I just found another kerberos error this morning between two different computers. I did the same check as I mention before, and found the ghost user in the "target" computer's host record.

At this point, I think I'll just do as Diggisaur suggested and move the DHCP role over to the server. But, before doing that I just wanted to try your suggestion about checking that the DNS server is configured for dynamic updates and see if that solves the problem. How do I go about doing that (step by step)?

Thanks!

Clark
Hi there

Ok - I think that the dhcp option on the server is probably a better course of action, but we can talk you through that too if necessary. However you WILL need to configure dynamic updates regardless of the course of action you take regarding dhcp. Open up dns on the server. Under the server object is the forward look-up zones list. Expand this first, then right-click on the forward lookup zone entitled "yourdomain.com" where this is the same as your ad domain name. Click properties and select the general tab - select yes in the dynamic updates box, then click ok.

Note you can't select secure updates unless it's ad integrated zone, for now just select yes.

Let us know if you need to change the dhcp server (I expect that you probably will),

Deb :))

lol sorry, browser error in the clicking department ;-))
Deb,

I decided this afternoon to just go ahead and activate the DHCP Server on the Domain Controller and disable it on the firewall.

I ended up having to call Dell Server Support for help in figuring out why none of the workstations were getting IP addresses from the DHCP on the server after I set it up. Apparently, I forgot to "authorize" the DHCP Server in the properties box.

Everything seems to be working fine right now. I'll have to wait a few days and see if I get any more Kerberos errors, but the person I spoke with at Dell also believes that moving the role of DHCP to the server will resolve the problem because in 2000 & 2003 the DNS, AD and DHCP are so tightly integrated.

I checked the properties for our domain in the DNS Forward Look Up Zone and didn't see a check box for dynamic updates. Instead there was an option for Dynamic Updates with a drop down box next to it. The option that was already chosen was "Secure". The other two options were "Nonsecure and secure" or "None." Could the configuration layout be different in 2003?

Clark

Hi
Yes sorry, I was speaking from windows 2000 server experience, but the principle is the same, just windows 2003 server is slightly different. If the zone is active-directory integrated then it defaults to the use of secure updates apparently, which is what it would appear is already set in yours, so it should be fine. There's a really good description of it all here:

Dynamic update in Windows 2003 Server
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_DynamicUpdates.asp

Hope this helps, but I think that you may have sorted this out now.

Deb :))
Glad to hear ya moved over.....

Also have you told DHCP to automatically update DNS with client/host records?
Deb & diggisaur,

Thanks for all of your help. Things seem to be working fairly well, although I did notice one Kerberos error from this morning (April 5) in the Event Viewer log. It is the only one to appear since the role of DHCP was set up on the server on April 3rd. Vast improvement as we were getting numerous errors each day all last week.

I have the DNS options set up in the DHCP properties box using the default settings (see below).

SELECTED - Enable DNS Dynamic updates according to the settings below:

SELECTED - Dynamically update DNS A and PTR records only if requested by the DHCP clients

NOT SELECTED - Always dynamically update DNS A and PTR records

SELECTED - Discard A and PTR records when lease is deleted

If you have any other comments, I'd appreciate it. Otherwise I'll just take this last opportunity to thank you both! Thanks!

Clark
No that looks good.
What you have set up should be fine - is the kerberos error any different from your previous ones?
Hi Deb!

The error appears to be the same as the previous ones (see further below), but I haven't seen another since April 5th (morning).

We were having all kinds of problems with our firewall all last week (locking up) so after moving the DHCP role over to the server over the weekend, on Monday (April 5) in the afternoon I wiped out the firmware on the firewall and installed the latest fresh new version. The firewall seems to be fine now and maybe these kerberos errors were somehow related to the firewall being on the fritz.

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            4/5/2004
Time:            10:18:53 AM
User:            N/A
Computer:      TMIC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server AICH023$.  The target name used was cifs/AICH015.aich.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (AICH.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Hi there,

It's the same error as you'd been getting, so I'd leave it for a while and see if you get any more, if not all should be well - keep us posted. You could always check on the host records for AICH015 and ensure that there's no duplication anymore,

Deb :))
Yes I would agree with Debsy....leave DHCP on the server as it is for a while to see if the errors come back. (Personally I would leave DHCP there permanently). :)
Thanks guys (figuratively speaking of course) :-)

No sign of any kerberos errors today.

Now onto other issues... Will it ever end? (it's a rhetorical question, of course)

Clark
Ah....no points for moi...maybe I didn't help any.
Diggisaur,

I wanted to give you points, but I didn't see any options to split them between you and Deb.  :-(

Is there a way?

Clark
You will need a moderator to unaccept the answer....post in the community to do this. The "Split" option is right above where you would have posted a comment before you accepted an answer.
I could always post some for you diggisaur? If not whatever you guys wanna do is fine by me :))

Glad we helped ;-)
All done! Thanks Deb and Diggisaur!
no problem :)