Computer account problems in Active Directory
Posted on 2004-08-02
We have a medium sized network with the following configuration:
Three DCs - 2 are Win2K, one is Win2K3
120 computers - members of the domain
300 users using roaming profiles
The problems began when we had done no major upgrades or changes and seem to be getting worse. The problems include:
1. Users began getting roaming profile error messages when they logged in. This is sporadic and unpredictable.
2. Computers added to the domain show up on one DC but not others.
3. We get Kerberos errors that say the client received a KRB_AP_ERR_MODIFIED error, which indicates that the password used to encrypt the Kerberos service ticket is different from that on the target server.
4. The Netlogon service is reporting event ID 1097 and 1030 errors when group policy updates occur.
5. From the Win2K3 server, which holds all of the domain server roles, I've received event ID 1388 in NTDS Replication. This error indicates that another domain controller attempted to replicate into this one an object which is not present in the local Active Directory database. The attribute set included in the update request is not sufficient to create the object.
6. When I tried to demote one of the Win2K DCs, I was unable to do so because it couldn't connect to the role master. I shut the system down (it is a media distribution server that isn't needed at the current time), which helped somewhat, but the problems persist.
7. On some of the workstations, the user can only connect to the server using the IP address. Using the system name gives an error that the system cannot be located.
8. I get an FRS Replication Service error ID 13508 indicating that the remaining Win2K machine is having trouble enabling replication to the Win2K3 DC.
9. I am unable to install a certificate on the Win2K3 certificate server using the certificate request wizard. The error indicates that the wizard cannot be started because there are no trusted CAs available (there is one), I don't have permissions to request certificates from the CA (I do), and/or the available CAs issue certificates for which I don't have permissions (I'm using the domain Administrator account to do this on the CA for the domain which is running on the Win2K3 server system). If I try to import the certificate, I get a successful import message, but the certificate doesn't appear in the certificate list and there is no error generated.
There are many other odd things that have happened in the 6 - 8 months since this began happening. I am installing a new server to replace one of the Win2K DCs, which will run Server 2003. I am also planning on upgrading the media distribution server to Server 2003.
Here are the issues I need resolved:
1. I need to demote the media DC so I can remove it from AD. I don't want to upgrade the existing system.
2. I need a solution to the problem of inter-DC communication for AD updates.
3. I need an answer to the certificate problem.
4. Hopefully someone can explain what's going on in this network.
I have users that have problems logging in every day and projects that Tech Support are working on keep coming up against these errors.
Thanks in advance!
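A first-pass triage script for the symptoms listed in the post, added here as an example and not part of the original post or of any reply to it. It runs the Windows Support Tools checks that map onto each reported symptom (replication partners, FSMO visibility from each DC, DC locator SRV records, the DCs' secure channels, FRS configuration, and the CA's Enrollment Services objects in the Configuration partition) and keeps the two corrective steps (the machine-account password reset for KRB_AP_ERR_MODIFIED, and forced removal plus metadata cleanup of the powered-off media DC) as commented procedures so nothing destructive runs by accident. The domain and DC names are placeholders and are assumptions; it assumes an elevated PowerShell prompt on the Windows Server 2003 DC with the Support Tools (repadmin, dcdiag, nltest, netdom, ntfrsutl, certutil) installed.

```powershell
# Added triage example (not the poster's own script). Placeholder names below are
# assumptions: replace with the real domain and DC names before running.
$Domain = 'corp.example'            # assumption: the AD DNS domain name
$DCs    = @('dc2003', 'dc2000a')    # assumption: the DCs that are still online
$DeadDC = 'dc2000media'             # assumption: the media DC that was shut down

# Run one external check and print its output under a heading.
function Invoke-Check([string]$Title, [scriptblock]$Cmd) {
    Write-Host "`n=== $Title ===" -ForegroundColor Cyan
    & $Cmd 2>&1 | Out-String | Write-Host
}

# Symptoms 2, 5, 6: replication partners with last success/failure per partition,
# and whether every DC agrees on who holds the FSMO roles. A DC that cannot see a
# role holder is exactly what makes dcpromo fail with "cannot connect to the role master".
Invoke-Check "FSMO roles as seen from this DC" { netdom query fsmo }
foreach ($dc in $DCs) {
    Invoke-Check "Replication partners and last failures on $dc" { repadmin /showrepl $dc }
    Invoke-Check "dcdiag tests on $dc" {
        dcdiag /s:$dc /test:replications /test:knowsofroleholders /test:fsmocheck `
               /test:frssysvol /test:netlogons /test:advertising
    }
}

# Symptom 7: clients that can only reach servers by IP address usually cannot find the
# DC locator records in DNS. Confirm the SRV records exist and which DC the locator picks.
Invoke-Check "DC locator SRV records" { nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" }
Invoke-Check "DC chosen by the locator"  { nltest /dsgetdc:$Domain /force }

# Symptom 3: KRB_AP_ERR_MODIFIED between DCs means the target's machine-account
# password (the key used to encrypt the service ticket) is out of sync. Verify the
# secure channels first; the reset is left commented and must be run deliberately.
foreach ($dc in $DCs) {
    Invoke-Check "Secure channel verification from $dc" { nltest /server:$dc /sc_verify:$Domain }
}
# Reset procedure (Microsoft KB 325850), run locally on the DC whose password is stale:
#   net stop kdc
#   netdom resetpwd /server:<a healthy DC> /userd:$Domain\Administrator /passwordd:*
#   net start kdc
#   (reboot, then re-run the repadmin /showrepl check above)

# Symptom 8: FRS 13508 - show the replica set and connection objects FRS reads from AD
# on each DC; a partner missing here points back at the replication problem, not FRS.
foreach ($dc in $DCs) {
    Invoke-Check "FRS replica set configuration on $dc" { ntfrsutl ds $dc }
}

# Symptom 9: the certificate request wizard finds CAs through the Enrollment Services
# objects under CN=Public Key Services in the Configuration partition. List what this
# DC holds there and confirm the CA's request interface answers.
$cfgNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
Write-Host "`n=== Enrollment Services objects in AD ===" -ForegroundColor Cyan
foreach ($ca in $enrollSvc.Children) {
    Write-Host ("CA {0} on {1}" -f $ca.Name, $ca.Properties['dNSHostName'].Value)
}
Invoke-Check "CA request interface reachable" { certutil -ping }

# Issue 1: removing the powered-off media DC without upgrading it.
#   On the media DC (works even when no role master is reachable):
#     dcpromo /forceremoval
#   Then on a healthy DC, remove its leftover NTDS metadata so the other DCs stop
#   trying to replicate with it (interactive ntdsutil session, Windows Server 2003):
#     ntdsutil
#       metadata cleanup
#       connections
#         connect to server dc2003
#         quit
#       select operation target
#         list domains           -> select domain <n>
#         list sites             -> select site <n>
#         list servers in site   -> select server <n>    (the entry for $DeadDC)
#         quit
#       remove selected server
#       quit
#   Finally delete the old DC's A, CNAME (_msdcs GUID) and SRV records from DNS.
```

Read the output top to bottom in the order printed: if repadmin shows partners failing for weeks, fix replication and name resolution before touching Kerberos, FRS or the CA, since the later symptoms (secure-channel errors, FRS 13508, the wizard finding "no trusted CAs") all depend on DCs being able to find and replicate with each other.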