Solved

machine account not trusted for delegation error

Posted on 2009-03-31
Last Modified: 2013-12-01
Hello,
I have a win2003 domain with 3 DCs, the most recently promoted DC being an R2 install.
I am receiving an odd error when running a dcdiag.
"Starting test: MachineAccount
The account mydc is not trusted for delegation.  It cannot replicate."

I am replicating between 3 DCs and everything seems to be going just fine. No big errors in any of the servers' logs, except to say that the replication partition has not been backed up in 30 days.
Replmon looks great, the AD and DNS data is located on all 3 DCs. There is even an event in the log saying that replication is taking place. Is this machine account just not that critical to replication?
I am concerned because I am about to transfer roles to the newest DC (The current role holder may cease at any time) and want to avoid any issues.

Thank you very much.


Here is the dcdiag:

Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required test

Doing primary tests
   
   Testing server: Default-First-Site-Name\mydc
      Starting test: Replications
         ......................... mydc passed test Replications
      Starting test: NCSecDesc
         ......................... mydc passed test NCSecDesc
      Starting test: NetLogons
         ......................... mydc passed test NetLogons
      Starting test: Advertising
         ......................... mydc passed test Advertising
      Starting test: KnowsOfRoleHolders
         .........................mydc passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... mydc passed test RidManager
      Starting test: MachineAccount
         The account mydc is not trusted for delegation.  It cannot replicate.
         ......................... mydc failed test MachineAccount
      Starting test: Services
         ......................... mydc passed test Services
      Starting test: ObjectsReplicated
         ......................... mydc passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... mydc passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... mydc failed test frsevent
      Starting test: kccevent
         ......................... mydc passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC000014D
            Time Generated: 03/31/2009   12:44:06
            (Event String could not be retrieved)

   ((((((I received the above error too often to cut and paste in here, close to 100))))))


         ......................... mydc failed test systemlog
      Starting test: VerifyReferences
         ......................... mydc passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : mydomain
      Starting test: CrossRefValidation
         ......................... mydomain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... mydomain passed test CheckSDRefDom
   
   Running enterprise tests on :mydomain.local
      Starting test: Intersite
         ......................... mydomain.local passed test Intersite
      Starting test: FsmoCheck
         .........................mydomain.local passed test FsmoCheck
     
Question by:FlynnKeilty
Expert Comment

by:bluntTony
ID: 24037832
Might seem an obvious question, but have you checked the properties of the DC in ADUC? On the General tab, is the 'Trust Computer For Delegation' option ticked?
Are you actually experiencing problems, or is it just the output of DCDIAG that is concerning you?

Author Comment

by:FlynnKeilty
ID: 24044883
bluntTony,

Thank you for your reply. That is indeed not checked and may resolve the error.
I am not receiving any problems, I am just concerned with the dcdiag output and was hoping for a "Don't worry about the machine account, it doesn't necessarily mean anything is wrong" type of answer.
I've been googling but cannot find any reason against delegation. Do you know of any?

Thanks,

Flynn

Accepted Solution

by:bluntTony (earned 500 total points)
ID: 24047648
Delegation in the Kerberos context refers to the trusting of services on a computer to impersonate a logged on user in order to access network resources.
This is enabled by default for domain controllers, as they need this in order for the KDC to interact with DCs in trusted domains.
On member servers and workstations it is disabled by default as it can be a security risk. If malware was to gain hold of or install a service on a trusted machine, it could impersonate a privileged user and access network resources accordingly.
http://technet.microsoft.com/en-us/library/cc739740.aspx
Is your DCDIAG clean now?
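The 'Trust computer for delegation' checkbox discussed above sets the TRUSTED_FOR_DELEGATION bit (0x80000) in a computer account's userAccountControl attribute, and a DC is marked by the SERVER_TRUST_ACCOUNT bit (0x2000). The following PowerShell audit is an added example, not code from the thread: it lists every computer account's state and warns about the two cases the answer describes, a DC without the flag (the dcdiag MachineAccount failure) and a non-DC with it (the impersonation risk). It assumes a domain-joined host with read access to the domain partition and uses only .NET DirectorySearcher, so no AD module is needed.

```powershell
# Added example (not from the original thread): audit the userAccountControl
# bits behind the ADUC 'Trust computer for delegation' checkbox and the
# dcdiag MachineAccount test. Assumes a domain-joined host and read access.

$TRUSTED_FOR_DELEGATION = 0x80000   # 524288: 'Trust computer for delegation' (unconstrained)
$SERVER_TRUST_ACCOUNT   = 0x2000    # 8192: account is a domain controller

function Get-ComputerDelegationState {
    # One object per computer account with the DC and delegation bits decoded.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(objectCategory=computer)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl'))
    foreach ($result in $searcher.FindAll()) {
        # DirectorySearcher returns property names in lower case
        $uac = [int]$result.Properties['useraccountcontrol'][0]
        New-Object PSObject -Property @{
            Name       = [string]$result.Properties['samaccountname'][0]
            IsDC       = (($uac -band $SERVER_TRUST_ACCOUNT) -ne 0)
            Delegation = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
            UAC        = ('0x{0:X}' -f $uac)
        }
    }
}

$state = Get-ComputerDelegationState

# Case from the thread: a DC without the flag makes dcdiag's MachineAccount test fail.
$state | Where-Object { $_.IsDC -and -not $_.Delegation } | ForEach-Object {
    Write-Warning "DC $($_.Name) is not trusted for delegation; dcdiag MachineAccount will report it"
}

# Risk the accepted answer describes: a non-DC trusted for delegation can
# impersonate users who authenticate to it, so each such account needs a reason.
$state | Where-Object { -not $_.IsDC -and $_.Delegation } | ForEach-Object {
    Write-Warning "Non-DC $($_.Name) is trusted for unconstrained delegation; review and prefer constrained delegation"
}

$state | Sort-Object Name | Format-Table Name, IsDC, Delegation, UAC -AutoSize
```

Run it before and after toggling the checkbox on the DC to confirm the UAC value changes by exactly 0x80000 and that no member server or workstation carries the bit unexpectedly.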

Author Closing Comment

by:FlynnKeilty
ID: 31565095
BluntTony,

Thank you for working with me and for the information that you provided.
I left 'Trust Computer For Delegation' unchecked and went ahead and brought my new dc up and everything seems to be going well. I have been pulled off to other things so this may be something i come back to. But in the meantime, here are your points and thanks again.

Flynn
