thecureis asked:
Kerberos Error, Event ID 4 Server 2008 after Rebuild

A few months ago one of our 2008 Standard servers crashed. We had a few corrupt files and ended up restoring the server using Backup Exec System Recovery. During the restore we resized the partitions on the disk. Afterwards we had some issues with AD and replication using DFS. After spending hours on the phone with Microsoft, we resolved that issue by deleting some DFS files. A few weeks ago, a user from that site (we have 4 AD sites) called and stated that Outlook would not connect to Exchange (in a different site). I did some research and found that we could not hit the Exchange server, nor any server, by its hostname. I was getting the following error: "Logon Failure: The target account name is incorrect". After many hours of research I found the following article:
https://www.experts-exchange.com/questions/21451056/W2K3-AD-DC-problem-event-4-kerberos-4000-4013-DNS.html
which resolved the problem, or so I had thought. The issue has resurfaced.

We have 4 AD sites, 3 of which have Server 2003 SP2 or later and the 4th has 2008 Standard. All sites are connected via VPN and we have ruled out connectivity.

When I attempt to connect from site 4 (2008 box) to any other site via \\NetBIOS name or FQDN, I receive an error stating "Logon Failure: The target account name is incorrect". If I connect to any other site using \\IP address, the shares load up just fine.

The server's System event log is also loaded with Security-Kerberos Event ID 4:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server4$. The target name used was ldap/server4.domain.local/domain.local@DOMAIN.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

I have read a ton of articles and tried quite a bit with no success. So far I have:

- Deleted and re-created the replication topology
- Checked AD for duplicate computer accounts - negative
- Reset the replication password for KCC
- Rebooted the servers
- Checked DNS for duplicate entries - negative
- Ran the KCC connectivity tools with no errors
jaynir:

thecureis (asker):

One more note.

When I try to force replication from AD Sites and Services from site 1 (2003 server) to site 4 (2008 server) I get the following error:

"The following error occurred during the attempt to contact the domain controller SERVER1: The target principal name is incorrect"
Check this out for the second problem: http://support.microsoft.com/kb/288167
jaynir: I have tried the steps listed in that article. There is only one computer account listed in AD for server4. Typically the klist utility checks out clean. I did just run it again for kicks and got the following error:

Credentials cache \\server4\home\admin\krb5cc_admin not found
I already tried that. That resolved the issue the first time this happened but did not help this time.
Reset the secure channel password.
netdom resetpwd /server:server2 /userd:mydomain\administrator /passwordd:*
http://support.microsoft.com/kb/260575
If not, then check that nslookup is able to resolve host to IP and vice versa.
Also remove lingering objects using repadmin /removelingeringobjects and then force the replication using repadmin /replicate.
You can also use repadmin /syncall /a/e/p/d
I have already reset the password using netdom and that did not resolve the issue. I will attempt to remove the lingering objects. Thanks.
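Added example, not posted by anyone in this thread: a PowerShell triage script that checks the conditions the Event ID 4 text names (SPN held by the wrong or by more than one account, duplicate computer objects, DNS forward/reverse mismatch, and the local secure-channel password). The hostname server4.domain.local and the ldap/ SPN are taken from the event text; it assumes PowerShell 2.0 or later on a domain-joined box and uses [adsisearcher] so the ActiveDirectory module is not needed.

```powershell
# Added triage script (not from the thread). Checks the conditions named in the Event ID 4 text.
# Assumptions: PowerShell 2.0+, run on a domain-joined machine, ideally the DC logging the events.
param(
    [string]$TargetHost = "server4.domain.local",      # host named in the event text
    [string]$SpnPrefix  = "ldap/server4.domain.local"  # SPN named in the event text
)
$shortName = $TargetHost.Split('.')[0]

# 1. Which accounts register this SPN? The event says it must be on exactly one account,
#    and that account must be the one the LDAP service runs as (the DC's computer account).
$spnSearch = [adsisearcher]"(servicePrincipalName=$SpnPrefix*)"
$null = $spnSearch.PropertiesToLoad.Add("samAccountName")
$holders = @($spnSearch.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] })
Write-Host "Accounts registering '$SpnPrefix*': $($holders -join ', ')"
if ($holders.Count -ne 1 -or $holders[0] -ne "$shortName`$") {
    Write-Warning "Expected only '$shortName`$' to hold this SPN; found: $($holders -join ', ')"
}

# 2. Duplicate computer objects with the same short name (the asker checked this by hand).
$dupSearch = [adsisearcher]"(&(objectCategory=computer)(cn=$shortName))"
$dupCount = @($dupSearch.FindAll()).Count
if ($dupCount -ne 1) { Write-Warning "Found $dupCount computer objects named '$shortName'." }

# 3. Forward and reverse DNS must agree. A stale A or PTR record sends the client to a host
#    whose key cannot decrypt the ticket, which surfaces as "target account name is incorrect".
foreach ($ip in [System.Net.Dns]::GetHostAddresses($TargetHost)) {
    try   { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName }
    catch { $ptr = "<no PTR>" }
    Write-Host "$TargetHost -> $ip -> $ptr"
    if ($ptr -notlike "$shortName.*") { Write-Warning "Reverse lookup for $ip does not return $TargetHost." }
}

# 4. A password mismatch between this DC and the KDC is the second cause the event text lists.
#    Test-ComputerSecureChannel (PowerShell 2.0+) checks only the machine it runs on; netdom
#    resetpwd, as posted in the thread, is the repair step if this reports False.
if (Get-Command Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    Write-Host "Local secure channel OK: $(Test-ComputerSecureChannel)"
}
```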
ASKER CERTIFIED SOLUTION
thecureis