Avatar of dpcsit
dpcsit


The kerberos client received a KRB_AP_ERR_MODIFIED error from the server

Event Type:	Error
Event Source:	Kerberos
Event Category:	None
Event ID:	4
Date:		9/13/2010
Time:		7:31:25 PM
User:		N/A
Computer:	DC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server MRKMU11$.  The target name used was cifs/MHE122.dpcs.org. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DPCS.ORG), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I get the above information in an event log. If I ping the mhe122 PC I get a .60 address; if I then turn around and ping -a the .60 address, it returns the first name of MRKMU11$.

If I check the DHCP server, the mhe122 PC is listed as .80, and if I ping -a the .80 address I get the correct name.

So is this DNS or another issue?
Avatar of Tony Massa
Tony Massa

I've seen this issue if the computer account doesn't have permissions to change its own DNS record. Then the computer changes IP (DHCP), and the old record stays. You should delete the bad DNS record (let it replicate the deletion to other DNS servers), then go to the CMD prompt on MHE122 and run IPCONFIG /REGISTERDNS.
If you want to confirm, check the security on the MHE122 DNS entry. You should see the computer account with at least MODIFY permissions on the record.
Avatar of dpcsit
dpcsit

ASKER

Now the .80 address is showing a different name of laptop9, but if I ping that name it returns a .36 address.

I have not deleted the record in DHCP, nor have I run the registerdns command on the mhe122 PC.

I am pinging from my PC, by the way, and not on the mhe122 PC, if that matters.
Avatar of dpcsit

ASKER

So this seems to be across the board, and thus affecting all PCs in the domain. A ping by name returns one IP address; a ping with -a on that IP then returns a second name. I will verify this by going through each PC and IP address shortly.
Do you have DHCP running on a domain controller? Check a bad DNS record and see what the security looks like.
Review this document and your DHCP server settings:
http://technet.microsoft.com/en-us/library/cc787034%28WS.10%29.aspx
Avatar of dpcsit

ASKER

Here is the setup for DHCP:
(attached screenshot: dhcpdnspic.gif)
Is your DHCP server on a domain controller? Can you post a screenshot of the security on a "bad" DNS record?
Avatar of dpcsit

ASKER

tmassa99, not sure exactly how to give you that info, but yes, DHCP is housed on the DNS server.

And I have confirmed that it is more than one PC with this set of issues.

Pinging newlaptop10 [198.175.243.9] with 32 bytes of data:

Reply from 198.175.243.9: bytes=32 time<1ms TTL=128

Ping statistics for 198.175.243.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging ADS3.dpcs.org [198.175.243.9] with 32 bytes of data:

Reply from 198.175.243.9: bytes=32 time<1ms TTL=128

Ping statistics for 198.175.243.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging sae143.dpcs.org [198.175.243.30] with 32 bytes of data:

Reply from 198.175.243.30: bytes=32 time<1ms TTL=128

Ping statistics for 198.175.243.30:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging ADW107.dpcs.org [198.175.243.30] with 32 bytes of data:

Reply from 198.175.243.30: bytes=32 time<1ms TTL=128

Ping statistics for 198.175.243.30:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

There are more in the list I am sure! Looks so far to be about a 10% failure rate.
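The check the asker is doing by hand (ping a name, then ping -a the address it returned, and compare) can be run over a whole zone at once. The script below is an added example, not code from the thread or from either participant: it takes exported A records, PTR records and DHCP leases as plain dictionaries and flags the forward records that are stale. Such a stale record is also what produces the Kerberos event at the top of the thread: a client asking for cifs/MHE122.dpcs.org is sent to an address where a different machine (MRKMU11) is listening, and that machine cannot decrypt a ticket encrypted with MHE122's account key, so it returns KRB_AP_ERR_MODIFIED. All hostnames and addresses below are constructed to mirror the thread's symptoms; the lease addresses .41 and .52 are invented.

```python
"""Forward/reverse DNS consistency audit for stale dynamic records.

Added example (not from the thread). Works offline on dictionaries; a real run
would feed it records exported from the DNS and DHCP servers.
"""
from collections import defaultdict


def normalize(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


# Constructed forward (A) records: hostname -> address.
A_RECORDS = {
    "newlaptop10.dpcs.org": "198.175.243.9",
    "ADS3.dpcs.org": "198.175.243.9",
    "sae143.dpcs.org": "198.175.243.30",
    "ADW107.dpcs.org": "198.175.243.30",
    "mhe122.dpcs.org": "198.175.243.60",   # stale: MRKMU11 now holds .60
    "MRKMU11.dpcs.org": "198.175.243.60",
    "laptop9.dpcs.org": "198.175.243.36",
}

# Constructed reverse (PTR) records: address -> hostname.
PTR_RECORDS = {
    "198.175.243.9": "ADS3.dpcs.org",
    "198.175.243.30": "ADW107.dpcs.org",
    "198.175.243.60": "MRKMU11.dpcs.org",
    "198.175.243.36": "laptop9.dpcs.org",
    "198.175.243.80": "mhe122.dpcs.org",
    "198.175.243.41": "newlaptop10.dpcs.org",
    "198.175.243.52": "sae143.dpcs.org",
}

# Constructed DHCP lease table: hostname -> currently leased address.
DHCP_LEASES = {
    "newlaptop10.dpcs.org": "198.175.243.41",
    "ADS3.dpcs.org": "198.175.243.9",
    "sae143.dpcs.org": "198.175.243.52",
    "ADW107.dpcs.org": "198.175.243.30",
    "mhe122.dpcs.org": "198.175.243.80",
    "MRKMU11.dpcs.org": "198.175.243.60",
    "laptop9.dpcs.org": "198.175.243.36",
}


def shared_addresses(a_records):
    """Addresses claimed by more than one forward record (the 'two names, one IP' symptom)."""
    by_ip = defaultdict(list)
    for name, ip in a_records.items():
        by_ip[ip].append(normalize(name))
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def forward_reverse_mismatches(a_records, ptr_records):
    """(name, ip, ptr_name) for every A record whose PTR names another host or is missing."""
    out = []
    for name, ip in a_records.items():
        ptr = ptr_records.get(ip)
        ptr_name = normalize(ptr) if ptr is not None else None
        if ptr_name != normalize(name):
            out.append((normalize(name), ip, ptr_name))
    return sorted(out)


def stale_forward_records(a_records, ptr_records, dhcp_leases):
    """A records to delete before re-registering the host with ipconfig /registerdns:
    the forward address disagrees with the DHCP lease for that host, and the PTR at
    that address names a different host (so the address really has moved on)."""
    leases = {normalize(k): v for k, v in dhcp_leases.items()}
    stale = []
    for name, ip in a_records.items():
        host = normalize(name)
        lease = leases.get(host)
        ptr = ptr_records.get(ip)
        ptr_name = normalize(ptr) if ptr is not None else None
        if lease is not None and lease != ip and ptr_name != host:
            stale.append((host, ip, lease))
    return sorted(stale)


def mismatch_rate(a_records, ptr_records):
    """Fraction of forward records whose reverse lookup disagrees with them."""
    return len(forward_reverse_mismatches(a_records, ptr_records)) / len(a_records)


if __name__ == "__main__":
    for ip, names in shared_addresses(A_RECORDS).items():
        print(f"{ip} is claimed by {', '.join(names)}")
    for host, ip, lease in stale_forward_records(A_RECORDS, PTR_RECORDS, DHCP_LEASES):
        print(f"stale: {host} -> {ip} (DHCP leases {lease}); delete and re-register")
    print(f"mismatch rate: {mismatch_rate(A_RECORDS, PTR_RECORDS):.0%}")
```

The three checks are kept separate because they answer different questions: shared addresses show where a ticket for one SPN will land on another host, the forward/reverse mismatch list is the per-host version of the asker's ping test, and the stale list is the set of records that should be deleted before re-registration, since a record whose address still agrees with the lease only needs the computer account's permissions fixed.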
ASKER CERTIFIED SOLUTION
Avatar of Tony Massa
Tony Massa
Avatar of dpcsit

ASKER

Ok, so under the first article, using an admin account for the DHCP DNS credentials is not a good idea, I take it? So what account level, standard user?
You should create a service (regular user) account with a password that you change manually; check "password never expires" on the account and you can change it on your schedule.

The reason it's a bad idea is because it's using the domain controller account which is essentially an admin of your AD, and can lead to compromise.
Avatar of dpcsit

ASKER

Ok, is there a simple step-by-step how-to for creating a service account?
http://support.microsoft.com/kb/255134

Any standard user account should do... follow the directions in the KB article to use it.
Avatar of dpcsit

ASKER

Something is wrong

Event Type:      Warning
Event Source:      DhcpServer
Event Category:      None
Event ID:      1056
Date:            10/13/2010
Time:            5:00:05 PM
User:            N/A
Computer:      XXX
Description:
The DHCP service has detected that it is running on a DC and has  no credentials configured for use with Dynamic DNS registrations  initiated by the DHCP service.   This is not a recommended security configuration.   Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the  DHCP Administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....    

The steps it has me do are:

How to Use the Netsh.exe Tool
NOTE: The Netsh.exe tool completes successfully only after you receive a "Command Successfully Completed" message.
To set the user account that the DHCP Server service uses for DNS registrations, use the following command:
netsh dhcp server set dnscredentials user name domain name password
Note that if you use an asterisk (*) in place of the password variable, you are prompted to type a password.

NOTE: You must restart the DHCP Server service for these changes to take effect.
To delete the user account that the DHCP Server service uses for DNS registrations, use the following command:
netsh dhcp server delete dnscredentials dhcpfullforce
NOTE: You must restart the DHCP Server service for these changes to take effect.
To show the user account that the DHCP Server service uses for DNS registrations, use the following command:
netsh dhcp server show dnscredentials


This leaves me without any dnscredentials at all; is that correct?
Avatar of dpcsit

ASKER

When I show the credentials it is blank, since I have deleted them using delete dnscredentials dhcpfullforce.

Reading down the MS support page, it says:

How to Configure the DHCP Server Service to Impersonate an Account

    * DHCP Server service starts and an impersonation account is configured.
      If impersonation is successful, the impersonation account is used for all further DNS registrations. If impersonation is unsuccessful, the DHCP server logs the following Event ID in the System Event log and does not perform any DNS registrations (ignores DHCP Option 81):
      Event Type: Error
      Event Source: DHCP server name
      Event Category: None
      Event ID: 1002
      Date: 5/31/2000
      Time: 3:21:47 PM
      User: N/A
      Computer: computer name
      Description: The DHCP service failed to initialize its global parameters.
      The following error occurred: Logon failure: unknown user name or bad password.
      Data: 0000: 2e 05 00 00
    * DHCP Server service starts and impersonation account is not configured.

      If the DHCP Server service is not running on a DC, the DHCP Server service uses local computer credentials to perform secure Dynamic DNS update. If the DHCP Server service is running on a DC, the service logs the following Event ID in the System Event log and the DHCP Server Service uses local computer credentials to perform secure DDNS update:
      Event Type: Warning
      Event Source: DHCP server name
      Event Category: None
      Event ID: 1002
      Date: 5/31/2000
      Time: 3:57:13 PM
      User: N/A
      Computer: computer name
      Description: The DHCP service failed to initialize its global parameters. The following error occurred: %%0
      Data: 0000: 00 00 00 00

But I do not see any of this in the logs, thus I assume that I must do something in addition, or re-add the account (assuming the commands are in the wrong order), or are the DNS credentials for DHCP now supposed to be blank?
Avatar of dpcsit

ASKER

Shouldn't this be set to update only if the client requests it, instead of always update?
(attached screenshot: dhcpdns.gif)
Avatar of dpcsit

ASKER

To add to this mess, it appears that scavenging stopped working in 4/2010 at some point, as this is the date and time listed for the zone to run again!
Avatar of dpcsit

ASKER

Ok, the date updated on scavenge, but it didn't remove the old host A records.
Please go to the DNS server reverse lookup zone and check that there is no old entry for that host. Additionally, check whether you have configured a PTR for your DNS server.

Thank you in advance.

Regards,
Krzysztof
Avatar of dpcsit

ASKER

There is a PTR record for the DNS server; there is no record in the reverse zone for the old A record that will not delete during scavenging.

Is there a way to log the scavenging when it is run, to see what zones it is scanning?
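The last two posts ask why a scavenging pass ran without removing the old A record, and how to see what a pass did. The script below is an added example, not code from the thread or from Microsoft; it models the rule a Windows DNS server applies when it scavenges a zone, so that each record's fate and reason can be written out as a log line. A dynamically registered record is deleted only when its timestamp plus the zone's no-refresh and refresh intervals lies in the past, and only if the zone's own "can be scavenged after" time has been reached; a record with no timestamp (a static record, for example one created by hand) survives every pass, which is a common reason an old A record stays behind. The 7-day intervals, the timestamps, the "now" and the record data are all constructed for the example.

```python
"""Simulated aging/scavenging pass over a Windows DNS zone (added example).

Timestamps are Python datetimes; None stands for a static record with no
aging timestamp. Intervals and records below are constructed, not exported.
"""
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)   # assumed zone no-refresh interval (default)
REFRESH = timedelta(days=7)      # assumed zone refresh interval (default)

# Constructed zone contents: (hostname, address, timestamp or None if static).
RECORDS = [
    ("mhe122.dpcs.org", "198.175.243.60", None),                      # static, never scavenged
    ("mhe122.dpcs.org", "198.175.243.80", datetime(2010, 10, 12, 9, 0)),
    ("ads3.dpcs.org", "198.175.243.9", datetime(2010, 9, 1, 8, 0)),
    ("newlaptop10.dpcs.org", "198.175.243.9", datetime(2010, 8, 1, 8, 0)),
]


def is_scavengeable(timestamp, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """A record ages out once timestamp + no-refresh + refresh has passed;
    a record without a timestamp is static and is never eligible."""
    if timestamp is None:
        return False
    return timestamp + no_refresh + refresh <= now


def scavenge_pass(records, now, zone_scavenge_after,
                  no_refresh=NO_REFRESH, refresh=REFRESH):
    """Run one scavenging pass. Returns (removed, kept, log), where log is a list of
    one human-readable line per decision, the trace the thread is asking for."""
    log = []
    if now < zone_scavenge_after:
        log.append(f"zone not eligible until {zone_scavenge_after:%Y-%m-%d %H:%M}; "
                   f"nothing scavenged")
        return [], list(records), log
    removed, kept = [], []
    for name, ip, ts in records:
        if ts is None:
            kept.append((name, ip, ts))
            log.append(f"KEEP   {name} {ip}: static record (no timestamp)")
            continue
        aged_out_at = ts + no_refresh + refresh
        if aged_out_at <= now:
            removed.append((name, ip, ts))
            log.append(f"DELETE {name} {ip}: aged out at {aged_out_at:%Y-%m-%d %H:%M}")
        else:
            kept.append((name, ip, ts))
            log.append(f"KEEP   {name} {ip}: eligible at {aged_out_at:%Y-%m-%d %H:%M}")
    return removed, kept, log


def removed_names(records, now, zone_scavenge_after):
    """Hostnames a pass would delete, in zone order."""
    removed, _, _ = scavenge_pass(records, now, zone_scavenge_after)
    return [name for name, _, _ in removed]


if __name__ == "__main__":
    now = datetime(2010, 10, 13, 17, 0)              # constructed clock
    _, _, trace = scavenge_pass(RECORDS, now, datetime(2010, 10, 10))
    print("\n".join(trace))
```

Running it with the constructed clock shows the two aged-out records deleted, the fresh .80 record kept with the date it becomes eligible, and the static .60 record kept with the reason "no timestamp". If the old A record in the real zone shows no timestamp in the record's properties, scavenging will never touch it and it has to be deleted by hand before the host re-registers.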