Solved

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server

Posted on 2010-09-14
Last Modified: 2013-12-04
Event Type:	Error
Event Source:	Kerberos
Event Category:	None
Event ID:	4
Date:		9/13/2010
Time:		7:31:25 PM
User:		N/A
Computer:	DC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server MRKMU11$.  The target name used was cifs/MHE122.dpcs.org. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DPCS.ORG), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I get the above information in an event log. If I ping the mhe122 PC I get a .60 address; if I then turn around and ping -a the .60 address, it returns the first name of MRKMU11$.

If I check the DHCP server, the mhe122 PC is listed as .80, and if I ping -a the .80 address I get the correct name.

So is this DNS or another issue?
Question by dpcsit

23 Comments

Expert Comment by Tony Massa (LVL 17), ID: 33675534
I've seen this issue if the computer account doesn't have permissions to change its own DNS record.  Then the computer changes IP (DHCP), and the old record stays.  You should delete the bad DNS record (let it replicate the deletion to other DNS servers), then go to the CMD prompt on MHE122 and run IPCONFIG /REGISTERDNS

Expert Comment by Tony Massa (LVL 17), ID: 33675544
If you want to confirm, check the security on the MHE122 DNS entry.  You should see the computer account with at least MODIFY permissions on the record.

Author Comment by dpcsit (LVL 1), ID: 33676292
Now the .80 account is showing a different name of laptop9, but if I ping that name it shows a .36 address returned.

I have not deleted the record in dhcp nor have I run the registerdns command on the mhe122 pc.

I am pinging from my pc btw and now on the mhe122 pc, if that matters.

Author Comment by dpcsit (LVL 1), ID: 33676312
So this seems to be across the board, and thus affecting all PCs in the domain. A ping by name returns one IP address, and a ping with -a on that IP then returns a second name. I will verify this by going through each PC and IP address shortly.

Expert Comment by Tony Massa (LVL 17), ID: 33676399
Do you have DHCP running on a domain controller?  Check a DNS record for a bad DNS record and see what the security looks like.

Expert Comment by Tony Massa (LVL 17), ID: 33676495
Review this document and your DHCP server settings:
http://technet.microsoft.com/en-us/library/cc787034%28WS.10%29.aspx

Author Comment by dpcsit (LVL 1), ID: 33682926
Here is the setup for DHCP
[attached screenshot: dhcpdnspic.gif]

Expert Comment by Tony Massa (LVL 17), ID: 33683054
Is your DHCP server on a domain controller?  Can you post a screenshot of the security on a "bad" DNS record?

Author Comment by dpcsit (LVL 1), ID: 33690942
tmassa99, not sure exactly how to give you that info, but yes, DHCP is housed on the DNS server.

And I have confirmed that it is more than one PC with this set of issues.

Pinging newlaptop10 [198.175.243.9] with 32 bytes of data:
Reply from 198.175.243.9: bytes=32 time<1ms TTL=128
Ping statistics for 198.175.243.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging ADS3.dpcs.org [198.175.243.9] with 32 bytes of data:
Reply from 198.175.243.9: bytes=32 time<1ms TTL=128
Ping statistics for 198.175.243.9:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging sae143.dpcs.org [198.175.243.30] with 32 bytes of data:
Reply from 198.175.243.30: bytes=32 time<1ms TTL=128
Ping statistics for 198.175.243.30:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging ADW107.dpcs.org [198.175.243.30] with 32 bytes of data:
Reply from 198.175.243.30: bytes=32 time<1ms TTL=128
Ping statistics for 198.175.243.30:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


There are more in the list I am sure! Looks so far to be about a 10% failure rate.
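The manual check the poster is doing by hand (ping a name, then ping -a the address it returned) and the record-permission check the expert asked for earlier in the thread, written up as one added PowerShell example. This is not code from the thread, from Experts Exchange, or from Microsoft. It assumes the DnsClient, DnsServer (RSAT, Windows Server 2012 or later) and ActiveDirectory modules; the zone name dpcs.org, the server name DC1 and the host MHE122 are taken from the thread, and the DomainDnsZones partition path is an assumption about where the zone is stored.

```powershell
# Added example: scan a zone for the forward/reverse mismatches seen in the
# thread and read the ACL on a suspect AD-integrated DNS record.
Import-Module DnsClient, DnsServer, ActiveDirectory -ErrorAction Stop

$Zone = 'dpcs.org'   # zone from the thread
$Dc   = 'DC1'        # DNS server to query (from the thread; adjust as needed)

function Test-ForwardReverseConsistency {
    # For each host: A lookup, then a PTR lookup of every address returned.
    # MISMATCH is the poster's symptom (reverse name differs from forward name).
    param([string[]]$HostNames)

    foreach ($name in $HostNames) {
        $fqdn = "$name.$Zone"
        $aRecords = Resolve-DnsName -Name $fqdn -Type A -Server $Dc -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' }
        if (-not $aRecords) {
            [pscustomobject]@{ Host = $fqdn; IP = $null; ReverseName = $null; Status = 'NoARecord' }
            continue
        }
        foreach ($a in $aRecords) {
            $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -Server $Dc -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
            $reverse = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { $null }
            $status  = if (-not $reverse)           { 'NoPTR' }
                       elseif ($reverse -ieq $fqdn) { 'OK' }
                       else                         { 'MISMATCH' }
            [pscustomobject]@{ Host = $fqdn; IP = $a.IPAddress; ReverseName = $reverse; Status = $status }
        }
    }
}

function Get-SharedAddresses {
    # The second symptom in the thread: two names (newlaptop10 and ADS3) both
    # holding the same address. Group the zone's A records by IPv4 address.
    Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ComputerName $Dc |
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ IP = $_.Name; Hosts = ($_.Group.HostName -join ', ') }
        }
}

function Get-DnsRecordAcl {
    # AD-integrated records are dnsNode objects, so their security descriptor
    # can be read through the AD: drive. Path assumes the zone is stored in
    # the DomainDnsZones partition (use ForestDnsZones or the domain NC otherwise).
    param([string]$HostName)
    $domainDn = (Get-ADDomain).DistinguishedName
    $dn = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    (Get-Acl -Path "AD:\$dn").Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

# Usage: scan every host that has an A record, then inspect one bad record.
$hosts = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ComputerName $Dc |
         Where-Object { $_.HostName -ne '@' } |
         Select-Object -ExpandProperty HostName -Unique
Test-ForwardReverseConsistency -HostNames $hosts | Where-Object Status -ne 'OK' | Format-Table -AutoSize
Get-SharedAddresses | Format-Table -AutoSize

# If the MHE122$ computer account is absent from the ACL, or has read rights
# only, the client cannot update its own record after an address change and
# the stale entry stays (the expert's first point in the thread).
Get-DnsRecordAcl -HostName 'MHE122' | Where-Object { $_.IdentityReference -like '*MHE122$' }
```

The scan queries one DNS server directly (-DnsOnly, -Server) so that cached or hosts-file answers on the workstation do not hide the problem; run it against each DNS server if you suspect replication has not caught up with a deletion.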

Accepted Solution by Tony Massa (LVL 17, earned 500 total points), ID: 33691126
Review these articles on having DHCP/DNS together on a domain controller
http://support.microsoft.com/kb/282001
http://support.microsoft.com/kb/255134

Author Comment by dpcsit (LVL 1), ID: 33691912
OK, so under the first article, using an admin account for the DHCP DNS credentials is not a good idea, I take it? So what account level, standard user?

Expert Comment by Tony Massa (LVL 17), ID: 33692117
You should create a service (regular user) account with a password that you change manually; check "password never expires" on the account, and you can change it on your schedule.

The reason it's a bad idea is because it's using the domain controller account which is essentially an admin of your AD, and can lead to compromise.

Author Comment by dpcsit (LVL 1), ID: 33756479
OK, is there a simple how-to for creating a service account, listed step by step?

Expert Comment by Tony Massa (LVL 17), ID: 33756644
http://support.microsoft.com/kb/255134

Any standard user account should do. Follow the directions in the KB article to use it.

Author Comment by dpcsit (LVL 1), ID: 33899216
Something is wrong

Event Type:      Warning
Event Source:      DhcpServer
Event Category:      None
Event ID:      1056
Date:            10/13/2010
Time:            5:00:05 PM
User:            N/A
Computer:      XXX
Description:
The DHCP service has detected that it is running on a DC and has  no credentials configured for use with Dynamic DNS registrations  initiated by the DHCP service.   This is not a recommended security configuration.   Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the  DHCP Administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....    

The steps it has me do are:


How to Use the Netsh.exe Tool
NOTE: The Netsh.exe tool completes successfully only after you receive a "Command Successfully Completed" message.
To set the user account that the DHCP Server service uses for DNS registrations, use the following command:
netsh dhcp server set dnscredentials user name domain name password
Note that if you use an asterisk (*) in place of the password variable, you are prompted to type a password.

NOTE: You must restart the DHCP Server service for these changes to take effect.
To delete the user account that the DHCP Server service uses for DNS registrations, use the following command:
netsh dhcp server delete dnscredentials dhcpfullforce
NOTE: You must restart the DHCP Server service for these changes to take effect.
To show the user account that the DHCP Server service uses for DNS registrations, use the following command:
netsh dhcp server show dnscredentials


This leaves me without any dnscredentials at all; is that correct?
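The procedure the thread arrives at (a plain domain user as the DHCP service's DNS registration identity, set with netsh dhcp server set dnscredentials, then a DHCP Server service restart and a check that the 1056 warning stops), as an added PowerShell example. This is not code from the thread, the KB articles, or Microsoft. The account name svc-dhcpdns and the OU are placeholders; the domain name dpcs.org and the netsh commands are the ones on the page; the event-log check and the Set-DhcpServerDnsCredential remark are additions.

```powershell
# Added example: dedicated, non-privileged DNS registration account for a
# DHCP Server service that runs on a domain controller. Run on the DHCP/DC
# host in an elevated PowerShell session.
Import-Module ActiveDirectory -ErrorAction Stop

$Domain  = 'dpcs.org'                             # domain from the thread
$SvcUser = 'svc-dhcpdns'                          # placeholder account name
$SvcOu   = 'OU=Service Accounts,DC=dpcs,DC=org'   # placeholder OU; must already exist

# 1. Plain domain user (Domain Users only, no admin groups). The DC's own
#    account is effectively an AD admin, which is why the expert warns against
#    leaving the credentials empty on a DC. "Password never expires" keeps
#    registrations from silently failing on rotation day; rotate by re-running
#    steps 2 and 3 on your own schedule.
$password = Read-Host -AsSecureString -Prompt "Password for $SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -Path $SvcOu `
    -UserPrincipalName "$SvcUser@$Domain" -AccountPassword $password `
    -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true

# 2. Hand the account to the DHCP Server service (the command named in the
#    1056 event text). '*' makes netsh prompt for the password instead of
#    leaving it in the shell history or a script.
#    On Windows Server 2012 and later the DhcpServer module offers the same
#    setting as: Set-DhcpServerDnsCredential -Credential (Get-Credential)
netsh dhcp server set dnscredentials $SvcUser $Domain *

# 3. Credentials are read when the service initializes, so restart it.
Restart-Service -Name DHCPServer

# 4. Verify. "show dnscredentials" should now print the account (an empty
#    result is the state the poster is in after "delete dnscredentials").
netsh dhcp server show dnscredentials

# 5. After the restart there should be no new 1056 warning, and no 1002
#    "Logon failure" error (which would mean a wrong name or password).
Get-EventLog -LogName System -Newest 200 |
    Where-Object { $_.EventID -in 1002, 1056 } |
    Select-Object TimeGenerated, EventID, EntryType, Message |
    Format-List
```

Using a low-privilege account here limits what a compromised DHCP server can register or overwrite in DNS to what that one user is allowed to touch; the DC machine account would otherwise own every record the DHCP service creates, which is also why clients such as MHE122 end up unable to update their own entries.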

Author Comment by dpcsit (LVL 1), ID: 33899254
When I show the credentials it is blank since I have deleted it using the delete dnscredentials dhcpfullforce

In reading down the MS support page it says:

How to Configure the DHCP Server Service to Impersonate an Account

    * DHCP Server service starts and an impersonation account is configured.
      If impersonation is successful, the impersonation account is used for all further DNS registrations. If impersonation is unsuccessful, the DHCP server logs the following Event ID in the System Event log and does not perform any DNS registrations (ignores DHCP Option 81):
      Event Type: Error
      Event Source: DHCP server name
      Event Category: None
      Event ID: 1002
      Date: 5/31/2000
      Time: 3:21:47 PM
      User: N/A
      Computer: computer name
      Description: The DHCP service failed to initialize its global parameters.
      The following error occurred: Logon failure: unknown user name or bad password.
      Data: 0000: 2e 05 00 00
    * DHCP Server service starts and impersonation account is not configured.

      If the DHCP Server service is not running on a DC, the DHCP Server service uses local computer credentials to perform secure Dynamic DNS update. If the DHCP Server service is running on a DC, the service logs the following Event ID in the System Event log and the DHCP Server Service uses local computer credentials to perform secure DDNS update:
      Event Type: Warning
      Event Source: DHCP server name
      Event Category: None
      Event ID: 1002
      Date: 5/31/2000
      Time: 3:57:13 PM
      User: N/A
      Computer: computer name
      Description: The DHCP service failed to initialize its global parameters. The following error occurred: %%0
      Data: 0000: 00 00 00 00

But I do not see any of this in the logs, so I assume that I must do something in addition, or re-add the account, assuming the commands are in the wrong order. Or are the DNS credentials for DHCP now supposed to be blank?

Author Comment by dpcsit (LVL 1), ID: 33899352
Shouldn't this be set to update only if the client requests it, instead of always update?
[attached screenshot: dhcpdns.gif]

Author Comment by dpcsit (LVL 1), ID: 33909502
To add to this mess, it appears that scavenging stopped working at some point in 4/2010, as this is the date and time listed for the zone to run again!

Author Comment by dpcsit (LVL 1), ID: 33910210
OK, the date updated on scavenge, but it didn't remove the old host A records.

Expert Comment by Krzysztof Pytko (LVL 39), ID: 33945722
Please go to the DNS server's reverse lookup zone and check that there is no old entry for that host. Additionally, check whether you have configured a PTR record for your DNS server.

Thank you in advance.

Regards,
Krzysztof

Author Comment by dpcsit (LVL 1), ID: 33947291
There is a PTR record for the DNS server, there is no record in the reverse zone for the old A record that will not delete during scavenge.

Is there a way to log the scavenging when it is run to see what zones it is scanning?
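The scavenging questions at the end of the thread (why the old A records survive a scavenging pass, and how to see what a pass did), as an added PowerShell example that is not code from the thread or from Microsoft. It assumes the DnsServer module (RSAT, Windows Server 2012 or later); the zone dpcs.org and server DC1 come from the thread. The rule it checks is a fact about DNS aging rather than something the page states: only dynamic records (those carrying a timestamp) older than the zone's no-refresh plus refresh intervals are ever scavenged, and static records are never removed. The DNS Server log event IDs 2501 and 2502 are quoted from memory; confirm them on your server version.

```powershell
# Added example: explain why a record does (not) get scavenged, and read the
# result of the last scavenging cycles from the DNS Server event log.
Import-Module DnsServer -ErrorAction Stop

$Zone = 'dpcs.org'   # zone from the thread
$Dns  = 'DC1'        # DNS server from the thread

function Get-ScavengeState {
    # Scavenging needs two switches: the server-level one and aging on the zone.
    # If ScavengeServers is set, only those servers will scavenge this zone.
    $srv  = Get-DnsServerScavenging -ComputerName $Dns
    $zone = Get-DnsServerZoneAging  -Name $Zone -ComputerName $Dns
    [pscustomobject]@{
        ServerScavenging  = $srv.ScavengingState
        ServerInterval    = $srv.ScavengingInterval
        LastScavengeTime  = $srv.LastScavengeTime
        ZoneAgingEnabled  = $zone.AgingEnabled
        NoRefreshInterval = $zone.NoRefreshInterval
        RefreshInterval   = $zone.RefreshInterval
        ScavengeServers   = $zone.ScavengeServers
    }
}

function Get-RecordScavengeStatus {
    # A record is a candidate only when it is dynamic (Timestamp set) and that
    # timestamp is older than NoRefresh + Refresh. Static records (no Timestamp)
    # are never removed, which is the usual reason an old host A record outlives
    # every scavenging cycle.
    $zone   = Get-DnsServerZoneAging -Name $Zone -ComputerName $Dns
    $cutoff = (Get-Date) - ($zone.NoRefreshInterval + $zone.RefreshInterval)
    Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ComputerName $Dns |
        ForEach-Object {
            $reason = if (-not $_.Timestamp)           { 'Static: never scavenged' }
                      elseif ($_.Timestamp -gt $cutoff) { 'Dynamic: still inside aging window' }
                      else                              { 'Dynamic: eligible for scavenging' }
            [pscustomobject]@{
                Host      = $_.HostName
                IP        = $_.RecordData.IPv4Address
                Timestamp = $_.Timestamp
                Reason    = $reason
            }
        }
}

# Usage
Get-ScavengeState | Format-List
Get-RecordScavengeStatus | Where-Object { $_.Reason -notlike 'Dynamic: eligible*' } |
    Sort-Object Host | Format-Table -AutoSize

# What the last cycles actually did: the DNS Server log records each pass
# (2501 when nodes were removed, 2502 when none were; IDs from memory).
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501, 2502 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A stale record that shows up as "Static: never scavenged" will not go away on its own; either delete it (as the expert suggested earlier in the thread) or, if it should be subject to aging, mark it dynamic with Set-DnsServerResourceRecordAging so future cycles can remove it once it stops being refreshed.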