Solved

Kerberos event id 4 on 2003 servers

Posted on 2010-11-28
Last Modified: 2012-05-10
I have two servers, a PDC and a backup DC; each is running Windows Standard Server 2003.

I am having a problem with file replication.

The new DC was a standard server and I promoted it to a backup domain controller. When installing the DC I chose the secondary controller option, and the promotion went fine.

The setup on each server is as follows.
   The PDC services are DNS, DHCP, WINS, and remote services.

   The secondary DC has DNS.

What is happening is, after I installed DNS on the secondary DC, all heck broke loose. The secondary DC decided to overwrite the DNS on the PDC and ruined it. I had to get help from EE to fix this problem; thank you ChiefIT.

Now what I am getting is a Kerberos error id 4 on both servers.
Looking at the error messages, the PDC is saying “the Kerberos client received an error from the server host/SecondDC.Mydomain.com. The target name used was Mydomain\SecondDC$.”

The SecondDC is getting the same type of Kerberos error id 4, but the server name is PDC instead of SecondDC$.

What I am seeing in the messages is two different domain names, Mydomain.com and Mydomain.
I remember reading in an article about DNS by ChiefIT that there could be a problem with DNS if Sysvol has a subdirectory of itself.

I looked on both servers and yes, they do have two Sysvol directories; the Sysvol subdirectory is the one being shared.

Could this be the problem causing the Kerberos errors?

Please give me some help to fix the Kerberos errors.
Question by: LcookHRC

9 Comments
Expert Comment by: losip (LVL 9)
I think it's more likely to be name resolution errors where there's either something still wrong with DNS, or the machine accounts have got screwed, or there are entries for one or both of the servers in the hosts file.  Could you check that the hosts files on both machines are empty; that you have different hard-coded IP addresses on each; and that the DNS entries for both servers reflect their actual IP addresses.  You should remember that there are many entries in DNS for DC servers under _sites, _tcp, _udp, DomainDNSzones and ForestDnsZones.  You should check through these tree branches that the entries are consistent.
Author Comment by: LcookHRC
The DNS on both servers is fine; I ran dcdiag /test and it came back all passed.

In both of the servers' DNS I have
   Same as Host - Name Server (NS) - PDC.MyDomain.com
   Same as Host - Name Server (NS) - SecondDC.MyDomain.com
   Same as Host - Host (A) - PDC hard IP address
   Same as Host - Host (A) - SecondDC hard IP address

I looked in all the folders and they are consistent with what I have listed, except in one folder it has a Kerberos and an LDAP entry.

The hosts file is empty except for an IP address that is 120.0.0.1 hosts.

Looking at the error again, it is wanting to find the DC from a domain that is the domain name without the .com. It is the domain name that I use to add users to Active Directory.
It looks like I am dealing with two domains: one that is like a local domain for each server and one that is like a global domain.
Expert Comment by: losip (LVL 9)
I'd next try resetting the computer accounts using netdom.

By the way, are you running WINS as well as DNS?
Author Comment by: LcookHRC
When you say reset the computer accounts, do you mean the PDC and SecondDC?
And how would that affect them getting back into the domain?

Here is something I need to ask, and it may not be relevant.
Why do I see what looks like two domains? The reason I ask is because there seem to be two administrators, a MyDomain\Administrator and a MyDomain.com\Administrator.
When I look in the properties of, say, the C: folder of the domain controller, the owner is Mydomain\Administrator.

Yes, WINS and DNS.
Expert Comment by: losip (LVL 9)
Oh, that's definitely not right, assuming you intend to have just one domain.  There should only be one Administrator account in each security context, i.e. domain and member server.

Resetting the computer accounts with netdom just gets them back into synchronism and doesn't affect their domain membership, but in view of what you've now got with the apparent two domains, I don't think it will make any difference.

I think at this point I would demote the new DC and remove it from the domain (to a workgroup) and examine DNS carefully to see that it has got rid of the appropriate records and that only the top-level A record remains.  Also check in AD that the computer is no longer shown, either as a DC or as a member server.  Only once DNS is working properly would I start over and add the new computer to the domain, then promote it to DC, then add the other roles you wish such as DNS.

Please also consider removing WINS unless you have some legacy clients that won't work with DNS.
0
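The checks losip lists in his first comment (hosts files empty, distinct static addresses, A records matching, the _tcp / _udp / DomainDnsZones / ForestDnsZones SRV branches consistent on both DCs) and the post-demotion check in his later comment (only the surviving DC's records left) can be scripted. The following is an added example, not code from the thread or from Experts Exchange; it assumes the domain name MyDomain.com, the two DC names from the question, constructed placeholder IPs (192.0.2.10 and 192.0.2.11), and the Resolve-DnsName cmdlet, which exists on Windows 8 / Server 2012 and later, so it is run from an admin workstation against each DC's DNS service rather than on the 2003 servers themselves.

```powershell
# Added example (not from the thread). Assumed values below: adjust to your domain.
$Domain = 'MyDomain.com'                        # assumption: the AD DNS domain name
$ExpectedDCs = @{                               # assumption: DC FQDN -> its static IP
    'PDC.MyDomain.com'      = '192.0.2.10'      # constructed placeholder addresses
    'SecondDC.MyDomain.com' = '192.0.2.11'
}
[string[]]$DnsServers = @($ExpectedDCs.Values)  # query the DNS service on each DC in turn

# SRV names every DC must register; the _sites branch is per site, so add
# "_ldap._tcp.<SiteName>._sites.$Domain" once you know the site name.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_ldap._tcp.DomainDnsZones.$Domain",
    "_ldap._tcp.ForestDnsZones.$Domain"
)

function Test-DcDnsConsistency {
    param([string[]]$Servers, [hashtable]$Expected, [string[]]$Srv)
    $findings = @()
    $srvTargets = @{}
    foreach ($server in $Servers) {
        # 1. Each DC's A record, as served by this DNS server, must be its expected static IP.
        #    -DnsOnly bypasses the local hosts file and cache so we see what DNS really says.
        foreach ($dc in $Expected.Keys) {
            try {
                $a = Resolve-DnsName -Name $dc -Type A -Server $server -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
            } catch { $findings += "[$server] no A record for $dc ($($_.Exception.Message))"; continue }
            if ((@($a) -join ',') -ne $Expected[$dc]) {
                $findings += "[$server] $dc resolves to '$(@($a) -join ',')', expected $($Expected[$dc])"
            }
        }
        # 2. Every SRV branch must list exactly the expected DCs and nothing else
        #    (a stale entry for a demoted or renamed DC shows up here).
        foreach ($name in $Srv) {
            try {
                $targets = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'SRV' } |
                           ForEach-Object { $_.NameTarget.ToLower() } | Sort-Object -Unique
            } catch { $findings += "[$server] no SRV records for $name"; continue }
            $srvTargets["$server|$name"] = @($targets)
            foreach ($t in $targets) {
                if (-not $Expected.ContainsKey($t)) { $findings += "[$server] $name points at unexpected host $t" }
            }
            foreach ($dc in $Expected.Keys) {
                if ($targets -notcontains $dc.ToLower()) { $findings += "[$server] $name is missing $dc" }
            }
        }
    }
    # 3. Both DCs' DNS services must agree with each other for every SRV name.
    foreach ($name in $Srv) {
        $views = $Servers | ForEach-Object { ($srvTargets["$_|$name"] -join ',') } | Sort-Object -Unique
        if (@($views).Count -gt 1) { $findings += "$name differs between DNS servers: $($views -join ' vs ')" }
    }
    $findings
}

function Test-HostsFile {
    # Run this part on each DC: any hosts entry for a DC name or DC IP overrides DNS.
    param([hashtable]$Expected)
    $path  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $names = $Expected.Keys | ForEach-Object { $_.ToLower(); ($_ -split '\.')[0].ToLower() }
    Get-Content $path | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } | ForEach-Object {
        $fields = @(($_ -split '\s+') | Where-Object { $_ })
        if ($fields.Count -lt 2) { return }
        $ip = $fields[0]
        foreach ($h in $fields[1..($fields.Count - 1)]) {
            if ($names -contains $h.ToLower() -or $Expected.Values -contains $ip) {
                "hosts file pins $h to $ip; remove it so DNS is authoritative"
            }
        }
    }
}

$report  = @(Test-DcDnsConsistency -Servers $DnsServers -Expected $ExpectedDCs -Srv $SrvNames)
$report += @(Test-HostsFile -Expected $ExpectedDCs)
if ($report.Count -eq 0) { 'DNS and hosts entries are consistent for both DCs.' } else { $report }
```

Every finding names the DNS server that gave the answer, so a record that exists on one DC but not the other (the replication symptom in the question) stands out as a "differs between DNS servers" line. After demoting the second DC as losip suggests, rerun it with only the surviving DC left in $ExpectedDCs: any "points at unexpected host" line is a stale record that dcpromo did not clean up and that must go before the machine is re-added.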
Author Comment by: LcookHRC
Sorry, I have not been back. I have been looking into the problem and going over my options.

One. I will have to create a new domain. We are scheduled to update the servers next year, so that would be a good time. I will create a parallel network, create the domain, and then move over to the new network. I will keep the same domain name.

Two. In the meantime I will keep this network limping along. For the first time I got 1030s and 1058s, but got them cleared up.

Some of the things I was going to try.
   I was going to back the DNS off of the Second Domain Controller (SDC) but had something strange happen.
   When I selected to downgrade, the message came back saying that this was the only domain controller on the network. I canceled out.
   I am guessing that this is one of the reasons for the Kerberos error. SDC thinks it is in a different subdomain, and there can only be one computer id per domain.
Should I continue with the downgrade of the SDC to take the DNS off of the server?

I looked into the problem of the two domains, and all I can put together is that the person before me must have changed the domain name but did not clean up the old domain. I did not catch it until I added the second DC.
Expert Comment by: losip (LVL 9)
Gosh, that sounds like quite a hash of two domains.  If you are going to have the opportunity to start again next year (only 30 days away!), then I would leave well alone, as it seems sensible to limp on for now.  However, I would suggest not using the same domain name if you are going to need ANY co-existence.  The workstations are going to have to be re-added to the domain whether or not the domain name is preserved.
Author Comment by: LcookHRC
Well, next year is not that far, but getting the servers will be in the second quarter.

Nope, not going to have any co-existence. Everything will get moved at once. If you are wondering how that can be, well, it is because I do not have that large of a workgroup using this domain name.
Would it be a good idea to force replication from the PDC to the SDC, just to have the same information on both servers?
Have any suggestions on where to get a good step-by-step on creating a domain?
I will have time to plan.
Accepted Solution by: losip (LVL 9), earned 500 total points
If it's all working now, I would leave well alone and not touch anything until you build the new one.  If it isn't replicating by itself, then there's something wrong, and I doubt forced replication would work; it may break something else.

There is a ton of stuff on the internet about building domains and the associated infrastructure.  You could start with http://technet.microsoft.com/en-us/library/cc501481.aspx.  This is actually part of working towards a hosted Exchange infrastructure, but the principles of building a domain apply.

If you have three or four surplus PCs, you could create a "lab" network isolated from your live network and practice building a domain: two DCs, a member server and a client.  This will give you confidence when you get to build the real one next year.