Kerberos event id 4 on 2003 servers

I have two servers PDC and a backup DC each are running Windows Standard Server 2003.

I am having problem with file replication.

The new DC was a standard server and I promoted it to a backup domain controller. When installing the DC I chose the secondary controller, and the promotion went fine.

The setup on each server is as follows.
   The PDC services are, DNS, DHCP, WINs, remote services.

   The secondary DC has DNS.

What is happening is after I installed the DNS on the secondary DC all heck broke loose. The secondary DC decided to over write the DNS on the PDC and ruined it. I had to get help from EE to fix this problem,
thank you ChiefIT.

Now what I am getting is a Kerberos error id 4 on both servers.
Looking at the error messages the PDC is saying “the Kerberos client received a error from the server host/ The target name used was Mydomain\SecondDC$.

The SecondDC is getting the same type Kerberos error id 4 but the server name is PDC instead of SecondDC$

What I am seeing in the messages is two different domain names, and Mydomain.
I remember reading from an article about DNS by ChiefIT that there could be a problem with DNS if
Sysvol has a subdirectory of itself.

I looked on both servers and yes they do have two Sysvol directories the Sysvol subdirectory is the one being shared.

Could this be the problem causing the Kerberos errors?

Please give me some help to fix the Kerberos errors.
Who is Participating?
If it's all working now, I would leave well alone and not touch anything until you build the new one.  If it isn't replicating by itself, then there's something wrong and I doubt forced replication would work and may break something else.

There is a ton of stuff on the internet about building domains and the associated infrastructure.  You could start with  This is actually part of working towards hosted Exchange insfrastructure, but the principles of building a domain apply.

If you have a three or four surplus PCs, you could create a "lab" network isolated from your live network and practice building a domain: two DCs, a member server and a client.  This will give you confidence when you get to build the real one next year.
I think it's more likely to be name resolution errors where there's either something still wrong with DNS, or the machine accounts have got screwed, or there are entries for one or both of the servers in the hosts file.  Could you check that the hosts file on both machines are empty; that you have different hard-coded IP addresses on each and that the DNS entries for both servers reflect their actual IP addresses.  You should remeber that there many entries in DNS for DC servers under _sites; _tcp; _udp; DomainDNSzones and ForestDnsZones.  You should cehck through these tree branches that the entries are consistent.
LcookHRCAuthor Commented:
The DNS on both servers are fine ran, dcdiag /test  came back all passed.

In both of the servers DNS I have
   Same as Host  - Name Server NS  -
   Same as Host - Name Server NS   -
   Same as Host -   HostA      -  PDC hard ip address
   Same as Host -   HostA      - SecondDC hard ip address

Looked in all the folders and they are consistent with what I have listed. except in one folder it has kerberos and a LDAP

In the Host.file it is empty except for a ip address that is hosts,

Looking at the error again it is wanting to find the DC from a domain that is the domain name without the .com. It is the domain name that I use to add users to the active directory.
It looks like I am dealing with two domains. One that is like a local domain for each server and one that is like a global domain.
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

I'd next try resetting the computer accounts using netdom.

By the way, are running WINS as well as DNS?
LcookHRCAuthor Commented:
When you say reset the computer accounts you are meaning the PDC and SecondDC?
And how would that affect them getting back in the domain?

here is something I need to ask and it may not be relevent.
Why do I  see what looks like two domains. The reason I ask is because there seems to be two administrators, a MyDomain\Administrator and a\Administrator.
When I look in the properties of say the c: folder of the domain controler the owner is Mydomain\Administrator.

Yes Wins and DNS
Oh that's definitely not right assuming you intend to have just one domain.  There should only be one Administrator account in each security context, i.e. domain and member server.

Resetting the computer accounts with netdom just gets them back into synchronism and doesn't affect their domain membership but, in view of what you've now got with the apparent two domains, I don't think it will make any difference.

I think at this point I would demote the new DC and remove is from the domain (to a workgroup) and examine DNS carefully to see that it has got rid of the appropriate records and that only the top level A record remains.  Also check in AD that the computer is no longer shown not only as a DC but also as a member server.  Only once DNS is working properly would I start over and add the new computer to the domain, then promote it to DC then add the other roles you wish such as DNS.

Please also consider removing WINS unless you have some legacy clients that won't work with DNS.  
LcookHRCAuthor Commented:
Sorry, Have not been back. I have been looking into the problem and going over my options.

One. I will have to create a new domain, we are scheduled to update the servers next year so that would be a good time. I will create a parallel network and create the domain and then move over to the new network. I will keep the same domain name.

Two. In the mean time I will keep this network limping along, for the first time I got 1030's and 1058's but
    got them cleared up.

Some of the things I was going to try.
   I was going to back the DNS off of the Second Domain Controller (SDC) but had something strange happen.
   When I selected to downgrade the message came back saying that this was the only domain controller on the network. I canceled out.
   I am guessing that this is one of the reasons for the Kerberos error. SDC thinks it is in a different subdomain and there can only be one computer id per domain.
Should I continue with the down grade of the SDC to take the DNS off of the server?

I looked into the problem of the two domains and all I can put together is that the person before me must have changed the domain name but did not clean up the old domain. I did not catch it until I added the second DC.
Gosh, that sounds like quite a hash of two domains.  If you are going to have the opportunity to start again next year (only 30 days away!), then I would leave well alone as it seems sensible to limp on for now.  However, I would suggest not using the same domain name if you are going to need ANY co-existence.  The workstations are going to have to be re-added to the domain whether or not the domain name is preserved.
LcookHRCAuthor Commented:
We next year is not that far but getting the servers are will be in second quarter.

Nope, Not going tohave any co-esistence. Everything will get moved at once. If you are wondering how can that be. Well it is because I do not have that large of a work group that is using this domain name.
Would it be a good idea to force replicated from the PDC to the SDC? Just to have the same information on both servers
Have any suggestions on where to get a good step by step on creating a Domain?
I will have time to plan.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.