Solved

Kerberos event id 4 on 2003 servers

Posted on 2010-11-28
Last Modified: 2012-05-10
I have two servers, a PDC and a backup DC; each is running Windows Standard Server 2003.

I am having a problem with file replication.

The new DC was a standard server and I promoted it to a backup domain controller. When installing the DC I chose the secondary controller, and the promotion went fine.

The setup on each server is as follows.
   The PDC services are DNS, DHCP, WINS, and remote services.

   The secondary DC has DNS.

What is happening is after I installed the DNS on the secondary DC all heck broke loose. The secondary DC decided to overwrite the DNS on the PDC and ruined it. I had to get help from EE to fix this problem, thank you ChiefIT.

Now what I am getting is a Kerberos error id 4 on both servers.
Looking at the error messages, the PDC is saying “the Kerberos client received an error from the server host/SecondDC.Mydomain.com. The target name used was Mydomain\SecondDC$.”

The SecondDC is getting the same type of Kerberos error ID 4, but the server name is PDC instead of SecondDC$.

What I am seeing in the messages is two different domain names, Mydomain.com and Mydomain.
I remember reading in an article about DNS by ChiefIT that there could be a problem with DNS if Sysvol has a subdirectory of itself.

I looked on both servers and yes, they do have two Sysvol directories; the Sysvol subdirectory is the one being shared.

Could this be the problem causing the Kerberos errors?

Please give me some help to fix the Kerberos errors.
Question by:LcookHRC
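As an added example (not from the question or any reply), a small Python triage script that pulls the two names out of the event ID 4 messages logged on both DCs: it checks that the NetBIOS name in the target (Mydomain) maps to the DNS domain of the server principal (Mydomain.com) rather than being a second domain, that the target machine account matches the host actually contacted, and whether the two DCs are rejecting each other's tickets. The sample messages and the domain mapping are constructed for the example.

```python
import re
from dataclasses import dataclass

# Captures the server principal (service/FQDN) and target account (NETBIOS\name$) in an ID 4 message.
EVENT_RE = re.compile(
    r"from the server (?P<spn>[\w.-]+/[\w.-]+)\.\s+"
    r"The target name used was (?P<target>[\w.-]+\\[\w.-]+\$)\."
)

@dataclass
class Finding:
    reporter: str      # machine whose System log holds the event
    peer: str          # short host name of the server that rejected the ticket
    same_domain: bool  # NetBIOS domain in the target maps to the FQDN's DNS domain
    name_match: bool   # target machine account matches the server's host name

def parse_event(reporter, message, dns_to_netbios):
    m = EVENT_RE.search(message)
    if not m:  # not an ID 4 message we can read
        return None
    _service, fqdn = m.group("spn").split("/", 1)
    host, _, dns_domain = fqdn.partition(".")
    nb_domain, _, account = m.group("target").partition("\\")
    expected_nb = dns_to_netbios.get(dns_domain.lower())
    return Finding(
        reporter=reporter,
        peer=host,
        same_domain=expected_nb is not None and expected_nb.lower() == nb_domain.lower(),
        name_match=account.rstrip("$").lower() == host.lower(),
    )

def triage(events, dns_to_netbios):
    # Parse every event, then list peers that are also reporters: DCs rejecting each other's tickets.
    findings = [f for f in (parse_event(r, m, dns_to_netbios) for r, m in events) if f]
    reporters = {f.reporter.lower() for f in findings}
    mutual = sorted({f.peer.lower() for f in findings if f.peer.lower() in reporters})
    return findings, mutual

# Assumed mapping for this forest: one DNS domain with one NetBIOS name, not two domains.
DNS_TO_NETBIOS = {"mydomain.com": "Mydomain"}
# Constructed sample messages, worded like the event quoted in the question (not real exports).
EVENTS = [
    ("PDC", "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
            "host/SecondDC.Mydomain.com. The target name used was Mydomain\\SecondDC$."),
    ("SecondDC", "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
                 "host/PDC.Mydomain.com. The target name used was Mydomain\\PDC$."),
    ("PDC", "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "  # stale name
            "host/FileSrv.Mydomain.com. The target name used was Mydomain\\OldFileSrv$."),
]
```

A finding with `same_domain` true for both DCs shows the Mydomain / Mydomain.com pair is one domain seen by its NetBIOS and DNS names; `mutual` listing both DCs is the symmetric failure the question describes, pointing at the machine accounts or name resolution rather than a second domain.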
9 Comments

Expert Comment

by:losip
ID: 34226074
I think it's more likely to be name resolution errors where there's either something still wrong with DNS, or the machine accounts have got screwed, or there are entries for one or both of the servers in the hosts file.  Could you check that the hosts files on both machines are empty; that you have different hard-coded IP addresses on each and that the DNS entries for both servers reflect their actual IP addresses.  You should remember that there are many entries in DNS for DC servers under _sites; _tcp; _udp; DomainDNSzones and ForestDnsZones.  You should check through these tree branches that the entries are consistent.

Author Comment

by:LcookHRC
ID: 34226317
The DNS on both servers is fine; I ran dcdiag /test and it came back all passed.

In both of the servers' DNS I have
   Same as Host - Name Server (NS) - PDC.MyDomain.com
   Same as Host - Name Server (NS) - SecondDC.MyDomain.com
   Same as Host - Host (A)         - PDC hard IP address
   Same as Host - Host (A)         - SecondDC hard IP address

Looked in all the folders and they are consistent with what I have listed, except that one folder has a Kerberos and an LDAP entry.

The hosts file is empty except for an IP address, 120.0.0.1 hosts.

Looking at the error again it is wanting to find the DC from a domain that is the domain name without the .com. It is the domain name that I use to add users to the active directory.
It looks like I am dealing with two domains. One that is like a local domain for each server and one that is like a global domain.

Expert Comment

by:losip
ID: 34226493
I'd next try resetting the computer accounts using netdom.

By the way, are you running WINS as well as DNS?

Author Comment

by:LcookHRC
ID: 34227441
When you say reset the computer accounts you are meaning the PDC and SecondDC?
And how would that affect them getting back in the domain?

Here is something I need to ask and it may not be relevant.
Why do I see what looks like two domains? The reason I ask is because there seem to be two administrators, a MyDomain\Administrator and a MyDomain.com\Administrator.
When I look in the properties of, say, the C: folder of the domain controller, the owner is Mydomain\Administrator.

Yes, WINS and DNS.

Expert Comment

by:losip
ID: 34228384
Oh that's definitely not right assuming you intend to have just one domain.  There should only be one Administrator account in each security context, i.e. domain and member server.

Resetting the computer accounts with netdom just gets them back into synchronism and doesn't affect their domain membership but, in view of what you've now got with the apparent two domains, I don't think it will make any difference.

I think at this point I would demote the new DC and remove it from the domain (to a workgroup) and examine DNS carefully to see that it has got rid of the appropriate records and that only the top level A record remains.  Also check in AD that the computer is no longer shown not only as a DC but also as a member server.  Only once DNS is working properly would I start over and add the new computer to the domain, then promote it to DC, then add the other roles you wish such as DNS.

Please also consider removing WINS unless you have some legacy clients that won't work with DNS.  
Author Comment

by:LcookHRC
ID: 34260900
Sorry, I have not been back. I have been looking into the problem and going over my options.

One. I will have to create a new domain, we are scheduled to update the servers next year so that would be a good time. I will create a parallel network and create the domain and then move over to the new network. I will keep the same domain name.

Two. In the meantime I will keep this network limping along; for the first time I got 1030's and 1058's but got them cleared up.

Some of the things I was going to try.
   I was going to back the DNS off of the Second Domain Controller (SDC) but had something strange happen.
   When I selected to downgrade, the message came back saying that this was the only domain controller on the network. I canceled out.
   I am guessing that this is one of the reasons for the Kerberos error. SDC thinks it is in a different subdomain and there can only be one computer ID per domain.
Should I continue with the downgrade of the SDC to take the DNS off of the server?

I looked into the problem of the two domains and all I can put together is that the person before me must have changed the domain name but did not clean up the old domain. I did not catch it until I added the second DC.

Expert Comment

by:losip
ID: 34261556
Gosh, that sounds like quite a hash of two domains.  If you are going to have the opportunity to start again next year (only 30 days away!), then I would leave well alone as it seems sensible to limp on for now.  However, I would suggest not using the same domain name if you are going to need ANY co-existence.  The workstations are going to have to be re-added to the domain whether or not the domain name is preserved.
Author Comment

by:LcookHRC
ID: 34262550
Well, next year is not that far, but getting the servers will be in the second quarter.

Nope, not going to have any co-existence. Everything will get moved at once. If you are wondering how that can be, well, it is because I do not have that large a work group using this domain name.
Would it be a good idea to force replication from the PDC to the SDC, just to have the same information on both servers?
Have any suggestions on where to get a good step by step on creating a Domain?
I will have time to plan.

Accepted Solution

by:losip (earned 500 total points)
ID: 34265025
If it's all working now, I would leave well alone and not touch anything until you build the new one.  If it isn't replicating by itself, then there's something wrong and I doubt forced replication would work and may break something else.

There is a ton of stuff on the internet about building domains and the associated infrastructure.  You could start with http://technet.microsoft.com/en-us/library/cc501481.aspx.  This is actually part of working towards a hosted Exchange infrastructure, but the principles of building a domain apply.

If you have three or four surplus PCs, you could create a "lab" network isolated from your live network and practice building a domain: two DCs, a member server and a client.  This will give you confidence when you get to build the real one next year.