LcookHRC (United States of America) asked:
Kerberos event id 4 on 2003 servers

I have two servers, a PDC and a backup DC; each is running Windows Standard Server 2003.

I am having a problem with file replication.

The new DC was a standard server and I promoted it to a backup domain controller. When installing the DC I chose the secondary controller, and the promotion went fine.

The setup on each server is as follows.
   The PDC services are DNS, DHCP, WINS, remote services.
   The secondary DC has DNS.

What is happening is that after I installed DNS on the secondary DC, all heck broke loose. The secondary DC decided to overwrite the DNS on the PDC and ruined it. I had to get help from EE to fix this problem; thank you ChiefIT.

Now what I am getting is a Kerberos error ID 4 on both servers.
Looking at the error messages, the PDC is saying "the Kerberos client received an error from the server host/SecondDC.Mydomain.com. The target name used was Mydomain\SecondDC$."

The SecondDC is getting the same type of Kerberos error ID 4, but the server name is PDC instead of SecondDC$.

What I am seeing in the messages is two different domain names, Mydomain.com and Mydomain.
I remember reading in an article about DNS by ChiefIT that there could be a problem with DNS if Sysvol has a subdirectory of itself.

I looked on both servers and yes, they do have two Sysvol directories; the Sysvol subdirectory is the one being shared.

Could this be the problem causing the Kerberos errors?

Please give me some help to fix the Kerberos errors.
losip

I think it's more likely to be name resolution errors where there's either something still wrong with DNS, or the machine accounts have got screwed, or there are entries for one or both of the servers in the hosts file.  Could you check that the hosts file on both machines is empty; that you have different hard-coded IP addresses on each; and that the DNS entries for both servers reflect their actual IP addresses.  You should remember that there are many entries in DNS for DC servers under _sites, _tcp, _udp, DomainDnsZones and ForestDnsZones.  You should check through these tree branches that the entries are consistent.
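The checks losip lists (hosts file, hard-coded addresses, and the DC locator records under _msdcs, _tcp, _udp, DomainDnsZones and ForestDnsZones) can be run in one pass on each DC. The script below is an added example, not code from this thread or from any participant; it targets the PowerShell available on Windows Server 2003 and parses the output of nslookup, which is on every box. The domain name, the two DC names, the site name and the expected IP addresses are assumptions and placeholders to replace with your own.

```powershell
# Added example (not from the thread): name-resolution sanity checks for a two-DC domain.
# Run on each DC. Every name and address below is an assumption/placeholder.
$domain   = 'MyDomain.com'
$site     = 'Default-First-Site-Name'   # AD site name used under _sites
$expected = @{                          # DC FQDN (lower case) -> its statically configured IP
    'pdc.mydomain.com'      = '192.0.2.10'   # placeholder
    'seconddc.mydomain.com' = '192.0.2.11'   # placeholder
}
$problems = @()

# 1. The hosts file must not override DNS for either DC; only comments/loopback are acceptable.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*(#|$)' } | ForEach-Object {
    if ($_ -notmatch '^\s*127\.0\.0\.1\s+localhost') { $problems += "hosts file entry overrides DNS: $_" }
}

# 2. Each DC's A record must resolve to its hard-coded address.
foreach ($fqdn in $expected.Keys) {
    $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    if ($ips -notcontains $expected[$fqdn]) {
        $problems += "$fqdn resolves to [$($ips -join ', ')], expected $($expected[$fqdn])"
    }
}

# 3. The locator SRV records that clients use to find a DC/KDC must exist and point only at known DCs.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$site._sites.dc._msdcs.$domain",
    "_kerberos._tcp.$domain",
    "_kerberos._udp.$domain",
    "_ldap._tcp.$domain",
    "_ldap._tcp.DomainDnsZones.$domain",
    "_ldap._tcp.ForestDnsZones.$domain"
)
foreach ($name in $srvNames) {
    $out     = (nslookup -type=SRV $name 2>&1) | Out-String
    # Windows nslookup prints one "svr hostname = <target>" line per SRV record
    $targets = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
               ForEach-Object { $_.Groups[1].Value.TrimEnd('.').ToLower() }
    if (-not $targets) { $problems += "no SRV record found for $name"; continue }
    foreach ($t in $targets) {
        if (-not $expected.ContainsKey($t)) { $problems += "$name points at unexpected host $t" }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "name resolution checks passed on $env:COMPUTERNAME" }
```

A stale hosts entry, an A record that no longer matches a DC's address, or an SRV record that still names a host other than the two DCs are each enough to make a Kerberos client build a ticket for the wrong target, so run this on both servers and compare the two reports rather than trusting either one alone.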
LcookHRC (ASKER)

The DNS on both servers is fine; I ran dcdiag /test and it came back all passed.

In both of the servers' DNS I have
   Same as Host - Name Server (NS) - PDC.MyDomain.com
   Same as Host - Name Server (NS) - SecondDC.MyDomain.com
   Same as Host - Host (A)         - PDC hard IP address
   Same as Host - Host (A)         - SecondDC hard IP address

Looked in all the folders and they are consistent with what I have listed, except in one folder it has Kerberos and an LDAP.

The hosts file is empty except for an IP address that is 120.0.0.1 hosts.

Looking at the error again, it is wanting to find the DC from a domain that is the domain name without the .com. It is the domain name that I use to add users to Active Directory.
It looks like I am dealing with two domains: one that is like a local domain for each server and one that is like a global domain.
losip

I'd next try resetting the computer accounts using netdom.

By the way, are you running WINS as well as DNS?
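The netdom reset losip refers to, written out as an added example (not posted by losip or anyone in the thread). It follows Microsoft's documented sequence for resetting a domain controller's own computer-account password: stop the KDC on the DC being reset, have netdom negotiate the new password with another DC, then start the KDC again. On Windows Server 2003, netdom and nltest come from the Support Tools. The host and account names are assumptions taken from the thread.

```powershell
# Added example (not from the thread): reset a DC's computer-account password with netdom.
# Run ON the DC whose account is being reset (assumed here to be SecondDC) as a domain admin.
$healthyDc = 'PDC.MyDomain.com'      # another DC that will accept the new password (assumption)
$adminUser = 'MyDomain\Administrator' # account used for the reset (assumption)

# Stop the local KDC first so this DC does not keep issuing tickets under the old account
# password while the reset is in progress.
Stop-Service -Name kdc

# Reset the password; '*' makes netdom prompt for the admin password instead of putting it
# on the command line (and in command history).
netdom resetpwd /server:$healthyDc /userd:$adminUser /passwordd:*

Start-Service -Name kdc

# Confirm the secure channel to the domain is healthy again.
nltest /sc_verify:MyDomain.com
```

Do one DC at a time and verify with nltest before touching the other, so that there is always one DC with a known-good secure channel to reset against.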
LcookHRC (ASKER)

When you say reset the computer accounts, you are meaning the PDC and SecondDC?
And how would that affect them getting back in the domain?

Here is something I need to ask, and it may not be relevant.
Why do I see what looks like two domains? The reason I ask is because there seem to be two administrators, a MyDomain\Administrator and a MyDomain.com\Administrator.
When I look in the properties of, say, the C: folder of the domain controller, the owner is Mydomain\Administrator.

Yes, WINS and DNS.
losip

Oh, that's definitely not right, assuming you intend to have just one domain.  There should only be one Administrator account in each security context, i.e. domain and member server.

Resetting the computer accounts with netdom just gets them back into synchronism and doesn't affect their domain membership but, in view of what you've now got with the apparent two domains, I don't think it will make any difference.

I think at this point I would demote the new DC and remove it from the domain (to a workgroup) and examine DNS carefully to see that it has got rid of the appropriate records and that only the top-level A record remains.  Also check in AD that the computer is no longer shown, not only as a DC but also as a member server.  Only once DNS is working properly would I start over and add the new computer to the domain, then promote it to DC, then add the other roles you wish such as DNS.

Please also consider removing WINS unless you have some legacy clients that won't work with DNS.
LcookHRC (ASKER)

Sorry, I have not been back. I have been looking into the problem and going over my options.

One. I will have to create a new domain; we are scheduled to update the servers next year, so that would be a good time. I will create a parallel network and create the domain and then move over to the new network. I will keep the same domain name.

Two. In the meantime I will keep this network limping along; for the first time I got 1030s and 1058s but got them cleared up.

Some of the things I was going to try:
   I was going to back the DNS off of the Second Domain Controller (SDC) but had something strange happen.
   When I selected to downgrade, the message came back saying that this was the only domain controller on the network. I canceled out.
   I am guessing that this is one of the reasons for the Kerberos error. SDC thinks it is in a different subdomain, and there can only be one computer ID per domain.
Should I continue with the downgrade of the SDC to take the DNS off of the server?

I looked into the problem of the two domains and all I can put together is that the person before me must have changed the domain name but did not clean up the old domain. I did not catch it until I added the second DC.
losip

Gosh, that sounds like quite a hash of two domains.  If you are going to have the opportunity to start again next year (only 30 days away!), then I would leave well alone as it seems sensible to limp on for now.  However, I would suggest not using the same domain name if you are going to need ANY co-existence.  The workstations are going to have to be re-added to the domain whether or not the domain name is preserved.

LcookHRC (ASKER)

Well, next year is not that far, but getting the servers will be in the second quarter.

Nope, not going to have any co-existence. Everything will get moved at once. If you are wondering how that can be, well, it is because I do not have that large of a workgroup that is using this domain name.
Would it be a good idea to force replication from the PDC to the SDC, just to have the same information on both servers?
Have any suggestions on where to get a good step-by-step on creating a domain?
I will have time to plan.
ASKER CERTIFIED SOLUTION
losip