Solved

Kerberos event id 4 on 2003 servers

Posted on 2010-11-28
Last Modified: 2012-05-10
I have two servers, a PDC and a backup DC; each is running Windows Standard Server 2003.

I am having a problem with file replication.

The new DC was a standard server and I promoted it to a backup domain controller. When installing the DC I chose the secondary controller, and the promotion went fine.

The setup on each server is as follows.
   The PDC services are DNS, DHCP, WINS, remote services.

   The secondary DC has DNS.

What is happening is that after I installed DNS on the secondary DC all heck broke loose. The secondary DC decided to overwrite the DNS on the PDC and ruined it. I had to get help from EE to fix this problem,
thank you ChiefIT.

Now what I am getting is a Kerberos error id 4 on both servers.
Looking at the error messages, the PDC is saying "the Kerberos client received an error from the server host/SecondDC.Mydomain.com. The target name used was Mydomain\SecondDC$."

The SecondDC is getting the same type of Kerberos error id 4, but the server name is PDC instead of SecondDC$.

What I am seeing in the messages is two different domain names, Mydomain.com and Mydomain.
I remember reading from an article about DNS by ChiefIT that there could be a problem with DNS if
Sysvol has a subdirectory of itself.

I looked on both servers and yes, they do have two Sysvol directories; the Sysvol subdirectory is the one being shared.

Could this be the problem causing the Kerberos errors?

Please give me some help to fix the Kerberos errors.
Question by:LcookHRC
9 Comments
 
LVL 9

Expert Comment

by:losip
ID: 34226074
I think it's more likely to be name resolution errors where there's either something still wrong with DNS, or the machine accounts have got screwed, or there are entries for one or both of the servers in the hosts file.  Could you check that the hosts file on both machines is empty; that you have different hard-coded IP addresses on each and that the DNS entries for both servers reflect their actual IP addresses.  You should remember that there are many entries in DNS for DC servers under _sites; _tcp; _udp; DomainDNSzones and ForestDnsZones.  You should check through these tree branches that the entries are consistent.
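The checks losip lists above (no DC names pinned in the hosts file, A records matching the hard-coded addresses, and consistent SRV records under _tcp, _udp, _sites, DomainDnsZones and ForestDnsZones) can be scripted so that both DCs' DNS services are compared side by side. The script below is an added example and is not from this thread or from losip; it assumes PowerShell 3.0 or later with the DnsClient module (Resolve-DnsName, available on Windows 8 / Server 2012 and later), run from a domain-joined admin workstation. The domain and DC names come from the thread; the IP addresses and the site name are placeholders to replace with your own.

```powershell
# Added example (not from the thread): hosts / DNS consistency checks for two DCs.
# Assumes PowerShell 3.0+ and the DnsClient module (Resolve-DnsName).
# Domain and DC names follow the thread; addresses and site name are placeholders.

$Domain      = 'MyDomain.com'
$ExpectedDCs = @{                                  # FQDN -> address hard-coded on that server
    'PDC.MyDomain.com'      = '192.0.2.10'         # constructed placeholder address
    'SecondDC.MyDomain.com' = '192.0.2.11'         # constructed placeholder address
}
$SiteName    = 'Default-First-Site-Name'           # assumption: change to your AD site name

function Test-HostsFile {
    # A DC name pinned in hosts bypasses DNS, so Kerberos may be sent to the wrong host
    # under the wrong name. Report any hosts line that names one of the DCs.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $dcNames  = @($ExpectedDCs.Keys) + @($ExpectedDCs.Keys | ForEach-Object { ($_ -split '\.')[0] })
    $findings = @()
    foreach ($raw in (Get-Content -Path $Path)) {
        $line = ($raw -split '#')[0].Trim()        # strip comments and blank lines
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($dcNames -contains $name) { $findings += "hosts pins $name to $($fields[0])" }
        }
    }
    return $findings
}

function Test-DCRecords {
    # Ask one DC's DNS service directly (-Server, -DnsOnly) and report A and SRV records
    # that disagree with the expected list: wrong addresses, stale targets, missing DCs.
    param([string]$DnsServer)
    $findings = @()
    foreach ($fqdn in $ExpectedDCs.Keys) {
        $a     = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
        $addrs = @($a | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($addrs -notcontains $ExpectedDCs[$fqdn]) {
            $findings += "$DnsServer : A record for $fqdn is [$($addrs -join ',')], expected $($ExpectedDCs[$fqdn])"
        }
    }
    # The SRV names a Windows DC registers; every one should list exactly the expected DCs.
    $srvNames = @(
        "_ldap._tcp.$Domain", "_kerberos._tcp.$Domain", "_kerberos._udp.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$SiteName._sites.$Domain",
        "_ldap._tcp.DomainDnsZones.$Domain", "_ldap._tcp.ForestDnsZones.$Domain"
    )
    foreach ($srv in $srvNames) {
        $rr      = Resolve-DnsName -Name $srv -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
        $targets = @($rr | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.TrimEnd('.') })
        foreach ($t in $targets) {
            if ($ExpectedDCs.Keys -notcontains $t) { $findings += "$DnsServer : $srv points at unexpected host $t" }
        }
        foreach ($fqdn in $ExpectedDCs.Keys) {
            if ($targets -notcontains $fqdn) { $findings += "$DnsServer : $srv is missing $fqdn" }
        }
    }
    return $findings
}

# Run the hosts check locally, then compare what each DC's own DNS service answers.
$report = @(Test-HostsFile)
foreach ($ip in $ExpectedDCs.Values) { $report += @(Test-DCRecords -DnsServer $ip) }
if ($report) { $report | ForEach-Object { Write-Warning $_ } }
else         { 'No hosts/DNS inconsistencies found for the listed DCs.' }
```

Run it once against each DC (the hosts check only sees the machine it runs on), and read the two DNS reports together: a record present on one server but not the other, or a target that is not one of the listed DCs, is the kind of inconsistency losip is asking about. The record set here is a checklist, not an exhaustive one; dcdiag /test:DNS remains the authoritative check.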
 

Author Comment

by:LcookHRC
ID: 34226317
The DNS on both servers is fine; I ran dcdiag /test and it came back all passed.

In both of the servers DNS I have
   Same as Host  - Name Server NS  - PDC.MyDomain.com
   Same as Host - Name Server NS   - SecondDC.MyDomain.com
   Same as Host -   HostA      -  PDC hard ip address
   Same as Host -   HostA      - SecondDC hard ip address

Looked in all the folders and they are consistent with what I have listed, except in one folder it has Kerberos and an LDAP.

The hosts file is empty except for an IP address that is 120.0.0.1 hosts.

Looking at the error again it is wanting to find the DC from a domain that is the domain name without the .com. It is the domain name that I use to add users to the active directory.
It looks like I am dealing with two domains. One that is like a local domain for each server and one that is like a global domain.
 
LVL 9

Expert Comment

by:losip
ID: 34226493
I'd next try resetting the computer accounts using netdom.

By the way, are you running WINS as well as DNS?
 

Author Comment

by:LcookHRC
ID: 34227441
When you say reset the computer accounts you are meaning the PDC and SecondDC?
And how would that affect them getting back in the domain?

Here is something I need to ask, and it may not be relevant.
Why do I see what looks like two domains? The reason I ask is because there seem to be two administrators, a MyDomain\Administrator and a MyDomain.com\Administrator.
When I look in the properties of, say, the C: folder of the domain controller, the owner is Mydomain\Administrator.

Yes, WINS and DNS.
LVL 9

Expert Comment

by:losip
ID: 34228384
Oh that's definitely not right assuming you intend to have just one domain.  There should only be one Administrator account in each security context, i.e. domain and member server.

Resetting the computer accounts with netdom just gets them back into synchronism and doesn't affect their domain membership but, in view of what you've now got with the apparent two domains, I don't think it will make any difference.

I think at this point I would demote the new DC and remove it from the domain (to a workgroup) and examine DNS carefully to see that it has got rid of the appropriate records and that only the top level A record remains.  Also check in AD that the computer is no longer shown either as a DC or as a member server.  Only once DNS is working properly would I start over and add the new computer to the domain, then promote it to DC, then add the other roles you wish such as DNS.

Please also consider removing WINS unless you have some legacy clients that won't work with DNS.
 

Author Comment

by:LcookHRC
ID: 34260900
Sorry, I have not been back. I have been looking into the problem and going over my options.

One. I will have to create a new domain, we are scheduled to update the servers next year so that would be a good time. I will create a parallel network and create the domain and then move over to the new network. I will keep the same domain name.

Two. In the meantime I will keep this network limping along; for the first time I got 1030's and 1058's but got them cleared up.

Some of the things I was going to try.
   I was going to back the DNS off of the Second Domain Controller (SDC) but had something strange happen.
   When I selected to downgrade, the message came back saying that this was the only domain controller on the network. I canceled out.
   I am guessing that this is one of the reasons for the Kerberos error. SDC thinks it is in a different subdomain, and there can only be one computer id per domain.
Should I continue with the downgrade of the SDC to take the DNS off of the server?

I looked into the problem of the two domains and all I can put together is that the person before me must have changed the domain name but did not clean up the old domain. I did not catch it until I added the second DC.
 
LVL 9

Expert Comment

by:losip
ID: 34261556
Gosh, that sounds like quite a hash of two domains.  If you are going to have the opportunity to start again next year (only 30 days away!), then I would leave well alone as it seems sensible to limp on for now.  However, I would suggest not using the same domain name if you are going to need ANY co-existence.  The workstations are going to have to be re-added to the domain whether or not the domain name is preserved.
 

Author Comment

by:LcookHRC
ID: 34262550
Well, next year is not that far, but getting the servers will be in the second quarter.

Nope, not going to have any co-existence. Everything will get moved at once. If you are wondering how that can be, well, it is because I do not have that large of a work group that is using this domain name.
Would it be a good idea to force replication from the PDC to the SDC? Just to have the same information on both servers.
Have any suggestions on where to get a good step by step on creating a domain?
I will have time to plan.
 
LVL 9

Accepted Solution

by:
losip earned 500 total points
ID: 34265025
If it's all working now, I would leave well alone and not touch anything until you build the new one.  If it isn't replicating by itself, then there's something wrong and I doubt forced replication would work and may break something else.

There is a ton of stuff on the internet about building domains and the associated infrastructure.  You could start with http://technet.microsoft.com/en-us/library/cc501481.aspx.  This is actually part of working towards hosted Exchange infrastructure, but the principles of building a domain apply.

If you have three or four surplus PCs, you could create a "lab" network isolated from your live network and practice building a domain: two DCs, a member server and a client.  This will give you confidence when you get to build the real one next year.