DC role Changes automatically from Server to Workstation

My DC is going down every week lately due to AD errors. Microsoft support has performed a machine type change using ADSIEDIT from Workstation to Server and reset the machine account. It works for a day, then something changes it back to Workstation!

AD value: userAccountControl = 69632 (0x1000 = WORKSTATION_TRUST_ACCOUNT ...)

It starts with Event ID 4 (Security-Kerberos), then follows with multiple Event ID 1058 and 1006 (GroupPolicy). The GroupPolicy errors are due to the Domain Controller not functioning.

Event ID 4
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was ldap/dc.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

On another standard server I see the following:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$.  The target name used was ldap/dc.DOMAIN.LOCAL/DOMAIN.LOCAL@DOMAIN.LOCAL. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.
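The userAccountControl value quoted above (69632) is a bitmask, and the bits that matter here are WORKSTATION_TRUST_ACCOUNT (0x1000) versus SERVER_TRUST_ACCOUNT (0x2000). The following decoder and DC sanity check is an added example, not code from the original post; it assumes the value has already been read from the machine account (for example via ADSIEDIT) and uses only the documented userAccountControl flag values.

```python
# Decode a userAccountControl bitmask and flag a DC whose trust type is wrong.
# Flag values are the documented userAccountControl bits (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",  # set on read-only DCs
}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def check_dc_account(name, value):
    """Report whether a DC machine account carries the trust type a DC needs.

    A writable DC must have SERVER_TRUST_ACCOUNT (0x2000) and must not carry
    WORKSTATION_TRUST_ACCOUNT (0x1000); an RODC instead has
    WORKSTATION_TRUST_ACCOUNT plus PARTIAL_SECRETS_ACCOUNT.
    Returns (ok, list_of_problems).
    """
    problems = []
    if value & 0x4000000:  # RODC
        if not value & 0x1000:
            problems.append("RODC without WORKSTATION_TRUST_ACCOUNT (0x1000)")
    else:
        if not value & 0x2000:
            problems.append("writable DC missing SERVER_TRUST_ACCOUNT (0x2000)")
        if value & 0x1000:
            problems.append("writable DC flagged WORKSTATION_TRUST_ACCOUNT (0x1000)")
    if value & 0x2:
        problems.append("account disabled")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed samples: the value quoted in the post, and a healthy writable DC
    # (SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION = 0x82000).
    for acct, uac in [("dc$", 69632), ("dc2$", 532480)]:
        ok, problems = check_dc_account(acct, uac)
        print(f"{acct}: {uac} (0x{uac:X}) = {', '.join(decode_uac(uac))}")
        print("  OK" if ok else "  PROBLEMS: " + "; ".join(problems))
```

Running the check on a schedule (or after each reset) shows immediately when the account has flipped back to 0x1000 before Kerberos Event ID 4 starts appearing.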

My best advice would be to reopen the case with MS Support. I am assuming you have a case number. Their criterion is to see the case through to completion, although be aware that sometimes that means "flatten and reinstall" or "restore from backup".
Comment: Machine account reset

Author: closed