
Kerberos errors 1925 & 4; NTFRS 13508, no access to shares on server across network

7 servers
All Domain Controllers

Server list & status as follows

1 - Kerberos Key Distribution running
3 - Kerberos Key Distribution running
4 - Kerberos Key Distribution running
5 - Kerberos Key Distribution running
6 - Kerberos Key Distribution running
A - Problem machine?
N - Kerberos Key Distribution running

Errors on A with Kerberos stopped:

Directory Service Event Viewer
Source NTDS KCC
ID  1925
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
CN=Configuration,DC=X,DC=local
Source domain controller:
CN=NTDS Settings,CN=6,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=HSPIPES,DC=local
Source domain controller address:
08227034-71fe-4291-9fd1-14c32f888e2f._msdcs.X.local
Intersite transport (if any):
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  
User Action
Verify if the source domain controller is accessible or network connectivity is available.
Additional Data
Error value:
8457 The destination server is currently rejecting replication requests.

Various "Directory Partitions"

A & 6

File Replication Service Event Viewer
Source NtFrs
ID 13508
The File Replication Service is having trouble enabling replication from 6 to A for c:\windows\sysvol\domain using the DNS name 6.X.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name hspserver6.HSPIPES.local from this computer.
 [2] FRS is not running on 6.X.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.


Now I start Kerberos Key Distribution on server A.

Kerberos is now running on all 7 servers.

Errors on A with Kerberos running:
Nothing to start with

Try to browse to \\N
\\n is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Logon failure: The target account name is incorrect.

Logged event as follows:
System Event Viewer
Source Kerberos
ID 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/N.X.local.  The target name used was cifs/N.X.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (X.LOCAL), and the client realm.   Please contact your system administrator.

Try to browse to \\6
Error same as above

All others accessible, however:

Logged event as follows:
System Event Viewer
Source Kerberos
ID 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/4.X.local.  The target name used was 4.

This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (X.LOCAL), and the client realm.   Please contact your system administrator.

Similar errors with ID 4 when some client PCs connect.

No events for servers 1, 3, & 5

After a while we get exactly the same set of Kerberos Errors (1925) (see top) as when Kerberos is not running. Just A & N as before.


Browsing to \\A (the problem server) from all servers fine, with or without Kerberos running!

My guess is that A has some sort of problem; but in particular what I don't understand is why it would dislike servers 6 & N, and be okay with the others!

Any assistance in how to fix this would be gratefully received.
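The Kerberos event ID 4 text above names its own most likely cause: the service ticket was encrypted with a key that differs from the target's current computer-account password. The script below is an added example, not code from the original thread, that tests exactly that by reading each DC's own copy of every DC's computer account and comparing the pwdLastSet values. A DC that holds a stale copy (for instance one restored from an old backup that has since stopped replicating) issues tickets under the old key and shows up as the odd one out. It assumes the domain is X.local, the DC names used in the thread, and a domain admin session on a host with LDAP (TCP 389) access to every DC.

```powershell
# Added example; not from the original thread. Compares each DC's view of
# every DC's computer-account password (pwdLastSet). Assumptions: domain
# X.local, DC names as in the thread, run as a domain admin with LDAP
# access to all DCs.

$domain   = 'X.local'
$domainDn = 'DC=X,DC=local'
$dcs      = '1','3','4','5','6','A','N'

function Get-PwdLastSetAsSeenBy {
    param([string]$QueriedDc, [string]$Account)
    # Bind through the named DC rather than the domain so the value comes
    # from that DC's own replica, not from whichever DC the locator picks.
    $dn    = "CN=$Account,OU=Domain Controllers,$domainDn"
    $entry = [ADSI]"LDAP://$QueriedDc.$domain/$dn"
    try {
        $ticks = $entry.ConvertLargeIntegerToInt64($entry.pwdLastSet.Value)
        [datetime]::FromFileTimeUtc($ticks)
    } catch {
        $null    # that DC is unreachable or does not hold the object
    }
}

function Compare-DcPasswordViews {
    param([string[]]$Dcs)
    foreach ($account in $Dcs) {
        $views = @{}
        foreach ($dc in $Dcs) {
            $views[$dc] = Get-PwdLastSetAsSeenBy -QueriedDc $dc -Account $account
        }
        $distinct = @($views.Values | Where-Object { $_ -ne $null } | Sort-Object -Unique)
        $newest   = $distinct | Select-Object -Last 1
        New-Object PSObject -Property @{
            Account    = $account
            Consistent = ($distinct.Count -le 1)
            # A DC whose copy is older than the newest copy anywhere is the
            # one that would encrypt tickets for this account with a stale key.
            StaleOn    = ($Dcs | Where-Object { $views[$_] -and $views[$_] -lt $newest }) -join ','
        }
    }
}

Compare-DcPasswordViews -Dcs $dcs | Format-Table Account, Consistent, StaleOn -AutoSize

# The event text's other suggested cause is a duplicate machine account.
# setspn -X (setspn.exe from Windows Server 2008 onward) lists duplicate
# SPNs forest-wide; nltest shows which DC this client is authenticating
# against, i.e. whose copy of the keys its tickets were issued under.
setspn -X
nltest /dsgetdc:$domain
```

Read the report by row: an account whose Consistent column is False, with the same DC listed under StaleOn every time, points at that DC's replica being out of date rather than at the targets. That matches the pattern in this thread, where only the server that had been restored from an older backup could not reach 6 and N, and it is a replication problem to chase, not a reason to reset the other servers' computer accounts.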
1 Solution
 
KaffiendCommented:
You have more than one domain?  "X" and "HSPipes"?

Is there a trust involved here?

Have you checked replication?  (Could be a replication problem with A and N)
 
seworbyAuthor Commented:
Sorry, the X was trying to genericise it by removing the actual domain name. There is only one domain and no trust involved.
Replication: yes, NTFRS is not replicating correctly between them, ID 13508, if that's what you mean?
Thanks for your help.
 
seworbyAuthor Commented:
I've now got loads of Userenv errors in the Application Log:
Source: Userenv
ID: 1006
Windows cannot bind to X.local domain. (Local Error). Group Policy processing aborted.

I did also have a message before about the Active Directory having been restored by an unrecognised method, but unfortunately I have lost that. I can't reproduce it, though I expect a reboot might.
 
KaffiendCommented:
Can you elaborate a little bit on your network architecture?  Are all the DCs in the same site, or are they in more than one site?  (Take a look at Active Directory Sites and Services)

Also, you might want to use repadmin to check if replication (or rather, the lack of it) is your problem.  
Repadmin usage examples here: http://technet.microsoft.com/en-us/library/cc773062%28v=ws.10%29.aspx

This could be a case of one or two of your DCs not having replicated with the rest of your AD for too long (But let's not jump the gun here just yet)
 
seworbyAuthor Commented:
Thanks; yes all the DC are in the same site, it's a single-site set-up.
I agree that lack of replication is the problem. From doing diagnostics it appears inbound and outbound replication is disabled on server A. I'm not sure why, but I'm a bit wary of just forcibly re-enabling it; I don't know what errors server A could try to push back to the other DCs...? If it would just get the latest "copy" from another server that would be fine, but I don't know if that's the way it works.
I may be better off doing a demote and re-promote on the problem server?
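The repadmin checks suggested above, and the finding that inbound and outbound replication are switched off on A, can be gathered in one pass. The script below is an added example, not code from the thread: it reads the replication flags on every DC, lists the failing links with their last error code, and looks on A for the Directory Service events a DC logs when it detects it was restored by an unsupported method (the message the author saw and then lost). It assumes the DC names and domain X.local from the thread, a domain admin session with RPC access to all DCs, and repadmin from the Windows Support Tools (2003) or the built-in copy (2008 onward). The event IDs are taken from Microsoft KB 875495 and should be treated as an assumption for your own build.

```powershell
# Added example; not from the original thread. Assumptions: DC names as in
# the thread, domain X.local, repadmin available, domain admin rights.

$dcs = '1','3','4','5','6','A','N'

function Get-ReplOptions {
    param([string]$Dc)
    # "repadmin /options <dc>" prints a line such as
    #   Current DSA Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
    $text = (repadmin /options $Dc 2>&1) | Out-String
    New-Object PSObject -Property @{
        DC               = $Dc
        InboundDisabled  = $text -match 'DISABLE_INBOUND_REPL'
        OutboundDisabled = $text -match 'DISABLE_OUTBOUND_REPL'
    }
}

function Get-FailingLinks {
    # Every inbound partnership that is failing, with its last error code.
    # 8457 ("destination server is currently rejecting replication
    # requests") is what a DC logs when its own inbound replication is
    # disabled; 8456 is the matching error seen by partners pulling from a
    # DC whose outbound replication is disabled.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $row = $_
            # Older repadmin labels the columns "Destination DSA"/"Source DSA",
            # newer builds "Destination DC"/"Source DC"; match either.
            $p = $row.PSObject.Properties
            New-Object PSObject -Property @{
                Destination = ($p | Where-Object { $_.Name -like 'Destination D*' -and $_.Name -notlike '*Site' } | Select-Object -First 1).Value
                Source      = ($p | Where-Object { $_.Name -like 'Source D*' -and $_.Name -notlike '*Site' } | Select-Object -First 1).Value
                Partition   = $row.'Naming Context'
                LastError   = $row.'Last Failure Status'
                LastSuccess = $row.'Last Success Time'
            }
        }
}

function Get-RollbackEvidence {
    param([string]$Dc)
    # Per KB 875495 (assumed IDs): a DC that detects it was restored by an
    # unsupported method (USN rollback) logs NTDS Replication event 2095 in
    # the Directory Service log, disables its own inbound and outbound
    # replication (events 1113/1115) and pauses Netlogon.
    $ids    = 2095, 2103, 1113, 1115
    $events = Get-EventLog -ComputerName $Dc -LogName 'Directory Service' -Newest 2000 |
        Where-Object { $ids -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Source
    New-Object PSObject -Property @{
        DC             = $Dc
        NetlogonStatus = (Get-Service -ComputerName $Dc -Name Netlogon).Status
        Events         = $events
    }
}

$dcs | ForEach-Object { Get-ReplOptions $_ } |
    Format-Table DC, InboundDisabled, OutboundDisabled -AutoSize
Get-FailingLinks | Format-Table Destination, Source, Partition, LastError, LastSuccess -AutoSize

$evidence = Get-RollbackEvidence -Dc 'A'
$evidence | Select-Object DC, NetlogonStatus
$evidence.Events | Format-Table -AutoSize
```

If A shows both flags set, a paused Netlogon and a 2095 event, the wariness expressed above is justified: clearing the flags with `repadmin /options A -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL` would put a DC back into service that has reused USNs its partners have already acknowledged, so they would silently skip its later changes. The supported way out of that state is the forced demotion and re-promotion the thread ends with, or a fresh, supported restore.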
 
KaffiendCommented:
That's (demote + promote) probably the fastest way.  Before you do that, though, you should first make sure the problem is limited to the one DC.  (Did you run through a few repadmin commands already?)

Also, the problem with this approach is, one hasn't determined the root cause of the problem, which may come up again in the future.

If you do go this route, demote, then allow a little time for replication so that all DCs know that the bad DC is gone, before you promote again (or, manually initiate replication - you can do this with AD Sites and Services)

With 7 DCs in your site, I'm wondering if you have more than just a flat network - maybe networking issues are what caused the issue in the first place (possibly VLANs and network-related access control between VLANs?).  You should probably look into that as well.
 
seworbyAuthor Commented:
I think the cause of the problem may be that Server A fell over (long story) some time ago, and I had to go back to a backup a couple of days old to restore. But this problem only came to light 10 days ago, and I have no events there to tie in. Is it possible the error/s lay dormant for a while if nothing much changed on the domain?
The other servers seem okay; I'm not aware of any networking issues.
 
KaffiendCommented:
Yes, a DC could keep running for a while with no visible/noticeable symptoms.

This command might come in handy (if you don't know this one already):
dcpromo /forceremoval
 
seworbyAuthor Commented:
Thanks; yes, that's what I did in the end.
Then I waited and re-promoted.
All seems well now.

For reference:
Use DCPROMO /forceremoval.
http://support.microsoft.com/kb/332199

Then do metadata cleanup
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Then re-promote.
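The three steps above (force demote, metadata cleanup, re-promote) are shown below as a scripted sequence with a check between each step, so the replacement DC is not built while the old one's objects are still in the directory. This is an added example, not code from the thread or the linked articles. It assumes the broken DC is A (A.X.local) in Default-First-Site, that 1.X.local is a healthy partner, that ntdsutil is the 2003 SP1 or later build (which accepts a server DN directly), and that the dcpromo answer-file keys are those of the 2008 unattend format; check the keys against the dcpromo documentation for your own version.

```powershell
# Added example; not from the original thread. Assumptions: broken DC is A
# in Default-First-Site, healthy partner 1.X.local, domain X.local,
# 2008-format dcpromo unattend keys.

## Step 1 - on A: forced demotion. /forceremoval only cleans up the local
##          machine; every other DC still holds A's NTDS Settings, FRS
##          member and computer objects, which step 2 removes.
dcpromo /forceremoval

## Step 2 - on 1.X.local, once A has rebooted: delete A's metadata.
##          ntdsutil still asks for confirmation in a dialog.
$serverDn = 'CN=A,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=X,DC=local'
ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit

function Test-DcObjectsRemoved {
    param([string]$Partner, [string]$ServerDn, [string]$Name)
    # Objects that must be gone before re-promoting; anything still present
    # has to be deleted by hand (ADSI Edit or dsrm).
    $dns = @(
        "CN=NTDS Settings,$ServerDn",
        $ServerDn,
        "CN=$Name,OU=Domain Controllers,DC=X,DC=local",
        "CN=$Name,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=X,DC=local"
    )
    foreach ($dn in $dns) {
        New-Object PSObject -Property @{
            Object = $dn
            Exists = [ADSI]::Exists("LDAP://$Partner/$dn")
        }
    }
}
Test-DcObjectsRemoved -Partner '1.X.local' -ServerDn $serverDn -Name 'A' |
    Format-Table Exists, Object -AutoSize

# Stale SRV records would keep pointing clients (and the new DC's locator)
# at a host that is no longer a DC; remove any that DNS still returns.
nslookup -type=SRV _ldap._tcp.dc._msdcs.X.local 1.X.local 2>$null | Select-String 'A\.X\.local'

## Step 3 - on 1.X.local: push the removal to every DC and confirm no DC
##          still lists A as a replication source before promoting.
repadmin /syncall 1.X.local /AdeP
$stale = repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object {
    ($_.PSObject.Properties |
        Where-Object { $_.Name -like 'Source D*' -and $_.Name -notlike '*Site' } |
        Select-Object -First 1).Value -eq 'A'
}
if ($stale) { Write-Warning 'A is still listed as a source DSA; wait, re-run, and do not start step 4 yet.' }

## Step 4 - on A (now a member server): re-promote as a replica pulling
##          from 1.X.local. Password=* makes dcpromo prompt instead of
##          storing the domain admin password in the file.
$dsrm       = Read-Host 'DSRM password for the new DC'
$answerFile = 'C:\promote-A.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=X.local
SiteName=Default-First-Site
ReplicationSourceDC=1.X.local
UserDomain=X.local
UserName=Administrator
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$dsrm
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII
dcpromo /unattend:$answerFile
Remove-Item $answerFile    # the file holds the DSRM password; do not leave it behind
```

The waiting period Kaffiend mentions is what step 3 makes explicit: the removal of A has to have replicated to every DC, or the new A can be promoted against a partner that still believes the old A exists and inherits the same confusion.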
 
seworbyAuthor Commented:
Force demote, clean up metadata & then re-promote.
