• Status: Solved
  • Priority: Medium
  • Security: Public

No AD connection on server

I have a Windows Server 2008 that has some problems.

When I try to add a member to a group (Remote Desktop Users) I get this dialog when clicking "Advanced" telling me "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. "
I tried to remove the machine from DNS to see if it reregistered, but it didn't (after reboot).

On the server where I am trying to add a user to a group, I get this event:
The Security System detected an authentication error for the server
ldap/DC2.MyDOMAIN.dk. The failure code from authentication protocol 
Kerberos was "  (0x80080341)".

Level: Warning
Event ID: 40960
User: SYSTEM

Any ideas?
0
Asked: Kasper Katzmann
1 Solution
 
Krzysztof Pytko, Active Directory Engineer, Commented:
Can you verify if your DC/server are activated (genuine)?

Regards,
Krzysztof
0
 
Sushil Sonawane, Commented:
Remove the member server from the domain and rejoin, then check.
0
 
Sarang Tinguria, Sr Engineer, Commented:
Have you checked the DNS setting on this server? Is it pointing to internal DNS?

See the link below if it helps:
http://support.microsoft.com/kb/938457
0
 
Kasper Katzmann, Author, Commented:
Problem solved. It turned out to be due to an old error/mistake in group policy, that only allowed the servers to use DES_CBC_MD5. After removing the bad GPO the policy wasn't reset on the server.

This is what I did to solve the problem:

1. Opened Secpol.msc
2. Went to Local Policies/Security Options
3. Found Network security: Configure encryption types allowed for Kerberos and removed the tick from DES_CBC_MD5 (and all others if there were any)

Thanks for your suggestions anyway. It could just as well have been any of that.

Case closed :-)
0
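
An added example, not part of the original thread: a PowerShell check for the leftover setting described in the answer above, decoding which Kerberos encryption types the policy still allows. It assumes the policy is stored as the SupportedEncryptionTypes DWORD under the registry path shown; the function and variable names are hypothetical and the sample masks are constructed.

```powershell
# Added example, not from the thread. Bit values are the documented
# SupportedEncryptionTypes flags behind the Kerberos encryption types policy.
$EtypeBits = @(
    @{ Bit = 0x01; Name = 'DES_CBC_CRC' },
    @{ Bit = 0x02; Name = 'DES_CBC_MD5' },
    @{ Bit = 0x04; Name = 'RC4_HMAC_MD5' },
    @{ Bit = 0x08; Name = 'AES128_HMAC_SHA1' },
    @{ Bit = 0x10; Name = 'AES256_HMAC_SHA1' }
)
$FutureTypes = 0x7FFFFFE0   # the "Future encryption types" checkbox
$DesBits     = 0x03         # both DES variants

# Hypothetical helper: turns the bitmask into names and flags a DES-only policy.
function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory = $true)][int]$Mask)

    $names = @($EtypeBits | Where-Object { $Mask -band $_.Bit } |
               ForEach-Object { $_.Name })
    if ($Mask -band $FutureTypes) { $names += 'Future encryption types' }

    # DES-only: at least one DES bit is set and no other type is enabled.
    $desOnly = (($Mask -band $DesBits) -ne 0) -and
               (($Mask -band (-bnot $DesBits)) -eq 0)

    New-Object PSObject -Property @{
        Mask    = '0x{0:X}' -f $Mask
        Enabled = $names -join ', '
        DesOnly = $desOnly
    }
}

# Constructed sample masks: DES_CBC_MD5 only (as in this thread), RC4 plus AES, all boxes ticked.
0x02, 0x1C, 0x7FFFFFFF | ForEach-Object { ConvertFrom-KerberosEtypeMask -Mask $_ }

# Live check on the local server (assumed storage location of the policy value).
# The value is absent when the policy is not configured.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$prop = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($prop) { ConvertFrom-KerberosEtypeMask -Mask $prop.SupportedEncryptionTypes }
else       { 'SupportedEncryptionTypes is not set on this machine.' }
```

A result with DesOnly set to True on a member server corresponds to the state the author describes, where the value stayed behind after the GPO was removed.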
 
Sarang TinguriaSr EngineerCommented:
That's great
0
 
Kasper KatzmannAuthor Commented:
I found the solution on my own
0
