Migrating new office over to our Domain from Windows 2003 to 2008r2, event ID 4 is showing up

We acquired a remote office and will be bringing them over to our domain soon. As of now they are on our network on a different subnet and I can PING their devices. I already built a DC at our home office, on our subnet and took it up to the remote office last weekend. I let it sit all weekend but noticed today in the event viewer I was getting flooded with Event ID 4 on the new server.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server miadc1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/94173ee4-5d51-4c78-83c4-f108144bc53d/seitlin.com@seitlin.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SEITLIN.COM) is different from the client domain (SEITLIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

These are showing up every few seconds, so I am thinking there is a serious problem with Kerberos. The new server is on our home domain, seitlin.com, but there is another domain on the subnet that is soon to be shut down. Does anyone have any idea what could be causing these constant errors? Are there known issues associated with having two domains on the same subnet? Could there be an issue related to me having configured the DC on a different subnet than it is on now? All advice on how to migrate Active Directory from a Windows 2003 domain to a new Windows 2008 R2 domain is welcome...thanks
Thor2923 asked:

Will Szymkowski (Senior Solution Architect) commented:
From the DC in the second site, can you run the following commands...

Repadmin /replsum
Repadmin /showrepl
Dcdiag /v

Typically it is not a good idea to bring up a DC in your main location and then move it to another site with a new subnet. Will it work? Yes, but when you change the IP address of the DC, if it does not update its new IP address in all of the specific locations, including DNS, SRV records, Sites and Services etc., you will run into issues.

What you should have done is either brought up the DC in the new site completely, or set up the DC in your main office using IFM (Install From Media); from there you can then use this to set up the DC in the remote site to suppress the amount of data replicated when the DC comes online.

Make sure that you add the new subnet of the remote site to the AD Sites and Services console. You also need to ensure that the KCC creates replication partners "automatically".

My recommendation would be to check the above settings and ensure that replication is working properly. If you continue to receive these error messages, it might be easier to demote the DC and re-promote it in the new site.

Thanks


Will.
0
Sandeshdubey (Senior Server Engineer) commented:
There are multiple reasons for Event ID 4 to occur; this could be due to duplicate DNS entries, a missing SPN, a broken secure channel, a time skew issue, etc. http://jespermchristensen.wordpress.com/2008/06/12/troubleshooting-the-kerberos-error-krb_ap_err_modified/

Event ID: 4 Source: Kerberos
http://social.technet.microsoft.com/Forums/windowsserver/en-US/f8a93cde-f1de-47b6-b85a-781c795825f7/kerberos-event-id-4-krbaperrmodified
http://www.eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1

As suggested by spec01, run dcdiag /q and repadmin /replsum to check the health of the DC. Also check the event log for any errors and warnings.

As the DC was moved to the remote location from the main office, ensure that the correct IP address is configured on the DC and that the required ports are open for AD communication.

Changing the IP of the DC will not cause any issue. Follow the below link.
 http://technet.microsoft.com/en-us/library/cc739015%28WS.10%29.aspx
 
Once the IP address is changed, you should restart the Netlogon & DNS services (or restart the server) after the change so that the SRV and other associated records are updated to the new IP. Also run ipconfig /flushdns & ipconfig /registerdns. Reference link on this: http://technet.microsoft.com/en-us/library/cc758579

You have moved the DC to a new subnet, which could possibly affect your AD sites. Is this new subnet already defined in Sites and Services? If it is not, then add it and associate it with the correct site.

Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Hope this helps
0
Thor2923 (Author) commented:
I have nothing but errors running the first two commands suggested above:
Repadmin /replsum
Repadmin /showrepl

I think this was a big mistake setting it up the way I did. Is there a way to backpedal and start this over? I can access the machine remotely and will be in the office again this weekend. All suggestions on how to cleanly demote this and remove Active Directory services and re-add them are welcome. I do not want to start out with a nightmare. Look at my results!

Source DSA          largest delta    fails/total %%   error
 MIADC2           >60 days            5 /   5  100  (2148074274) The target prin
cipal name is incorrect.


Destination DSA     largest delta    fails/total %%   error
 ORLANDODC1       >60 days            5 /   5  100  (2148074274) The target prin
cipal name is incorrect.


Experienced the following operational errors trying to retrieve replication info
rmation:
        8341 - MIADC1.domain.com
        8341 - FTLDC1.domain.com
        8341 - WP-DC1.domain.com
        8341 - WP-DC2.domain.com
        8341 - JAXDC1.domain.com
        8341 - MLDC01.domain.com
        8341 - MIADC2.domain.com
          58 - FTLDC2.domain.com

and a whole bunch of these:


Naming Context: DC=ForestDnsZones,DC=domain,DC=com
Source: Miami\MIADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=domain,DC=com
Source: Miami\MIADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.
0

Thor2923 (Author) commented:
I do not want to make it worse so if there is a clean way to start over, please let me know
0
Sandeshdubey (Senior Server Engineer) commented:
How many DCs do you have in the environment, and how are the sites physically connected? Is the connectivity mess, or can all sites reach each other? Kindly provide more info.


Source DSA          largest delta    fails/total %%   error
 MIADC2           >60 days            5 /   5  100  (2148074274) The target prin
cipal name is incorrect.


Destination DSA     largest delta    fails/total %%   error
 ORLANDODC1       >60 days            5 /   5  100  (2148074274) The target prin
cipal name is incorrect.

From the above log it is clear that the secure channel between the DCs is broken. Hence you are getting the error "target principal name is incorrect".

Refer below link for the same:
http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/

But if the server has passed the tombstone lifetime period, then you need to demote the DC forcefully and promote the server back as a DC. The default Tombstone Lifetime period is 60 days in Windows Server 2003, but the default Tombstone Lifetime period has been changed in Windows Server 2003 SP1 and later to 180 days: http://www.anas.co.in/2010/02/what-is-tombstone-lifetime-how-to.html

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

Hope this helps
0
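As an added example (not code from this thread or from any of the tools named in it): a small Python parser for the repadmin /replsum output quoted above. It flags the partners with failures, renders the 2148074274 error in the hex form Microsoft documents it under, and lists partners reported more than a given number of days behind, the 60-day tombstone figure used above being the default. The SAMPLE string is constructed from the rows posted in this thread, kept wrapped exactly as the console wrapped them.

```python
import re

# Constructed sample: rows copied from the repadmin /replsum output posted in this
# thread, wrapped at the console width exactly as pasted, trimmed to a few rows.
SAMPLE = """\
Source DSA          largest delta    fails/total %%   error
 MIADC2           >60 days            5 /   5  100  (2148074274) The target prin
cipal name is incorrect.

Destination DSA     largest delta    fails/total %%   error
 ORLANDODC1       >60 days            5 /   5  100  (2148074274) The target prin
cipal name is incorrect.
 FTLDC1                    08m:35s    0 /  20    0
Experienced the following operational errors trying to retrieve replication info
rmation:
        8341 - MIADC1.domain.com
"""
# Row: DSA, largest delta (">60 days" / "08m:35s" / ":45s" / "(unknown)"), fails /
# total, a percentage, then an optional "(code) message" error column.
ROW_RE = re.compile(
    r"^\s*(?P<dsa>\S+)\s+(?P<delta>>\d+ days|\(unknown\)|(?:\d+m)?:\d+s)\s+"
    r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+\d+\s*(?P<err>.*)$")

def parse_replsum(text):
    """Return one dict per table row; the operational-error list is not parsed."""
    rows, section = [], None
    for line in text.splitlines():
        if line.startswith(("Source DSA", "Destination DSA")):
            section = line.split("largest")[0].strip()
            continue
        if line.startswith("Experienced"):  # this list follows the tables
            section = None
        if not section or not line.strip():
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append({"section": section, "dsa": m["dsa"], "delta": m["delta"],
                         "fails": int(m["fails"]), "total": int(m["total"]),
                         "error": m["err"].strip()})
        elif rows and rows[-1]["error"]:
            # repadmin wraps a long error message at the console width with no
            # separator, so glue the continuation straight onto the previous row.
            rows[-1]["error"] += line.strip()
    return rows

def failing_partners(text):
    """(section, dsa, 'fails/total', hex code, message) per partner with failures.
    2148074274 is 0x80090322 (SEC_E_WRONG_PRINCIPAL), the same Kerberos failure."""
    out = []
    for r in parse_replsum(text):
        if r["fails"]:
            m = re.match(r"\((\d+)\)\s*(.*)", r["error"])
            code, msg = (f"0x{int(m[1]):08X}", m[2]) if m else (None, r["error"])
            out.append((r["section"], r["dsa"], f'{r["fails"]}/{r["total"]}', code, msg))
    return out

def stale_partners(text, tombstone_days=60):
    """DSAs reported '>N days' behind with N >= tombstone_days (tombstone candidates)."""
    return [r["dsa"] for r in parse_replsum(text) if r["delta"].startswith(">")
            and int(r["delta"][1:].split()[0]) >= tombstone_days]
```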
Thor2923 (Author) commented:
There are 6 sites including the newest one that has the issues. I have one DC in the newest or Orlando site. I have 3 sites with 2 DCs and 2 with 1. They can all Ping each other, not sure what you mean by mess or connectivity. Where can I look for that? I would be happy to send you screen shots
0
Thor2923 (Author) commented:
OK, in reading further, the DC was past the tombstone life. I built the server down in Fort Lauderdale over 2 months ago and thought everything was OK. I then drove it up to Orlando and plugged it in with a new IP and subnet. If this is as simple as demoting and promoting the Orlando DC, that would be a relief. I am just glad I plugged this in 2 weeks before we actually need it.
0
Thor2923 (Author) commented:
I tried to demote the problem server using dcpromo and got an error "the target account name is incorrect", and each time I attempt it, it tries to connect to a different DC. I do not think I can do a clean DCPROMO. I am looking at DCPROMO /forceremoval....do you have an opinion on that?
0
Thor2923 (Author) commented:
Well, I went ahead and did a DCPROMO /forceremoval and ended up with a server in a workgroup. I was expecting a member server in our domain that I would need to promote. I also noticed it will no longer let me remote in. I had to use DameWare even though the settings for remote access are set. At least I have access, and I will be driving up to Orlando this weekend anyway. I guess the next step is the metadata cleanup and then re-adding it as a DC in the proper subnet.
0
Thor2923 (Author) commented:
I am attempting to do the metadata cleanup but have not had any luck with NTDSutil or trying to delete OrlandoDC1 from ADUC or Sites and Services. It acts like the object is not really there, or in AD Sites and Services I get a message "Do not delete the OrlandoDC1 container object. OrlandoDC1 contains objects representing Domain Controller OrlandoDC1" and it goes on to tell me to use DCPROMO, which failed, and I had to use DCPROMO /forceremoval.
At this point, I have renamed the server that was put in a workgroup after my forceremoval and re-added it to the domain as a member server. I have not tried to reinstall AD DS yet. I am hoping to just treat this as a new DC that is being added to our remote office in Orlando. I am just concerned about leaving that orphaned DC name on the system. Another point worth mentioning is, I had a DC in Fort Lauderdale crash yesterday and it will not boot back up. I have made similar attempts to get FTLDC2 out of Active Directory or do a metadata cleanup, but have not had success. At this point I just want to get those bogus servers out of AD. All comments are welcome.

Also, comments about bringing my Orlando server back as a DC using the same name or a different name are welcome too....thanks
0
Thor2923 (Author) commented:
OK, in one of my threads someone mentioned DNS, and I cleaned up the bogus DNS entries for the two former DCs, including the one this thread is about (OrlandoDC1), and was finally able to delete them from ADUC and Sites and Services. I feel like I am finally making progress. NOW...does anyone have an opinion on bringing OrlandoDC1 back with the same name, or should I use another name? Right now the Orlando DC is sitting on our domain with the name of OrlDC1. I am thinking I should just use another name to avoid any issues of conflict with the old name floating around. Opinions and comments are welcome. AND...should I bring this DC back from the command line using DCPROMO or use Server Manager? Right now the roles I was using on this server appear to be there with a red X. I am thinking maybe I need to remove them and re-add them.
0
Thor2923 (Author) commented:
My new DC in Orlando is intact as ORLDC1. I ran the first command above:
Repadmin /replsum
Source DSA          largest delta    fails/total %%   error
 FTLDC1                    08m:35s    0 /  20    0
 JAXDC1                    04m:25s    0 /   5    0
 MIADC1                    04m:25s    0 /  15    0
 MIADC2              (unknown)        0 /  20    0
 MLDC01                    04m:26s    0 /   5    0
 WP-DC1                    03m:49s    0 /  15    0
 WP-DC2                    03m:48s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 FTLDC1                       :45s    0 /  10    0
 JAXDC1                    01m:00s    0 /  10    0
 MIADC1                    01m:19s    0 /  15    0
 MIADC2                    04m:30s    0 /  15    0
 MLDC01                    08m:38s    0 /  10    0
 ORLDC1              (unknown)        0 /   5    0
 WP-DC1                    03m:51s    0 /  15    0
 WP-DC2                    03m:53s    0 /   5    0

That looks encouraging, but how about the second command's results...it is looking like there is still some access denied:

Repadmin /showrepl


Repadmin: running command /showrepl against full DC localhost
Orlando\ORLDC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 940461ba-b20d-4654-b5f7-1608dd094b41
DSA invocationID: bb1c4390-a5fd-4906-8a83-dfda74b4c36f

==== INBOUND NEIGHBORS ======================================

DC=seitlin,DC=com
    Miami\MIADC2 via RPC
        DSA object GUID: 851ffe97-a716-49ae-9e23-c4e4ed84058d
        Last attempt @ (never) was successful.

CN=Configuration,DC=seitlin,DC=com
    Miami\MIADC2 via RPC
        DSA object GUID: 851ffe97-a716-49ae-9e23-c4e4ed84058d
        Last attempt @ (never) was successful.

CN=Schema,CN=Configuration,DC=seitlin,DC=com
    Miami\MIADC2 via RPC
        DSA object GUID: 851ffe97-a716-49ae-9e23-c4e4ed84058d
        Last attempt @ (never) was successful.

DC=DomainDnsZones,DC=seitlin,DC=com
    Miami\MIADC2 via RPC
        DSA object GUID: 851ffe97-a716-49ae-9e23-c4e4ed84058d
        Last attempt @ (never) was successful.

DC=ForestDnsZones,DC=seitlin,DC=com
    Miami\MIADC2 via RPC
        DSA object GUID: 851ffe97-a716-49ae-9e23-c4e4ed84058d
        Last attempt @ (never) was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

It looks healthier than it was, but I am still concerned about "denied". Should I be concerned??
0
Thor2923 (Author) commented:
That final command had some results I am not too sure about also:

Dcdiag /v

The last part of it basically says all 6 of the other sites are "out of range"??

 Starting test: Intersite
    Skipping site FtLauderdale, this site is outside the scope provided by
    the command line arguments provided.
    Skipping site Jacksonville, this site is outside the scope provided by
    the command line arguments provided.
    Skipping site MiamiLakes, this site is outside the scope provided by
    the command line arguments provided.
    Skipping site Orlando, this site is outside the scope provided by the
    command line arguments provided.
    Skipping site Miami, this site is outside the scope provided by the
    command line arguments provided.
    Skipping site WPB, this site is outside the scope provided by the
    command line arguments provided.
    ......................... domain.com passed test Intersite
0
Sandeshdubey (Senior Server Engineer) commented:
If it is a Win2008 DC, then you need to open the cmd as "Run as administrator" and then run the diagnosis, else you will receive the above error.

The repadmin /replsum output indicates that there is no replication issue. I will also recommend using an alternate admin user to log in and run the diagnosis and check, but ensure that the user has full admin/enterprise/schema rights.
0
Thor2923 (Author) commented:
I opened the cmd prompt as administrator and got a successful Repadmin /showrepl, but that dcdiag /v is still giving me the "out of scope" message below. I am thinking the server is workable now since I have good replication. I will just do a little more research on what is meant by "out of scope".


 Starting test: Intersite
    Skipping site FtLauderdale, this site is outside the scope provided by
    the command line arguments provided.
    Skipping site Jacksonville, this site is outside the scope provided by
    the command line arguments provided.
    Skipping site MiamiLakes, this site is outside the scope provided by
    the command line arguments provided.
    Skipping site Orlando, this site is outside the scope provided by the
    command line arguments provided.
    Skipping site Miami, this site is outside the scope provided by the
    command line arguments provided.
    Skipping site WPB, this site is outside the scope provided by the
    command line arguments provided.
    ......................... domain.com passed test Intersite
0
Mike Kline commented:
I've seen some posts that say that message is a "bug" in dcdiag.  I can't seem to reproduce it.

Thanks

Mike
0
Thor2923 (Author) commented:
I read the same thing too earlier today....I am going to go with the server I have and see what happens.....should be OK as long as the other commands above are checking out.
0
Sandeshdubey (Senior Server Engineer) commented:
See this thread; it could be a bug. Ensure that the latest service pack is installed on the server.

DC " failed test Connectivity" in DCDiag prior to 2k-2k8r2 migration
http://social.technet.microsoft.com/Forums/windowsserver/en-US/a2ea8440-587d-4a0c-aed7-0068011b299b/dc-failed-test-connectivity-in-dcdiag-prior-to-2k2k8r2-migration

I will recommend downloading the resource kit tools on the DC and running the diagnosis and check. http://www.microsoft.com/en-in/download/details.aspx?id=17657
0