Solved

2012R2 DC disconnecting with KRB_AP_ERR_MODIFIED

Posted on 2014-01-13
8
5,008 Views
Last Modified: 2014-03-14
Hi,

I'm hoping someone could maybe shed some light on this issue.

We have recently installed some new servers running 2012 R2 Hyper-V. There are 2 identical physical servers (HP DL360p) both running 2012 R2 with 4 x VMs total.
1 VM for DC/Fileserver and 1 for Exchange 2010 in each box.
DC1 = PDC, RID and Infrastructure Master
DC2 = Schema Master, Domain Naming Master

Everything has been working fine for 2 months since but last Friday I had users reporting "Access denied" to file shares on one of the DC / Fileservers which uses DFS replication.
After looking in the event log I found several errors:

Event ID:4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server (servername). The target name used was HTTP/(servername).(domainname). This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using....

Also the error repeats with reference to target name "Rpcss/(servername)" and "Cifs/(servername)"

When attempting to log onto the offending DC (DC2) with the Domain Admin user, I was refused as username password not recognised. The only solution was a reboot of the machine (VM).
The SAME thing also happened to DC1 the following day.

I've been looking into the errors and tried several steps already:

    Checked for duplicate SPN using "Setspn /x"
    Noticed on DC2 that the secure channel was broken so had to run:
    import-module ActiveDirectory
    Test-ComputerSecureChannel /repair
    Check DNS manually for any duplicates. Scavenge and clear cache.
    Ensure Time sync is working properly. Setup according to recommendations (HyperV hosts are not domain joined-they sync directly to NTP, DC1/PDC is master and syncs to NTP, other member servers and client sync to DC1/PDC)
    Reset the Domain Administrator users password
    Ran DCDIAG on both DCs and everything OK
    Verified that no Windows updates had been performed before the issue
    The only thing that I can remember changing in regards to Active Directory is that I added the second DC to the nightly backup job for System State. This means that AD gets backed up twice, wondered if this could cause issues. However speaking to the company about it (Yosemite Backup) they said no.

Only thing I havn't done is to reset the machine account password on either of the DC's, wondering if this is needed as I already rebooted and reset the secure channel? I found a guide explaining this, would it be worth trying (out of hours probably due to reboot needed):
http://sumoomicrosoft.blogspot.co.uk/2012/07/reset-domain-controller-computer-account.html

Also, I cannot reset the secure channel on DC1, I assume because it is the PDC and does not need a channel to communicate with itself?

Hope there is some solution, i'm on the edge of my seat today hoping the servers stay up in the office!
0
Comment
Question by:chrismanncalgavin
  • 4
  • 3
8 Comments
 
LVL 10

Expert Comment

by:Korbus
Comment Utility
Since a reboot fixed this immidiately, and it has only occured once, I would itially suspect a glitch of some kind caused this, unless it happens again.
A single glitched bit, especially located in a cryptographoc key, could cause this problem:  "server failed to decrypt the ticket"

Related factoid:
Lets say an average bit in the computer memory messes up due to some environmental/external factors (acceidentally switches from a 0 to 1  or vice versa), on average,  once every 100 years (3.15 Billion Seconds).
You have 8GB of ram, thats (8GB*8 bits/byte) = 64 billion bits.
This means that, on-average, you will have a bit go wrong every... 100 years(3.15Bsec)/64billion = 0.05 Seconds!!!

It's amazing computers work at all!  (The fact that they DO work so consistantly shows just how stable those memory bits actually are in reality! )
0
 
LVL 8

Author Comment

by:chrismanncalgavin
Comment Utility
Thanks for the comment.

I would understand the glitch as you mentioned if it only occurred on one DC, but this happened 2 days in a row (first on server 1 then on server 2).
So far has been fine today.

It is quite unnerving!
0
 
LVL 10

Expert Comment

by:Korbus
Comment Utility
Two days in a row on two machines:  I agree- not a glitch.
0
 
LVL 8

Accepted Solution

by:
chrismanncalgavin earned 0 total points
Comment Utility
Thanks Korbus.

Just to update you:
I've now followed steps to reset both the domain controller's computer account passwords.
Still no sign of the issue mentioned since.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 10

Expert Comment

by:Korbus
Comment Utility
Gosh dont ya hate that?  You almost WANT it to happen so you can address it now when your expecting it, rather than 2 months down the road when your in the middle of somthing else.
0
 
LVL 8

Author Closing Comment

by:chrismanncalgavin
Comment Utility
I realised there was no simple answer and in the end only followed my nose. Hopefully this was a one off issue, but I may need to ask another question in the future.
0
 

Expert Comment

by:navitend
Comment Utility
I am having this same issue.  What exactly did you do to resolve this?  You mention resetting the domain controller's computer account password.  Do you have the steps taken?
0
 
LVL 8

Author Comment

by:chrismanncalgavin
Comment Utility
Hi there,
Sorry to hear you're having the same issue. Some of the guides I followed are below:
http://sumoomicrosoft.blogspot.co.uk/2012/07/reset-domain-controller-computer-account.html

http://support.microsoft.com/kb/325850

Hope that helps.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

#Citrix #XenApp #Citrix Scout #Citrix Insight Services #Microsoft VMMAP #Microsoft ADEXPLORE #Microsoft RAMMAP #Microsoft TCPVIEW #Microsoft AUTORUNS #Microsoft PROCESS EXPLORER #Microsoft PROCESS MONITOR
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now