I'm hoping someone could maybe shed some light on this issue.
We have recently installed some new servers running 2012 R2 Hyper-V. There are 2 identical physical servers (HP DL360p) both running 2012 R2 with 4 x VMs total.
1 VM for DC/Fileserver and 1 for Exchange 2010 in each box.
DC1 = PDC, RID and Infrastructure Master
DC2 = Schema Master, Domain Naming Master
Everything has been working fine for 2 months since but last Friday I had users reporting "Access denied" to file shares on one of the DC / Fileservers which uses DFS replication.
After looking in the event log I found several errors:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server (servername). The target name used was HTTP/(servername).(domainn
ame). This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using....
Also the error repeats with reference to target name "Rpcss/(servername)" and "Cifs/(servername)"
When attempting to log onto the offending DC (DC2) with the Domain Admin user, I was refused as username password not recognised. The only solution was a reboot of the machine (VM).
The SAME thing also happened to DC1 the following day.
I've been looking into the errors and tried several steps already:
Checked for duplicate SPN using "Setspn /x"
Noticed on DC2 that the secure channel was broken so had to run:
Check DNS manually for any duplicates. Scavenge and clear cache.
Ensure Time sync is working properly. Setup according to recommendations (HyperV hosts are not domain joined-they sync directly to NTP, DC1/PDC is master and syncs to NTP, other member servers and client sync to DC1/PDC)
Reset the Domain Administrator users password
Ran DCDIAG on both DCs and everything OK
Verified that no Windows updates had been performed before the issue
The only thing that I can remember changing in regards to Active Directory is that I added the second DC to the nightly backup job for System State. This means that AD gets backed up twice, wondered if this could cause issues. However speaking to the company about it (Yosemite Backup) they said no.
Only thing I havn't done is to reset the machine account password on either of the DC's, wondering if this is needed as I already rebooted and reset the secure channel? I found a guide explaining this, would it be worth trying (out of hours probably due to reboot needed):
Also, I cannot reset the secure channel on DC1, I assume because it is the PDC and does not need a channel to communicate with itself?
Hope there is some solution, i'm on the edge of my seat today hoping the servers stay up in the office!