Solved

Windows 2012 R2 DC Event Id 26

Posted on 2016-09-29
Last Modified: 2016-10-15
This is the error I have been getting all of a sudden over the last week or so.

I have two DCs on the parent domain, both Windows 2012 R2; on the child domain, Windows 2003 and Windows 2012 R2.

One DC gets this multiple times a day, the other only a few times.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/29/2016 21:17:16
Event ID:      26
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      TGCS011.our.network.tgcsnet.com
Description:
While processing an AS request for target service krbtgt, the account ba-06dc6a$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 3. The accounts available etypes were 23  -133  -128  18  17.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">26</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-30T01:17:16.000000000Z" />
    <EventRecordID>285051</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>TGCS011.our.network.tgcsnet.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Target">krbtgt</Data>
    <Data Name="Name">ba-06dc6a$</Data>
    <Data Name="ID">1</Data>
    <Data Name="RequestedEtypes">3</Data>
    <Data Name="AvailableETypes">23  -133  -128  18  17</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>



Ran this command:


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\administrator.OUR>klist tickets

Current LogonId is 0:0x724e6

Cached Tickets: (2)

#0>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: krbtgt/OUR.NETWORK.TGCSNET.COM @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: TGCS011

#1>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: host/tgcs011.our.network.tgcsnet.com @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: TGCS011

C:\Users\administrator.OUR>


How do I correct this issue?
Question by:Thomas Grassi
10 Comments
 
LVL 19

Expert Comment

by:Mal Osborne
ID: 41822836
First thing I would do here is check that all machines involved have the correct time set. Kerberos errors, in my experience, are often due to time skew.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41822839
Hello

I just checked; all machines are running current time. Physical and VM hosts all same time.

Every so often I get an event about not syncing the time, but not that often and only from a few member servers.

Is there a command to run to reset this?
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41822926
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41823302
Yes I saw that already

This part does not make any sense to me

Resolve

Configure an available encryption type

Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly.


Also, you can see I ran the klist tickets command; that's where I got that from.

Puzzled
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41824873
Update

After reviewing the event errors closely I figured which devices are causing this issue.

I have Seagate Black Armor 440 NAS; that is the BA-06dc6a$.

Do not understand why they are causing this error.

I contacted Seagate, waiting for response.

What does "did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)." mean?

Thoughts?
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41831049
Update

Seagate support was of no help.

Anyone out there have any ideas?

I am at a loss here.
0
 
LVL 41

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41834265
Basically this error occurs when a system attempts to generate a Kerberos ticket but doesn't have the necessary rights/authorization to do so. Basically it means your NAS isn't properly communicating with the domain and has probably lost its secure channel link. Check to see if there is an Object for the NAS in AD. Just search AD for a computer with the name BA-06dc6a. If there is no object for the NAS in AD, that means it can't request a Kerberos ticket, and this event will pop up in the logs each time it tries. If that's the case, you'll have to add the NAS to the domain again or remove its domain configuration entirely.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41834574
Adam

I checked AD and both units are in AD; they are in the Computers container.

Are there any settings I should look for?
0
 
LVL 23

Author Closing Comment

by:Thomas Grassi
ID: 41845182
Guys I had to remove them from AD and put them in a workgroup

Very strange that this started after I put the second NAS on the network

Thanks for all the help
0
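
Added example (not part of the thread, and not Microsoft or Seagate code): a small triage helper that decodes the etype numbers in the Event ID 26 XML posted in the question and reports whether the requester and the account share any encryption type. It assumes multiple etype values are whitespace-separated as in the posted `AvailableETypes` field; the name table covers only the values relevant to this event, and the function name `triage_event26` is hypothetical. For the posted event it shows a request offering only DES-CBC-MD5 (etype 3) against an account holding RC4 and AES keys.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Kerberos encryption type numbers (IANA registry) plus the two negative,
# Microsoft-specific legacy RC4 values that appear in this event.
ETYPES = {
    1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
    17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
    23: "RC4-HMAC", -128: "RC4-MD4 (MS legacy)", -133: "RC4-HMAC-OLD (MS legacy)",
}
DES = {1, 2, 3}  # single-DES etypes; disabled by default since Windows 7 / Server 2008 R2

# Constructed sample: the event from the question, trimmed to the fields used here.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="49152">26</EventID></System>
  <EventData>
    <Data Name="Target">krbtgt</Data>
    <Data Name="Name">ba-06dc6a$</Data>
    <Data Name="ID">1</Data>
    <Data Name="RequestedEtypes">3</Data>
    <Data Name="AvailableETypes">23  -133  -128  18  17</Data>
  </EventData>
</Event>"""

def triage_event26(xml_text):
    """Decode a KDC event 26 and report whether any etype is shared."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "26":
        raise ValueError("not a KDC event 26")
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    # Assumption: several etypes in one field are separated by whitespace.
    requested = [int(n) for n in data["RequestedEtypes"].split()]
    available = [int(n) for n in data["AvailableETypes"].split()]
    name = lambda n: ETYPES.get(n, f"etype {n}")
    return {
        "account": data["Name"],
        "target": data["Target"],
        "requested": [name(n) for n in requested],
        "available": [name(n) for n in available],
        "common": [name(n) for n in requested if n in available],
        "des_only_request": bool(requested) and all(n in DES for n in requested),
    }

if __name__ == "__main__":
    for key, value in triage_event26(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against exported event XML from each DC, grouping results by `account` gives the list of devices still requesting DES-only tickets.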


Question has a verified solution.
