Solved

Windows 2012 R2 DC Event Id 26

Posted on 2016-09-29
Last Modified: 2016-10-15
This is the error I have been getting all of a sudden over the last week or so.

I have two DCs on the parent domain, both Windows 2012 R2; on the child domain, Windows 2003 and Windows 2012 R2.

One DC gets this multiple times a day, the other only a few times.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/29/2016 21:17:16
Event ID:      26
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      TGCS011.our.network.tgcsnet.com
Description:
While processing an AS request for target service krbtgt, the account ba-06dc6a$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 3. The accounts available etypes were 23  -133  -128  18  17.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="49152">26</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-30T01:17:16.000000000Z" />
    <EventRecordID>285051</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>TGCS011.our.network.tgcsnet.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Target">krbtgt</Data>
    <Data Name="Name">ba-06dc6a$</Data>
    <Data Name="ID">1</Data>
    <Data Name="RequestedEtypes">3</Data>
    <Data Name="AvailableETypes">23  -133  -128  18  17</Data>
    <Binary>
    </Binary>
  </EventData>
</Event>



RAN THIS COMMAND


Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\administrator.OUR>klist tickets

Current LogonId is 0:0x724e6

Cached Tickets: (2)

#0>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: krbtgt/OUR.NETWORK.TGCSNET.COM @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
e_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: TGCS011

#1>     Client: administrator @ OUR.NETWORK.TGCSNET.COM
        Server: host/tgcs011.our.network.tgcsnet.com @ OUR.NETWORK.TGCSNET.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_deleg
ate name_canonicalize
        Start Time: 9/27/2016 7:17:51 (local)
        End Time:   9/27/2016 17:17:51 (local)
        Renew Time: 10/4/2016 7:17:51 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: TGCS011

C:\Users\administrator.OUR>


How do I correct this issue?
0
Question by:Thomas Grassi
10 Comments
 
LVL 17

Expert Comment

by:Malmensa
ID: 41822836
First thing I would do here is check that all machines involved have the correct time set. Kerberos errors, in my experience, are often due to time skew.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41822839
Hello

I just checked; all machines are running current time. Physical and VM hosts all same time.

Every so often I get an event about not syncing the time, but not that often and only from a few member servers.

Is there a command to run to reset this?
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41822926
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41823302
Yes I saw that already

This part does not make any sense to me

Resolve

Configure an available encryption type

Kerberos supports several encryption types that are used to encrypt the tickets. If you are using a non-Microsoft Kerberos client to request a ticket from a Windows-based Kerberos server, the Kerberos client must support the same encryption type. Use the event log message to determine the available encryption type and configure the Kerberos client accordingly.


Also, you can see I ran the klist tickets command; that's where I got that from.

Puzzled
0

 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41824873
Update

After reviewing the event errors closely, I figured out which devices are causing this issue.

I have a Seagate Black Armor 440 NAS; that is the BA-06dc6a$.

Do not understand why they are causing this error.

I contacted Seagate, waiting for a response.

What does "did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1)." mean?

Thoughts
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41831049
Update

Seagate support was of no help.

Anyone out there have any ideas?

I am at a loss here.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41834265
Basically this error occurs when a system attempts to generate a Kerberos ticket but doesn't have the necessary rights/authorization to do so. Basically it means your NAS isn't properly communicating with the domain and has probably lost its secure channel link. Check to see if there is an Object for the NAS in AD. Just search AD for a computer with the name BA-06dc6a. If there is no object for the NAS in AD, that means it can't request a Kerberos ticket, and this event will pop up in the logs each time it tries. If that's the case, you'll have to add the NAS to the domain again or remove its domain configuration entirely.
0
 
LVL 23

Author Comment

by:Thomas Grassi
ID: 41834574
Adam

I checked AD and both units are in AD; they are in the Computers container.

Are there any settings I should look for?
0
 
LVL 23

Author Closing Comment

by:Thomas Grassi
ID: 41845182
Guys, I had to remove them from AD and put them in a workgroup.

Very strange that this started after I put the second NAS on the network.

Thanks for all the help.
0


Question has a verified solution.
