firmapost asked:

2 servers losing contact with domain controller, Kerberos errors

Hi, we have a client with mixed OS versions.

DC = Server 2012 r2
App server = Server 2008 r2
RDS = Server 2012 r2

DC migrated from 2003 to 2012 r2

Guide followed : Link


I have tried many solutions to the problem but nothing has solved the issue. Since we are getting Kerberos messages I tried the standard fix of syncing the time servers, but to no avail. The only thing that fixes the problem temporarily is rebooting the server.

Some of the errors are:

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Additional information: ID:4, SOURCE:Microsoft-Windows-Security-Kerberos
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server dc$. The target name used was ldap/DC.XXX.local. This indicates that the target server failed to decrypt the ticket provided by the client. 
This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. 
This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. 
Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (XXX.LOCAL) is different from the client domain (XXX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Additional information: ID:5719, SOURCE:NETLOGON
This computer was not able to set up a secure session with a domain controller in domain XXX due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. 

Regards,
Bjørn.
Alan replied:

Hi Bjørn,

When you say that you "tried the standard to synch time servers", please can you detail exactly what you did?

Are the other servers getting their time info from the DC?

Thanks,

Alan.
Have you tried disabling IPv6 on the servers?
Hi,

Symptoms seem like the broken secure channel issue. However:

1) Hope the default domain controller GPO is getting applied to the DC?

2) Make sure your domain controller's LAN card preferred DNS server is set to its own IP address. Make sure NO ISP IP address is set.

3) What do the event logs say? Any errors in the System, Directory Service, DNS and NTFRS logs?

Thanks,
Abhi...
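The checks that the question's three events point at (time skew for the Kerberos error, the secure channel for NETLOGON 5719 and the LDAP bind failure, a duplicate SPN or stale machine password for KRB_AP_ERR_MODIFIED) together with the DNS point from Abhi's list, collected into one read-only diagnostic. This is an added example, not code from any poster in the thread. It assumes it is run in an elevated PowerShell on one of the two affected member servers, that `$env:USERDNSDOMAIN` holds the domain (XXX.local in the question), that the built-in `w32tm`, `nslookup`, `nltest` and `setspn` tools are present, and that the RSAT ActiveDirectory module is optional; the `-Repair` switch name is the script's own.

```powershell
# Added diagnostic for the symptoms in the thread; not code from any poster.
# Assumes: elevated PowerShell on an affected member server (2008 R2 / 2012 R2),
# built-in w32tm/nslookup/nltest/setspn present, RSAT ActiveDirectory optional.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # e.g. XXX.local in the question
    [switch]$Repair                         # only touch the secure channel if asked
)

$report = @{}

# 1. Time. Kerberos rejects tickets once client and KDC differ by more than the
#    5-minute default skew. Record which source this host syncs from and the
#    current offset; a member server should chain to the domain, not to the
#    local CMOS clock or an external pool of its own.
$w32 = w32tm /query /status 2>&1
$report['1_TimeSource']  = [string]($w32 | Select-String 'Source:')
$report['2_PhaseOffset'] = [string]($w32 | Select-String 'Phase Offset:')

# 2. DC locator through DNS (Abhi's DNS point, seen from the member side).
#    If this server's resolver cannot return the DC SRV record, NETLOGON
#    reports "no logon servers available" exactly as in event 5719.
$report['3_DcSrvRecord'] = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String)

# 3. Secure channel. The Group Policy LDAP bind failure and NETLOGON 5719 are
#    what a member server logs when its channel to a DC is down. nltest names
#    the DC it tried and the status; the cmdlet gives a plain $true/$false.
$report['4_NltestScVerify']  = (nltest "/sc_verify:$Domain" 2>&1 | Out-String)
$report['5_SecureChannelOk'] = Test-ComputerSecureChannel

# 4. Duplicate SPNs. KRB_AP_ERR_MODIFIED on ldap/DC.XXX.local is the textbook
#    result of that SPN existing on a second account: the KDC encrypts the
#    service ticket to the wrong key and the DC cannot decrypt it.
#    setspn -X only reads the directory and lists any duplicate groups.
$report['6_DuplicateSpns'] = (setspn -X 2>&1 | Out-String)

# 5. Machine account password as the DC sees it, when RSAT is installed.
#    The event's "password is different than what is configured on the KDC"
#    text is what a member whose stored password no longer matches AD gets.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    $report['7_MachinePasswordLastSet'] = $acct.PasswordLastSet
}

# Optional remediation, only when asked for and only if the channel is broken:
# reset the machine account password with a DC and rebuild the secure channel
# instead of waiting for the next reboot to clear the symptom for a while.
if ($Repair -and -not $report['5_SecureChannelOk']) {
    $report['8_RepairResult'] = Test-ComputerSecureChannel -Repair -Verbose
}

$report.GetEnumerator() | Sort-Object Key | ForEach-Object {
    "{0,-26} {1}" -f $_.Key, $_.Value
}
```

Run it once on each of the two member servers while they are in the failed state (before the reboot that clears it), and compare the output with a run taken while they work: a non-zero "Phase Offset", an empty SRV answer, a `$false` secure channel, or any group listed by `setspn -X` narrows the thread's guesses down to one cause.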
I said "tried disabling IPv6 on the servers"... this is only to check if this is causing the issue... if this is the culprit you just change the priority to IPv4...
Personally, from time to time I have had quite a few issues due to IPv6...
Hi,

Hope the above errors are from the 2 member servers?
</gml_replace>
<gr_replace lines="83" cat="clarify" orig="Just to clarify">
Just to clarify a bit more, are you facing any issues with the member servers, like accessing shares, login issues etc.? Or are you just seeing those errors during a reboot of the servers?

Just to clarify a bit more, are you facing any issues with the member servers? like accessing share, login issues etc? Or are you just seeing those errors during a reboot of the servers?

Can you refer to the Microsoft article and see if it's relevant here? (https://support.microsoft.com/en-in/help/938449/netlogon-event-id-5719-or-group-policy-event-1129-is-logged-when-you-s)

Thanks,
One of the potential gotchas that I point out whenever someone asks about adding a 2012 server to an existing 2003 domain is that Kerberos authentication can fail intermittently. More information concerning this issue can be found here:

http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx

Microsoft has released a hotfix:

http://support.microsoft.com/kb/2989971

-saige-