Kerberos PAC Errors

We have a Windows 2016 RODC running Server Core in our DMZ. It is restricted via our firewall as to which internal DCs it can communicate with. Sporadically, i.e. once every other week, we get the following error message on one of the internal DCs the RODC can talk to: "During TGS processing, the KDC was unable to verify the signature on the PAC from RODCNA1$. This indicates the PAC was modified." Searching online seems to point out this is normal, but my problem is: if this is normal, then why is it an error?
compdigit44 Asked:

Learnctx (Engineer) Commented:
Microsoft have a good blog that talks about PAC verification issues. The article is good and gives insight into your question and scenarios which cause PAC verification failure. You can find the article here.

"It is restricted via our firewall as to which internal DCs it can communicate with."

I have to wonder what restricting it to communicating with just a few DCs vs., say, all of them achieves. And I say this because if 1 is compromised, they are all compromised.

"Searching online seems to point out this is normal, but my problem is: if this is normal, then why is it an error?"

Because you probably have a network restriction that is sporadically generating this error. Windows is saying, hey this happened.

compdigit44 (Author) Commented:
Thank you for your feedback. All the articles I have read seem to point out this is normal, but I was concerned this could have been some type of attack on the RODC.