Channel: Directory Services Forum

How to delete the DNS record automatically after deleting a domain computer?


Hi, my domain controller is a Windows 2008 R2 server and it is also a DNS server in the domain.

When I remove the computer from the domain, the corresponding DNS record is not removed from DNS automatically.

So my question is how to remove the DNS record automatically, so I need not do it manually.

thank you very much!

Chu.


Chu Qiu


Password reset and unlock account issue in server 2008 domain controller


Hi,

We have a group named reset.

Lock1 and Lock2 are two normal domain users which are members of the reset group.

The reset group is a member of the Account Operators builtin group.

 

Now the problem comes here

Lock1 and Lock2 can unlock all the user accounts in the domain. But Lock1 cannot unlock Lock2 if it gets locked out, or reset the password of the other, and vice versa.

please help ...

 

Thanks

Sunny

Roaming User Profiles Problem - Windows Server 2008


Hi,

I am experiencing problems with roaming profiles on a Windows 2008 domain. When I try to log in with a domain user on an XP machine it gives the following error:

"Windows cannot locate the server copy of your roaming profile"

If anyone has any guidance on this problem I would really appreciate it.

Thanks.

Schema FSMO holder could not be found.


Ok, first a brief synopsis of this network.

1. We have the Enterprise DC in the U.S. and it is the Schema master and the Domain Naming Master. We can never seize the Schema from it.

2. I work in the Middle East and we have one root DC here and 3 other Domain Controllers. We have 2 DC's in remote sites.

3. We had to remove a DC the other day and when we ran dcpromo we got the following error.

The Operation failed because:

Active Directory Domain Service could not transfer the remaining data in directory partition DC=DomainDnsZones,DC=example, to Active Directory Domain Controller \\exampleDC1\...............

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.

So because of that we had to run dcpromo /forceremove

Afterwards I followed the article here http://support.microsoft.com/?id=216498 to remove the metadata.

Now when I go to the Schema into DC2 it shows the current Schema master. When I right click and change to another server I get this.

"The schema FSMO holder could not be found. Schema modifications can only be made on the schema FSMO holder"

I try to change to any of our other 4 DC's and I get the same error.

When I open Schema on those DC's I get this.

Current Schema Master (Offline)
Error

That is not true because that resides in the states as I mentioned above and it never goes offline.

What is possibly related is when I try to do a replicate with our root DC that fails with the error below.

"The following error occurred during the attempt to synchronize naming context conus.cano.com to from Domain Controller RDC3 to Domain Controller DC1: The naming context is in the process of being removed or is not replicated from the specified server." This operation will not continue.

I think somehow this might be pointing at the Root DC. Our DC3 has all of the other 3 roles and is our primary DNS server.

So to sum it up

DC1 - Current Schema Master (Offline): Error

DC2 - Can see the Schema Master fine

DC3 - Current Schema Master (Offline): Error

DC4 - Current Schema Master (Offline): Error

DC5 - Current Schema Master (Offline): Error

Also when I go to AD and search for one of our larger Groups, all of the members in that group show as SIDs only.

Any help would be appreciated. Thanks

DNS events on child domain Win 2003 R2 DC: 4015, 4513, 4514


Greetings everyone.

I have created a child domain in the AD forest with two domain controllers (both Windows 2003 R2). After that I tried to configure an additional DNS server on the second DC. Now I should say that the 1st DNS server on the 1st DC works fine, but the second one doesn't. In the DNS console both the Forward and Reverse lookup zones are empty and I have a 4015 error event accompanied by 4513 and 4514 events (messages are attached below).

As it has been said here, I have found and deleted one duplicate zone record using ADSIEdit (the duplicated zone was stored in the Default Naming Context). Now all DNS zones are stored in the appropriate AD partitions - the domain-wide zone in DC=DomainDNSZones,DC=child,DC=domain,DC=com, and the forest-wide zone in DC=ForestDNSZones,DC=domain,DC=com - and no duplicate zones have been found (the Default Naming Context partition contains only Root hints now). All DNS servers were restarted and forced replication was done, but no luck - the errors are still present and the zones are empty in the DNS console.

So, as 4514 and 4515 say, I tried to put my second DC into the appropriate replication scope. This topic should help me. But after

Add NC Replica DC=DomainDNSZones,DC=child,DC=domain,DC=com dc2.child.domain.com

I have got an error:

LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)

I tried to google it, but no luck. So, I need help. Please.

Some additional information.

1. 4015 Error message

Event Type:	Error
Event Source:	DNS
Event Category:	None
Event ID:	4015
Date:		26.12.2012
Time:		17:22:27
User:		N/A
Computer:	DC2
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152395, #1:
	0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 13 00 00 00               ....    

2. 4513 and 4514 error messages:

Event Type:	Information
Event Source:	DNS
Event Category:	None
Event ID:	4513
Date:		26.12.2012
Time:		17:22:27
User:		N/A
Computer:	DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.domain.com. This prevents the zones that should be replicated to all DNS servers in the child.domain.com forest from replicating to this DNS server. 
To create or repair the forest-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 
The error was 9002.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00               *#..    
 
Event Type:	Information
Event Source:	DNS
Event Category:	None
Event ID:	4514
Date:		26.12.2012
Time:		17:22:26
User:		N/A
Computer:	DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the  directory partition DomainDnsZones.child.domain.com. This prevents the zones that should be replicated to all DNS servers in the domain.com domain from replicating to this DNS server. For information on how to add a DNS server to the replication scope of an application directory partition, please see Help and Support. 
To create or repair the domain-wide DNS directory partition, open the the DNS  console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. 
 The error was 9005.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00               -#..    

3. DC1 and DC2 ipconfigs:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc2
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3D-B6-9A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3F-6C-E2
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3

4. dcdiag on DC2

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: spb\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests
   
   Testing server: spb\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: NCSecDesc
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC2 passed test RidManager
      Starting test: MachineAccount
         ......................... DC2 passed test MachineAccount
      Starting test: Services
         ......................... DC2 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC2 passed test frssysvol
      Starting test: frsevent
         ......................... DC2 passed test frsevent
      Starting test: kccevent
         ......................... DC2 passed test kccevent
      Starting test: systemlog
         ......................... DC2 passed test systemlog
      Starting test: VerifyReferences
         ......................... DC2 passed test VerifyReferences
   
   Running partition tests on : spb
      Starting test: CrossRefValidation
         ......................... spb passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... spb passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running enterprise tests on : domain.com
      Starting test: Intersite
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.com passed test FsmoCheck


5. Some repadmin output:

repadmin /showreps
child\DC2
DC Options: (none)
Site Options: (none)
DC object GUID: fbb45f38-ee10-4bdd-bf27-18cc6b6f0995
DC invocationID: e62c67e1-1c6e-4bc8-9238-5307714ac4bb

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

DC=child,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:46:54 was successful.

6. And ntdsutil output:

ntdsutil: domain management
domain management: connections
server connections: connect to server dc2
Binding to dc2 ...
Connected to dc2 using credentials of locally logged on user.
server connections: q
domain management: list nc replicas DC=DomainDnsZones,DC=child,DC=domain,DC=com
The application directory partition DC=DomainDnsZones,DC=child,DC=domain,DC=com's Replicas are:
        CN=NTDS Settings,CN=dc1,CN=Servers,CN=child,CN=Sites,CN=Configuration,DC=domain,DC=com
domain management: add nc replica DC=DomainDnsZones,DC=child,DC=domain,DC=com dc2.child.domain.com
LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)


Additional DC with windows server 2012

I have server 2008 r2 as a primary DC, could I add a second DC with server 2012?

Unable to add Additional Domain Controller in existing Domain (Server 2008)?

We have two sites connected through VPN. I have implemented a domain model in one site and now I am trying to add an additional domain controller to the existing domain.

But I am getting an error stating:

"The operation failed because:

Active Directory Domain Services could not create the NTDS settings object for the Active Directory domain controller CN=NTDS settings,CN=IN-FMISC8D5P7V,CN=Servers,CN… on the remote AD DC WIN-25U8A45FTH6.RakHolding.ae. Ensure the provided network credentials have sufficient permissions.

"The RPC Server is Unavailable."

I tried giving delegate permissions to the user on the system through Local Policies - User Rights Assignment - Enable computer...

I don't remember the exact steps I did (sorry).

Can someone help me please!!

Windows 2008 R2 Complete Authoritative restore of AD

How do I do a complete authoritative restore of the AD database on a Windows 2008 R2 domain controller? I need to know the steps... We have all domain controllers running Windows 2008 R2.

Replication issues: Operations Master shows ERROR and attempting to connect to server shares gets "the target account name is incorrect"


I think this should be easily resolved, but I need some guidance.

I have a client with 2 Server 2003 R2 x64 DCs: BORIS & NATASHA. Last year I upgraded both of them from x86 to x64 one at a time, allowing replication to occur between the upgrades. BORIS is the FSMO roles holder as it is currently the production server, while NATASHA is a backup DC. One thing that puzzles me though is that if I look at the NS record in DNS on the SOA tab, it says NATASHA is the Primary server.

While doing some routine maintenance I noticed an error in the File Replication Service events about a 'Tombstone' situation (Event ID 2042). I looked at article cc757610 in the Technet Library and opted for remedy #3 as I did not want to demote NATASHA and I got confused looking at the help about using "repadmin /removelingeringobjects". I have no idea how to determine which DC has the good copy of the directory.

Now, in running "repadmin /showrepl" I get

"DC=CPA,DC=local
    Default-First-Site-Name\BORIS via RPC
        DC object GUID: 0267a090-1890-40e2-9a15-ea928cabd425
        Last attempt @ 2012-12-27 08:28:55 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1179 consecutive failure(s).        Last success @ 2012-12-21 23:30:15." <-- THIS IS WEIRD SINCE THIS IS THE DATE THAT I DISCOVERED THE TOMBSTONE EVENT AND MADE THE REGISTRY CHANGE (I THINK).

When I try to look at the FSMO roles on NATASHA, it shows ERROR for RID, PDC & Infrastructure and says "The current Operations Master is offline. The role cannot be transferred." The other issue I'm having is that client PCs are intermittently having trouble reconnecting to necessary server shares.

TIA


Wayne S. CompTIA A+ CompTIA Network+ Microsoft MCP www.InfoTek831.com



Error Demoting Domain Controller


I am in the process of removing a domain controller (2008 R2) from our environment.  I was able to successfully transfer all required FSMO roles to the new domain controller, but receive the error when running DCPromo on the server.

"The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles."

I ran a dsquery using the command dsquery * CN=Infrastructure,DC=DomainDnsZones,DC=Domain,DC=com -attr fSMORoleOwner and receive the following output:

"CN=NTDS Settings\0ADEL:1d2ebcbd-16cb-4923-937d-ad768880ec2e,CN=OldServer\0ADEL:6fb18232-4b56-4646-ac5f-2809b5ee6a16,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com"


Based on the results of the command I see the problem is related to a role that's assigned to a server (OldServer) that was incorrectly removed from the environment over 4 years ago. While I believe I have identified the source of the problem, I have hit a wall on how to proceed with resolving it. Your advice would be appreciated.

Upgrade from active directory 2003 sp2 to active directory 2008 r2


Hi everyone

I have Windows Server 2003 Enterprise Edition SP2 32-bit running Active Directory. I just want to upgrade it to Active Directory 2008 R2. What are the simple methods to do that? And also please tell me, if I upgrade from Active Directory 2003 to 2008 R2, will I need to rejoin all clients to the domain or not?

Policies not restored to SYSVOL from system state backup


I am restoring a system state backup to my test environment win2003 DC's.

After my backup and before my restore, I deleted a GPO.  During the wizard I chose "Restore to: Original Location" and "Leave Existing Files".  Post restore, the GPO was once again listed in gpmc, but was not restored to SYSVOL.

FYI I did this from DSRM, exactly per these steps: http://technet.microsoft.com/en-us/library/cc758435(v=ws.10).aspx

Thanks in advance,

Jaime


Event id 1168 Active Directory


In our domain controllers we see below events:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          19.12.2012 7:13:45
Event ID:      1168
Task Category: Internal Processing
Level:         Error
Keywords:      Classic
User:          "our domain"\XXXX$
Computer:      YYYY
Description:
Internal error: An Active Directory Domain Services error has occurred.
 
Additional Data
Error value (decimal):
1332
Error value (hex):
534
Internal ID:
1240627
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="49152">1168</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>9</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-12-19T05:13:45.180564900Z" />
    <EventRecordID>1621</EventRecordID>
    <Correlation />
    <Execution ProcessID="436" ThreadID="4832" />
    <Channel>Directory Service</Channel>
    <Computer>YYYY</Computer>
    <Security UserID="S-1-5-21-1074365621-3550774200-4067301949-50952" />
  </System>
  <EventData>
    <Data>1332</Data>
    <Data>534</Data>
    <Data>1240627</Data>
  </EventData>
</Event>


XXXX is RODC and YYYY is DC server.

Active directory information gathering question


Greetings.

I'm willing to take all information of an Active Directory (W2003) for each user the server has. This means knowing all the configuration that affects each user (Department, Site, GPOs, logon scripts, etc.). In general, I know what info I should check to have all the information for each user, but I would like to ask for some tips/guides/tools (official tools) that could maybe help me gather this information. Maybe there are some points that I'm not considering.

Thanks in advance.

RODC Configuration.


hello everyone,

I have been working on introducing a new RODC to one of our remote branches. I have set up all that I can determine is necessary to allow this to work. The connection between the offices is quite a slow 500k link.

I have one new user defined in AD that has been added to the Allowed RODC policy, along with the machine they use. It passes in the Resultant Policy on the writable DC, and when I log into the workstation it will 'sometimes' grab the correct RODC.... other times it will use one of the other two DCs.

I can't figure out why or what causes this.

I have the ADSS set up correctly and the respective subnets are defined properly.

thanks for any help on this.


Why is the Kerberos token converted to an NTLM token when connecting to the SAP application?


Hi

I have the below issue with my client application's Kerberos authentication. See the issue history below.

Client is trying to set up SSO using Windows integrated authentication for one of our SAP Enterprise Portal applications.
 
The browser has to talk to the AD server and send a Kerberos token to the J2EE engine for the authentication to happen. But in the client's case an NTLM token is being passed, which is failing the SPNEGO authentication process.

Determine how Password is reset?


Is it possible to determine whether a user's password was set by the end user OR if it was set by an administrator through Active Directory Users and Computers?

I am trying to target users with a "force password reset at next logon", but I only want to target those users that have not reset since the last administrative set password. 

thanks

Hardware failure two days ago and now multiple DC issues after restart


Hi,

We had a motherboard failure on our primary DC server the night before last (SLSODOMAIN); the secondary stayed up the whole time (SLSODOMAIN3). We replaced the motherboard yesterday and got the server back up. But dcdiag is still showing a number of issues and I'm not sure where to begin. There is no SYSVOL share on the server that went down and it appears to not be accepting binds from the backup DC.

When writing code, you always start by correcting the first error and the ones underneath tend to fix themselves. Not sure if that is true in the DC world as well.

The dcdiag output from the server that went down for a day only fails one test, FRSEVENT, saying errors occurred in the last 24 hours and that failing SYSVOL replication can cause GP issues.

Below is my dcdiag output from the backup DC. I apologize for not knowing more about this stuff; any help would be greatly appreciated.

Performing initial setup:

   Trying to find home server...

   Home Server = SLSODomain3

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\SLSODOMAIN3

      Starting test: Connectivity

         ......................... SLSODOMAIN3 passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\SLSODOMAIN3

      Starting test: Advertising

         ......................... SLSODOMAIN3 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... SLSODOMAIN3 passed test FrsEvent

      Starting test: DFSREvent

         ......................... SLSODOMAIN3 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... SLSODOMAIN3 passed test SysVolCheck

      Starting test: KccEvent

         ......................... SLSODOMAIN3 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [SLSODOMAIN] DsBindWithSpnEx() failed with error -2146893022,

         The target principal name is incorrect..
         Warning: SLSODOMAIN is the Schema Owner, but is not responding to DS

         RPC Bind.

         [SLSODOMAIN] LDAP bind failed with error 8341,

         A directory service error has occurred..
         Warning: SLSODOMAIN is the Schema Owner, but is not responding to LDAP

         Bind.

         Warning: SLSODOMAIN is the Domain Owner, but is not responding to DS

         RPC Bind.

         Warning: SLSODOMAIN is the Domain Owner, but is not responding to LDAP

         Bind.

         Warning: SLSODOMAIN is the PDC Owner, but is not responding to DS RPC

         Bind.

         Warning: SLSODOMAIN is the PDC Owner, but is not responding to LDAP

         Bind.

         ......................... SLSODOMAIN3 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... SLSODOMAIN3 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... SLSODOMAIN3 passed test NCSecDesc

      Starting test: NetLogons

         ......................... SLSODOMAIN3 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... SLSODOMAIN3 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: DC=ForestDnsZones,DC=slso,DC=music

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.



            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            59 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: DC=DomainDnsZones,DC=slso,DC=music

            The replication generated an error (1256):

            The remote system is not available. For information about network troubleshooting, see Windows Help.



            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            59 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: CN=Schema,CN=Configuration,DC=slso,DC=music

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            59 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: CN=Configuration,DC=slso,DC=music

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-12-28 10:58:14.

            The last success occurred at 2012-12-25 23:58:03.

            63 failures have occurred since the last success.

         [Replications Check,SLSODOMAIN3] A recent replication attempt failed:

            From SLSODOMAIN to SLSODOMAIN3

            Naming Context: DC=slso,DC=music

            The replication generated an error (-2146893022):

            The target principal name is incorrect.

            The failure occurred at 2012-12-28 11:23:43.

            The last success occurred at 2012-12-26 00:32:29.

            1082 failures have occurred since the last success.

         ......................... SLSODOMAIN3 failed test Replications

      Starting test: RidManager

         ......................... SLSODOMAIN3 passed test RidManager

      Starting test: Services

         ......................... SLSODOMAIN3 passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   10:51:08

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/1fb9c9bf-8540-40ba-8c92-03f911ddfc20/slso.music@slso.music. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   11:09:29

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was LDAP/1fb9c9bf-8540-40ba-8c92-03f911ddfc20._msdcs.slso.music. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   11:09:29

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was ldap/slsodomain.slso.music. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x40000004

            Time Generated: 12/28/2012   11:14:54

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server slsodomain$. The target name used was SLSO\SLSODOMAIN$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SLSO.MUSIC) is different from the client domain (SLSO.MUSIC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         ......................... SLSODOMAIN3 failed test SystemLog

      Starting test: VerifyReferences

         ......................... SLSODOMAIN3 passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : slso

      Starting test: CheckSDRefDom

         ......................... slso passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... slso passed test CrossRefValidation


   Running enterprise tests on : slso.music

      Starting test: LocatorCheck

         ......................... slso.music passed test LocatorCheck

      Starting test: Intersite

         ......................... slso.music passed test Intersite
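The KRB_AP_ERR_MODIFIED events in the SystemLog test above say the same thing three times: the LDAP SPN for slsodomain must be registered on exactly one account, and a ticket encrypted for the wrong account cannot be decrypted by the DC. The following is an added example, not part of the original post or of dcdiag: it takes a listing in the shape of a `setspn -Q` style dump (account line, then its SPNs indented) and reports every SPN held by more than one account. The listing itself is constructed; it reuses the slso.music names from the output above, and the `oldsvc` account with its stale SPN is invented to produce a duplicate.

```python
"""Flag SPNs that are registered on more than one account.

Added example (not part of the forum post). The listing below is a
constructed sample in the shape of a 'setspn -Q' style dump: an account
line, then that account's SPNs indented under it. The names reuse the
slso.music domain from the dcdiag output; the 'oldsvc' account and its
SPN are invented to show a duplicate.
"""
from collections import defaultdict

# Constructed sample listing (not real directory data).
SAMPLE_LISTING = """\
CN=SLSODOMAIN,OU=Domain Controllers,DC=slso,DC=music
    ldap/slsodomain.slso.music
    ldap/slsodomain.slso.music/slso.music
    HOST/slsodomain.slso.music
CN=SLSODOMAIN3,OU=Domain Controllers,DC=slso,DC=music
    ldap/slsodomain3.slso.music
    HOST/slsodomain3.slso.music
CN=oldsvc,CN=Computers,DC=slso,DC=music
    LDAP/SLSODOMAIN.slso.music
"""


def parse_spn_listing(text):
    """Return {account_dn: [spn, ...]} from an account/indented-SPN listing."""
    accounts = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("SPN line before any account line: %r" % raw)
            accounts[current].append(raw.strip())
        else:
            current = raw.strip()
            accounts.setdefault(current, [])
    return accounts


def find_duplicate_spns(accounts):
    """Return {spn_lowercase: [account, ...]} for SPNs held by 2+ accounts.

    SPNs are compared case-insensitively, which is how the KDC matches
    them, so 'LDAP/HOST.slso.music' and 'ldap/host.slso.music' collide.
    """
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(account)
    return {spn: sorted(accs) for spn, accs in owners.items() if len(accs) > 1}


def main():
    dupes = find_duplicate_spns(parse_spn_listing(SAMPLE_LISTING))
    if not dupes:
        print("no duplicate SPNs")
    for spn, accs in sorted(dupes.items()):
        print("duplicate SPN %s registered on: %s" % (spn, ", ".join(accs)))


if __name__ == "__main__":
    main()
```

On a live domain the built-in `setspn -X` performs the same duplicate search against the directory; the script is useful when you only have an exported listing to work from, and it makes the case-insensitive comparison explicit.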


BIND DNS and Windows 2008 R2


I am in the process of replacing all the Windows 2003 DCs in our Domain with new Windows 2008 R2 servers.  The current setup consists of three domain controllers that use BIND for DNS.  The existing DCs update their srv records in DNS dynamically with no errors.  This configuration has been in production for more than 5+ years with no DNS problems.

After promoting one of the Windows 2008 servers, I started seeing multiple DNS dynamic registration failures (event 5774) on the 2008 server only.  There is one event logged for each of the 13 srv records that netlogon is trying to register.  The error value for each event is "Bad DNS packet."  

The 2003 DCs are still able to dynamically register with DNS and BIND is configured to allow dynamic updates from the new 2008 DC. 

The strange thing is that when I check the DNS server zone files the new 2008 DC is correctly registered in DNS.  Also replication works with no errors.  The only errors I see in the event log are the 5774 errors.

The BIND server is set to accept non-secure updates from only the three old DCs and the three new DCs.  Does Windows 2008 only register DNS with DNS servers that only accept secure updates?

Since the DNS records are registered correctly, can I ignore the 5774 errors, or is there something else that I should look at?

Thanks for any help
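The question above turns on one check: whether every record Netlogon tries to register is actually present in the BIND zone, independent of what event 5774 says about the update packets. What follows is an added example, not code from the original post, BIND or Windows. It reads a list of expected records in the one-record-per-line form a DC writes to its netlogon.dns file (absolute owner names, standard zone-record syntax) and a BIND-style zone file, and prints the expected records the zone lacks. Both inputs are constructed for the made-up domain `example.test` and a DC `dc1`; TTLs are deliberately ignored because the zone's TTL often differs from the 600 seconds Netlogon asks for and that difference is not a missing record.

```python
"""Compare the records a DC expects to register against a BIND zone file.

Added example, not part of the forum post. Both inputs are constructed:
EXPECTED is in the one-record-per-line shape of a DC's netlogon.dns
file (absolute owner names), ZONE is a small BIND-style zone file for the
made-up domain example.test. TTLs are ignored on purpose: the question is
whether each name/type/rdata exists, not whether its TTL matches.
"""

# Constructed: what Netlogon would try to register for dc1.example.test.
EXPECTED = """\
example.test. 600 IN A 10.0.0.5
_ldap._tcp.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.Default-First-Site-Name._sites.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_kerberos._tcp.example.test. 600 IN SRV 0 100 88 dc1.example.test.
_gc._tcp.example.test. 600 IN SRV 0 100 3268 dc1.example.test.
gc._msdcs.example.test. 600 IN A 10.0.0.5
"""

# Constructed: the zone as it sits on the BIND server (some records absent).
ZONE = """\
$ORIGIN example.test.
$TTL 3600
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2012122801 ; serial
        3600 900 604800 86400 )
    IN NS  ns1.example.test.
ns1 IN A   10.0.0.2
dc1 IN A   10.0.0.5
_ldap._tcp      600 IN SRV 0 100 389 dc1.example.test.
_kerberos._tcp  600 IN SRV 0 100 88  dc1.example.test.
gc._msdcs           IN A   10.0.0.5
"""

NAME_LAST_TYPES = {"SRV", "CNAME", "NS", "PTR"}  # rdata ends in a domain name


def _logical_lines(text):
    """Strip ';' comments and join '( ... )' continuations into one line."""
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = buf[0] + " " + " ".join(b.strip() for b in buf[1:])
            out.append(joined.replace("(", " ").replace(")", " ").rstrip())
            buf, depth = [], 0
    return out


def _absolute(name, origin):
    """Make a zone-file name absolute (lower-cased, trailing dot)."""
    if name == "@":
        if origin is None:
            raise ValueError("'@' used without $ORIGIN")
        return origin
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError("relative name %r without $ORIGIN" % name)
    return (name + "." + origin).lower()


def parse_zone(text, origin=None):
    """Return a set of (owner, type, rdata) from zone-file syntax."""
    records, last_owner = set(), None
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):
            continue  # $TTL and friends do not affect the comparison
        tokens = line.split()
        if line[0].isspace():
            owner = last_owner  # blank owner field: reuse the previous one
        else:
            owner = _absolute(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("record without owner: %r" % line)
        last_owner = owner
        for _ in range(2):  # optional TTL and/or class, in either order
            if tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
                tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype == "SOA":
            continue  # never something Netlogon registers
        if rtype in NAME_LAST_TYPES:
            tokens[-1] = _absolute(tokens[-1], origin)
        records.add((owner, rtype, " ".join(t.lower() for t in tokens)))
    return records


def missing_records(expected_text, zone_text):
    """Records in the netlogon-style list that the zone does not contain."""
    return sorted(parse_zone(expected_text) - parse_zone(zone_text))


if __name__ == "__main__":
    for owner, rtype, rdata in missing_records(EXPECTED, ZONE):
        print("MISSING %s %s %s" % (owner, rtype, rdata))
```

With the constructed inputs the zone is short three of the six expected records (the apex A record, the site-specific `_ldap._tcp` SRV and the `_gc._tcp` SRV), which is exactly the kind of gap that matters more than the 5774 events themselves: if the real zone comes back empty-handed, the DC is correctly registered and the events are noise; if it lists records, those are the ones clients cannot locate the DC by.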

adding new server 2012 DC in existing 2003 forest


The prerequisites check fails. Here is the content of the log file. Please help me fix it.

[2012/12/27:16:27:25.535]
Adprep created the log file 'C:\Windows\debug\adprep\logs\20121227162725-test\ADPrep.log'
[2012/12/27:16:27:25.535]
Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.
[2012/12/27:16:27:25.545]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.545]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.545]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.546]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.546]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.546]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.548]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Infrastructure,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.548]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.548]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.548]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.555]
Adprep discovered the schema FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.559]
Adprep connected to the schema FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.559]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.559]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.559]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2012/12/27:16:27:25.559]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.560]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.560]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.560]
LDAP API ldap_search_ext_s finished, return code is 0x0 
[2012/12/27:16:27:25.560]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.560]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.560]
Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
[2012/12/27:16:27:25.560]
The parameters /userdomain and /user are not specified. Using current logon user's domain ...
[2012/12/27:16:27:25.560]
The current logon user's domain is NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.561]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.561]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.561]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.562]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.562]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Benjamin Green,OU=IT,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.563]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.569]
Adprep discovered the Infrastructure FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.572]
Adprep connected to the Infrastructure FSMO: AD01.NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.572]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.572]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.572]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2012/12/27:16:27:25.572]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.573]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.573]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.573]
LDAP API ldap_search_ext_s finished, return code is 0x0 
[2012/12/27:16:27:25.573]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.573]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.574]
Adprep does not find the tokenGroups attribute on the RootDSE object of the Active Directory Domain Controller. This attribute is not avaliable on Windows Server 2003 or lower version of Windows. Adprep will try to obtain token groups from the User object.
[2012/12/27:16:27:25.574]
The parameters /userdomain and /user are not specified. Using current logon user's domain ...
[2012/12/27:16:27:25.574]
The current logon user's domain is NJ01.IMSTRANSPORT.COM.
[2012/12/27:16:27:25.574]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.575]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.575]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.575]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.575]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=Benjamin Green,OU=IT,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.576]
LDAP API ldap_search_s finished, return code is 0x0 
[2012/12/27:16:27:25.591]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is (null).
[2012/12/27:16:27:25.592]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.592]
Adprep successfully retrieved information from the Active Directory Domain Services.
[2012/12/27:16:27:25.592]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=UID,CN=Schema,CN=Configuration,DC=NJ01,DC=IMSTRANSPORT,DC=COM.
[2012/12/27:16:27:25.592]
LDAP API ldap_search_s() finished, return code is 0x0 
[2012/12/27:16:27:25.592]
Adprep successfully determined whether Microsoft Windows Services for UNIX (SFU) is installed or not. If adprep detected SFU, adprep also verified that Microsoft hotfix Q293783 for SFU has been applied.
[2012/12/27:16:27:25.611]
Adprep could not retrieve data from the server AD01.NJ01.IMSTRANSPORT.COM through Windows Managment Instrumentation (WMI).

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121227162725-test directory for possible cause of failure.
[2012/12/27:16:27:25.611]
Adprep encountered a Win32 error. 

Error code: 0x5 Error message: Access is denied.


DSID Info:
DSID: 0x1810012a
HRESULT = 0x80070005
NT BUILD: 9200
NT BUILD: 16384

[2012/12/27:16:27:25.611]
Adprep failed while performing Exchange schema check.

[Status/Consequence]

The Active Directory Domain Services schema is not upgraded.

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20121227162725-test directory for possible cause of failure.
[2012/12/27:16:27:25.611]
Adprep encountered a Win32 error. 

Error code: 0x5 Error message: Access is denied.


DSID Info:
DSID: 0x1810012a
HRESULT = 0x80070005
NT BUILD: 9200
NT BUILD: 16384

