Hi

suddenly one of our 2008R2Sp1 DC get a lot off error  ... all others are OK

System :

EventID 4  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server xxxxx

DFS replication :

Event 1204 The DFS Replication service failed to contact domain controller  to access configuration 

Directory Service

1865 The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network 

1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 

DNS server

4000 The DNS server was unable to open Active Directory.  

Given those huge errors, i wonder if it's not a solution to Depromote/remove from domain the repromote this server ..... 

what do you think about it ?

regards

• Edited by GuiAg 20 hours 3 minutes ago

Hi

 First you need to fix "EventID 4  The Kerberos client received a KRB_AP_ERR_MODIFIED error" this cause to secure channel between DC's broken,

 To fix follow the steps on artilce

https://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

hi

thanks ! nice doc, it seems that KLIST have replaced Kerbtray.exe on w2k8R2

also for the resetpwd command, every documentation has not the same command, for example here 

https://sarithvs.wordpress.com/2010/11/30/testing-post-for-exchange-2000/

it's the opposite in his example ... and MS docs

/s:  is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running." 

thanks for your clarification

• Edited by GuiAg 16 hours 53 minutes ago

It's ture that Kerbtray is no longer part of the tool set, but klist can be used to complete many of the tasks formerly performed by it.
 
As already suggested, instead of demoting and re-promoting the server directly, please first try to fix the Security-Kerberos / 4 error, then verify the status again.
 
More reference about Event 4:
 
https://technet.microsoft.com/en-us/library/cc733987%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
 

Regards,

Eth