Okay here is the issue The client seems that it had before 2 windows 2003 the primary and the secondary which is replicating... It seems that they did run the adprep and the forest prep on the primary domain controller to upgrade it to windows 2008 But in the secondary they didnt do that... im getting a lot of errors on the event viewer which they are telling me this While processing a TGS request for the target server krbtgt/BLAHBLAH.com, the accounSMCSTAFFNB43$@\BLAHBLAH.com did not have a suitable key for generating a Kerberos ticket And i was thinking its happening because they didnt run ADPrep on that secondary server because this error start happening when they upgraded the primary server to 2008 Anyways how can i check that they didnt run adprep? on that server? and if they didnt run can i run it just like that now? or have to do a process for that ? Im also looking this error but im not sure if its related with this the kerberos client received a KRB_AP_ERR_MODIFIED error from the server ac-dc$. The target name used was cifs/AC-DC The target name used was DNS/ac-dc.domain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm

Hello, the adprep /forestprep, adprep /domainprep /gpprep and adprep /rodcprep have to run once in the domain and not on any existing DC. Kerberos errors can belong to wrong system time on the DCs, make sure they are not more then 5 minutes off. Please see the following article to reset a machine account password of a DC: http://support.microsoft.com/default.aspx?scid=kb;en-us;325850 If that isn't the case please post an unedited ipconfig /all and the following output files: dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc* is a place holder for the starting name of the DCs if they all begin the same (if more then one DC exists)] dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045) As the output will become large, DON'T post them into the thread, please use Windows Sky Drive(with open access!) and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hi, You may check the current schema version to make sure the adprep.exe was run successfully. For Windows Server 2008 RTM, the schema version is 44. If the schema version has been updated to version 44, it is not necessary to run the adprep.exe again. For more information, please read the following Microsoft KB article: How to find the current Schema Version http://support.microsoft.com/kb/556086 For the Kerberos Event ID 4, please check and delete the unused or duplicated computer account. For more information, please refer to the following Microsoft TechNet article: Event ID 4 — Kerberos Client Configuration http://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx Regards, Arthur Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I was able to fix the kerberos Error doing this 1. When does this problem occur? Does it only occur when you log onto the 2nd DC using the Administrator account? 2. Please force active directory replication between the two domain controller also run DCDIAG.exe in the Windows Server 2003 Support Tools to ensure that the password change for Administrator account is properly replicated to the 2nd DC. It replication fails, please try to purge the tickets and reset the secure channel on the backupserver: a) Stop the KDC service on the on the backupserver.domain.local. b) In the command prompt, run " Klist purge". (Klist is available in the Windows Resource kit) c) Run "NLTEST /SC_RESET" to reset the secure channel to the domain. d) Reboot the server and check how it works. Resetting the secure channel seems to did it... im not getting the error anymore so far. Here for full Tread http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b81cc899-17f5-4484-9e5a-6bdab78f63ec Thank you all for all your time in asnwering me!!!!!! :)