Domain controller // DS/DFS/System error

Hi

Suddenly one of our 2008 R2 SP1 DCs is getting a lot of errors ... all others are OK

System :

EventID 4  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server xxxxx

DFS replication :

Event 1204 The DFS Replication service failed to contact domain controller  to access configuration 

Directory Service

1865 The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network 

1311 The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 

DNS server

4000 The DNS server was unable to open Active Directory.  

Given those huge errors, I wonder whether a solution would be to demote/remove this server from the domain and then re-promote it ...

What do you think about it?

regards


  • Edited by GuiAg Thursday, August 27, 2015 11:44 AM
August 27th, 2015 11:43am

Hi

 First you need to fix "EventID 4  The Kerberos client received a KRB_AP_ERR_MODIFIED error"; this causes the secure channel between the DCs to be broken.

 To fix it, follow the steps in the article:

https://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

August 27th, 2015 11:52am

Hi

Thanks! Nice doc, it seems that KLIST has replaced Kerbtray.exe on W2K8 R2.

Also, for the resetpwd command, not every documentation gives the same command, for example here

https://sarithvs.wordpress.com/2010/11/30/testing-post-for-exchange-2000/

it's the opposite in his example ... and MS docs

"/s:  is the name of the domain controller to use for setting the machine account password. This is the server where the KDC is running."

Thanks for your clarification




  • Edited by GuiAg Thursday, August 27, 2015 2:54 PM
August 27th, 2015 2:53pm

It's true that Kerbtray is no longer part of the tool set, but klist can be used to complete many of the tasks formerly performed by it.
 
As already suggested, instead of demoting and re-promoting the server directly, please first try to fix the Security-Kerberos / 4 error, then verify the status again.
 
More reference about Event 4:
 
https://technet.microsoft.com/en-us/library/cc733987%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
 

Regards,

Eth

August 28th, 2015 7:33am

Hi

Yes, that's what I've seen about klist purge

but for now my question is about the netdom resetpwd and which way to use it since I see different commands.

If I understand, this command has to be launched on the PDC and the /server argument is the problematic target server ... right? Or maybe it's the opposite :) http://www.softheap.com/security/account-password-1.html


  • Edited by GuiAg Friday, August 28, 2015 9:38 AM
August 28th, 2015 8:36am

Hi

 Please check these:

https://support.microsoft.com/en-us/kb/325850

https://technet.microsoft.com/en-us/library/cc788073.aspx?f=255&MSPPError=-2147217396

You need to reset the account on the problematic server; on the second link you can find detailed examples.

August 28th, 2015 8:47am

but for now my question is about the netdom resetpwd and which way to use it since I see different commands.

Sorry I missed this previously. Please take a look at the first KB article shared by Burak above, in step 4, there is a "For example, ..." paragraph which should be helpful for you to understand this command.
 
You should launch this command on the machine for which you want to change the password (problematic server).
 
By the way, it seems the second link shared above is for Netdom reset, not Netdom resetpwd. The correct one is:
 
https://technet.microsoft.com/en-us/library/cc785478.aspx
 

Regards,

Eth

August 28th, 2015 10:45am

Hi, thanks a lot!

Yes, that's what I see

  1. Purge Kerberos cache: klist purge
  2. Stop KDC service on problematic server then launch netdom resetpwd /s:<onlinePDCDC> /ud:domain\User /pd:*
  3. Restart
  4. Validate: repadmin /syncall && repadmin /replsummary
  5. Start KDC service

August 28th, 2015 11:46am
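
The steps listed in the post above as a two-phase PowerShell script, added here as an example and not part of the original thread. The parameter names `-Phase`, `-HealthyDc` and `-Account` are hypothetical, and setting the KDC service to Manual startup so that it stays stopped across the restart is an assumption the post does not state.

```powershell
# Added example, not from the thread. Run elevated on the problematic DC.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Reset', 'Validate')][string]$Phase,
    [string]$HealthyDc,  # hypothetical parameter: the other, working DC passed to /s:
    [string]$Account     # hypothetical parameter: DOMAIN\User allowed to reset the password
)
$ErrorActionPreference = 'Stop'

if ($Phase -eq 'Reset') {
    if (-not $HealthyDc -or -not $Account) { throw 'Reset needs -HealthyDc and -Account.' }
    # Guard against the mix-up discussed in the thread: /s: is the DC that sets the
    # password, so it must not be the server this script runs on.
    if (($HealthyDc -split '\.')[0] -eq $env:COMPUTERNAME) {
        throw '/s: must name another domain controller, not this server.'
    }
    klist purge                                  # step 1: purge cached tickets (current logon session)
    Stop-Service -Name kdc -Force                # step 2: stop the KDC on this server
    Set-Service -Name kdc -StartupType Manual    # assumption: keep it stopped across the restart
    netdom resetpwd "/s:$HealthyDc" "/ud:$Account" '/pd:*'   # /pd:* prompts for the password
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed (exit code $LASTEXITCODE)." }
    Write-Host 'Step 3: restart this server, then run again with -Phase Validate.'
}
else {
    # Step 4: force replication and print the summary for review.
    repadmin /syncall
    repadmin /replsummary

    # Look for new Security-Kerberos Event ID 4 entries logged since the last boot.
    $os   = Get-WmiObject Win32_OperatingSystem
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'
                 Id = 4; StartTime = $boot }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -gt 0) {
        Write-Warning "$($events.Count) KRB_AP_ERR_MODIFIED event(s) since $boot"
        $events | Select-Object -First 5 TimeCreated, Message | Format-List
    }
    # Step 5: bring the KDC back and restore its normal startup type.
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc
}
```

If the warning still appears after the restart, the event text names the server whose ticket could not be decrypted, which is the next thing to check.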

Hi,
 
How is it going? Please let us know if you would like further assistance.
 
Thanks,
 

Regards,

Eth

August 30th, 2015 9:24pm

This topic is archived. No further replies will be accepted.
