
Thread: The kerberos client received a KRB_AP_ERR_MODIFIED error and Failed to query SPN registration on DC 'hostname_ho.domainname.local'

  1. #1
    Inonino Guest

    The kerberos client received a KRB_AP_ERR_MODIFIED error and Failed to query SPN registration on DC 'hostname_ho.domainname.local'

    We have various branches connected to our main branch, but one of the
    domain controllers from one of the small branches is having issues and
    is not replicating with DCs in the main office. It is also generating
    the event ID #4:

    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
    server host/name_host.domainname.local. The target name used was
    host2/name.host.domainname.local. This indicates that the password used
    to encrypt the kerberos service ticket is different than that on the
    target server. Commonly, this is due to identically named server
    accounts in the target realm (%2), and the client realm (%4). Please
    contact your system administrator."

    Any idea what would be the best solution for our problem or what we
    need to fix?

    Below is the result I am getting when I run the "dcdiag"
    command:

    Computer Name: Hostname

    DNS Host Name: hostname.domainname.local

    System info : Microsoft Windows Server 2003 (Build 3790)

    Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel

    List of installed hotfixes :

    Q147222

    Netcard queries test . . . . . . . : Passed

    Per interface results:

    Adapter : Local Area Connection

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : MyServerHostName

    IP Address . . . . . . . . : 132.X.X.X

    Subnet Mask. . . . . . . . : 255.255.255.0

    Default Gateway. . . . . . : 132.X.X.X

    Dns Servers. . . . . . . . : 132.X.X.X


    AutoConfiguration results. . . . . . : Passed


    Default gateway test . . . : Passed


    NetBT name test. . . . . . : Passed

    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenger Service', <20> 'WINS' names is missing.


    WINS service test. . . . . : Skipped

    There are no WINS servers configured for this interface.

    Global results:

    Domain membership test . . . . . . : Passed

    NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

    NetBT_Tcpip_{86E69554-BF1F-420C-8B5A-A6E8473FF1AA}

    1 NetBt transport currently configured.

    Autonet address test . . . . . . . : Passed

    IP loopback ping test. . . . . . . : Passed

    Default gateway test . . . . . . . : Passed

    NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00>
    'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

    Winsock test . . . . . . . . . . . : Passed

    DNS test . . . . . . . . . . . . . : Passed

    [WARNING] The DNS host name 'hostname.domainname.local' valid only
    on Windows DNS Servers. [DNS_ERROR_NON_RFC_NAME]

    PASS - All the DNS entries for DC are registered on DNS server
    '132.X.X.X' and other DCs also have some of the names registered.

    Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

    NetBT_Tcpip_{86E69554-BF1F-420C-8B5A-A6E8473FF1AA}

    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser

    NetBT_Tcpip_{86E69554-BF1F-420C-8B5A-A6E8473FF1AA}

    The browser is bound to 1 NetBt transport.

    DC discovery test. . . . . . . . . : Passed

    DC list test . . . . . . . . . . . : Passed

    Trust relationship test. . . . . . : Passed

    Secure channel for domain 'DomainName' is to
    '\\hostname_ho.domainname.local'.

    Kerberos test. . . . . . . . . . . : Passed

    LDAP test. . . . . . . . . . . . . : Passed

    [WARNING] Failed to query SPN registration on DC
    'hostname_ho.domainname.local'.

    [WARNING] Failed to query SPN registration on DC
    'hostname_ho.domainname.local'.

    [WARNING] Failed to query SPN registration on DC
    'hostname_ho.domainname.local'.

    [WARNING] Failed to query SPN registration on DC
    'hostname_ho.domainname.local'.

    Bindings test. . . . . . . . . . . : Passed

    WAN configuration test . . . . . . : Skipped

    No active remote access connections.

    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed
    information

    The command completed successfully

  2. #2
    Florian Frommherz [MVP] Guest

    Re: The kerberos client received a KRB_AP_ERR_MODIFIED error and Failed to query SPN registration on DC 'hostname_ho.domainname.local'

    Howdie!

    Inonino schrieb:
    > We have various branches connected to our main branch, but one of the
    > domain controller from one of the small branches is having issue and
    > is not replicating with DCs in the main office. It is also generating
    > the event ID #4:
    >
    > "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
    > server host/name_host.domainname.local. The target name used was host2/
    > name.host.domainname.local. This indicates that the password used to
    > encrypt the kerberos service ticket is different than that on the
    > target server. Commonly, this is due to identically named server
    > accounts in the target realm (%2), and the client realm (%4). Please
    > contact your system administrator."


    You may probably have machines with identical machine names/SPNs in AD
    or incorrect DNS entries in DNS. Is that only from one DC? I'd probably
    try an LDAP search for host2/name.host.domainname.local and see what it
    comes up with. My guess is that it either returns two objects or there
    are legacy DNS entries that point to different DNS objects with the same
    hostname.

    Cheers,
    Florian
    --
    Microsoft MVP - Group Policy
    eMail: prename [at] frickelsoft [dot] net.
    blog: http://www.frickelsoft.net/blog.
    ANY advice you get on the Newsgroups should be tested thoroughly in your
    lab.

  3. #3
    Inonino Guest

    Re: The kerberos client received a KRB_AP_ERR_MODIFIED error and Failed to query SPN registration on DC 'hostname_ho.domainname.local'

    On Feb 9, 2:16 pm, "Florian Frommherz [MVP]"
    <flor...@frickelsoft.DELETETHIS.net> wrote:
    > Howdie!
    >
    > Inonino schrieb:
    >
    > > We have various branches connected to our main branch, but one of the
    > > domain controller from one of the small branches is having issue and
    > > is not replicating with DCs in the main office. It is also generating
    > > the event ID #4:

    >
    > > "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
    > > server host/name_host.domainname.local. The target name used was host2/
    > > name.host.domainname.local. This indicates that the password used to
    > > encrypt the kerberos service ticket is different than that on the
    > > target server. Commonly, this is due to identically named server
    > > accounts in the target realm (%2), and the client realm (%4). Please
    > > contact your system administrator."

    >
    > You may probably have machines with identical machine names/SPNs in AD
    > or incorrect DNS entries in DNS. Is that only from one DC? I'd probably
    > try an LDAP search for host2/name.host.domainname.local and see what it
    > comes up with. My guess is that it either returns two objects or there
    > are legacy DNS entries that point to different DNS objects with the same
    > hostname.
    >
    > Cheers,
    > Florian
    > --
    > Microsoft MVP - Group Policy
    > eMail: prename [at] frickelsoft [dot] net.
    > blog:http://www.frickelsoft.net/blog.
    > ANY advice you get on the Newsgroups should be tested thoroughly in your
    > lab.


    Yes, it is from only one domain.

  4. #4
    Inonino Guest

    Re: The kerberos client received a KRB_AP_ERR_MODIFIED error and Failed to query SPN registration on DC 'hostname_ho.domainname.local'

    On Feb 10, 7:42 am, Inonino <gilb...@gmail.com> wrote:
    > On Feb 9, 2:16 pm, "Florian Frommherz [MVP]"
    >
    >
    >
    > <flor...@frickelsoft.DELETETHIS.net> wrote:
    > > Howdie!

    >
    > > Inonino schrieb:

    >
    > > > We have various branches connected to our main branch, but one of the
    > > > domain controller from one of the small branches is having issue and
    > > > is not replicating with DCs in the main office. It is also generating
    > > > the event ID #4:

    >
    > > > "The kerberos client received a KRB_AP_ERR_MODIFIED error from the
    > > > server host/name_host.domainname.local. The target name used was host2/
    > > > name.host.domainname.local. This indicates that the password used to
    > > > encrypt the kerberos service ticket is different than that on the
    > > > target server. Commonly, this is due to identically named server
    > > > accounts in the target realm (%2), and the client realm (%4). Please
    > > > contact your system administrator."

    >
    > > You may probably have machines with identical machine names/SPNs in AD
    > > or incorrect DNS entries in DNS. Is that only from one DC? I'd probably
    > > try an LDAP search for host2/name.host.domainname.local and see what it
    > > comes up with. My guess is that it either returns two objects or there
    > > are legacy DNS entries that point to different DNS objects with the same
    > > hostname.

    >
    > > Cheers,
    > > Florian
    > > --
    > > Microsoft MVP - Group Policy
    > > eMail: prename [at] frickelsoft [dot] net.
    > > blog:http://www.frickelsoft.net/blog.
    > > ANY advice you get on the Newsgroups should be tested thoroughly in your
    > > lab.

    >
    > Yes, it is from only one domain.


    Sorry! From one DC.

  5. #5
    Florian Frommherz [MVP] Guest

    Re: The kerberos client received a KRB_AP_ERR_MODIFIED error and Failed to query SPN registration on DC 'hostname_ho.domainname.local'

    Howdie!

    Inonino schrieb:
    > Yes, it is from only one domain.


    So what does the failing server resolve in DNS for the target DC (check
    with nslookup)? Have you tried searching in LDAP to check whether there
    are duplicate SPNs?

    Cheers,
    Florian
    --
    Microsoft MVP - Group Policy
    eMail: prename [at] frickelsoft [dot] net.
    blog: http://www.frickelsoft.net/blog.
    ANY advice you get on the Newsgroups should be tested thoroughly in your
    lab.
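
The duplicate-SPN check suggested in replies #2 and #5, as an added example that is not part of the original thread: it reads an LDIF export of servicePrincipalName values (for example one produced with ldifde) and reports every SPN registered on more than one account. The sample export, its DNs and the account names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample export; the DNs and account names are hypothetical.
SAMPLE_LDIF = """\
dn: CN=NAME,OU=Domain Controllers,DC=domainname,DC=local
servicePrincipalName: host2/name.host.domainname.local
servicePrincipalName: ldap/name.host.domainname.local

dn: CN=NAME-OLD,CN=Computers,DC=domainname,DC=local
servicePrincipalName: HOST2/name.host.
 domainname.local

dn: CN=OTHER,CN=Computers,DC=domainname,DC=local
servicePrincipalName:: aG9zdC9vdGhlci5kb21haW5uYW1lLmxvY2Fs
"""

def parse_ldif(text):
    """Return {dn: [spn, ...]}, undoing LDIF line folding and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:    # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):            # "attr:: value" is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
            entries[dn] = []
        elif attr.lower() == "serviceprincipalname" and dn is not None:
            entries[dn].append(value)
    return entries

def duplicate_spns(entries):
    """Return {spn: [dn, ...]} for every SPN registered on more than one account."""
    owners = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].add(dn)      # SPNs compare case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}
```

An SPN that maps to two accounts means the KDC may encrypt the service ticket with a key the target server does not hold, which is the condition the event ID 4 text describes.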
