-
DC Kerberos Errors
I am running a Windows 2003 Server in a single domain environment. We
have two main DCs in our home office and 7 remote DCs in our branch
plants. One of our branch plant DCs is triggering errors in our main DC
Directory Service event log.
Type: Warning
Source: NTDS KCC
Event ID: 1566
All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable.
Site:
CN=***,CN=***,CN=***,DC=***,DC=***
Directory partition:
DC=***,DC=***
Transport:
CN=***,CN=***,CN=***,CN=***,DC=***,DC=***
Type: Error
Source: NTDS KCC
Event ID: 1311
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
DC=***,DC***
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers
Type: Warning
Source: NTDS KCC
Event ID: 1865
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=***,CN=***,CN=***,DC=***,DC=***
On top of these errors, the branch plant DC is logging this Kerberos
error over and over in the System event log:
Type: Error
Source: Kerberos
Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/***. The target name used was ldap/***. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (***), and the client realm. Please contact your system administrator.
And it's logging this error in the Application event log over and over:
Type: Error
Source: Userenv
Event ID: 1053
Windows cannot determine the user or computer name. (The target principal name is incorrect. ). Group Policy processing aborted.
Some of the recent changes done to this machine that may be causing
these issues are a system board replacement and an upgrade to the hard
drives. I have tried resetting the machine account password using
netdom.exe, though I am not 100% sure I am performing this task
correctly. The main tasks that seem to be broken are File Replication
and directory replication, and when logged into the branch plant DC you get
a logon failure error message when trying to access network shares. Any
help on this issue would be greatly appreciated.
-
RE: DC Kerberos Errors
I think you will need to reset the domain controller password in the Active
Directory, but you won't be able to do it from Active Directory Users and
Groups, so you will need to use netdom commands to reset the DC password.
-
Re: DC Kerberos Errors
I have already tried that. I have gone through the steps found on
Microsoft's website:
http://support.microsoft.com/kb/325850
Yet still no luck getting the error messages to stop.
"Amir Fahmy" <[email protected]> wrote in message
news:[email protected]...
> I think you will need to reset the domain controller password in the Active
> Directory, but you won't be able to do it from Active Directory Users and
> Groups, so you will need to use netdom commands to reset the DC password.
-
Re: DC Kerberos Errors
On Apr 16, 11:18 am, "Zachary Dundore" <[email protected]>
wrote:
> I have already tried that. I have gone through the steps found on
> Microsoft's website: http://support.microsoft.com/kb/325850
> Yet still no luck getting the error messages to stop.
>
> "Amir Fahmy" <[email protected]> wrote in message
> news:[email protected]...
>
> > I think you will need to reset the domain controller password in the Active
> > Directory, but you won't be able to do it from Active Directory Users and
> > Groups, so you will need to use netdom commands to reset the DC password.
Hi,
>Event ID: 1566
This is probably because you do not have your sites and subnets set up
correctly. If you have them set up, what transport are you using? IP
or SMTP?
>Event ID: 1311
Fix 1566 first
>Event ID: 1865
Same...fix 1566
>Event ID: 4
Two DCs sharing the same IP address? Same name?
I would fix the first errors and then attack the others one at a time.
Good luck
Harj Singh
Power Your Active Directory
www.specopssoft.com
-
Re: DC Kerberos Errors
I am going to reopen a new post on this. I have found the issue to be that
this particular DC hasn't replicated with another DC since January 17, 2007.
This is well past the tombstone lifetime limit set in our system.
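Added example (not part of the original thread): a Python check of the kind that surfaces the finding in the last post, comparing each inbound replication link's last success time with the tombstone lifetime. The CSV is a constructed sample in the column layout of `repadmin /showrepl * /csv`; the server names, the 60-day lifetime and the half-lifetime warning threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
# Site, server and domain names are placeholders, not values from the thread.
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,HQ-DC1,"DC=example,DC=local",HQ,HQ-DC2,RPC,0,0,2007-04-16 09:02:11,0
showrepl_INFO,HQ,HQ-DC1,"DC=example,DC=local",PLANT3,PLANT3-DC1,RPC,212,2007-04-16 09:02:40,2007-01-17 03:47:55,1256
showrepl_INFO,HQ,HQ-DC1,"DC=example,DC=local",PLANT5,PLANT5-DC1,RPC,4,2007-04-16 09:02:41,2007-03-10 22:10:03,1722
showrepl_INFO,HQ,HQ-DC1,"DC=example,DC=local",PLANT7,PLANT7-DC1,RPC,9,2007-04-16 09:02:41,0,1722
"""


def classify_links(csv_text, now, tombstone_days):
    """Map (source DSA, naming context) -> (status, age in whole days)."""
    limit = timedelta(days=tombstone_days)
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Source DSA"], row["Naming Context"])
        try:
            last_ok = datetime.strptime(row["Last Success Time"],
                                        "%Y-%m-%d %H:%M:%S")
        except ValueError:
            # No parseable success time: the link has never replicated.
            results[key] = ("NEVER", None)
            continue
        age = now - last_ok
        if age > limit:
            # Older than the tombstone lifetime: the partner may hold
            # lingering objects, so it needs cleanup, not a forced sync.
            status = "PAST_TOMBSTONE"
        elif age > limit / 2:
            # Assumed warning threshold: half the tombstone lifetime.
            status = "AT_RISK"
        else:
            status = "OK"
        results[key] = (status, age.days)
    return results


if __name__ == "__main__":
    report = classify_links(SAMPLE_CSV, datetime(2007, 4, 16, 12, 0, 0), 60)
    for (source, nc), (status, days) in sorted(report.items()):
        print(f"{source:12} {nc:22} {status:15} {days}")
```

Pass the tombstoneLifetime value actually configured in the forest as `tombstone_days`; the 60 used here is only the sample setting.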