Re: Windows/Exchange 2003 in cluster - Kerberos errors




In news:1124821106.830795.174860@xxxxxxxxxxxxxxxxxxxxxxxxxxxx,
Are Westby <arester@xxxxxxxxx> made this post, which I then commented about
below:
> Hello,
>
> (This post might be appropriate for both Exchange and AD groups, but
> seeing as it is primarily Kerberos- and AD-related, I'll post here)
>
> Scenario:
>
> 2 Windows 2003 servers with Exchange 2003, set up in an active/passive
> cluster configuration with 2 nodes and 1 virtual server, using Veritas
> Cluster Server. Kerberos authentication is enabled for the cluster.
> Both members of Windows 2003 Active Directory domain.
>
> The actual problem is that I can't access any configuration tabs in
> Exchange System Manager (these settings are stored in AD). Both
> Exchange service account, logged on account and Veritas service
> account have the necessary read/write rights in the directory.
>
> Errors:
>
> Message in Event Viewer:
>
> -------------------
>
> The kerberos client received a KRB_AP_ERR_MODIFIED error from the
> server host/***-003.**.***.**.
> The target name used was RPCSS/***-006.**.***.**. This indicates that
> the password used to encrypt the kerberos service ticket is different
> than that on the target server. Commonly, this is due to identically
> named machine accounts in the target realm (**.***.**), and the
> client realm.
> Please contact your system administrator.
>
> --------------------
>
> 003.* is the hostname of the active Exchange cluster node, 006.* is
> the hostname of the virtual server. I have verified that there are no
> duplicate computer objects or hostname conflicts in either domain or
> forest.
>
> I've run dcdiag from the active cluster node, and it yields no errors.
> Netdiag though, gives the following error after performing the LDAP
> test segment of netdiag (the LDAP-test is classified as "FAILED",
> everything else is tagged as "PASSED"):
>
> --------------------
>
> [WARNING] The default SPN registration for 'HOST/***-003.**.***.**' is
> missing on DC '***-***.**.***.**'.
>
> --------------------
>
> This error message repeats in netdiag output for all active (and
> reachable) domain controllers in the forest.
>
> Now, the funny thing is that if I do an "spnset -L hostname" (-L =
> "list") from either the Exchange cluster node or any domain
> controller, the Exchange cluster node does indeed have valid SPN
> registrations. I've also attempted "spnset -R hostname" (-R =
> "reset") to no avail.
>
> Finally, netdiag output lists one more peculiar thing:
>
> Computer Name: ***-006
> DNS Host Name: ***-003.**.***.**
>
> Again, 006 is the host name of the virtual server, 003 the active
> cluster node.
>
> Any help greatly appreciated.
>
> Kind rgds,
>
> Are Westby

Not being familiar with Veritas Cluster services, nor a cluster expert, but
I do understand its functionality with MS Cluster services. The only thing
I can think of, especially that it seems when the VS is on one machine, it
may have got the ticket when the VS was on the other resource, then when it
was moved, it is looking at it as a different machine and therefore assumes
it's a different ticket than the other resource.

Is there anything in the Veritas Kerberos config that you can tell it to use
the cluster IP instead of the resource IPs?

Does that make sense? Other than that, I'm not sure with this one and the
best I have on it!
:-)


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
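
An added example, not part of either post in this thread: a Python check over exported account attributes for two conditions the thread touches on, an SPN registered on more than one account and a computer account whose dNSHostName does not match its own name (the pattern in the quoted netdiag output). The account records, the `svc-cluster` account and all host names are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of exported account attributes; every name is a placeholder.
ACCOUNTS = [
    {"sAMAccountName": "NODE-003$", "dNSHostName": "node-003.example.test",
     "servicePrincipalName": ["HOST/node-003.example.test", "HOST/NODE-003"]},
    {"sAMAccountName": "VS-006$", "dNSHostName": "node-003.example.test",
     "servicePrincipalName": ["HOST/vs-006.example.test", "HOST/VS-006"]},
    {"sAMAccountName": "svc-cluster", "dNSHostName": None,
     "servicePrincipalName": ["host/VS-006.example.test"]},
]

def spn_owners(accounts):
    """Map each SPN (compared case-insensitively) to the accounts holding it."""
    owners = defaultdict(set)
    for acct in accounts:
        for spn in acct.get("servicePrincipalName", []):
            owners[spn.lower()].add(acct["sAMAccountName"])
    return owners

def duplicate_spns(accounts):
    """SPNs registered on more than one account. A ticket for such an SPN can
    be encrypted with a key the answering service does not hold, which the
    client then sees as KRB_AP_ERR_MODIFIED."""
    return {spn: sorted(who) for spn, who in spn_owners(accounts).items()
            if len(who) > 1}

def hostname_mismatches(accounts):
    """Computer accounts ('$' suffix) whose dNSHostName first label differs
    from the account name."""
    found = []
    for acct in accounts:
        name, dns = acct["sAMAccountName"], acct.get("dNSHostName")
        if name.endswith("$") and dns:
            if dns.split(".")[0].lower() != name[:-1].lower():
                found.append((name, dns))
    return found

if __name__ == "__main__":
    for spn, who in duplicate_spns(ACCOUNTS).items():
        print(f"duplicate SPN {spn}: {', '.join(who)}")
    for name, dns in hostname_mismatches(ACCOUNTS):
        print(f"{name} has dNSHostName {dns}")
```
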

