Re: Troubleshooting KDC Event 11



In news:44039036$0$25081$470ef3ce@xxxxxxxxxxx,
Ronald Nissley <dont@xxxxxxx> stated, which I commented on below:
I have a parent domain (call it mydomain.tld for this example), and a
child domain (childdomain.mydomain.tld). The child domain has a single
domain controller (childdc.childdomain.mydomain.tld). Forest/Domain
functional level is Windows 2003 Server. All DCs are running Windows
2003 Server SP1. In childdc's system event logs are recurring entries
like:

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 2/27/2006
Time: 2:03:20 PM
User: N/A
Computer: CHILDDC
Description:
There are multiple accounts with name cifs/childdc of type
DS_SERVICE_PRINCIPAL_NAME.

and

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 2/27/2006
Time: 1:13:45 PM
User: N/A
Computer: CHILDDC
Description:
There are multiple accounts with name cifs/CHILDDC of type
DS_SERVICE_PRINCIPAL_NAME.

Notice the only differences between the events are the case
(upper/lower) of the computer name in the event description and,
obviously, the Time.
I have already tried to follow the steps at
http://support.microsoft.com/default.aspx?scid=kb;en-us;321044 as well
as several other suggestions found on different support groups,
forums, etc. At this time, I've performed only "read-only" steps. I
haven't made any changes using adsiedit.msc, or other tools.

One point that I need clarity on is this: In the child domain, as
expected, a CHILDDC computer account is listed in the _Domain
Controllers_ OU/Container. In the parent domain, the identically named
CHILDDC computer account (apparently a 2nd computer account for the
same server) is listed in the _Member Servers_ OU/Container. Is this
normal? I'm trying to recall if I had joined CHILDDC to the parent
domain before running 'dcpromo' to create the child domain. If the
'Member Server' CHILDDC computer account in the parent domain is not
normal, is it safe to delete that account? In the Service Principal
Name list I generated, the dupes I located were:

dn: CN=CHILDDC,OU=Domain Controllers,DC=CHILDDOMAIN,DC=MYDOMAIN,DC=TLD
servicePrincipalName: HOST/CHILDDC

and

dn: CN=CHILDDC,OU=Member Servers,DC=MYDOMAIN,DC=TLD
servicePrincipalName: HOST/CHILDDC

If you can refer me to documentation or a well-summarized resolution
:-) for this, I'd appreciate it. Generally, the problem doesn't seem
to be affecting functionality/performance, but there are a few
(relatively minor) issues I'm trying to resolve. Tips or suggestions
are welcomed. You can reply to this topic (preferred) or send e-mail
to rnissley.gmail.com, replacing the first period with @.

TIA,

Ronald

If there is a duplicate account of a domain controller machine object (with
an obvious duplicate SID) that exists in another domain (that it's NOT a DC
for), and you may or may not have remembered (but it seems likely that's
what happened) previously having joined it to that domain prior to promoting
it to a DC for the other domain (child or not), then I would immediately
delete it. That may be causing this SPN duplicate error, which is what I
believe it's all about.

See here for more info:
http://www.eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1

You can also use LDP (from the Windows support Tools) to view the SID and
compare them, but from your description, I really think it's a dupe that
needs to be removed.

I hope that helps.
--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader) and configuring a news account pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Assimilation Imminent. Resistance is Futile
Infinite Diversities in Infinite Combinations

"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a black hole consuming
unnecessary energy.
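The KB article Ronald followed boils down to exporting every servicePrincipalName and looking for values owned by more than one object. Below is an added example (not code from either poster or from Microsoft) that does that check over an ldifde-style export; the sample export is constructed from the two records quoted in the post plus a few extra SPNs, and the `dn:`/`servicePrincipalName:` record layout is assumed.

```python
"""Report servicePrincipalName values owned by more than one directory object.

Input is an ldifde-style text export (one "dn:" line per object, one
"servicePrincipalName:" line per SPN, records separated by blank lines).
Matching is case-insensitive, which is why HOST/CHILDDC and HOST/childdc
below collide just as the cifs/childdc and cifs/CHILDDC events did.
"""
from collections import defaultdict

# Constructed sample export: the two duplicate records from the post,
# some extra SPNs on the real DC, and one clean parent-domain DC.
SAMPLE_EXPORT = """\
dn: CN=CHILDDC,OU=Domain Controllers,DC=CHILDDOMAIN,DC=MYDOMAIN,DC=TLD
servicePrincipalName: HOST/CHILDDC
servicePrincipalName: HOST/childdc.childdomain.mydomain.tld
servicePrincipalName: ldap/childdc.childdomain.mydomain.tld

dn: CN=CHILDDC,OU=Member Servers,DC=MYDOMAIN,DC=TLD
servicePrincipalName: HOST/childdc

dn: CN=PARENTDC,OU=Domain Controllers,DC=MYDOMAIN,DC=TLD
servicePrincipalName: HOST/PARENTDC
"""


def parse_ldif_spns(text):
    """Return {dn: [spn, ...]}; only plain (non-base64) values are handled."""
    text = text.replace("\n ", "")  # re-join LDIF continuation lines
    records, dn = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:              # blank line ends the current record
            dn = None
        elif line.lower().startswith("dn:"):
            dn = line[3:].strip()
            records.setdefault(dn, [])
        elif dn and line.lower().startswith("serviceprincipalname:"):
            records[dn].append(line.split(":", 1)[1].strip())
    return records


def find_duplicate_spns(records):
    """Return {lower-cased spn: sorted owning DNs} for SPNs with 2+ owners."""
    owners = defaultdict(set)
    for dn, spns in records.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(parse_ldif_spns(SAMPLE_EXPORT)).items():
        print(f"DUPLICATE {spn}")
        for dn in dns:
            print(f"    {dn}")
```

On the sample the report names only host/childdc, owned by the Domain Controllers object in the child domain and the stale Member Servers object in the parent, which is exactly the pair Ace suggests removing.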