Re: Cant Access Network Resources. Clock Sync errors
- From: "Scott Townsend" <scooter133@xxxxxxxxxxxxxxxx>
- Date: Wed, 21 Mar 2007 12:11:39 -0700
Okay more info..
Ran Network Monitor 3.
Tried to log in as the problem user. It's talking to a Win2K3 Server, not the
Win2000 Server.
I can see KerberosV5 packets.
On the user that fails, it looks like the KDC is replying with
KerberosV5: AS Request Cname: <Bad User ID> Realm: DOMAIN Sname: krbtgt/DOMAIN
KerberosV5: AS Response Ticket[Realm: DOMAIN.COM, Sname: krbtgt/DOMAIN.COM]
On the user that works, it replies with:
KerberosV5: AS Request Cname: <Good User ID> Realm: DOMAIN Sname: krbtgt/DOMAIN
KerberosV5: KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
Bunch of TCP packets, then another request from the client, then
KerberosV5: AS Response Ticket[Realm: DOMAIN.COM, Sname: krbtgt/DOMAIN.COM]
More TCP packets, then
KerberosV5: TGS Request Realm: DOMAIN.COM Sname: host/pclient.domain.com
KerberosV5: TGS Response Cname: <Good User ID>
It looks like it is requiring a Pre-Auth for the user that works, but not for
the user that does not?
Scott
"Mike Luo [MSFT]" <v-miluo@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:5spaxY5aHHA.3820@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello,
Thank you for using newsgroup!
From your post, I think this problem is related to replication between
Windows Server 2003 R2 and Windows 2000. I have the following suggestion to
narrow down the problem:
1. Run Repadmin /syncall under CMD on Windows Server 2003 R2 to check if
the error occurs. If the error occurs, please run Repadmin /syncall
>c:\Repadmin.txt to export the result, and post Repadmin.txt to the newsgroup.
Note: Repadmin is included in Windows Support Tools; you need to install it
manually.
2. If the replication works fine, I recommend you reset computer account
for Windows 2000 DC:
a. Find out which DC is the PDC in domain.
b. Stop the Kerberos Key Distribution Center service and set its Startup
type to Manual on all DCs except for the PDC.
c. At a command prompt, type the following command:
netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*
where Replication_Partner_Server_Name is the fully qualified DNS or NetBIOS
name of a domain controller in the same domain as the local computer,
and domainname\administrator_id is the NetBIOS domain name and
administrator ID respectively, in the Security Accounts Manager (SAM)
account name credentials format.
d. Restart the server whose password was changed.
For more about resetting password information, refer to the following KB:
How To Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000
Domain Controller
http://support.microsoft.com/kb/260575/en-us
Thanks & Regards,
Mike Luo
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
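
Added example, not part of the original posts: a small Python parser that reads Network Monitor summary lines in the form quoted above and reports, per Cname, whether the KDC answered with KDC_ERR_PREAUTH_REQUIRED (25) before issuing the AS Response. The user names in the sample trace are constructed placeholders, and the code assumes one client whose requests and replies appear in order.

```python
import re

# Constructed sample in the summary-line format quoted in the post;
# "baduser" and "gooduser" are placeholder names.
SAMPLE_TRACE = """\
KerberosV5: AS Request Cname: baduser Realm: DOMAIN Sname: krbtgt/DOMAIN
KerberosV5: AS Response Ticket[Realm: DOMAIN.COM, Sname: krbtgt/DOMAIN.COM]
KerberosV5: AS Request Cname: gooduser Realm: DOMAIN Sname: krbtgt/DOMAIN
KerberosV5: KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
KerberosV5: AS Request Cname: gooduser Realm: DOMAIN Sname: krbtgt/DOMAIN
KerberosV5: AS Response Ticket[Realm: DOMAIN.COM, Sname: krbtgt/DOMAIN.COM]
KerberosV5: TGS Request Realm: DOMAIN.COM Sname: host/pclient.domain.com
KerberosV5: TGS Response Cname: gooduser
"""

AS_REQ = re.compile(r"KerberosV5: AS Request Cname: (?P<cname>.+?) Realm:")
AS_REP = re.compile(r"KerberosV5: AS Response\b")
KRB_ERR = re.compile(r"KerberosV5: KRB_ERROR - (?P<name>\w+) \((?P<code>\d+)\)")


def classify_as_exchanges(trace):
    """Return {cname: status}: 'preauth-negotiated', 'direct-as-rep',
    'error:<NAME>' or 'no-reply'."""
    result, saw_25, current = {}, set(), None
    for line in trace.splitlines():
        line = line.strip()
        if m := AS_REQ.match(line):
            current = m["cname"]              # request now awaiting a reply
            result.setdefault(current, "no-reply")
        elif current is None:
            continue                          # TGS traffic or unrelated line
        elif m := KRB_ERR.match(line):
            if m["code"] == "25":
                saw_25.add(current)
            result[current] = "error:" + m["name"]
            current = None
        elif AS_REP.match(line):
            negotiated = current in saw_25
            result[current] = "preauth-negotiated" if negotiated else "direct-as-rep"
            current = None
    return result


def accounts_to_review(trace):
    # A direct AS-REP means either the account has "Do not require Kerberos
    # preauthentication" set (UF_DONT_REQUIRE_PREAUTH in userAccountControl) or
    # the client sent pre-auth data in its first request. Summary lines cannot
    # tell these apart, so check the account flag and the frame details.
    return sorted(u for u, s in classify_as_exchanges(trace).items()
                  if s == "direct-as-rep")
```
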