Re: Kerberos Query
- From: JohnH <JohnH@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 10 Oct 2008 00:29:01 -0700
Thanks Paul, that registry change worked perfectly.
Much appreciated!
--
-JohnH
"Paul Bergson [MVP-DS]" wrote:
I would go into DNS and validate that both forward and reverse names for both
machines are gone, as well as any aliases.
Then go to the new machine and from a command prompt key in
ipconfig /registerdns
Plus to create an alias on the machine edit:
HKEY_Local_Machine\System\CurrentControlSet\Services\LanmanServer\Parameters
Add Value: OptionalNames
REG_SZ String: "Alias"
If you make it a REG_MULTI_SZ, you can then create multiple aliases
Also use DNS and alias the machine name back to the new name
I doubt you have duplicate SPNs, but here is a bit of additional info to
help out:
http://msmvps.com/blogs/vandooren/archive/2008/03/11/getting-rid-of-the-duplicate-spn-in-active-directory.aspx
Kerberos troubleshooting
http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/usecdirw/17wsdsu.mspx
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"JohnH" <JohnH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DFC0330A-BE4E-42D7-A8F4-B134E4699DB0@xxxxxxxxxxxxxxxx
Hi everyone,
I've managed to cause myself a bit of a problem with Kerberos that I'm not
100% sure how to diagnose... I've got two web servers, we'll say server1
(Win2k web server) and server2 (win2k3 web server - intended to replace
server1 hardware, which is now eol).
The plan was to migrate server1 to server2, but keep the same IP address
due to an unknown number of badly-coded applications referencing the server
by IP. So we built server2 on another IP address and copied all the websites
and data over. The final plan was to remove server1 from the domain and
shut it down, then change the address of server2 to the desired IP address
(and create an alias for server1 in DNS to direct all traffic to server2).
Due to a mistake by myself I ended up having the two web servers on the
network at the same time with the same address - which was stupid I know.
The result of this was that all web traffic is fine to the new server, but
if I try to connect to a fileshare using \\server1\share, it now shows an
error about a duplicate name on the network. If you do this from server1
itself, it actually shows a Windows authentication prompt, but no
credentials work and you end up with an access denied error.
Initially I was getting a KRB_AP_ERR_MODIFIED error logged in the eventlog.
Since then I've removed server2 from the domain, made sure all computer
accounts, DNS entries and WINS entries are all removed for both server1
and server2, then re-added server2 to the domain but I still get the same
error dialog windows, but no eventlog errors.
I'm now a bit lost as to where to troubleshoot next - any help would be
much appreciated. Thanks.
--
-JohnH
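The steps from the reply in this thread (check forward and reverse DNS, re-register, add OptionalNames as a multi-string value), as an added PowerShell example that is not part of the original posts. The alias value and the function names Test-NameRoundTrip and Add-ServerAlias are placeholders chosen here; it assumes PowerShell 3.0 or later in an elevated session on the new server.

```powershell
# Added example: run elevated on the new server. Names are placeholders.
$Alias    = 'server1'            # old name that must keep working (placeholder)
$RealName = $env:COMPUTERNAME    # the machine this script runs on

function Test-NameRoundTrip {
    param([string]$Name)
    # Forward lookup, then a reverse lookup for every address returned.
    # Uses the system resolver, so a hosts-file entry can also answer.
    try   { $addresses = [System.Net.Dns]::GetHostAddresses($Name) }
    catch { return [pscustomobject]@{ Name = $Name; Address = $null
                                      Reverse = $null; Status = 'no forward record' } }
    foreach ($ip in $addresses) {
        try   { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName }
        catch { $ptr = $null }
        [pscustomobject]@{
            Name    = $Name
            Address = $ip.IPAddressToString
            Reverse = $ptr
            Status  = $(if ($ptr) { 'ok' } else { 'no PTR record' })
        }
    }
}

function Add-ServerAlias {
    param([string[]]$Aliases)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Keep aliases that are already present and drop empty entries.
    $current = @((Get-ItemProperty -Path $key -Name OptionalNames `
                    -ErrorAction SilentlyContinue).OptionalNames)
    $merged  = @($current + $Aliases | Where-Object { $_ } | Sort-Object -Unique)
    # MultiString = REG_MULTI_SZ, so several aliases fit in one value.
    New-ItemProperty -Path $key -Name OptionalNames -PropertyType MultiString `
        -Value $merged -Force | Out-Null
    $merged   # takes effect once the Server service restarts
}

# 1. Both names should resolve to this server's address, and the PTR
#    record should point back at the new name only.
$Alias, $RealName | ForEach-Object { Test-NameRoundTrip $_ } | Format-Table -AutoSize

# 2. Re-register this host's own records, then add the alias.
ipconfig /registerdns
Add-ServerAlias -Aliases $Alias

# 3. List the SPNs on the new computer account; the old account should
#    no longer be found if it was deleted from the domain.
setspn -L $RealName
setspn -L $Alias
```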