RE: Event Id 4 Kerberos
From: Help_Pc (HelpPc_at_discussions.microsoft.com)
Date: 03/15/05
Date: Mon, 14 Mar 2005 23:31:02 -0800
While waiting for the response, the error went away.
In any case, it was a client computer.
Is it enough to remove the old non-existent machine?
"Bill Peng [MSFT]" wrote:
> Hi,
>
> Thank you for posting here.
>
> If this is a client computer, I recommend that you remove the computer from
> Active Directory (if it is not online anymore). If it is still connecting
> to the domain, please try to quit the domain and re-join the SBS AD.
>
> If this is an additional domain controller, please follow this KB:
>
> 216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain
> http://support.microsoft.com/?id=216498
>
> Detailed steps:
>
> 1. Click "Start", point to "Programs", point to "Accessories", and then
> click "Command Prompt".
>
> 2. At the command prompt, type "ntdsutil" (without the quotation marks),
> and then press ENTER.
>
> 3. Type "metadata cleanup" (without the quotation marks), and then press
> ENTER. Based on the options given, the administrator can perform the
> removal, but additional configuration parameters must be specified before
> the removal can occur.
>
> 4. Type "connections" (without the quotation marks) and press ENTER. This
> menu is used to connect to the specific server where the changes occur. If
> the currently logged on user does not have administrative permissions,
> different credentials can be supplied by specifying the credentials to use
> before making the connection.
>
> To do so, type "set creds <domain name> <username> <password>" (without the
> quotation marks) and press ENTER.
>
> For a null password, type "null" (without the quotation marks) for the
> password parameter.
>
> 5. Type "connect to server <servername>" (without the quotation marks), and
> then press ENTER.
>
> You should receive confirmation that the connection is successfully
> established. If an error occurs, verify that the domain controller being
> used in the connection is available and the credentials you supplied have
> administrative permissions on the server.
>
> [Note] If you try to connect to the same server that you want to delete,
> when you try to delete the server that step 15 refers to, you may receive
> the following error message:
>
> Error 2094. The DSA Object cannot be deleted 0x2094
>
> 6. Type "quit" (without the quotation marks), and then press ENTER. The
> Metadata Cleanup menu appears.
>
> 7. Type "select operation target" (without the quotation marks) and press
> ENTER.
>
> 8. Type "list domains" (without the quotation marks) and press ENTER. A
> list of domains in the forest is displayed, each with an associated number.
>
> 9. Type "select domain <number>" (without the quotation marks) and press
> ENTER, where <number> is the number associated with the domain the server
> you are removing is a member of. The domain you select is used to determine
> if the server being removed is the last domain controller of that domain.
>
> 10. Type "list sites" (without the quotation marks) and press ENTER. A list
> of sites, each with an associated number, is displayed.
>
> 11. Type "select site <number>" (without the quotation marks) and press
> ENTER, where <number> is the number associated with the site the server you
> are removing is a member of. You should receive a confirmation listing the
> site and domain you chose.
>
> 12. Type "list servers in site" (without the quotation marks) and press
> ENTER. A list of servers in the site, each with an associated number, is
> displayed.
>
> 13. Type "select server <number>" (without the quotation marks), where
> <number> is the number associated with the server you want to remove.
>
> You receive a confirmation listing the selected server, its Domain Name
> Server (DNS) host name, and the location of the server's computer account
> you want to remove.
>
> 14. Type "quit" (without the quotation marks) and press ENTER. The Metadata
> Cleanup menu appears.
>
> 15. Type "remove selected server" (without the quotation marks) and press
> ENTER. You should receive confirmation that the removal completed
> successfully.
>
> 16. Type "quit" (without the quotation marks) at each menu to quit the
> Ntdsutil utility. You should receive confirmation that the connection
> disconnected successfully.
>
> 17. Remove the cname record in the _msdcs.<root domain of forest> zone in
> DNS. Assuming that DC is going to be reinstalled and re-promoted, a new
> NTDS Settings object is created with a new GUID and a matching cname record
> in DNS.
>
> You do not want the DCs that exist to use the old cname record. As a best
> practice, you should delete the hostname and other DNS records.
>
> If the lease time that remains on the Dynamic Host Configuration Protocol
> (DHCP) address assigned to the offline server is exceeded, then another client
> can obtain the IP address of the problem DC.
>
> Now that the NTDS Settings object has been deleted, you can delete the
> computer account, the FRS member object, the cname (or Alias) record in the
> _msdcs container, the A (or Host) record in DNS, the trustDomain object for
> a deleted child domain, and the domain controller.
>
> 1. Use ADSIEdit to delete the computer account. To do this, follow these
> steps:
>
> a. Start ADSIEdit.
> b. Expand the "Domain NC" container.
> c. Expand "DC=<Your Domain>, DC=COM, PRI, LOCAL, NET".
> d. Expand "OU=Domain Controllers".
> e. Right-click "CN=<domain controller name>", and then click "Delete". If
> you receive the "DSA object cannot be deleted" error when you try to delete
> the object, change the UserAccountControl value. To change the
> UserAccountControl value, right-click the domain controller in ADSIEdit,
> and then click "Properties". Under "Select a property to view", click
> "UserAccountControl". Click "Clear", change the value to 4096, and then
> click "Set". You can now delete the object.
>
> [Note] The FRS subscriber object is deleted when the computer object is
> deleted because it is a child of the computer account.
>
> 2. Use ADSIEdit to delete the FRS member object. To do this, follow these
> steps:
>
> a. Start ADSIEdit.
> b. Expand the "Domain NC" container.
> c. Expand "DC=<Your Domain>, DC=COM, PRI, LOCAL, NET".
> d. Expand "CN=System".
> e. Expand "CN=File Replication Service".
> f. Expand "CN=Domain System Volume (SYSVOL share)".
> g. Right-click the domain controller you are removing, and then click
> "Delete" (without the quotation marks).
>
> 3. In the DNS console, use the DNS MMC to delete the A record in DNS.
>
> The A record is also known as the Host record.
>
> To delete the A record, right-click the A record, and then click "Delete".
> Also delete the cname (also known as the Alias) record in the "_msdcs"
> container.
>
> To do so, expand the "_msdcs" container, right-click the cname, and then
> click "Delete".
>
> [Important] If this was a DNS server, remove the reference to
> this DC under the "Name Servers" (without the quotation marks) tab. To do
> this, in the DNS console, click the domain name under "Forward Lookup
> Zones" (without the quotation marks), and then remove this server from the
> "Name Servers" (without the quotation marks) tab.
>
> [Note] If you have reverse lookup zones, also remove the server from these
> zones.
>
> 4. Use Active Directory Sites and Services to remove the domain controller.
>
> To do this, follow these steps:
>
> a. Start Active Directory Sites and Services.
> b. Expand "Sites".
> c. Expand the server's site. The default site is "Default-First-Site-Name".
> d. Expand "Server".
> e. Right-click the domain controller, and then click "Delete" (without the
> quotation marks).
>
> More information:
> Active Directory Operations Guide
> Managing Domain Controllers with Active Directory Directory Services
>
> Restoring and Rebuilding SYSVOL
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapa.mspx#EDAA
>
> I hope the above info helps.
>
> If you have any update, please feel free to post back.
>
> Bill Peng
> MCSE 2000, MCDBA
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> >From: "Help_Pc" <HelpPc@discussions.microsoft.com>
> >Subject: Event Id 4 Kerberos
> >Date: Sat, 12 Mar 2005 10:29:01 -0800
> >
> >I added a new machine to SBS with name Quality1. I didn't remove from the
> >list (but the machine no longer exists) with name Quality. Now Kerberos tries
> >to release ticket of the old machine and I get the error.
> >What to do?
> >Removing the old machine from AD?
> >Waiting for old machine being tombstoned or other?
> >TIA
> >
>
>
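The DNS cleanup in steps 17 and 3 of the quoted procedure (the A record, the cname in "_msdcs", and the "Name Servers" entries) can be checked afterwards with a scan like the following. This is an added example, not part of the original posts or of the KB article; it assumes a zone-file-style text export of the DNS zone, all names and addresses in the sample are constructed, and it also flags SRV records, which the thread does not mention.

```python
# Added example: scan a DNS zone text export for records that still point at a
# removed domain controller. The zone lines below are constructed sample data.
RECORD_TYPES = {"A", "CNAME", "NS", "SRV"}

def fqdn(name, origin):
    """Normalise a zone-file name to a lower-case absolute name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def stale_records(zone_text, origin, removed_host):
    """Return (owner, type, rdata) for every record naming removed_host."""
    origin = origin.lower().rstrip(".") + "."
    target = fqdn(removed_host, origin)
    hits, owner = [], origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():                  # a new owner name starts in column 0
            owner = fqdn(fields.pop(0), origin)
        # skip optional TTL and class so fields[0] is the record type
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() not in RECORD_TYPES:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        # A records are matched by owner; CNAME/NS/SRV by the host they point to
        points_at = owner if rtype == "A" else fqdn(rdata[-1], origin)
        if points_at == target:
            hits.append((owner, rtype, " ".join(rdata)))
    return hits

SAMPLE_ZONE = """\
@                         3600 IN NS    sbs01.example.local.
                          3600 IN NS    olddc.example.local.
sbs01                     3600 IN A     192.0.2.10
olddc                     3600 IN A     192.0.2.20
0f1e2d3c._msdcs           600  IN CNAME olddc.example.local.
_ldap._tcp.dc._msdcs      600  IN SRV   0 100 389 olddc.example.local.
_ldap._tcp.dc._msdcs      600  IN SRV   0 100 389 sbs01.example.local.
"""

if __name__ == "__main__":
    for owner, rtype, rdata in stale_records(SAMPLE_ZONE, "example.local", "olddc"):
        print(f"{owner:45} {rtype:6} {rdata}")
```

An empty result for the removed host name means none of the scanned record types still reference it in that export.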