RE: Critical Errors in System Log
- From: v-chacez@xxxxxxxxxxxxx (chace zhang)
- Date: Tue, 27 Jun 2006 06:49:23 GMT
Hi Noone,
Thanks for posting here!
From the post, I understand that you receive the following Kerberos error on Small Business Server 2003 domain controllers:
------------------------------------------------------------
EventID: 4 Source: Kerberos
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/exchange.domain.local. The target name used was
cifs/server.domain.local. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the target
realm (DOMAIN.LOCAL), and the client realm. Please contact your system
administrator.
------------------------------------------------------------
If I have misunderstood your concern, please let me know.
Below is the explanation about the Kerberos error:
============================
The Kerberos Error 4 error "KRB_AP_ERR_MODIFIED" was added in XP and
Windows 2003 in response to issues around Kerberos failures seen in the
field. In short this error indicates that the ticket was encrypted with a
password which is different than the password currently on the target
server.
This issue may occur if:
===================
1. DHCP allocated recently released addresses to clients requesting an
address. In this circumstance the client will obtain the recently released
IP address and update its host record on the DNS server. If the server queries
a DNS server for the client's address and is returned the IP address that
was just assigned to another client, this generates the error because the
new client is not able to decrypt its part of the Kerberos ticket.
Generally, this will occur if the DHCP scope is running out. If that is the
case, you need to increase the DHCP scope.
2. WINS / DNS mis-configuration. The name of the target server is
mistakenly resolved to a different machine.
3. Service mis-configuration such as incorrect SPN registration.
4. Corrupted Secure Channel between computers.
5. Service is running on a cluster which isn't configured to use Kerberos.
If there is no Cluster configured, you can ignore this.
Therefore, I suggest that we do the following:
===================
1. Check the DHCP Server to make sure that there are enough free IP
addresses in the DHCP scope.
2. Open the DNS console on the DC. Open the Forward Lookup zone, expand the
DNS domain. Check if there is an A record for each of the domain
controllers. If there is, delete it. Then, re-register the A record by
running the command: ipconfig /registerdns
3. Open the DNS console, check the forward lookup zone to make sure that
there are no two records pointing to the same IP address. If there is an A
record for server.domain.local, please delete it.
4. Open the WINS Management console, expand [Server name]\Active Registrations,
right click Active Registrations, select Display Records, in the Record
Owners tab, select All the owners and then click Find Now. Check the WINS
database to make sure that there are no two records pointing to the same IP
address and that there is no record for the removed machine "server".
Hope the information above is helpful. I'm standing by for an update from
you and if you have any other concerns, please do not hesitate to let me
know.
Have a nice day!
Best Regards,
Chace Zhang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
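The DNS check suggested in the reply above can be run offline against an exported record list. The following is an added example, not part of the original post: it pulls the responding server and the target name out of the Event ID 4 text and reports any IP address that both names share. The A records and IP addresses are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Event ID 4 message as quoted in the post.
EVENT_TEXT = """The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/exchange.domain.local. The target name used was
cifs/server.domain.local. This indicates that the password used to encrypt
the kerberos service ticket is different than that on the target server."""

# (hostname, IPv4) pairs from a forward lookup zone. Constructed sample data.
A_RECORDS = [
    ("exchange.domain.local", "192.168.16.2"),
    ("server.domain.local", "192.168.16.2"),  # leftover record for a removed machine
    ("ws01.domain.local", "192.168.16.50"),
]

def parse_event(text):
    """Return (responding_host, target_host), with the service class stripped."""
    flat = " ".join(text.split())  # undo the event log's line wrapping
    m = re.search(
        r"error from the server (\S+?)\. The target name used was (\S+?)\.(?: |$)",
        flat,
    )
    if not m:
        raise ValueError("not a KRB_AP_ERR_MODIFIED event message")
    return tuple(spn.split("/", 1)[-1].lower() for spn in m.groups())

def shared_addresses(records):
    """Map each IP that has more than one hostname to its sorted hostnames."""
    by_ip = defaultdict(set)
    for name, ip in records:
        by_ip[ip].add(name.lower())
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}

def diagnose(text, records):
    """Report IPs where the requested target name resolves to the responder."""
    responder, target = parse_event(text)
    hits = [ip for ip, names in shared_addresses(records).items()
            if responder in names and target in names]
    return {"responder": responder, "target": target, "shared_ips": sorted(hits)}

if __name__ == "__main__":
    print(diagnose(EVENT_TEXT, A_RECORDS))
```

A non-empty `shared_ips` list means the name the client requested a ticket for resolves to the machine that actually answered, which matches the stale A record case the reply asks to delete.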