"Charles" <> wrote in message
news:...
> Does anyone have any ideas about this? Any suggestions of things I can try
> or places I can look are welcome.
>
> Thanks
>
> Charles
>
>
> "Charles" <> wrote in message
> news:...
>> There seems to be a lot written about this on the net, and yet I can't
>> find the answer that fixes it for me.
>>
>> I have a 2-node cluster on Windows Server 2003. Whenever it fails over it
>> takes 2 minutes to do it, and gets stuck waiting on Cluster Name and
>> MSDTC Resource in the Cluster Group.
>>
>> When it fails over I get the following event in the System event log:
>>
>> "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
>> host/server2.mydomain.local. The target name used was . This indicates
>> that the password used to encrypt the kerberos service ticket is
>> different than that on the target server. Commonly, this is due to
>> identically named machine accounts in the target realm (MYDOMAIN.LOCAL),
>> and the client realm. Please contact your system administrator."
>>
>> I have no idea how to resolve this, or even if it is the cause of the
>> problem.
>>
>> I also note that in dnsmgmt, the private IP addresses of the two cluster
>> nodes keep appearing in the A records. I delete them on both servers and
>> they come back. I have been through the advanced TCP/IP properties and
>> checked that "Register the connection's addresses in DNS" is not checked,
>> but still they come back. Again, I don't know if this is a red herring.
>>
>> Can anyone shed any light on this?
>>
>> TIA
>>
>> Charles
>>
>>
Charles,
I am not a Cluster expert, so I can't help with that portion. But as far as
DNS and what's being registered, you are seeing default functionality.
Apparently, whatever record you are creating and deleting (the default hostname
record), the system is seeing that as an SPN mismatch to the machine's
default FQDN, which is causing the kerb issues.
If the server is a DC, the netlogon service will always refresh its
LdapIpAddress, A record, and GcIpAddress every 24 hours. If a DNS server, it
will register its nameserver record, hence what you are seeing. You can try,
as one poster mentioned, to tell it to only listen to a specific IP so that
registers.
You can also disable registration completely. Once that's done, if a DC, you
can then configure the netlogon registry entry to 'publish' (create) the
necessary records and IP you want, or if a DNS server, simply create static
entries.
Keep in mind, whatever you want to force register, the SPN of the machine,
which is based on its configured FQDN, must be registered properly, or you
will see kerb issues.
To get an idea of what's involved, I have a blog on multihomed DCs which
shows how to disable registration and create your own records. You can read
through the steps involved and apply what is applicable to your scenario.
Multihomed DCs with DNS, RRAS, and/or PPPoE adapters
http://msmvps.com/blogs/acefekay/arc...-adapters.aspx
I hope that helps.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
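The checks Ace describes (which A records each node name really resolves to, whether a host/ SPN is claimed by more than one account, and what the Netlogon registration settings are) can be run from a PowerShell session. The script below is an added diagnostic example, not code from the thread or from Ace's blog. It assumes a modern Windows host with the RSAT DnsClient and ActiveDirectory modules and setspn.exe available; the node names `server1.mydomain.local`/`server2.mydomain.local` and the `10.0.1.` client-facing subnet prefix are placeholders standing in for the poster's real values.

```powershell
# Added diagnostic example (not from the original thread). Assumptions:
# RSAT DnsClient + ActiveDirectory modules and setspn.exe are present; the
# host names and the "public" subnet prefix below are placeholders.
param(
    [string[]]$Hosts = @('server1.mydomain.local', 'server2.mydomain.local'),  # assumed node names
    [string]$PublicSubnetPrefix = '10.0.1.'   # assumed client-facing subnet; the private heartbeat subnet must not appear in DNS
)

Import-Module DnsClient
Import-Module ActiveDirectory

# 1. Which A records does each name actually resolve to, and do any of them
#    sit outside the client-facing subnet (i.e. come from the private adapter)?
foreach ($h in $Hosts) {
    $addrs = Resolve-DnsName -Name $h -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } |
             Select-Object -ExpandProperty IPAddress
    foreach ($ip in $addrs) {
        $flag = if ($ip.StartsWith($PublicSubnetPrefix)) { 'ok' } else { 'UNEXPECTED (private adapter?)' }
        '{0,-30} {1,-16} {2}' -f $h, $ip, $flag
    }
}

# 2. Duplicate SPNs forest-wide. KRB_AP_ERR_MODIFIED is what a client sees when
#    the KDC encrypted the service ticket with a different account's key than
#    the one the target server holds, which is what a duplicate host/ SPN causes.
setspn.exe -X -F

# 3. Which account currently holds host/<fqdn> for each node name.
foreach ($h in $Hosts) {
    $spn = "host/$h"
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
              Select-Object -ExpandProperty DistinguishedName
    '{0,-40} -> {1}' -f $spn, ($owners -join '; ')
}

# 4. Netlogon DNS registration controls on this machine (the values Ace's blog
#    adjusts). RegisterDnsARecords=0 stops Netlogon re-registering the DC's own
#    A record; DnsAvoidRegisterRecords lists the record mnemonics to skip.
$p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Get-ItemProperty -Path $p -ErrorAction SilentlyContinue |
    Select-Object RegisterDnsARecords, DnsAvoidRegisterRecords, UseDynamicDns
```

Run it on each node as a domain user with read access to AD. A line flagged UNEXPECTED in step 1 tells you which name is carrying the private address; a host/ SPN that step 2 reports as a duplicate, or that step 3 shows owned by an account other than that node's own computer object, is the mismatch the event log message is describing.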