Directory Service Access

Discussion in 'Server Migration' started by Spale, Jul 7, 2004.

  1. Spale

    Spale Guest

    After upgrade from Windows 2000 to Windows 2003 i have a problem with one
    machine on my DC this is the event:


    Source:Security

    Event ID 566

    Object Operation:

    Object Server: DS

    Operation Type: Object Access

    Object Type: dnsNode

    Object Name:
    DC=KDYD2AR,DC=vbba.volksbank.ba,CN=MicrosoftDNS,CN=System,DC=vbba,DC=volksba
    nk,DC=ba

    Handle ID: -

    Primary User Name: BL1DC1$

    Primary Domain: VBBA

    Primary Logon ID: (0x0,0x3E7)

    Client User Name: KDYD2AR$

    Client Domain: VBBA

    Client Logon ID: (0x0,0x5580A9)

    Accesses: Write Self


    Properties:

    ---

    Default property set

    dnsRecord

    dNSTombstoned

    dnsNode

    Additional Info:

    Additional Info2:

    Access Mask: 0x8



    I think it's something reklated to Kerberos Event ID 4.I couldn't find
    anything related to this event.Any idea?
     
    Spale, Jul 7, 2004
    #1
    1. Advertisements

  2. Hi Spale,

    I would like to suggest that you check if there is any related error in the
    event logs on the KDYD2AR computer. Please refer to the date and time of
    the events.

    If you find any netlogon error, please copy the whole event in your post.

    Thank you,

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bob Qin [MSFT], Jul 8, 2004
    #2
    1. Advertisements

  3. Spale

    Spale Guest

    Problem is this.I have a several machines in a different sites that have
    this problem.I cannot connect through computer management to event viewer to
    see events on that remote machine.If you remember i've had a same problem
    with Windows 2003 server few months ago.We use PC anywhere to access remote
    machines butt i cannot access services and event viewer on that machine to
    start PC anywhere service or to see events.On server i've found this event:


    Source :Kerberos

    Event ID:4


    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
    KDYD2AH$. The target name used was cifs/KDYD2AR.vbba.volksbank.ba. This
    indicates that the password used to encrypt the kerberos service ticket is
    different than that on the target server. Commonly, this is due to
    identically named machine accounts in the target realm (VBBA.VOLKSBANK.BA),
    and the client realm. Please contact your system administrator.



    What to do?
     
    Spale, Jul 8, 2004
    #3
  4. Spale

    Spale Guest

    Strange thing is that i have a same problem with my administrative
    machine.When i connect to the server and try to access remotely to event
    viewer it says Network path not found and access is denied.Also on my
    machine i've found Kerberos errors:


    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
    SA1VIDEO$. This indicates that the password used to encrypt the kerberos
    service ticket is different than that on the target server. Commonly, this
    is due to identically named machine accounts in the target realm
    (VBBA.VOLKSBANK.BA), and the client realm. Please contact your system
    administrator.



    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
    KDYD2AH$. This indicates that the password used to encrypt the kerberos
    service ticket is different than that on the target server. Commonly, this
    is due to identically named machine accounts in the target realm
    (VBBA.VOLKSBANK.BA), and the client realm. Please contact your system
    administrator.



    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
    KDYD2AN$. This indicates that the password used to encrypt the kerberos
    service ticket is different than that on the target server. Commonly, this
    is due to identically named machine accounts in the target realm
    (VBBA.VOLKSBANK.BA), and the client realm. Please contact your system
    administrator.



    Why do i have Kerberos errors on my machine?!Strange.I hope this is not too
    much for you.



    Thanks in advance.
     
    Spale, Jul 8, 2004
    #4
  5. Hi Spale,

    As for the original error, it is related to the KDYD2AR server. So it will
    be better that we get the event logs on KDYD2AR server. What is the error
    message you got that when you connect to the remote computer in Event
    Viewer? If the KDYD2AR server is running Windows 2000 server or Windows
    2003, you can also install Terminal Server on it so that you can remotely
    connect it.

    As for the kerberos error, you can try to stop the kerberos key
    distribution center service (
    KDC) service on all the DCs and reset the secure channel on each DC using
    the command.

    You can use the following command " netdom resetpwd
    /server:ip_address_of_PDC
    /userd:domainname\administrator /passwordd:admin_password" one server at a
    time.

    After resetting the secure channel password, you can reboot the server.
    Repeat the process on the remaining DC's. Turn the KDC back on ,

    If the error still persists, it may requires a network trace for analysis.

    Have a nice day!

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bob Qin [MSFT], Jul 9, 2004
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.