problem this my AD system - like.. [FATAL] Kerberos does not have a ticket for host/blofeld.phonera.

Discussion in 'Active Directory' started by Lennie, Apr 28, 2004.

  1. Lennie

    Lennie Guest

    In my Eventlog-Application I get this error message.



    Event Type: Error

    Event Source: Userenv

    Event Category: None

    Event ID: 1030

    Date: 2004-04-28

    Time: 08:51:46

    User: PHONERA\sysadmin

    Computer: GOLDFINGER

    Description:

    Windows cannot query for the list of Group Policy objects. Check the event
    log for possible messages previously logged by the policy engine that
    describes the reason for this.



    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.



    The server Goldfinger is a large MSSQL 2000 server.

    And the server that is running AD is server: BLOFELD



    If I run netdiag on the Goldfinger server I get this information back.



    Computer Name: GOLDFINGER

    DNS Host Name: goldfinger.phonera.local

    System info : Windows 2000 Server (Build 3790)

    Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel

    List of installed hotfixes :

    KB819696

    KB823182

    KB823559

    KB824105

    KB824141

    KB825119

    KB828035

    KB828741

    KB832894

    KB835732

    KB837001

    KB837009

    Q147222

    Q828026





    Netcard queries test . . . . . . . : Passed







    Per interface results:



    Adapter : Network Bridge



    Netcard queries test . . . : Passed



    Host Name. . . . . . . . . : goldfinger

    IP Address . . . . . . . . : 172.17.60.11

    Subnet Mask. . . . . . . . : 255.255.255.0

    Default Gateway. . . . . . : 172.17.60.1

    Primary WINS Server. . . . : 172.17.60.10

    Dns Servers. . . . . . . . : 172.17.60.10

    62.209.162.230





    AutoConfiguration results. . . . . . : Passed



    Default gateway test . . . : Passed



    NetBT name test. . . . . . : Passed

    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenger Service', <20> 'WINS' names is missing.



    WINS service test. . . . . : Passed





    Global results:





    Domain membership test . . . . . . : Passed





    NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

    NetBT_Tcpip_{6A32ECBC-FC0D-4DB9-9E4F-AC5500645EEA}

    1 NetBt transport currently configured.





    Autonet address test . . . . . . . : Passed





    IP loopback ping test. . . . . . . : Passed





    Default gateway test . . . . . . . : Passed





    NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Service', <03> 'Messenger Service', <20> 'WINS' names defined.





    Winsock test . . . . . . . . . . . : Passed





    DNS test . . . . . . . . . . . . . : Passed





    Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

    NetBT_Tcpip_{6A32ECBC-FC0D-4DB9-9E4F-AC5500645EEA}

    The redir is bound to 1 NetBt transport.



    List of NetBt transports currently bound to the browser

    NetBT_Tcpip_{6A32ECBC-FC0D-4DB9-9E4F-AC5500645EEA}

    The browser is bound to 1 NetBt transport.





    DC discovery test. . . . . . . . . : Passed





    DC list test . . . . . . . . . . . : Passed





    Trust relationship test. . . . . . : Passed

    Secure channel for domain 'PHONERA' is to '\\blofeld.phonera.local'.





    Kerberos test. . . . . . . . . . . : Passed





    LDAP test. . . . . . . . . . . . . : Passed





    Bindings test. . . . . . . . . . . : Passed





    WAN configuration test . . . . . . : Skipped

    No active remote access connections.





    Modem diagnostics test . . . . . . : Passed



    IP Security test . . . . . . . . . : Skipped



    Note: run "netsh ipsec dynamic show /?" for more detailed information





    The command completed successfully







    And if I runt the same command on the Blofeld server I get this message
    back.





    Computer Name: BLOFELD

    DNS Host Name: blofeld.phonera.local

    System info : Windows 2000 Server (Build 3790)

    Processor : x86 Family 15 Model 2 Stepping 7, GenuineIntel

    List of installed hotfixes :

    KB819696

    KB823182

    KB823559

    KB824105

    KB824141

    KB825119

    KB828035

    KB828741

    KB830352

    KB832894

    KB835732

    KB837001

    KB837009

    Q147222

    Q828026





    Netcard queries test . . . . . . . : Passed







    Per interface results:



    Adapter : Network Bridge



    Netcard queries test . . . : Passed



    Host Name. . . . . . . . . : blofeld

    IP Address . . . . . . . . : 172.17.60.10

    Subnet Mask. . . . . . . . : 255.255.255.0

    Default Gateway. . . . . . : 172.17.60.1

    Primary WINS Server. . . . : 172.17.60.10

    Dns Servers. . . . . . . . : 172.17.60.10

    62.209.162.230





    AutoConfiguration results. . . . . . : Passed



    Default gateway test . . . : Passed



    NetBT name test. . . . . . : Passed

    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenger Service', <20> 'WINS' names is missing.



    WINS service test. . . . . : Passed





    Global results:





    Domain membership test . . . . . . : Passed





    NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

    NetBT_Tcpip_{ACCE3B87-CD7F-488C-9759-AE08C4D343F4}

    1 NetBt transport currently configured.





    Autonet address test . . . . . . . : Passed





    IP loopback ping test. . . . . . . : Passed





    Default gateway test . . . . . . . : Passed





    NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Service', <03> 'Messenger Service', <20> 'WINS' names defined.





    Winsock test . . . . . . . . . . . : Passed





    DNS test . . . . . . . . . . . . . : Passed

    PASS - All the DNS entries for DC are registered on DNS server
    '172.17.60.10' and other DCs also have some of the names registered.

    PASS - All the DNS entries for DC are registered on DNS server
    '62.209.162.230' and other DCs also have some of the names registered.





    Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

    NetBT_Tcpip_{ACCE3B87-CD7F-488C-9759-AE08C4D343F4}

    The redir is bound to 1 NetBt transport.



    List of NetBt transports currently bound to the browser

    NetBT_Tcpip_{ACCE3B87-CD7F-488C-9759-AE08C4D343F4}

    The browser is bound to 1 NetBt transport.





    DC discovery test. . . . . . . . . : Passed





    DC list test . . . . . . . . . . . : Passed





    Trust relationship test. . . . . . : Skipped





    Kerberos test. . . . . . . . . . . : Failed

    [FATAL] Kerberos does not have a ticket for
    host/blofeld.phonera.local.





    LDAP test. . . . . . . . . . . . . : Passed





    Bindings test. . . . . . . . . . . : Passed





    WAN configuration test . . . . . . : Skipped

    No active remote access connections.





    Modem diagnostics test . . . . . . : Passed



    IP Security test . . . . . . . . . : Skipped



    Note: run "netsh ipsec dynamic show /?" for more detailed information





    The command completed successfully





    I don't know what all this information means. But is this the problem that I
    see in the event log.



    If we look at the Blofeld netdiag log. What doss this mean?





    NetBT name test. . . . . . : Passed

    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenger Service', <20> 'WINS' names is missing.



    NetBT transports test. . . . . . . : Passed

    List of NetBt transports currently configured:

    NetBT_Tcpip_{ACCE3B87-CD7F-488C-9759-AE08C4D343F4}

    1 NetBt transport currently configured.



    NetBT name test. . . . . . . . . . : Passed

    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Service', <03> 'Messenger Service', <20> 'WINS' names defined.



    Redir and Browser test . . . . . . : Passed

    List of NetBt transports currently bound to the Redir

    NetBT_Tcpip_{ACCE3B87-CD7F-488C-9759-AE08C4D343F4}

    The redir is bound to 1 NetBt transport.



    List of NetBt transports currently bound to the browser

    NetBT_Tcpip_{ACCE3B87-CD7F-488C-9759-AE08C4D343F4}

    The browser is bound to 1 NetBt transport.



    Kerberos test. . . . . . . . . . . : Failed

    [FATAL] Kerberos does not have a ticket for
    host/blofeld.phonera.local.





    Please help me.

    Lennie

    Network manager Phonera AB
     
    Lennie, Apr 28, 2004
    #1
    1. Advertisements

  2. Lennie

    Arild Bakken Guest

    DNS on the servers (all servers, including DC) should ONLY point to the DC
    (Blofeld) and NOT any external DNS servers. The DNS server on the DC should
    have forwarders setup for external DNS servers (at ISP).

    It may be that some records are missing in the DNS. Verify that all SRV
    records for gc, ldap, kerberos etc are correct.

    Run gpresult on the memberserver and see what it reports.


    Arild

     
    Arild Bakken, Apr 28, 2004
    #2
    1. Advertisements

  3. Lennie

    Lennie Guest

    The server: (62.209.162.230) is also a AD server that is standing on the DMZ
    zone.
    I am running exchange 2003 on this server.
    I will run gpresult and see what the report says.



    // Lennie


     
    Lennie, Apr 28, 2004
    #3
  4. Lennie

    Lennie Guest

    This is the information i get when running gpresult on goldfinger
    // Lennie

    ----------------------------------

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 4/28/2004 at 11:57:20 AM



    RSOP data for PHONERA\sysadmin on GOLDFINGER : Logging Mode
    ------------------------------------------------------------

    OS Type: Microsoft(R) Windows(R) Server 2003, Standard
    Edition
    OS Configuration: Member Server
    OS Version: 5.2.3790
    Terminal Server Mode: Remote Administration
    Site Name: Default-First-Site-Name
    Roaming Profile:
    Local Profile: C:\Documents and Settings\sysadmin
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
    CN=GOLDFINGER,OU=servrar,OU=malmo,DC=phonera,DC=local
    Last time Group Policy was applied: 4/28/2004 at 10:30:44 AM
    Group Policy was applied from: blofeld.phonera.local
    Group Policy slow link threshold: 500 kbps
    Domain Name: PHONERA
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy
    Local Group Policy

    The computer is a part of the following security groups
    -------------------------------------------------------
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    GOLDFINGER$
    Domain Computers


    USER SETTINGS
    --------------
    CN=Sysadmin,OU=malmo,DC=phonera,DC=local
    Last time Group Policy was applied: 4/28/2004 at 11:53:35 AM
    Group Policy was applied from: blofeld.phonera.local
    Group Policy slow link threshold: 500 kbps
    Domain Name: PHONERA
    Domain Type: Windows 2000

    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
    Local Group Policy
    Filtering: Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    REMOTE INTERACTIVE LOGON
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    This Organization
    LOCAL
    exchange_admin
    Schema Admins
    Group Policy Creator Owners
    Enterprise Admins
    Domain Admins
     
    Lennie, Apr 28, 2004
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.