    Added a few win2k8 R2 DCs into a Win2k3 domain. Got lots of Kerberos errors
    with event ID 4771, 4769 on these new R2 DCs. Can't find much information on
    the errors. Can someone advise?

    Chris, Mar 3, 2010
  2. Meinolf Weber [MVP-DS], Mar 3, 2010
  3. Meinolf Weber [MVP-DS], Mar 3, 2010
    Thanks, Meinolf. I'll read them. Got a couple more questions.

    1. I'm introducing a w2k8 DC into a w2k3 forest/domain. Do I have to run
    adprep /domainprep /gpprep? I don't know if we ran that under w2k3. Other
    than RSoP, does it change anything else?

    2. Does a w2k8 DC have more restricted rights for Administrators? We have an
    app whose service account is a member of Administrators. When it was
    authenticated by a w2k3 DC it worked fine. But it failed with those errors when
    authenticated by a w2k8 DC. Vendor said that it's the permissions "log on as a
    batch" and "log on as a service" on the DC. Does a w2k8 DC restrict these
    permissions by default?

    Chris, Mar 5, 2010
  5. Hello chris,

    1. If you have upgraded the Windows 2003 domain from a Windows 2000 domain
    without running it, yes, use /domainprep /gpprep. There is no problem running
    the adprep commands multiple times; you get a message that it has already
    been run, that's it.

    2. Check the user rights assignment under computer configuration, windows
    settings, security settings, local policies. Also you have to keep in mind
    that with Windows Server 2008, UAC (User Account Control) comes into play,
    which also restricts domain admins for some tasks to using the RUNAS function;
    this will come into play in your case, I assume. So you can disable UAC (of
    course the worst option for security) for testing or configure your task
    to run with elevated permissions. Also have a look into the UserAccountControl:..............
    options you can configure under computer configuration, windows settings,
    security settings, security options.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Mar 5, 2010
    I didn't run adprep /domainprep /gpprep with w2k8 and don't remember if we
    did with w2k3. I can run it again since it won't hurt anything. My question
    is: what would I lose if I do NOT run /gpprep? Could my Kerberos issue
    relate to that? I thought /gpprep just gives you RSoP, which is a management
    component for GPO, not really the real permissions.

    Chris, Mar 5, 2010
  7. Hello chris,

    /gpprep is for RSOP functionality and shouldn't have anything to do with
    the Kerberos errors. Did you check the previous links about the event ids
    and the auditing settings?

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Mar 5, 2010
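
The two checks discussed in the thread (who holds "log on as a batch" / "log on as a service" on the DC, and which requests are behind the 4771/4769 events), as an added example that is not from any poster in the thread. The account name `svc_app` is a placeholder, and the 24-hour window is an assumption.

```powershell
# Added example; run from an elevated PowerShell prompt on the 2008 R2 DC.
# $Account is a placeholder (assumption) for the application's service account.
$Account = 'svc_app'

# 1. Export the user rights assignment and list who holds the two logon
#    rights the vendor named.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(SeBatchLogonRight|SeServiceLogonRight)\s*=\s*(.*)$') {
        $right = $Matches[1]
        foreach ($entry in $Matches[2].Split(',')) {
            $name = $entry.Trim()
            if (-not $name) { continue }
            if ($name.StartsWith('*')) {
                # Entries starting with '*' are SIDs; resolve them when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($name.Substring(1))
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sid.Value }
            }
            "{0,-20} {1}" -f $right, $name
        }
    }
}
Remove-Item $cfg

# 2. Summarize failed Kerberos events 4771 and 4769 for that account
#    over the last 24 hours.
$filter = @{ LogName = 'Security'; Id = 4771, 4769; StartTime = (Get-Date).AddHours(-24) }
$rows = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 4769 is also written for successful requests (Status 0x0); keep failures only.
    if ($d['Status'] -ne '0x0' -and $d['TargetUserName'] -like "$Account*") {
        New-Object PSObject -Property @{
            Id = $e.Id; Account = $d['TargetUserName']; Service = $d['ServiceName']
            Status = $d['Status']; Client = $d['IpAddress'] }
    }
}
$rows | Group-Object Id, Account, Service, Status, Client |
    Sort-Object Count -Descending | Select-Object Count, Name
```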
