Domain Controller - AD Communication Problem
 




Jim Foster LSG
Posted: Fri May 12, 2006 10:16 pm

I have a very tough problem on my domain. My only DC (Server 2003) is not
properly communicating with the Active Dir. I have troubleshot for a week
with help of another post. Errors on dc are:
1. Application log error - event 1053 (every 5 min. when dc tries to refresh
dc policies) - "Windows cannot determine the user or computer name. (Access
is denied) Group Policy processing aborted."
2. Every hour as AD replicates - 3 events in Directory Service log - info -
AD has located a gc; warning - AD unsuccessful in communicating with gc
(error value 5 access denied); error - AD unable to establish connection with
gc.
3. DClog from dcdiag /v /c /e shows a KRB_AP_ERR_MODIFIED error -
"indicates that the password used to encrypt the kerberos service ticket is
different than that on the target server"

Other tests seem ok. But symptoms are that Windows 2k/XP clients cannot
properly authenticate and the DNS cannot communicate with AD and integrate
the zone into the AD. "DNS server unable to open active directory" was one
error.

From all of this I am concluding that something is corrupted on the server
such that the AD to DC communication is not fully functional. In many ways
it is functional - for example ADUC works as far as adding users, etc.

Any experts out there that can help?

Jim Foster - LAN Service Group
Kidem
Posted: Fri May 12, 2006 10:39 pm

you look at this


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx#EXIAG
Jim Foster LSG
Posted: Mon May 15, 2006 7:31 pm

I studied the 46 pages on Troubleshooting Kerberos errors but have not been
able to find the cause or solution to my problem. Any Kerberos experts out
there who can help?

--
Jim Foster - LAN Service Group


Jim Foster LSG
Posted: Mon May 15, 2006 9:29 pm

Success!! For the benefit of anyone following this thread for a similar
problem....

The problem was fixed by resetting the machine account password on the dc. I
used the netdom utility from Windows Support Tools as described in kb article
260575.

--
Jim Foster - LAN Service Group
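
The symptom cluster reported in this thread (event 1053 with "Access is denied", the global catalog "error value 5" events, and KRB_AP_ERR_MODIFIED) can be checked for mechanically before reaching for a machine account password reset. The triage sketch below is an added example, not part of any post in the thread; the pipe-separated export format, the sample lines, the host name dc1.example.local and the verdict labels are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample export: "timestamp|log|event id|message" (not from the thread).
SAMPLE = """\
2006-05-12 21:00:03|Application|1053|Windows cannot determine the user or computer name. (Access is denied). Group Policy processing aborted.
2006-05-12 21:05:04|Application|1053|Windows cannot determine the user or computer name. (Access is denied). Group Policy processing aborted.
2006-05-12 21:10:00|Directory Service|-|Active Directory was unable to establish a connection with the global catalog. Error value: 5 Access is denied.
2006-05-12 21:10:01|System|-|The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/dc1.example.local.
truncated line without fields
"""

def parse(text):
    """Yield (log, event_id, message) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def classify(log, event_id, msg):
    """Map one event to a symptom named in the thread, or None."""
    low = msg.lower()
    if "krb_ap_err_modified" in low:
        return "krb_modified"
    if event_id == "1053" and "access is denied" in low:
        return "gpo_access_denied"
    if log == "Directory Service" and re.search(r"error value:?\s*5\b", low):
        return "gc_access_denied"
    return None

def triage(text, dc_fqdn):
    """Return (verdict, symptom counts) for the DC named dc_fqdn."""
    counts, krb_targets = Counter(), set()
    for log, event_id, msg in parse(text):
        kind = classify(log, event_id, msg)
        if kind:
            counts[kind] += 1
        if kind == "krb_modified":
            # Pull the host out of "... from the server host/<fqdn>."
            m = re.search(r"from the server\s+(?:\w+/)?([\w.-]+)", msg, re.I)
            if m:
                krb_targets.add(m.group(1).rstrip(".").lower())
    denied = counts["gpo_access_denied"] + counts["gc_access_denied"]
    if dc_fqdn.lower() in krb_targets and denied:
        # The DC fails Kerberos against itself: its stored key is out of sync.
        return "dc-machine-account-password-mismatch-suspected", dict(counts)
    if counts["krb_modified"]:
        return "krb-modified-seen-dc-not-confirmed", dict(counts)
    return ("access-denied-no-kerberos-evidence" if denied else "no-match"), dict(counts)
```

Only the first verdict matches the situation resolved in this thread, where the single DC was the Kerberos target of its own requests.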

