
Possible KDC issues win2k3



Guest theeinstein
Posted

I have a small office with 2 domain controllers, both running w2k3 sp1.

Within the last week I have noticed some odd issues, noted below.

This is a netdiag and dcdiag from my primary DC (GC):

 

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : xxxxxx(masked)
IP Address . . . . . . . . : 172.16.1.13
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.16.1.3
Dns Servers. . . . . . . . : 172.16.1.13

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '172.16.1.13' and other DCs also have some of the names registered.

Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Skipped

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

C:\Documents and Settings\Administrator.VOTENASSAU>
C:\Documents and Settings\Administrator.VOTENASSAU>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SOEMAIN10
Starting test: Connectivity
......................... SOEMAIN10 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SOEMAIN10
Starting test: Replications
......................... SOEMAIN10 passed test Replications
Starting test: NCSecDesc
......................... SOEMAIN10 passed test NCSecDesc
Starting test: NetLogons
......................... SOEMAIN10 passed test NetLogons
Starting test: Advertising
......................... SOEMAIN10 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SOEMAIN10 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SOEMAIN10 passed test RidManager
Starting test: MachineAccount
......................... SOEMAIN10 passed test MachineAccount
Starting test: Services
......................... SOEMAIN10 passed test Services
Starting test: ObjectsReplicated
......................... SOEMAIN10 passed test ObjectsReplicated
Starting test: frssysvol
......................... SOEMAIN10 passed test frssysvol
Starting test: frsevent
......................... SOEMAIN10 passed test frsevent
Starting test: kccevent
......................... SOEMAIN10 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:02:19
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:07:35
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:09:31
(Event String could not be retrieved)
......................... SOEMAIN10 failed test systemlog
Starting test: VerifyReferences
......................... SOEMAIN10 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : votenassau
Starting test: CrossRefValidation
......................... votenassau passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... votenassau passed test CheckSDRefDom

Running enterprise tests on : votenassau.com
Starting test: Intersite
......................... votenassau.com passed test Intersite
Starting test: FsmoCheck
......................... votenassau.com passed test FsmoCheck

I see this KDC warning in the log on the server:

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

Currently no user is having any issues logging in or communicating with the servers... I also see a variation of auth. to both DCs during the normal day.

What makes me worry is this: today I just joined 2 new win xp sp2 machines to the domain. The join went fine. On the reboot, when I attempted to select the domain to log in to, I got the normal "please wait while the domain list is created" message. This took a little longer than normal, but also when I selected the correct domain I got the message again, and it then sits there for about 4-5 minutes, finally allowing me to log in, and seems to be ok. On those workstations, immediately after I log in, I see these events logged:

Event 40961
The Security System could not establish a secured connection with the server LDAP/soemain10.votenassau.com. No authentication protocol was available.

AND

Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'machinename'. The following error occurred:
Access is denied.

AND

Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were 'HOST/machinename' and 'HOST/machinename'. The following error occurred:
Access is denied.

However, the machine seems to run ok... Can anyone please shed some light on this for me?

Thx
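An added example, not part of the original post: a small Python parser that reduces dcdiag output like the run above to the failed tests and their event IDs in decimal, the form needed to look the entries up in the System log. The function names are hypothetical, the sample is an excerpt of the output in the post, and the low-16-bit event-code mask generalizes beyond the single ID shown there.

```python
import re

# Excerpt of the dcdiag output quoted in the post, including a result line
# that the console wrapped so the test name is cut off ("CrossRefValidatio").
SAMPLE = r"""Testing server: Default-First-Site-Name\SOEMAIN10
Starting test: kccevent
......................... SOEMAIN10 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:02:19
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:07:35
(Event String could not be retrieved)
......................... SOEMAIN10 failed test systemlog
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidatio
"""

START = re.compile(r"Starting test:\s*(\S+)")
EVENT = re.compile(r"An (\w+) Event occur+ed\.\s*EventID:\s*(0x[0-9A-Fa-f]+)")
TIME = re.compile(r"Time Generated:\s*(.+)")
RESULT = re.compile(r"\.{5,}\s*(\S+)\s+(passed|failed) test\b")


def event_code(raw_id):
    """Return the decimal event ID as Event Viewer shows it.

    dcdiag prints the full 32-bit identifier; the low 16 bits are the
    event code, the high bits carry severity and facility qualifiers.
    """
    return int(raw_id, 16) & 0xFFFF


def parse_dcdiag(text):
    """Return one record per completed test, with any events it reported."""
    results, current, events = [], None, []
    for line in text.splitlines():
        line = line.strip()
        m = START.search(line)
        if m:
            current, events = m.group(1), []
            continue
        m = EVENT.search(line)
        if m:
            events.append({"level": m.group(1), "raw_id": m.group(2),
                           "event_id": event_code(m.group(2)), "time": None})
            continue
        m = TIME.search(line)
        if m and events:
            events[-1]["time"] = m.group(1).strip()
            continue
        m = RESULT.search(line)
        if m:
            # The test name comes from the "Starting test:" line because the
            # result line may be wrapped and truncated.
            results.append({"target": m.group(1), "test": current,
                            "status": m.group(2), "events": events})
            current, events = None, []
    return results


def failed_tests(results):
    """Keep only the tests dcdiag marked as failed."""
    return [r for r in results if r["status"] == "failed"]


if __name__ == "__main__":
    for r in failed_tests(parse_dcdiag(SAMPLE)):
        print(f"{r['target']} failed {r['test']}")
        for e in r["events"]:
            print(f"  {e['level']} event {e['event_id']} ({e['raw_id']}) at {e['time']}")
```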

Guest theeinstein
Posted

RE: Possible KDC issues win2k3

 

Anyone??

Guest theeinstein
Posted

RE: Possible KDC issues win2k3

 

Can someone at least look at the post please..

