Possible KDC issues win2k3

T

theeinstein

I have a small office with 2 domain controllers both running w2k3 sp1.

With in the last week I have noticed some odd issues noted below..

this is a netdiag and dcdiag from my primary DC (GC)

Per interface results:

Adapter : Local Area Connection


Netcard queries test . . . : Passed

Host Name. . . . . . . . . : xxxxxx(masked)
IP Address . . . . . . . . : 172.16.1.13
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.16.1.3
Dns Servers. . . . . . . . : 172.16.1.13


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messeng
r Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Serv
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'172.16.1.13
and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

C:\Documents and Settings\Administrator.VOTENASSAU>
C:\Documents and Settings\Administrator.VOTENASSAU>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SOEMAIN10
Starting test: Connectivity
......................... SOEMAIN10 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SOEMAIN10
Starting test: Replications
......................... SOEMAIN10 passed test Replications
Starting test: NCSecDesc
......................... SOEMAIN10 passed test NCSecDesc
Starting test: NetLogons
......................... SOEMAIN10 passed test NetLogons
Starting test: Advertising
......................... SOEMAIN10 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SOEMAIN10 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SOEMAIN10 passed test RidManager
Starting test: MachineAccount
......................... SOEMAIN10 passed test MachineAccount
Starting test: Services
......................... SOEMAIN10 passed test Services
Starting test: ObjectsReplicated
......................... SOEMAIN10 passed test ObjectsReplicated
Starting test: frssysvol
......................... SOEMAIN10 passed test frssysvol
Starting test: frsevent
......................... SOEMAIN10 passed test frsevent
Starting test: kccevent
......................... SOEMAIN10 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:02:19
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:07:35
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/31/2007 19:09:31
(Event String could not be retrieved)
......................... SOEMAIN10 failed test systemlog
Starting test: VerifyReferences
......................... SOEMAIN10 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidatio

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidatio

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : votenassau
Starting test: CrossRefValidation
......................... votenassau passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... votenassau passed test CheckSDRefDom

Running enterprise tests on : votenassau.com
Starting test: Intersite
......................... votenassau.com passed test Intersite
Starting test: FsmoCheck
......................... votenassau.com passed test FsmoCheck


I see this KDC warning in the log on the server

The currently selected KDC certificate was once valid, but now is invalid
and no suitable replacement was found. Smartcard logon may not function
correctly if this problem is not remedied. Have the system administrator
check on the state of the domain's public key infrastructure. The chain
status is in the error data.


Currently no user is having any issues logging in or communicating with the
servers... I also see a varation of auth. to both DC's during the normal day.

What makes me worry is this today I just joined 2 new win xp sp2 machines to
the domain.. The join went fine on the reboot when I attempted to select the
domain to login to I got the normal "please wait while the domain list is
created" message. this to a little longer than normal but also when I
selected the correct domain I got the message again and it then sits there
for about 4-5 minutes finally allowing me to login and seems to be ok.. On
those workstations immediately after I login I see these events logged

Event 40961
The Security System could not establish a secured connection with the server
LDAP/soemain10.votenassau.com. No authentication protocol was available.

AND

Attempt to update DNS Host Name of the computer object in Active Directory
failed. The updated value was 'machinename'. The following error occurred:
Access is denied.

AND

Attempt to update HOST Service Principal Names (SPNs) of the computer object
in Active Directory failed. The updated values were 'HOST/machinename' and
'HOST/machinename'. The following error occurred:
Access is denied.


however the machine seems to run ok... Can anyone please shed some light on
this for me.

Thx
 
T

theeinstein

Anyone??

"theeinstein" wrote:

> I have a small office with 2 domain controllers both running w2k3 sp1.
>
> With in the last week I have noticed some odd issues noted below..
>
> this is a netdiag and dcdiag from my primary DC (GC)
>
> Per interface results:
>
> Adapter : Local Area Connection
>
>
> Netcard queries test . . . : Passed
>
> Host Name. . . . . . . . . : xxxxxx(masked)
> IP Address . . . . . . . . : 172.16.1.13
> Subnet Mask. . . . . . . . : 255.255.255.0
> Default Gateway. . . . . . : 172.16.1.3
> Dns Servers. . . . . . . . : 172.16.1.13
>
>
> AutoConfiguration results. . . . . . : Passed
>
> Default gateway test . . . : Passed
>
> NetBT name test. . . . . . : Passed
> [WARNING] At least one of the <00> 'WorkStation Service', <03>
> 'Messeng
> r Service', <20> 'WINS' names is missing.
>
> WINS service test. . . . . : Skipped
> There are no WINS servers configured for this interface.
>
>
> Global results:
>
>
> Domain membership test . . . . . . : Passed
>
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
> 1 NetBt transport currently configured.
>
>
> Autonet address test . . . . . . . : Passed
>
>
> IP loopback ping test. . . . . . . : Passed
>
>
> Default gateway test . . . . . . . : Passed
>
>
> NetBT name test. . . . . . . . . . : Passed
> [WARNING] You don't have a single interface with the <00> 'WorkStation
> Serv
> ce', <03> 'Messenger Service', <20> 'WINS' names defined.
>
>
> Winsock test . . . . . . . . . . . : Passed
>
>
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server
> '172.16.1.13
> and other DCs also have some of the names registered.
>
>
> Redir and Browser test . . . . . . : Passed
> List of NetBt transports currently bound to the Redir
> NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
> The redir is bound to 1 NetBt transport.
>
> List of NetBt transports currently bound to the browser
> NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
> The browser is bound to 1 NetBt transport.
>
>
> DC discovery test. . . . . . . . . : Passed
>
>
> DC list test . . . . . . . . . . . : Passed
>
>
> Trust relationship test. . . . . . : Skipped
>
>
> Kerberos test. . . . . . . . . . . : Passed
>
>
> LDAP test. . . . . . . . . . . . . : Passed
>
>
> Bindings test. . . . . . . . . . . : Passed
>
>
> WAN configuration test . . . . . . : Skipped
> No active remote access connections.
>
>
> Modem diagnostics test . . . . . . : Passed
>
> IP Security test . . . . . . . . . : Skipped
>
> Note: run "netsh ipsec dynamic show /?" for more detailed information
>
>
> The command completed successfully
>
> C:\Documents and Settings\Administrator.VOTENASSAU>
> C:\Documents and Settings\Administrator.VOTENASSAU>dcdiag
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\SOEMAIN10
> Starting test: Connectivity
> ......................... SOEMAIN10 passed test Connectivity
>
> Doing primary tests
>
> Testing server: Default-First-Site-Name\SOEMAIN10
> Starting test: Replications
> ......................... SOEMAIN10 passed test Replications
> Starting test: NCSecDesc
> ......................... SOEMAIN10 passed test NCSecDesc
> Starting test: NetLogons
> ......................... SOEMAIN10 passed test NetLogons
> Starting test: Advertising
> ......................... SOEMAIN10 passed test Advertising
> Starting test: KnowsOfRoleHolders
> ......................... SOEMAIN10 passed test KnowsOfRoleHolders
> Starting test: RidManager
> ......................... SOEMAIN10 passed test RidManager
> Starting test: MachineAccount
> ......................... SOEMAIN10 passed test MachineAccount
> Starting test: Services
> ......................... SOEMAIN10 passed test Services
> Starting test: ObjectsReplicated
> ......................... SOEMAIN10 passed test ObjectsReplicated
> Starting test: frssysvol
> ......................... SOEMAIN10 passed test frssysvol
> Starting test: frsevent
> ......................... SOEMAIN10 passed test frsevent
> Starting test: kccevent
> ......................... SOEMAIN10 passed test kccevent
> Starting test: systemlog
> An Error Event occured. EventID: 0x00000457
> Time Generated: 07/31/2007 19:02:19
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 07/31/2007 19:07:35
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 07/31/2007 19:09:31
> (Event String could not be retrieved)
> ......................... SOEMAIN10 failed test systemlog
> Starting test: VerifyReferences
> ......................... SOEMAIN10 passed test VerifyReferences
>
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
> CrossRefValidatio
>
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
>
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test
> CrossRefValidatio
>
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
>
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
>
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test CheckSDRefDom
>
> Running partition tests on : votenassau
> Starting test: CrossRefValidation
> ......................... votenassau passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... votenassau passed test CheckSDRefDom
>
> Running enterprise tests on : votenassau.com
> Starting test: Intersite
> ......................... votenassau.com passed test Intersite
> Starting test: FsmoCheck
> ......................... votenassau.com passed test FsmoCheck
>
>
> I see this KDC warning in the log on the server
>
> The currently selected KDC certificate was once valid, but now is invalid
> and no suitable replacement was found. Smartcard logon may not function
> correctly if this problem is not remedied. Have the system administrator
> check on the state of the domain's public key infrastructure. The chain
> status is in the error data.
>
>
> Currently no user is having any issues logging in or communicating with the
> servers... I also see a varation of auth. to both DC's during the normal day.
>
> What makes me worry is this today I just joined 2 new win xp sp2 machines to
> the domain.. The join went fine on the reboot when I attempted to select the
> domain to login to I got the normal "please wait while the domain list is
> created" message. this to a little longer than normal but also when I
> selected the correct domain I got the message again and it then sits there
> for about 4-5 minutes finally allowing me to login and seems to be ok.. On
> those workstations immediately after I login I see these events logged
>
> Event 40961
> The Security System could not establish a secured connection with the server
> LDAP/soemain10.votenassau.com. No authentication protocol was available.
>
> AND
>
> Attempt to update DNS Host Name of the computer object in Active Directory
> failed. The updated value was 'machinename'. The following error occurred:
> Access is denied.
>
> AND
>
> Attempt to update HOST Service Principal Names (SPNs) of the computer object
> in Active Directory failed. The updated values were 'HOST/machinename' and
> 'HOST/machinename'. The following error occurred:
> Access is denied.
>
>
> however the machine seems to run ok... Can anyone please shed some light on
> this for me.
>
> Thx
>
>
>
>
>
 
T

theeinstein

Can someone at least look at the post please..

"theeinstein" wrote:

> I have a small office with 2 domain controllers both running w2k3 sp1.
>
> With in the last week I have noticed some odd issues noted below..
>
> this is a netdiag and dcdiag from my primary DC (GC)
>
> Per interface results:
>
> Adapter : Local Area Connection
>
>
> Netcard queries test . . . : Passed
>
> Host Name. . . . . . . . . : xxxxxx(masked)
> IP Address . . . . . . . . : 172.16.1.13
> Subnet Mask. . . . . . . . : 255.255.255.0
> Default Gateway. . . . . . : 172.16.1.3
> Dns Servers. . . . . . . . : 172.16.1.13
>
>
> AutoConfiguration results. . . . . . : Passed
>
> Default gateway test . . . : Passed
>
> NetBT name test. . . . . . : Passed
> [WARNING] At least one of the <00> 'WorkStation Service', <03>
> 'Messeng
> r Service', <20> 'WINS' names is missing.
>
> WINS service test. . . . . : Skipped
> There are no WINS servers configured for this interface.
>
>
> Global results:
>
>
> Domain membership test . . . . . . : Passed
>
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
> 1 NetBt transport currently configured.
>
>
> Autonet address test . . . . . . . : Passed
>
>
> IP loopback ping test. . . . . . . : Passed
>
>
> Default gateway test . . . . . . . : Passed
>
>
> NetBT name test. . . . . . . . . . : Passed
> [WARNING] You don't have a single interface with the <00> 'WorkStation
> Serv
> ce', <03> 'Messenger Service', <20> 'WINS' names defined.
>
>
> Winsock test . . . . . . . . . . . : Passed
>
>
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server
> '172.16.1.13
> and other DCs also have some of the names registered.
>
>
> Redir and Browser test . . . . . . : Passed
> List of NetBt transports currently bound to the Redir
> NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
> The redir is bound to 1 NetBt transport.
>
> List of NetBt transports currently bound to the browser
> NetBT_Tcpip_{5078AD36-BD00-4F90-883C-90F23F049102}
> The browser is bound to 1 NetBt transport.
>
>
> DC discovery test. . . . . . . . . : Passed
>
>
> DC list test . . . . . . . . . . . : Passed
>
>
> Trust relationship test. . . . . . : Skipped
>
>
> Kerberos test. . . . . . . . . . . : Passed
>
>
> LDAP test. . . . . . . . . . . . . : Passed
>
>
> Bindings test. . . . . . . . . . . : Passed
>
>
> WAN configuration test . . . . . . : Skipped
> No active remote access connections.
>
>
> Modem diagnostics test . . . . . . : Passed
>
> IP Security test . . . . . . . . . : Skipped
>
> Note: run "netsh ipsec dynamic show /?" for more detailed information
>
>
> The command completed successfully
>
> C:\Documents and Settings\Administrator.VOTENASSAU>
> C:\Documents and Settings\Administrator.VOTENASSAU>dcdiag
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\SOEMAIN10
> Starting test: Connectivity
> ......................... SOEMAIN10 passed test Connectivity
>
> Doing primary tests
>
> Testing server: Default-First-Site-Name\SOEMAIN10
> Starting test: Replications
> ......................... SOEMAIN10 passed test Replications
> Starting test: NCSecDesc
> ......................... SOEMAIN10 passed test NCSecDesc
> Starting test: NetLogons
> ......................... SOEMAIN10 passed test NetLogons
> Starting test: Advertising
> ......................... SOEMAIN10 passed test Advertising
> Starting test: KnowsOfRoleHolders
> ......................... SOEMAIN10 passed test KnowsOfRoleHolders
> Starting test: RidManager
> ......................... SOEMAIN10 passed test RidManager
> Starting test: MachineAccount
> ......................... SOEMAIN10 passed test MachineAccount
> Starting test: Services
> ......................... SOEMAIN10 passed test Services
> Starting test: ObjectsReplicated
> ......................... SOEMAIN10 passed test ObjectsReplicated
> Starting test: frssysvol
> ......................... SOEMAIN10 passed test frssysvol
> Starting test: frsevent
> ......................... SOEMAIN10 passed test frsevent
> Starting test: kccevent
> ......................... SOEMAIN10 passed test kccevent
> Starting test: systemlog
> An Error Event occured. EventID: 0x00000457
> Time Generated: 07/31/2007 19:02:19
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 07/31/2007 19:07:35
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 07/31/2007 19:09:31
> (Event String could not be retrieved)
> ......................... SOEMAIN10 failed test systemlog
> Starting test: VerifyReferences
> ......................... SOEMAIN10 passed test VerifyReferences
>
> Running partition tests on : ForestDnsZones
> Starting test: CrossRefValidation
> ......................... ForestDnsZones passed test
> CrossRefValidatio
>
> Starting test: CheckSDRefDom
> ......................... ForestDnsZones passed test CheckSDRefDom
>
> Running partition tests on : DomainDnsZones
> Starting test: CrossRefValidation
> ......................... DomainDnsZones passed test
> CrossRefValidatio
>
> Starting test: CheckSDRefDom
> ......................... DomainDnsZones passed test CheckSDRefDom
>
> Running partition tests on : Schema
> Starting test: CrossRefValidation
> ......................... Schema passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Schema passed test CheckSDRefDom
>
> Running partition tests on : Configuration
> Starting test: CrossRefValidation
> ......................... Configuration passed test
> CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... Configuration passed test CheckSDRefDom
>
> Running partition tests on : votenassau
> Starting test: CrossRefValidation
> ......................... votenassau passed test CrossRefValidation
> Starting test: CheckSDRefDom
> ......................... votenassau passed test CheckSDRefDom
>
> Running enterprise tests on : votenassau.com
> Starting test: Intersite
> ......................... votenassau.com passed test Intersite
> Starting test: FsmoCheck
> ......................... votenassau.com passed test FsmoCheck
>
>
> I see this KDC warning in the log on the server
>
> The currently selected KDC certificate was once valid, but now is invalid
> and no suitable replacement was found. Smartcard logon may not function
> correctly if this problem is not remedied. Have the system administrator
> check on the state of the domain's public key infrastructure. The chain
> status is in the error data.
>
>
> Currently no user is having any issues logging in or communicating with the
> servers... I also see a varation of auth. to both DC's during the normal day.
>
> What makes me worry is this today I just joined 2 new win xp sp2 machines to
> the domain.. The join went fine on the reboot when I attempted to select the
> domain to login to I got the normal "please wait while the domain list is
> created" message. this to a little longer than normal but also when I
> selected the correct domain I got the message again and it then sits there
> for about 4-5 minutes finally allowing me to login and seems to be ok.. On
> those workstations immediately after I login I see these events logged
>
> Event 40961
> The Security System could not establish a secured connection with the server
> LDAP/soemain10.votenassau.com. No authentication protocol was available.
>
> AND
>
> Attempt to update DNS Host Name of the computer object in Active Directory
> failed. The updated value was 'machinename'. The following error occurred:
> Access is denied.
>
> AND
>
> Attempt to update HOST Service Principal Names (SPNs) of the computer object
> in Active Directory failed. The updated values were 'HOST/machinename' and
> 'HOST/machinename'. The following error occurred:
> Access is denied.
>
>
> however the machine seems to run ok... Can anyone please shed some light on
> this for me.
>
> Thx
>
>
>
>
>
 
You must log in or register to reply here.

Similar threads

J
Performing initial setup: Trying to find home server... Home Server = * Identified AD Forest. Done gathering initial info.
Replies
0
Views
284
JRPANGET
J
M
Server 2016 additional domain controller - The RPC server is unavailable
Replies
0
Views
548
Mahmoud87
M
D
DCPROMO ok, but replication immediately not working via VPN
Replies
0
Views
888
David N. Spink
D
K
DCDIAG and NETDIAG point to no Issue but many Error Events
Replies
4
Views
452
Meinolf Weber
M
W
No Domain Controller is available
Replies
3
Views
344
Meinolf Weber
M
Back
Top Bottom