Restart and everything? -----Original Message----- From: Svetlana Kouznetsova [mailto:[EMAIL PROTECTED] Sent: Monday, May 17, 2004 1:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
OK, just tried this. Nope - didn't work :-( Forced all TCP packets - still exactly the same kerberos error, nothing in event logs... This appears not related. Lana. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: 17 May 2004 18:02 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server The article talks about tcp vs. udp. This part is what caught my attention the most' By default, Windows 2000 and Windows XP use UDP when the data can be fit in packets under 2,000 bytes. Any data above this value uses TCP to carry the packets. The value of 2,000 bytes is configurable by modifying a registry key and value. Start Registry Editor. Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ Kerberos\Parameters If the Parameters key does not exist, you can create it now. On the Edit menu, click Add Value, and then add the following registry value: Value Name: MaxPacketSize Data Type: REG_DWORD Value: any integer value in the range 1 to 2000 (in bytes) Quit Registry Editor. Restart your computer. The data value to which you set this value is the maximum size to be used with UDP. If the packet size exceeds this value, TCP is used. Again, 2,000 bytes is the default if the value is not present. To prevent UDP from ever being used, set the value to 1; TCP will be used for all packets. Forcing TCP packets only is an effective workaround to this problem. You could take a network trace and see if this is indeed your problem. Al -----Original Message----- From: Svetlana Kouznetsova [mailto:[EMAIL PROTECTED] Sent: Monday, May 17, 2004 12:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Well...I thought that too at first... But the confusing thing - there are no problems with DC list, no problems with netlogon, no problems with domain controllers being available for the domain...and there are no such errors on W2K servers, including DC's. Puzzled. Maybe I can just ignore this message and promote DC? Could it be - that W2K3 security policy is higher in kerberos and I need to "downgrade" it to get rid of this error? Lana -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: 17 May 2004 16:51 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Does it look something like this KB? http://support.microsoft.com/default.aspx?scid=kb;en-us;244474&sd=tech -----Original Message----- From: Svetlana Kouznetsova [mailto:[EMAIL PROTECTED] Sent: Monday, May 17, 2004 11:46 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] FATAL kerberos error on W2K3 server Hello , I wonder if anyone seen this before: W2K active directory, few W2K3 member servers. All of them display kerberos error message when running netdiag kerberos test: "[FATAL] Kerberos does not have a ticket for host/domain.com" I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers show this problem. Run Kerbtray - all tickets seems to be there. DC list test and all the rest of netdiag tests - "passed". Also some of W2K3 servers are happily running applications with no problems. The intention is to make W2K3 domain controller, but with this kind of error seems a little risky, unless this is a "feature by design" in W2K3... Thanks in advance for any ideas shared Lana List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
