You right about
DC, Joe. Guess what happenned after dcpromo? - kerberos error in
netdiag...dissapeared! Now - imagine how I feel after wasting so much time
trying to fix it!
Wish Microsoft
could warn about such "little" things...
Lana
Domain controllers don't have the problem because the localsystem account of
a DC can write whatever the heck it wants to write in AD.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Svetlana
Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Hmmmm...I don't see any disjoint namespace...but don't know what do you mean
under "proper permissions are not set on the computer object "
But I've actually, took responsibility and done dcpromo now...so far
everything looks normal...
Maybe it was - a netdiag bug? [I hope it was!] Thanks for input.
Lana
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Do you have a disjoint name space?
I have seen this when there is a disjoint namespace and the proper
permissions are not set on the computer object so that it can update its own
information properly.
The UDP/TCP thing Al mentioned is a good thought too but usually when that
is occurring you will see some hellacious slow downs. Like logons taking
30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was
throwing away fragmented kerberos packets because of too many group
memberships and I have seen it when a NIC had bad configurations for (I
think) max frame size.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Svetlana
Kouznetsova
Sent: Monday, May 17, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FATAL kerberos error on W2K3 server
Hello ,
I wonder if anyone seen this before:
W2K active directory, few W2K3 member servers. All of them display kerberos
error message when running netdiag kerberos test:
"[FATAL] Kerberos does not have a ticket for host/domain.com"
I am not receiving any errors or warnings in event logs; replication in AD
is fine and no W2K domain controllers show this problem. Run Kerbtray
- all tickets seems to be there. DC list test and all the rest of netdiag
tests - "passed".
Also some of W2K3 servers are happily running applications with no
problems.
The intention is to make W2K3 domain controller, but with this kind of error
seems a little risky, unless this is a "feature by design" in W2K3...
Thanks in advance for any ideas shared
Lana
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
