RE: [ActiveDir] FATAL kerberos error on W2K3 server

[Patrick - IT Department]

Privet Sveta, Vi gavarite pa ryskki? Pa tomyzhsto vasha English is perfect! Sorry I couldn’t resist asking.   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Svetlana Kouznetsova Sent: Tuesday, May 18, 2004 10:23 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server   No, actually, we haven't disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and  that made keberos happy - no more complains... No erorrs reported in dcpromo logs either...Although I do have an issue with replication to this new DC  -for some reason NTDS settings in ADSS are empty and the event log on the DC, from which it suppossed to replicate, mentions "there are no more endpoints available from an endpoints mapper", which I am currently trying to sort out, but no problems  in netdiag and dcdiag anymore...   Lana From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 18 May 2004 14:39 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines or just this one? If not intentional and just on that one you should pop the NV DomainName attribute and bring it in line with the rest of the environment. If it is on all machines, you will most likely find you have the same kerberos errors on them unless this one computer object was set up incorrectly.      joe   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Tuesday, May 18, 2004 4:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server You right about DC, Joe. Guess what happenned after dcpromo? - kerberos error in netdiag...dissapeared! Now - imagine how I feel after wasting so much time trying to fix it! Wish Microsoft could warn about such "little" things...   Lana Domain controllers don't have the problem because the localsystem account of a DC can write whatever the heck it wants to write in AD.  joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Monday, May 17, 2004 5:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Hmmmm...I don't see any disjoint namespace...but don't know what do you mean under  "proper permissions are not set on the computer object " But I've actually, took responsibility and done dcpromo now...so far everything looks normal... Maybe it was - a netdiag bug? [I hope it was!] Thanks for input. Lana -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 17 May 2004 21:50 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Do you have a disjoint name space? I have seen this when there is a disjoint namespace and the proper permissions are not set on the computer object so that it can update its own information properly. The UDP/TCP thing Al mentioned is a good thought too but usually when that is occurring you will see some hellacious slow downs. Like logons taking 30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was throwing away fragmented kerberos packets because of too many group memberships and I have seen it when a NIC had bad configurations for (I think) max frame size.  joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Monday, May 17, 2004 11:46 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] FATAL kerberos error on W2K3 server Hello , I wonder if anyone seen this before: W2K active directory,  few W2K3 member servers. All of them display kerberos error message when running netdiag kerberos test: "[FATAL] Kerberos does not have a ticket for host/domain.com" I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers show this problem. Run Kerbtray - all tickets seems to be there. DC list test and all the rest of netdiag tests - "passed". Also some of W2K3 servers are  happily running applications with no problems.   The intention is to make W2K3 domain controller, but with this kind of error seems a little risky, unless this is a "feature by design" in W2K3... Thanks in advance for any ideas shared Lana List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/