RE: [ActiveDir] FATAL kerberos error on W2K3 server

[Lee, Wook]

Is it just me or does this sounds like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get but they never get out.)   Wook From: Svetlana Kouznetsova Sent: Wed 5/19/2004 11:58 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Well, endpoint mapper error message is actually, in event log for the W2K domain controller, which started to complain only after W2K3 DC appeared in the domain... Interesting that I've run all tests possible in dcdiag separately, testing connectivity, replications, security discriptors, frsevent, etc, etc on both DC - w2k (old one) and W2K3 (new one) - all tests - ...passed! Error of endpoint mappers has been only discovered after replication to the new DC didn't take place and I went on checking old DCs.  On the new W2K3 DC - sysvol permissions, etc - everything, as it should be, but - all the data hangs in staging and staging area since first time replication (after dcpromo). Replmon shows that W2K3 server has up to date data replicated from other DCs, but on other DC replmon doesn't show that this new server is a replication partner...Also - no NTDS links shown for W2K3 in ADSS ... (hmmm..looks a bit a mess, huh?) netdiag on W2K3 server only shows frsevent as FAILED. To be honest, I don't know where else to look now...:-/   RE: The fact that you had machines not getting tickets before but are now is a wee bit scary as well.   no, there were tickets there - I've checked in kerbtray, that's when I've decided to go for dcpromo, regardless...   Lana.   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Wednesday, May 19, 2004 12:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Debugging lsass is highly underrated. That’s right, under. Sure it’s not for the faint of heart, but man the fun stuff you get in there. I say just attach and have fun just for the heck of it. That’s what I do on my weekends (sad yet true).   So the error below, is that from netdiag? Or another tool?     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, May 19, 2004 7:43 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server   I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS.   The fact that you had machines not getting tickets before but are now is a wee bit scary as well.     joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Tuesday, May 18, 2004 10:23 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server No, actually, we haven't disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and  that made keberos happy - no more complains... No erorrs reported in dcpromo logs either...Although I do have an issue with replication to this new DC  -for some reason NTDS settings in ADSS are empty and the event log on the DC, from which it suppossed to replicate, mentions "there are no more endpoints available from an endpoints mapper", which I am currently trying to sort out, but no problems  in netdiag and dcdiag anymore...   Lana From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 18 May 2004 14:39 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines or just this one? If not intentional and just on that one you should pop the NV DomainName attribute and bring it in line with the rest of the environment. If it is on all machines, you will most likely find you have the same kerberos errors on them unless this one computer object was set up incorrectly.      joe   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Tuesday, May 18, 2004 4:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server You right about DC, Joe. Guess what happenned after dcpromo? - kerberos error in netdiag...dissapeared! Now - imagine how I feel after wasting so much time trying to fix it! Wish Microsoft could warn about such "little" things...   Lana Domain controllers don't have the problem because the localsystem account of a DC can write whatever the heck it wants to write in AD.  joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Monday, May 17, 2004 5:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Hmmmm...I don't see any disjoint namespace...but don't know what do you mean under  "proper permissions are not set on the computer object " But I've actually, took responsibility and done dcpromo now...so far everything looks normal... Maybe it was - a netdiag bug? [I hope it was!] Thanks for input. Lana -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 17 May 2004 21:50 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Do you have a disjoint name space? I have seen this when there is a disjoint namespace and the proper permissions are not set on the computer object so that it can update its own information properly. The UDP/TCP thing Al mentioned is a good thought too but usually when that is occurring you will see some hellacious slow downs. Like logons taking 30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was throwing away fragmented kerberos packets because of too many group memberships and I have seen it when a NIC had bad configurations for (I think) max frame size.  joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Monday, May 17, 2004 11:46 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] FATAL kerberos error on W2K3 server Hello , I wonder if anyone seen this before: W2K active directory,  few W2K3 member servers. All of them display kerberos error message when running netdiag kerberos test: "[FATAL] Kerberos does not have a ticket for host/domain.com" I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers show this problem. Run Kerbtray - all tickets seems to be there. DC list test and all the rest of netdiag tests - "passed". Also some of W2K3 servers are  happily running applications with no problems.   The intention is to make W2K3 domain controller, but with this kind of error seems a little risky, unless this is a "feature by design" in W2K3... Thanks in advance for any ideas shared Lana List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/