Steps to take to demote a former PDC ...
E-Double
Guest

Posted: Tue May 19, 2009 6:59 pm    Post subject: Steps to take to demote a former PDC ...

What steps should be taken to demote a current DC and former PDC to a member
server? Also, how can we verify that the current PDC contains the Global
Catalog, FSMO, etc.? Are there any other AD components that should be
offloaded from the DC and former PDC before demoting? TIA ...

e.

E-Double
Guest

Posted: Tue May 19, 2009 7:08 pm    Post subject: RE: Steps to take to demote a former PDC ...

p.s. What logon information will we use when this machine gets demoted? We
do not remember the original Admin account and password when this was
originally set up, and there does not appear to be a Computer
Management/Local Users & Groups applet on here since it is a DC. TIA ...



E-Double
Guest

Posted: Tue May 19, 2009 8:11 pm    Post subject: Re: Steps to take to demote a former PDC ...

Cool, thanks. Ran all of the steps you mentioned, then during the DCPromo
downgrade we received the following error: "The Operation Failed. Managing
The Network Session to somedomain.cc Failed. Logon Failure: The Target
Account Name Is Incorrect." The following are the results from DCDiag on the
machine that is being downgraded (DCDiag from PDC looked okay):
_____________________________________________________

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine Server1, is a DC.
* Connecting to directory service on server Server1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\Server1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... Server1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\Server1
Starting test: Replications
* Replications Check
[Replications Check,Server1B] Inbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_INBOUND_REPL"
[Replications Check,Server1B] Outbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_OUTBOUND_REPL"
......................... Server1B failed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC Server1B.
* Security Permissions Check for
DC=ForestDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=somedomain,DC=cc
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=somedomain,DC=cc
(Configuration,Version 2)
* Security Permissions Check for
DC=somedomain,DC=cc
(Domain,Version 2)
......................... Server1B passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\Server1B\netlogon
Verified share \\Server1B\sysvol
......................... Server1B passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for
\\server2.somedomain.cc, when we were trying to reach Server1B.
Server is not responding or is not considered suitable.
The DC Server1B is advertising itself as a DC and having a DS.
The DC Server1B is advertising as an LDAP server
The DC Server1B is advertising as having a writeable directory
The DC Server1B is advertising as a Key Distribution Center
The DC Server1B is advertising as a time server
......................... Server1B failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
[server2] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: server2 is the Schema Owner, but is not responding to DS
RPC Bind.
[server2] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: server2 is the Schema Owner, but is not responding to LDAP
Bind.
Role Domain Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: server2 is the Domain Owner, but is not responding to LDAP
Bind.
Role PDC Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the PDC Owner, but is not responding to DS RPC
Bind.
Warning: server2 is the PDC Owner, but is not responding to LDAP
Bind.
Role Rid Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: server2 is the Rid Owner, but is not responding to LDAP
Bind.
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: server2 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... Server1B failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4108 to 1073741823
* server2.somedomain.cc is the RID Master
......................... Server1B failed test RidManager
Starting test: MachineAccount
Checking machine account for DC Server1B on DC Server1B.
* SPN found :LDAP/Server1b.somedomain.cc/somedomain.cc
* SPN found :LDAP/Server1b.somedomain.cc
* SPN found :LDAP/Server1B
* SPN found :LDAP/Server1b.somedomain.cc/Server1
* SPN found
:LDAP/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656._msdcs.somedomain.cc
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc
* SPN found :HOST/Server1B
* SPN found :HOST/Server1b.somedomain.cc/Server1
* SPN found :GC/Server1b.somedomain.cc/somedomain.cc
......................... Server1B passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [Server1B]
* Checking Service: NETLOGON
NETLOGON Service is paused on [Server1B]
......................... Server1B failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
Server1B is in domain DC=somedomain,DC=cc
Checking for CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc
in domain DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
in domain CN=Configuration,DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
......................... Server1B passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... Server1B passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... Server1B passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... Server1B passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:49:30
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was . This indicates that the password used to

encrypt the kerberos service ticket is different

than that on the target server. Commonly, this is

due to identically named machine accounts in the

target realm (somedomain.CC), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was cifs/server2.somedomain.cc. This indicates that

the password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was LDAP/server2.somedomain.cc/somedomain.cc. This

indicates that the password used to encrypt the

kerberos service ticket is different than that on

the target server. Commonly, this is due to

identically named machine accounts in the target

realm (somedomain.CC), and the client realm.

Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:52:11
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was Server1\server2$. This indicates that the password

used to encrypt the kerberos service ticket is

different than that on the target server.

Commonly, this is due to identically named

machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:53:04
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was

LDAP/server2.somedomain.cc/somedomain.cc@somedomain.CC.

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (somedomain.CC), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:54:55
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/Server1a.somedomain.cc. The target name used

was cifs/Server1a. This indicates that the password

used to encrypt the kerberos service ticket is

different than that on the target server.

Commonly, this is due to identically named

machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:55:41
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was DNS/server2.somedomain.cc. This indicates that

the password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 16:55:41
Event String: The dynamic registration of the DNS record

'somedomain.cc. 600 IN A 123.45.67.240' failed

on the following DNS server:



DNS server IP address: 123.45.67.252

Returned Response Code (RCODE): 5

Returned Status Code: 9017



For computers and users to locate this domain

controller, this record must be registered in

DNS.



USER ACTION

Determine what might have caused this failure,

resolve the problem, and initiate registration of

the DNS records by the domain controller. To

determine what might have caused this failure,

run DCDiag.exe. You can find this program on the

Windows Server 2003 installation CD in

Support\Tools\support.cab. To learn more about

DCDiag.exe, see Help and Support Center. To

initiate registration of the DNS records by this

domain controller, run 'nltest.exe /dsregdns'

from the command prompt on the domain controller

or restart Net Logon service. Nltest.exe is

available in the Microsoft Windows Server

Resource Kit CD.

Or, you can manually add this record to DNS,

but it is not recommended.



ADDITIONAL DATA

Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:57:32
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was ldap/server2.somedomain.cc. This indicates that

the password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:23:48
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was DNS/server2.somedomain.cc. This indicates that

the password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 17:23:48
Event String: The dynamic registration of the DNS record

'somedomain.cc. 600 IN A 123.45.67.240' failed

on the following DNS server:



DNS server IP address: 123.45.67.252

Returned Response Code (RCODE): 5

Returned Status Code: 9017



For computers and users to locate this domain

controller, this record must be registered in

DNS.



USER ACTION

Determine what might have caused this failure,

resolve the problem, and initiate registration of

the DNS records by the domain controller. To

determine what might have caused this failure,

run DCDiag.exe. You can find this program on the

Windows Server 2003 installation CD in

Support\Tools\support.cab. To learn more about

DCDiag.exe, see Help and Support Center. To

initiate registration of the DNS records by this

domain controller, run 'nltest.exe /dsregdns'

from the command prompt on the domain controller

or restart Net Logon service. Nltest.exe is

available in the Microsoft Windows Server

Resource Kit CD.

Or, you can manually add this record to DNS,

but it is not recommended.



ADDITIONAL DATA

Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:04
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was cifs/server2.somedomain.cc. This indicates that

the password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:05
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was

LDAP/server2.somedomain.cc/somedomain.cc@somedomain.CC.

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (somedomain.CC), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:18
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was . This indicates that the password used to

encrypt the kerberos service ticket is different

than that on the target server. Commonly, this is

due to identically named machine accounts in the

target realm (somedomain.CC), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:22
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/Server1a.somedomain.cc. The target name used

was cifs/Server1a. This indicates that the password

used to encrypt the kerberos service ticket is

different than that on the target server.

Commonly, this is due to identically named

machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:25:07
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was

ldap/server2.somedomain.cc/somedomain.cc@somedomain.CC.

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (somedomain.CC), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 17:28:50
Event String: The dynamic registration of the DNS record

'somedomain.cc. 600 IN A 123.45.67.240' failed

on the following DNS server:



DNS server IP address: 123.45.67.230

Returned Response Code (RCODE): 5

Returned Status Code: 9017



For computers and users to locate this domain

controller, this record must be registered in

DNS.



USER ACTION

Determine what might have caused this failure,

resolve the problem, and initiate registration of

the DNS records by the domain controller. To

determine what might have caused this failure,

run DCDiag.exe. You can find this program on the

Windows Server 2003 installation CD in

Support\Tools\support.cab. To learn more about

DCDiag.exe, see Help and Support Center. To

initiate registration of the DNS records by this

domain controller, run 'nltest.exe /dsregdns'

from the command prompt on the domain controller

or restart Net Logon service. Nltest.exe is

available in the Microsoft Windows Server

Resource Kit CD.

Or, you can manually add this record to DNS,

but it is not recommended.



ADDITIONAL DATA

Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:33:05
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was ldap/server2.somedomain.cc. This indicates that

the password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:35:28
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was

LDAP/67d3c601-fc54-4360-9a4d-823a33197223._msdcs.somedomain.cc.

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (somedomain.CC), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:35:28
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was

ldap/67d3c601-fc54-4360-9a4d-823a33197223._msdcs.somedomain.cc.

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (somedomain.CC), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0xC25A002E
Time Generated: 05/19/2009 17:47:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0001B6F
Time Generated: 05/19/2009 17:47:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:48:37
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was LDAP/server2.somedomain.cc. This indicates that

the password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(somedomain.CC), and the client realm. Please

contact your system administrator.
......................... Server1B failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc and backlink on


CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc

are correct.
The system object reference (frsComputerReferenceBL)

CN=Server1B,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=somedomain,DC=cc

and backlink on CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc

are correct.
The system object reference (serverReferenceBL)

CN=Server1B,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=somedomain,DC=cc

and backlink on

CN=NTDS
Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc

are correct.
......................... Server1B passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : somedomain
Starting test: CrossRefValidation
......................... somedomain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... somedomain passed test CheckSDRefDom

Running enterprise tests on : somedomain.cc
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.
......................... somedomain.cc passed test Intersite
Starting test: FsmoCheck
Warning: Couldn't verify this server as a GC in this servers AD.
GC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
PDC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
Time Server Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
KDC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
......................... somedomain.cc passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS

Guest

Posted: Tue May 19, 2009 9:12 pm    Post subject: Re: Steps to take to demote a former PDC ...

Hello E-Double,

If you have the need to demote a DC:

- run replmon from the run line or repadmin /showrepl (only if more than
one DC exists), dcdiag /v and netdiag /v from the command prompt on all DCs
to check for errors. If you have some, post the complete output from the command
here or solve them first. For these tools you have to install the support\tools\suptools.msi
from the 2000 or 2003 installation disk.

- if no errors exist, transfer the 5 FSMO roles to the other DC (http://support.microsoft.com/kb/324801)

- "netdom query fsmo" in a command prompt will show you the FSMO role holder

- make the other DC Global catalog server if not done (http://support.microsoft.com/?id=313994)

- check that you are running Active Directory integrated zones (easier for
replication, if you have more than one DNS server); also have the DNS server role
installed on the DC you keep

- if you have installed the DNS server role on the other DC do not forget to
reconfigure the clients to use it as preferred DNS

- on the DC with the now transferred PDCEmulator role, configure it as a time
server:
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

With "peers" you can set the time source, either a DNS name (time.windows.com)
or an IP address from a reliable time source.

Here you can find some of them:
http://www.pool.ntp.org/

- on the old DC run to remove time server role:
w32tm /config /syncfromflags:domhier /update

After that run:
net stop w32time
net start w32time

- export and import of DHCP database (if needed) (http://support.microsoft.com/kb/325473)

- backup WINS (if needed) (http://technet.microsoft.com/en-us/library/cc727901.aspx)

- restore WINS (if needed) (http://technet.microsoft.com/en-us/library/cc727960.aspx)

Now I think all steps should be done to start demoting:

- reconfigure your clients/servers so that they no longer point to the old
DC/DNS server on the NIC

- to be sure that everything runs fine, disconnect the old DC from the network
and check with clients and servers the connectivity, logon and also with
one client a restart to see that everything is ok

- then run dcpromo to demote the old DC. If it works fine the machine will
move from the DC's OU to the computers container, where you can delete it
by hand. It can be that you get an error during demoting at the beginning; then
uncheck the Global catalog on that DC and try again

- check the DNS management console, that all entries from the machine have
disappeared, or delete them by hand if the machine is off the network forever

- also you have to start AD Sites and Services and delete the old servername
under the site, this will not be done during demotion


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
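
One way to automate the "check for errors ... solve them first" step and the FSMO check from the list above, as an added example that is not part of the original post: it parses saved dcdiag /v text for failed tests, disabled replication, FSMO roles still on the DC being demoted, and KRB_AP_ERR_MODIFIED events. The function names and the sample output (DC-OLD, DC-NEW, example.test) are constructed for illustration.

```python
import re
from collections import Counter

# \s+ is used wherever pasted dcdiag output is commonly wrapped across lines.
RESULT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
ROLE = re.compile(r"Role (.+?) Owner = CN=NTDS\s+Settings,CN=([^,\s]+),")
REPL_OFF = re.compile(r"(Inbound|Outbound) replication is disabled")
KRB = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(\S+?)\.\s+The target name used"
)

# Constructed sample in the layout dcdiag prints; all names are placeholders.
SAMPLE = r"""
Testing server: Default-First-Site-Name\DC-OLD
Starting test: Replications
[Replications Check,DC-OLD] Inbound replication is disabled.
To correct, run "repadmin /options DC-OLD -DISABLE_INBOUND_REPL"
......................... DC-OLD failed test Replications
Starting test: NetLogons
......................... DC-OLD passed test NetLogons
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=DC-NEW,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
Role Domain Owner = CN=NTDS Settings,CN=DC-NEW,CN=Servers,CN=Default-First-Site-Name
Role PDC Owner = CN=NTDS
Settings,CN=DC-OLD,CN=Servers,CN=Default-First-Site-Name
Role Rid Owner = CN=NTDS
Settings,CN=DC-NEW,CN=Servers,CN=Default-First-Site-Name
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=DC-NEW,CN=Servers,CN=Default-First-Site-Name
......................... DC-OLD passed test KnowsOfRoleHolders
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/dc-new.example.test. The target name used

was cifs/dc-new.example.test. This indicates that
......................... DC-OLD failed test systemlog
Running partition tests on : Schema
......................... Schema passed test
CrossRefValidation
"""


def parse_dcdiag(text):
    """Extract the facts that matter before a demotion from dcdiag /v text."""
    return {
        # "server:test" for every summary line that reports a failure
        "failed": sorted(
            {f"{m.group(1)}:{m.group(3)}"
             for m in RESULT.finditer(text) if m.group(2) == "failed"}
        ),
        # FSMO role name -> server holding it (from KnowsOfRoleHolders)
        "roles": {m.group(1): m.group(2) for m in ROLE.finditer(text)},
        "replication_disabled": sorted(
            {m.group(1) for m in REPL_OFF.finditer(text)}
        ),
        # Per the event text: the service ticket was encrypted with a password
        # different from the one on the target server. Count per principal.
        "kerberos_modified": Counter(
            m.group(1).lower() for m in KRB.finditer(text)
        ),
    }


def demotion_blockers(text, old_dc):
    """Return reasons not to run dcpromo on old_dc yet; empty list if none."""
    report = parse_dcdiag(text)
    blockers = [f"dcdiag test failed: {item}" for item in report["failed"]]
    blockers += [
        f"{direction} replication is disabled"
        for direction in report["replication_disabled"]
    ]
    if len(report["roles"]) < 5:
        blockers.append("could not read all 5 FSMO role holders")
    for role, holder in sorted(report["roles"].items()):
        if holder.lower() == old_dc.lower():
            blockers.append(f"{role} role still held by {holder}")
    for principal, count in sorted(report["kerberos_modified"].items()):
        blockers.append(f"{count} KRB_AP_ERR_MODIFIED event(s) for {principal}")
    return blockers


if __name__ == "__main__":
    for reason in demotion_blockers(SAMPLE, "DC-OLD"):
        print("BLOCKER:", reason)
```

An empty list from demotion_blockers() means none of these conditions were found in the text; it does not replace reading the full output.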


Meinolf Weber [MVP-DS]
Guest

Posted: Tue May 19, 2009 9:16 pm    Post subject: RE: Steps to take to demote a former PDC ...

Hello E-Double,

On a DC you do not have Local users and groups, that is stored in AD now.
During demoting you are prompted to configure a new password for the administrator
account. That new password you can use to log on locally to the server when
it is demoted. Or you can of course use the domain administrator account.

Before setting the member server in a workgroup I suggest to reconfigure
the LOCAL administrator with a blank password. The last time I set a domain
member server to workgroup I had to reset the password with a bootdisk. The
previously configured local admin password was not accepted.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Paul Bergson [MVP-DS]
Guest

Posted: Wed May 20, 2009 10:21 am    Post subject: Re: Steps to take to demote a former PDC ...

Why do you have replication disabled and how long has it been that way? If
beyond the tombstone lifetime, then you are going to just have to flatten
this DC (/forcedemote).
http://support.microsoft.com/kb/332199

You also have service naming issues (DNS). It is as if the two names refer
to one. What is going on with DNS on the two? Do an ipconfig /all on both
DCs and post them. If you want to change part of the octets, that is fine,
just use consistency.

You may want to run the following as well:
dnslint /ad /s "ip address of your dc"

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"E-Double" <EDouble@discussions.microsoft.com> wrote in message
news:24B9325A-D668-422C-8493-48933AB000A0@microsoft.com...
Quote:
Cool, thanks. Ran all of the steps you mentioned, then during the DCPromo
downgrade we received the following error: "The Operation Failed. Managing
The Network Session to somedomain.cc Failed. Logon Failure: The Target
Account Name Is Incorrect." The following are the results from DCDiag on the
machine that is being downgraded (DCDiag from PDC looked okay):
_____________________________________________________

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine Server1, is a DC.
* Connecting to directory service on server Server1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\Server1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... Server1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\Server1
Starting test: Replications
* Replications Check
[Replications Check,Server1B] Inbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_INBOUND_REPL"
[Replications Check,Server1B] Outbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_OUTBOUND_REPL"
......................... Server1B failed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC Server1B.
* Security Permissions Check for
DC=ForestDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=somedomain,DC=cc
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=somedomain,DC=cc
(Configuration,Version 2)
* Security Permissions Check for
DC=somedomain,DC=cc
(Domain,Version 2)
......................... Server1B passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\Server1B\netlogon
Verified share \\Server1B\sysvol
......................... Server1B passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for
\\server2.somedomain.cc, when we were trying to reach Server1B.
Server is not responding or is not considered suitable.
The DC Server1B is advertising itself as a DC and having a DS.
The DC Server1B is advertising as an LDAP server
The DC Server1B is advertising as having a writeable directory
The DC Server1B is advertising as a Key Distribution Center
The DC Server1B is advertising as a time server
......................... Server1B failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
[server2] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: server2 is the Schema Owner, but is not responding to DS RPC Bind.
[server2] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: server2 is the Schema Owner, but is not responding to LDAP Bind.
Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: server2 is the Domain Owner, but is not responding to LDAP Bind.
Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: server2 is the PDC Owner, but is not responding to LDAP Bind.
Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: server2 is the Rid Owner, but is not responding to LDAP Bind.
Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
Warning: server2 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
......................... Server1B failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4108 to 1073741823
* server2.somedomain.cc is the RID Master
......................... Server1B failed test RidManager
Starting test: MachineAccount
Checking machine account for DC Server1B on DC Server1B.
* SPN found :LDAP/Server1b.somedomain.cc/somedomain.cc
* SPN found :LDAP/Server1b.somedomain.cc
* SPN found :LDAP/Server1B
* SPN found :LDAP/Server1b.somedomain.cc/Server1
* SPN found :LDAP/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656._msdcs.somedomain.cc
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc
* SPN found :HOST/Server1B
* SPN found :HOST/Server1b.somedomain.cc/Server1
* SPN found :GC/Server1b.somedomain.cc/somedomain.cc
......................... Server1B passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [Server1B]
* Checking Service: NETLOGON
NETLOGON Service is paused on [Server1B]
......................... Server1B failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
Server1B is in domain DC=somedomain,DC=cc
Checking for CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc
in domain DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
in domain CN=Configuration,DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
......................... Server1B passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... Server1B passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... Server1B passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... Server1B passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:49:30
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was .
This indicates that the password used to encrypt the kerberos service
ticket is different than that on the target server. Commonly, this is
due to identically named machine accounts in the target realm
(somedomain.CC), and the client realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
cifs/server2.somedomain.cc. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (somedomain.CC), and the client realm. Please contact
your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
LDAP/server2.somedomain.cc/somedomain.cc. This indicates that the
password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named
machine accounts in the target realm (somedomain.CC), and the client
realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:52:11
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
Server1\server2$. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (somedomain.CC), and the client realm. Please contact your
system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:53:04
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
LDAP/server2.somedomain.cc/somedomain.cc@somedomain.CC. This indicates
that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (somedomain.CC),
and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:54:55
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/Server1a.somedomain.cc. The target name used was
cifs/Server1a. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (somedomain.CC), and the client realm. Please contact your
system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:55:41
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
DNS/server2.somedomain.cc. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (somedomain.CC), and the client realm. Please contact
your system administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 16:55:41
Event String: The dynamic registration of the DNS record
'somedomain.cc. 600 IN A 123.45.67.240' failed on the following DNS
server:

DNS server IP address: 123.45.67.252
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record
must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and
initiate registration of the DNS records by the domain controller. To
determine what might have caused this failure, run DCDiag.exe. You can
find this program on the Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and
Support Center. To initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns' from the command prompt on
the domain controller or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:57:32
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
ldap/server2.somedomain.cc. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (somedomain.CC), and the client realm. Please contact
your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:23:48
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
DNS/server2.somedomain.cc. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (somedomain.CC), and the client realm. Please contact
your system administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 17:23:48
Event String: The dynamic registration of the DNS record
'somedomain.cc. 600 IN A 123.45.67.240' failed on the following DNS
server:

DNS server IP address: 123.45.67.252
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record
must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and
initiate registration of the DNS records by the domain controller. To
determine what might have caused this failure, run DCDiag.exe. You can
find this program on the Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and
Support Center. To initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns' from the command prompt on
the domain controller or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:04
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
cifs/server2.somedomain.cc. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (somedomain.CC), and the client realm. Please contact
your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:05
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
LDAP/server2.somedomain.cc/somedomain.cc@somedomain.CC. This indicates
that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (somedomain.CC),
and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:18
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was .
This indicates that the password used to encrypt the kerberos service
ticket is different than that on the target server. Commonly, this is
due to identically named machine accounts in the target realm
(somedomain.CC), and the client realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:24:22
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/Server1a.somedomain.cc. The target name used was
cifs/Server1a. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (somedomain.CC), and the client realm. Please contact your
system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:25:07
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
ldap/server2.somedomain.cc/somedomain.cc@somedomain.CC. This indicates
that the password used to encrypt the kerberos service ticket is
different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (somedomain.CC),
and the client realm. Please contact your system administrator.
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 17:28:50
Event String: The dynamic registration of the DNS record
'somedomain.cc. 600 IN A 123.45.67.240' failed on the following DNS
server:

DNS server IP address: 123.45.67.230
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record
must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and
initiate registration of the DNS records by the domain controller. To
determine what might have caused this failure, run DCDiag.exe. You can
find this program on the Windows Server 2003 installation CD in
Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and
Support Center. To initiate registration of the DNS records by this
domain controller, run 'nltest.exe /dsregdns' from the command prompt on
the domain controller or restart Net Logon service. Nltest.exe is
available in the Microsoft Windows Server Resource Kit CD.
Or, you can manually add this record to DNS, but it is not recommended.

ADDITIONAL DATA
Error Value: %%9017
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:33:05
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
ldap/server2.somedomain.cc. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (somedomain.CC), and the client realm. Please contact
your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:35:28
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
LDAP/67d3c601-fc54-4360-9a4d-823a33197223._msdcs.somedomain.cc.
This indicates that the password used to encrypt the kerberos service
ticket is different than that on the target server. Commonly, this is
due to identically named machine accounts in the target realm
(somedomain.CC), and the client realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:35:28
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
ldap/67d3c601-fc54-4360-9a4d-823a33197223._msdcs.somedomain.cc.
This indicates that the password used to encrypt the kerberos service
ticket is different than that on the target server. Commonly, this is
due to identically named machine accounts in the target realm
(somedomain.CC), and the client realm. Please contact your system
administrator.
An Error Event occured. EventID: 0xC25A002E
Time Generated: 05/19/2009 17:47:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0001B6F
Time Generated: 05/19/2009 17:47:25
(Event String could not be retrieved)
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 17:48:37
Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error
from the server host/server2.somedomain.cc. The target name used was
LDAP/server2.somedomain.cc. This indicates that the password used to
encrypt the kerberos service ticket is different than that on the target
server. Commonly, this is due to identically named machine accounts in
the target realm (somedomain.CC), and the client realm. Please contact
your system administrator.
......................... Server1B failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc and backlink on
CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
are correct.
The system object reference (frsComputerReferenceBL)
CN=Server1B,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=somedomain,DC=cc
and backlink on CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc
are correct.
The system object reference (serverReferenceBL)
CN=Server1B,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=somedomain,DC=cc
and backlink on
CN=NTDS Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
are correct.
......................... Server1B passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : somedomain
Starting test: CrossRefValidation
......................... somedomain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... somedomain passed test CheckSDRefDom

Running enterprise tests on : somedomain.cc
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... somedomain.cc passed test Intersite
Starting test: FsmoCheck
Warning: Couldn't verify this server as a GC in this servers AD.
GC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
PDC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
Time Server Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
KDC Name: \\server2.somedomain.cc
Locator Flags: 0xe00003fd
......................... somedomain.cc passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
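
A triage helper for DCDiag output like the dump quoted above, added here as an example and not part of anyone's post: it lists the failed tests, the stopped or paused services, and the server and target names from each KRB_AP_ERR_MODIFIED event, coping with the wrapped and blank-padded lines seen in the paste. The sample text is constructed in the same format, and all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the DCDiag paste above, including the
# blank-line padding and wrapped result lines that the forum paste shows.
SAMPLE = """\
Starting test: Replications
[Replications Check,Server1B] Inbound replication is disabled.
......................... Server1B failed test Replications
w32time Service is stopped on [Server1B]
NETLOGON Service is paused on [Server1B]
......................... Server1B failed test Services
Starting test: systemlog
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:49:30
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was . This indicates that the password used to
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was cifs/server2.somedomain.cc. This indicates that
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:54:55
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/Server1a.somedomain.cc. The target name used
was cifs/Server1a. This indicates that the password
An Error Event occured. EventID: 0x0000168E
Time Generated: 05/19/2009 16:55:41
Event String: The dynamic registration of the DNS record
'somedomain.cc. 600 IN A 123.45.67.240' failed
......................... Server1B failed test systemlog
......................... ForestDnsZones passed test
CrossRefValidation
"""

RESULT_RE = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?$")
SERVICE_RE = re.compile(r"^(\S+) Service is (stopped|paused) on \[(\S+)\]$")
EVENT_SPLIT_RE = re.compile(r"An Error Event occurr?ed\.")  # tool prints "occured"
KRB_RE = re.compile(r"KRB_AP_ERR_MODIFIED error from the server (\S+)\. "
                    r"The target name used was (\S*)\. This indicates")


def dcdiag_results(text):
    """Return (target, test, verdict) per result line, rejoining wrapped names."""
    lines = [ln.strip() for ln in text.splitlines()]
    results = []
    for i, line in enumerate(lines):
        m = RESULT_RE.match(line)
        if m:
            target, verdict, name = m.groups()
            if name is None:  # test name wrapped onto the next non-blank line
                name = next((ln for ln in lines[i + 1:] if ln), "")
            results.append((target, name, verdict))
    return results


def service_problems(text):
    """Return (service, state, host) for services reported stopped or paused."""
    hits = (SERVICE_RE.match(ln.strip()) for ln in text.splitlines())
    return [m.groups() for m in hits if m]


def kerberos_mismatches(text):
    """Return one dict per KRB_AP_ERR_MODIFIED event in the systemlog section."""
    events = []
    for chunk in EVENT_SPLIT_RE.split(text)[1:]:
        flat = " ".join(chunk.split())  # undo wrapping and blank-line padding
        m = KRB_RE.search(flat)
        if not m:
            continue  # some other event, e.g. a DNS registration failure
        when = re.search(r"Time Generated: (\S+ \S+)", flat)
        events.append({"time": when.group(1) if when else None,
                       "server": m.group(1),
                       "target": m.group(2) or "(empty)"})
    return events


def services_by_server(text):
    """Group the failing service classes by the server principal they name."""
    grouped = defaultdict(set)
    for ev in kerberos_mismatches(text):
        grouped[ev["server"]].add(ev["target"].split("/")[0].lower())
    return {srv: sorted(classes) for srv, classes in grouped.items()}


if __name__ == "__main__":
    print([r for r in dcdiag_results(SAMPLE) if r[2] == "failed"])
    print(service_problems(SAMPLE))
    print(services_by_server(SAMPLE))
```

When every service class fails against the same server principal, the grouping points at that machine account's password rather than at any one service.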

E-Double
Posted: Wed May 20, 2009 10:34 am    Post subject: Re: Steps to take to demote a former PDC ...

Hi Paul, thanks for the reply. We did not actually disable replication - but
it appears that that process started having errors about two months ago for
some reason. I am not sure what caused the DNS errors either, but we did the
/forceremove option and also ran the Ntdsutil utility to remove this DC and
then just made it a member server and everything seems fine now. We will
wait a day or two and run the dcdiag util again as well as the dns diags you
mentioned, but hopefully we are good.

I am not sure what happened to this one machine, but it could not even
connect to remote hosts outside of the domain that it had been connecting to
for years. Weird ...

Anyways, thanks again everybody for all your help - much appreciated !

e.



"Paul Bergson [MVP-DS]" wrote:

Quote:
Why do you have replication disabled and how long has it been that way? If
beyond the tombstone lifetime then you are going to just have to flatten
this dc (/forcedemote).
http://support.microsoft.com/kb/332199

You also have service naming issues (dns). It is as if the two names refer
to one. What is going on with dns on the two? Do an ipconfig /all on both
dc's and post them. If you want to change part of the octets, that is fine,
just use consistency.

You may want to run the following as well:
dnslint /ad /s "ip address of your dc"

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

"E-Double" <EDouble@discussions.microsoft.com> wrote in message
news:24B9325A-D668-422C-8493-48933AB000A0@microsoft.com...
Cool, thanks. Ran all of the steps you mentioned, then during the DCPromo
downgrade we received the following error: "The Operation Failed. Managing
The Network Session to somedomain.cc Failed. Logon Failure: The Target
Account Name Is Incorrect." The following is the results from DCDiag on
the
machine that is being downgraded (DCDiag from PDC looked okay):
_____________________________________________________

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine Server1, is a DC.
* Connecting to directory service on server Server1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\Server1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... Server1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\Server1
Starting test: Replications
* Replications Check
[Replications Check,Server1B] Inbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_INBOUND_REPL"
[Replications Check,Server1B] Outbound replication is disabled.
To correct, run "repadmin /options
Server1B -DISABLE_OUTBOUND_REPL"
......................... Server1B failed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC Server1B.
* Security Permissions Check for
DC=ForestDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=somedomain,DC=cc
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=somedomain,DC=cc
(Configuration,Version 2)
* Security Permissions Check for
DC=somedomain,DC=cc
(Domain,Version 2)
......................... Server1B passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\Server1B\netlogon
Verified share \\Server1B\sysvol
......................... Server1B passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for
\\server2.somedomain.cc, when we were trying to reach Server1B.
Server is not responding or is not considered suitable.
The DC Server1B is advertising itself as a DC and having a DS.
The DC Server1B is advertising as an LDAP server
The DC Server1B is advertising as having a writeable directory
The DC Server1B is advertising as a Key Distribution Center
The DC Server1B is advertising as a time server
......................... Server1B failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
[server2] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: server2 is the Schema Owner, but is not responding to DS
RPC Bind.
[server2] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: server2 is the Schema Owner, but is not responding to
LDAP
Bind.
Role Domain Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Domain Owner, but is not responding to DS
RPC Bind.
Warning: server2 is the Domain Owner, but is not responding to
LDAP
Bind.
Role PDC Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the PDC Owner, but is not responding to DS RPC
Bind.
Warning: server2 is the PDC Owner, but is not responding to LDAP
Bind.
Role Rid Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: server2 is the Rid Owner, but is not responding to LDAP
Bind.
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: server2 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... Server1B failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4108 to 1073741823
* server2.somedomain.cc is the RID Master
......................... Server1B failed test RidManager
Starting test: MachineAccount
Checking machine account for DC Server1B on DC Server1B.
* SPN found :LDAP/Server1b.somedomain.cc/somedomain.cc
* SPN found :LDAP/Server1b.somedomain.cc
* SPN found :LDAP/Server1B
* SPN found :LDAP/Server1b.somedomain.cc/Server1
* SPN found
:LDAP/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656._msdcs.somedomain.cc
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc
* SPN found :HOST/Server1B
* SPN found :HOST/Server1b.somedomain.cc/Server1
* SPN found :GC/Server1b.somedomain.cc/somedomain.cc
......................... Server1B passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [Server1B]
* Checking Service: NETLOGON
NETLOGON Service is paused on [Server1B]
......................... Server1B failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
Server1B is in domain DC=somedomain,DC=cc
Checking for CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc
in domain DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
in domain CN=Configuration,DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
......................... Server1B passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... Server1B passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... Server1B passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... Server1B passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:49:30
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was . This indicates that the password used to
encrypt the kerberos service ticket is different
than that on the target server. Commonly, this is
due to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was cifs/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was LDAP/server2.somedomain.cc/somedomain.cc. This
indicates that the password used to encrypt the
kerberos service ticket is different than that on
the target server. Commonly, this is due to
identically named machine accounts in the target
realm (somedomain.CC), and the client realm.
Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:52:11
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was Server1\server2$. This indicates that the password
used to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:53:04
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was
LDAP/server2.somedomain.cc/somedomain.cc@somedomain.CC.
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the

Paul Bergson [MVP-DS]
Guest

Posted: Wed May 20, 2009 4:14 pm    Post subject: Re: Steps to take to demote a former PDC ...

glad you got things worked out

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"E-Double" <EDouble@discussions.microsoft.com> wrote in message
news:77C1AC7A-DBD8-40BF-93DF-0D773A5B8FFC@microsoft.com...
Quote:
Hi Paul, thanks for the reply. We did not actually disable replication -
but it appears that that process started having errors about two months
ago for some reason. I am not sure what caused the DNS errors either, but
we did the /forceremove option and also ran the Ntdsutil utility to remove
this DC and then just made it a member server and everything seems fine
now. We will wait a day or two and run the dcdiag util again as well as
the dns diags you mentioned, but hopefully we are good.

I am not sure what happened to this one machine, but it could not even
connect to remote hosts outside of the domain that it had been connecting
to for years. Weird ...

Anyways, thanks again everybody for all your help - much appreciated !

e.



"Paul Bergson [MVP-DS]" wrote:

Why do you have replication disabled and how long has it been that way?
If beyond the tombstone lifetime then you are going to just have to
flatten this dc (/forcedemote).
http://support.microsoft.com/kb/332199

You also have service naming issues (dns). It is as if the two names
refer to one. What is going on with dns on the two? Do an ipconfig /all
on both dc's and post them. If you want to change part of the octets,
that is fine just use consistency.

You may want to run the following as well:
dnslint /ad /s "ip address of your dc"

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"E-Double" <EDouble@discussions.microsoft.com> wrote in message
news:24B9325A-D668-422C-8493-48933AB000A0@microsoft.com...
Cool, thanks. Ran all of the steps you mentioned, then during the DCPromo
downgrade we received the following error: "The Operation Failed. Managing
The Network Session to somedomain.cc Failed. Logon Failure: The Target
Account Name Is Incorrect." The following are the results from DCDiag on
the machine that is being downgraded (DCDiag from PDC looked okay):
_____________________________________________________

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine Server1, is a DC.
* Connecting to directory service on server Server1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\Server1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... Server1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\Server1
Starting test: Replications
* Replications Check
[Replications Check,Server1B] Inbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_INBOUND_REPL"
[Replications Check,Server1B] Outbound replication is disabled.
To correct, run "repadmin /options Server1B -DISABLE_OUTBOUND_REPL"
......................... Server1B failed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC Server1B.
* Security Permissions Check for
DC=ForestDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=somedomain,DC=cc
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=somedomain,DC=cc
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=somedomain,DC=cc
(Configuration,Version 2)
* Security Permissions Check for
DC=somedomain,DC=cc
(Domain,Version 2)
......................... Server1B passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\Server1B\netlogon
Verified share \\Server1B\sysvol
......................... Server1B passed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for
\\server2.somedomain.cc, when we were trying to reach Server1B.
Server is not responding or is not considered suitable.
The DC Server1B is advertising itself as a DC and having a DS.
The DC Server1B is advertising as an LDAP server
The DC Server1B is advertising as having a writeable directory
The DC Server1B is advertising as a Key Distribution Center
The DC Server1B is advertising as a time server
......................... Server1B failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
[server2] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: server2 is the Schema Owner, but is not responding to DS RPC Bind.
[server2] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: server2 is the Schema Owner, but is not responding to LDAP Bind.
Role Domain Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: server2 is the Domain Owner, but is not responding to LDAP Bind.
Role PDC Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: server2 is the PDC Owner, but is not responding to LDAP Bind.
Role Rid Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: server2 is the Rid Owner, but is not responding to LDAP Bind.
Role Infrastructure Update Owner = CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
Warning: server2 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
Warning: server2 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
......................... Server1B failed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 4108 to 1073741823
* server2.somedomain.cc is the RID Master
......................... Server1B failed test RidManager
Starting test: MachineAccount
Checking machine account for DC Server1B on DC Server1B.
* SPN found :LDAP/Server1b.somedomain.cc/somedomain.cc
* SPN found :LDAP/Server1b.somedomain.cc
* SPN found :LDAP/Server1B
* SPN found :LDAP/Server1b.somedomain.cc/Server1
* SPN found :LDAP/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656._msdcs.somedomain.cc
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/2635e1bc-00c2-4d22-8f71-3ea2b8e2f656/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc/somedomain.cc
* SPN found :HOST/Server1b.somedomain.cc
* SPN found :HOST/Server1B
* SPN found :HOST/Server1b.somedomain.cc/Server1
* SPN found :GC/Server1b.somedomain.cc/somedomain.cc
......................... Server1B passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
w32time Service is stopped on [Server1B]
* Checking Service: NETLOGON
NETLOGON Service is paused on [Server1B]
......................... Server1B failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
Server1B is in domain DC=somedomain,DC=cc
Checking for CN=Server1B,OU=Domain Controllers,DC=somedomain,DC=cc
in domain DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=Server1B,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=somedomain,DC=cc
in domain CN=Configuration,DC=somedomain,DC=cc on 1 servers
Object is up-to-date on all servers.
......................... Server1B passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... Server1B passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... Server1B passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... Server1B passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:49:30
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was . This indicates that the password used to
encrypt the kerberos service ticket is different
than that on the target server. Commonly, this is
due to identically named machine accounts in the
target realm (somedomain.CC), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was cifs/server2.somedomain.cc. This indicates that
the password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:51:47
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was LDAP/server2.somedomain.cc/somedomain.cc. This
indicates that the password used to encrypt the
kerberos service ticket is different than that on
the target server. Commonly, this is due to
identically named machine accounts in the target
realm (somedomain.CC), and the client realm.
Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:52:11
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was Server1\server2$. This indicates that the password
used to encrypt the kerberos service ticket is
different than that on the target server.
Commonly, this is due to identically named
machine accounts in the target realm
(somedomain.CC), and the client realm. Please
contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/19/2009 16:53:04
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/server2.somedomain.cc. The target name used
was
LDAP/server2.somedomain.cc/somedomain.cc@somedomain.CC.
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
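
One way to triage a dcdiag dump like the one quoted in this thread, as an added example that is not part of the original posts: the Python below flattens the mail-wrapped text, then lists the failed tests, the stopped or paused services, and the server and target-name pairs from the KRB_AP_ERR_MODIFIED events. The function name `summarize` and the embedded sample are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample shaped like the dcdiag dump quoted in this thread,
# including a wrapped verdict line and double-spaced event strings.
SAMPLE = """\
......................... Server1B failed test Replications
......................... Server1B passed test NetLogons
w32time Service is stopped on [Server1B]
NETLOGON Service is paused on [Server1B]
......................... Server1B failed test
Services
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was cifs/server2.somedomain.cc. This indicates that
An Error Event occured. EventID: 0x40000004
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/server2.somedomain.cc. The target name used

was . This indicates that the password used to
"""

VERDICT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\w+)")
SERVICE = re.compile(r"(\w+) Service is (stopped|paused) on \[([^\]]+)\]")
KRB = re.compile(r"KRB_AP_ERR_MODIFIED error from the server (\S+)\. "
                 r"The target name used was (.*?)\s*\. This indicates")

def summarize(dcdiag_text):
    """Return failed tests, non-running services and KRB_AP_ERR_MODIFIED pairs."""
    # Collapse all whitespace so wrapped lines read as one stream.
    flat = " ".join(dcdiag_text.split())
    failed = [t for _, verdict, t in VERDICT.findall(flat) if verdict == "failed"]
    services = {name: state for name, state, _ in SERVICE.findall(flat)}
    # Count (answering server, requested target name) pairs; an empty target
    # name is kept as "" rather than guessed.
    events = Counter(KRB.findall(flat))
    return {"failed_tests": failed, "services": services, "krb_modified": events}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Grouping the Kerberos events by answering server shows at a glance whether every error points at the same host, as they do in the dump above.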