Win2k kerberos problems

From: Al Blake (al@blakes.net)
Date: 04/11/03


From: al@blakes.net (Al Blake)
Date: 10 Apr 2003 22:30:46 -0700


Every couple of minutes we are seeing the following messages in the
event log of a MEMBER server (not a DC) on our domain:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/04/2003
Time: 3:22:21 PM
User: N/A
Computer: CHIMERA
Description:
The function InitializeSecurityContext received a Kerberos Error
Message:
         on logon session
 Client Time:
 Server Time: 5:22:21.0000 4/11/2003 (null)
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Client Realm:
 Client Name:
 Server Realm: CGGS.ACT.EDU.AU
 Server Name: krbtgt/CGGS.ACT.EDU.AU
 Target Name: HOST/172.16.0.30@CGGS.ACT.EDU.AU
 Error Text:
 File:
 Line:
 Error Data is in record data.

We see thousands of these messages a day and they refer to three IP
numbers:
172.16.0.30 - our ISA firewall which is in its own AD domain
192.168.31.22 - the secondary IP of our Exchange server
192.168.32.32 - a utility win2k workstation.

Now each of these IPs has the correct reverse lookup that resolves to
a hostname when you run nslookup. But Kerberos still logs the error
using the IP number.

Also, why is a Win2k member server (it's our intranet IIS box) logging
these errors rather than a DC?
Is one of the problems due to the fact that the Exchange server has
two IPs so we can run two separate web sites on it? The primary IP
will resolve as the same name as the machine object in AD, but the
secondary resolves to a different name that exists in DNS but NOT
in AD.

Any suggestions as to how we can fix this, as these thousands of errors
mean we don't tend to notice other errors?
Al Blake, Australia
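A triage script for the event text above, added here as an example and not part of the original post. Two facts it relies on: InitializeSecurityContext is the client-side SSPI call, so Event ID 4 is logged by the machine that initiated the connection (the member server), not by the DC; and the Target Name field is the SPN the client asked the KDC for. Windows builds that SPN from whatever name the caller used to reach the target, so connecting by IP address yields HOST/172.16.0.30, which no account in AD has registered, and the KDC answers KDC_ERR_S_PRINCIPAL_UNKNOWN (the client then falls back to NTLM). Reverse DNS never enters into it, which is why fixing PTR records does not change the logged name. The script parses the description fields, splits the SPN, and separates IP-literal targets (connect by name instead) from hostname targets (a genuinely missing SPN, such as a DNS name that exists nowhere in AD). The sample events are constructed from the one in the post; the hostname-based target intranet2.cggs.act.edu.au is a hypothetical name used only for contrast.

```python
"""Triage Kerberos Event ID 4 descriptions by the SPN that was requested.

Added example, not code from the original post. Parses the event
description fields as posted, extracts the Target Name SPN, and reports
whether the SPN's host component is an IP literal (never registered in
AD) or a hostname (possibly a missing SPN registration).
"""
import ipaddress
import re
from collections import Counter

# Constructed template copied from the event in the post; only the
# Target Name varies between the sample events below.
EVENT_TEMPLATE = """Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Computer: CHIMERA
Description:
The function InitializeSecurityContext received a Kerberos Error
Message:
         on logon session
 Client Time:
 Server Time: 5:22:21.0000 4/11/2003 (null)
 Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
 Client Realm:
 Client Name:
 Server Realm: CGGS.ACT.EDU.AU
 Server Name: krbtgt/CGGS.ACT.EDU.AU
 Target Name: {target}
 Error Text:
 File:
 Line:
 Error Data is in record data.
"""

SAMPLE_EVENTS = [EVENT_TEMPLATE.format(target=t) for t in (
    "HOST/172.16.0.30@CGGS.ACT.EDU.AU",     # the event quoted in the post
    "HOST/192.168.31.22@CGGS.ACT.EDU.AU",   # other IPs the post mentions
    "HOST/192.168.32.32@CGGS.ACT.EDU.AU",
    # Hypothetical DNS-only name (not in the post) to show the other case.
    "HOST/intranet2.cggs.act.edu.au@CGGS.ACT.EDU.AU",
)]

# One "Key: value" field per line; the key is letters and spaces up to the
# first colon, so values containing colons (times, SPNs) survive intact.
_FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Return the event's 'Key: value' fields as a dict (empty values kept)."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def split_spn(spn):
    """Split 'service/host[:port]@REALM' into (service, host, realm).

    Realm and port are optional. An instance with more than one colon is
    treated as a bare IPv6 literal rather than host:port.
    """
    realm = None
    if "@" in spn:
        spn, realm = spn.rsplit("@", 1)
    service, _, instance = spn.partition("/")
    host = instance.split(":")[0] if instance.count(":") <= 1 else instance
    return service, host, realm


def is_ip_literal(host):
    """True when the SPN host component is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(event_texts):
    """Count requested SPN hosts, split into IP-literal and named targets."""
    ip_targets, named_targets = Counter(), Counter()
    for text in event_texts:
        fields = parse_event(text)
        target = fields.get("Target Name", "")
        if not target:
            continue
        _service, host, _realm = split_spn(target)
        bucket = ip_targets if is_ip_literal(host) else named_targets
        bucket[host] += 1
    return {"ip_literal_targets": dict(ip_targets),
            "named_targets": dict(named_targets)}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print("Targets addressed by IP (connect by a registered name instead):")
    for host, n in report["ip_literal_targets"].items():
        print(f"  {host}: {n} event(s)")
    print("Targets addressed by name (check the SPN is registered in AD):")
    for host, n in report["named_targets"].items():
        print(f"  {host}: {n} event(s)")
```

Run it against the text of real events exported from the event log and the IP-literal bucket tells you which callers are connecting by address; those entries will not go away by touching DNS, only by using a name whose SPN exists (or, for a non-Windows service, by registering one). Anything left in the named bucket is worth checking with setspn on a DC.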