Re: Security Event 676 - Kerberos Failure Code 6

From: Jeff Smyrski (jsmyrski_at_bankofutica.com)
Date: 10/06/03


Date: Mon, 6 Oct 2003 12:06:31 -0400

Okay, here is what I tried this morning (10/6). The Admin was left signed in
over the weekend, and the machine went to standby...so after waking it up,
and rebooting, the event log showed the usual Userenv 1030/1058 errors.
BUT, after logging back in and rebooting several times, the error has not
surfaced again.

Here is my theory...I was having a heck of a time with DNS errors between two
of my domain controllers, which included getting my forwarders to work
properly from the Internal DNS server to the ISP DNS servers...my other DC
was a Proxy Server which had the Internal DNS server, as well as the ISP DNS
entries, configured. Last Thursday or Wednesday, I think I got this
resolved. My theory is this: could it have taken several days for the two
servers to get synced up? Because this morning everything worked
fine...note I did do two other things...but I don't think they have an impact
on this...it was after these two steps that I noticed the error was gone.

#1) In active directory, for the group that my Admin account is in there
were group policies, one was standard web urls for all users on the network.
Under the domain admins, and Enterprise Admins, the apply group policy was
NOT checked for applying HOWEVER, it was checked to DENY the policy for the
admins in both cases...I removed the deny check mark. So now the admins,
have the same URLS in that group.

#2) Here is the interesting part...I went to the Domain Controller as you
requested and ran NETDIAG.EXE and sent the output to a text file, and also
DCDIAG.EXE and sent the output to a text file...I did not note anything
that was an error (only the gateway of the Domain Controller was configured to
the firewall, which only allows port 53 out for this particular machine.) SO
I expected this.

    So I proceeded to go to this client machine, and run the Netdiag tool,
but it was not a recognized program...(no tools installed) so I installed
the Windows 2000 Support tools. But in attempting to run the netdiag
command, I get the following error:

    The procedure entry point DnsGetPrimaryDomainName_UTF8 Could not be
located in the dynamic link library DNSAPI.dll.

I suspect, and will test this, that because this is XP I have to install the
Windows 2003 support tools...in order for this to work.

The only other thing I can think of in regards to this was that Friday
afternoon I synchronized the time to the Time Server, and maybe, as you said,
something was out of sync there? Although after I did the net time /set it
was the same, but I still had errors? When a machine is out of sync like
this, does the server block access for a specified amount of time, kind of
like a black list until a later time? (stretching, huh?)

Let me know what you think.

Thanks
Jeff Smyrski

"Steven L Umbach" <n9rou@comcast.net> wrote in message
news:tRmfb.210510$mp.130220@rwcrnsc51.ops.asp.att.net...
> Hi Jeff. Run netdiag and dcdiag on the domain controller to check its
> health looking for any failed tests. Then run netdiag on the problem
> machine looking for failed tests, using the debug switch for more info,
> and be sure NO isp dns servers are ever listed in tcp/ip properties of a
> domain member. I don't know the problem offhand but a couple things:
> first make sure that these computers are in time sync with the domain
> because kerberos only has a 5 minute skew tolerance by default, make
> sure ICF firewall is disabled on XP machines, there are issues with smb
> signing in a W2K network so in the Domain Controller Security Policy try
> disabling all four settings in security options for "digitally sign
> communications", and also there may be an issue with kerberos using udp
> - see KB link below. --- Steve
>
> http://support.microsoft.com/?kbid=244474
> http://www.jsiinc.com/SUBL/tip5800/rh5874.htm
>
> "Jeff Smyrski" <jsmyrski@bankofutica.com> wrote in message
> news:0d2401c389f3$06945af0$a001280a@phx.gbl...
> > Failure Code 0x6 - KB 326985
> > "Client Not Found in Kerberos Database"
> >
> > I am getting about 50 of these errors at my Domain
> > Controller, in the security log. Event Id 676.
> >
> > The machine that is being reported is a Brand New Hp d530
> > with windows xp pro installed, OEM. I have only
> > performed the following steps on that machine. I
> > configured the IP, and then Joined the domain...(where
> > the same IP machine was a member of at one point in time
> > and was not previously removed, but rather deleted in
> > Active Directory/DNS/WINS)
> >
> > After joining the domain, rebooting a couple of times,
> > and logging in as the administrator, I get these errors
> > at the Domain Controller, it seems to take policies for
> > the first time logging in, Domain Policy and
> > Organizational Unit policy for the group the
> > Administrators are in (ie Windows 2000 Admin Tools
> > publish).
> >
> > At the same time, I am getting errors on the client
> > workstation, Userenv Event ID 1053 "Windows can not
> > determine the user or computer name. (Access Denied)"
> >
> > Even though - I sign into the domain...
> >
> > The next error on the client after that one, is Userenv
> > Event ID 1058, which points to the inability to connect
> > to the domain SYSVOL where policies are stored.
> >
> > And finally after that error, there is another Userenv
> > Event ID 1030, which basically says "Windows can not
> > query for the list of Group Policy objects"
> >
> > I went to technet chat for support, they found all sorts
> > of KBs talking about Kerberos, but nothing on how to
> > resolve this issue.
> >
> > Please let me know.
> >
> > Jeff Smyrski
> >
>
>
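A defender's triage of Event 676 records like the ones in this thread, added here as an example for the archive (not code from either poster): it parses the event bodies, tallies them per account and client address, and flags failure code 0x6 from principals that no longer have an AD account, the stale computer-account situation Jeff describes. The event bodies, hostnames, addresses and the KNOWN_ACCOUNTS set are constructed; the 0x18 and 0x25 codes come from RFC 4120, not from the thread.

```python
# Triage Event 676 (Kerberos pre-authentication failed) bodies from a Windows 2000 DC security log.
import re
from collections import Counter
# Kerberos error codes per RFC 4120; 0x6 is the code discussed in the thread.
FAILURE_CODES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew beyond the KDC's 5-minute tolerance)",
}
# Constructed sample: three Event 676 bodies in the DC's log format (hostnames and IPs made up).
SAMPLE_EVENTS = """\
Authentication Ticket Request Failed:
    User Name:      WS-D530$
    Failure Code:   0x6
    Client Address: 10.40.1.160
Authentication Ticket Request Failed:
    User Name:      WS-D530$
    Failure Code:   0x6
    Client Address: 10.40.1.160
Authentication Ticket Request Failed:
    User Name:      FS01$
    Failure Code:   0x25
    Client Address: 10.40.1.21
"""
# Constructed: sAMAccountNames currently present in AD (the rejoined d530's is not among them).
KNOWN_ACCOUNTS = {"ADMINISTRATOR", "FS01$"}

_FIELD = re.compile(r"^\s*(User Name|Failure Code|Client Address):\s*(.+?)\s*$", re.M)

def parse_events(text):
    """Split the log text into events and pull out the three fields the triage needs."""
    events = []
    for block in re.split(r"\n(?=Authentication Ticket Request Failed:)", text.strip()):
        fields = dict(_FIELD.findall(block))
        if "Failure Code" in fields:
            fields["Failure Code"] = int(fields["Failure Code"], 16)  # "0x6" -> 6
            events.append(fields)
    return events

def triage(events, known_accounts):
    """Tally (user, client, code) and flag 0x6 from principals AD no longer has an account for."""
    counts = Counter((e["User Name"], e["Client Address"], e["Failure Code"]) for e in events)
    findings = []
    for (user, addr, code), n in sorted(counts.items()):
        reason = FAILURE_CODES.get(code, "unknown code 0x%x" % code)
        if code == 0x6 and user.upper() not in known_accounts:
            reason += "; no such account in AD (stale or deleted computer account?)"
        findings.append({"user": user, "client": addr, "code": code, "count": n, "reason": reason})
    return findings
```

On a real DC the same parser can be pointed at the exported security log and KNOWN_ACCOUNTS at the sAMAccountName list pulled from AD.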
