Re: Security Event 676 - Kerberos Failure Code 6
From: Steven L Umbach (n9rou_at_comcast.net)
Date: 10/08/03
- Next message: Steven L Umbach: "Re: The Local Policy of This System Does Not Permit You to Logon Interactively"
- Previous message: Oli Restorick [MVP]: "Re: 2 redundant 2000 servers"
- In reply to: Jeff Smyrski: "Re: Security Event 676 - Kerberos Failure Code 6"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 07 Oct 2003 23:19:42 GMT
Hi Jeff. You have a somewhat unusual configuration with the domain
controller also being the proxy server. My top choice for there being a
problem would be dns configuration. DNS issues can cause a lot of problems
in an Active Directory Domain. Make sure your domain controllers only have
each other listed as dns servers by tcp/ip address in the zone properties
and that the ip address on the proxy dc is the internal lan address. I
would also check the SOA record for the zone to see if the serial numbers
match. If problems persist you may want to look at the proxy dc in network
and dial up connections advanced/advanced to see if internal lan adapter is
listed at the top. Also check the Event Viewer for dns errors. Since you
have an unusual setup, you may want to post in the win2000.active_directory
group if your errors do not stop. See the link below for some good info on
dns.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
I would not think that it would take that long for a dns problem to clear up
unless you changed options in the dhcp scope in which case it possibly could
take a while. I doubt the URL setting had anything to do with the problem
and yes the error you saw using netdiag was result of using the wrong
version for the operating system. Netdiag is also available for XP on the
install disk under the support/tools folder where you have to install the
support tools and is a great tool to use on a domain member when problems
like this come up. The time sync would only matter if the time skew between
the domain controller and a domain member was off by more than five minutes,
which could occur if a computer had not been connected to the network for a
long time or it had a really bad clock in it - netdiag would show a failed
kerberos test. I don't know how often kerberos would try, but until the skew
was corrected there could not be authentication with kerberos. Anyhow, glad the
problem was corrected and hope it stays that way. --- Steve
"Jeff Smyrski" <jsmyrski@bankofutica.com> wrote in message
news:#x#7PPCjDHA.2232@TK2MSFTNGP09.phx.gbl...
> Okay, here is what I tried this morning (10/6) The Admin was left signed in
> over the weekend, and the machine went to standby...so after waking it up,
> and rebooting, the event log showed the usual Userenv 1030/1058 errors.
> BUT, after logging back in and rebooting several times, the error has not
> surfaced again.
>
> Here is my theory...I was having a heck of a time with DNS errors between two
> of my domain controllers, which included getting my forwarders to work
> properly from the Internal DNS server to the ISP DNS servers...my other DC
> was a Proxy Server who had the Internal DNS server, as well as the ISP DNS
> entries configured. Last Thursday or Wednesday, I think I got this
> resolved. My theory is this? Could it have taken several days for the two
> servers to get synced up? Because this morning everything worked
> fine...note I did do two other things...but don't think they have an impact
> on this...it was after these two steps that I noticed the error was gone.
>
> #1) In active directory, for the group that my Admin account is in there
> were group policies, one was standard web urls for all users on the network.
> Under the domain admins, and Enterprise Admins, the apply group policy was
> NOT checked for applying HOWEVER, it was checked to DENY the policy for the
> admins in both cases...I removed the deny check mark. So now the admins,
> have the same URLS in that group.
>
> #2) Here is the interesting part...I went to the Domain Controller as you
> requested and ran the NETDIAG.EXE and made the output to text file, and also
> the DCDIAG.EXE and made the output to a text file...I did not note anything
> that was an error (only the gateway of the Domain Controller was configured to
> the firewall which only allows for 53 out for this particular machine.) SO
> I expected this.
>
> So I proceeded to go to this client machine, and run the Netdiag tool,
> but it was not a recognized program...(no tools installed) so I installed
> the Windows 2000 Support tools. But in attempting to run the netdiag
> command, I get the following error:
>
> The procedure entry point DnsGetPrimaryDomainName_UTF8 Could not be
> located in the dynamic link library DNSAPI.dll.
>
> I suspect, and will test this, that because this is XP I have to install the
> Windows 2003 support tools...in order for this to work.
>
> The only other thing I can think of in regards to this, was that Friday
> afternoon I synchronized the time to the Time Server, and maybe as you said
> something was out of sync there? Although after I did the net time /set it
> was the same, but I still had errors? When a machine is out of sync like
> this, does the server block access for a specified amount of time, kind of
> like a black list until a later time? (stretching huh?)
>
> Let me know what you think.
>
> Thanks
> Jeff Smyrski
>
>
> "Steven L Umbach" <n9rou@comcast.net> wrote in message
> news:tRmfb.210510$mp.130220@rwcrnsc51.ops.asp.att.net...
> > Hi Jeff. Run netdiag and dcdiag on the domain controller to check its
> > health looking for any failed tests. Then run netdiag on the problem
> > machine looking for failed tests, using the debug switch for more info and
> > be sure NO isp dns servers are ever listed in tcp/ip properties of a domain
> > member. I don't know the problem offhand but a couple things, first make
> > sure that these computers are in time sync with the domain because kerberos
> > only has a 5 minute skew tolerance by default, make sure ICF firewall is
> > disabled on XP machines, there are issues with smb signing in a W2K network
> > so in the Domain Controller Security Policy try disabling all four settings
> > in security options for "digitally sign communications", and also there
> > may be an issue with kerberos using udp - see KB link below. --- Steve
> >
> > http://support.microsoft.com/?kbid=244474
> > http://www.jsiinc.com/SUBL/tip5800/rh5874.htm
> >
> > "Jeff Smyrski" <jsmyrski@bankofutica.com> wrote in message
> > news:0d2401c389f3$06945af0$a001280a@phx.gbl...
> > > Failure Code 0x6 - KB 326985
> > > "Client Not Found in Kerberos Database"
> > >
> > > I am getting about 50 of these errors at my Domain
> > > Controller, in the security log. Event Id 676.
> > >
> > > The machine that is being reported is a Brand New Hp d530
> > > with windows xp pro installed, OEM. I have only
> > > performed the following steps on that machine. I
> > > configured the IP, and then Joined the domain...(where
> > > the same IP machine was a member of at one point in time
> > > and was not previously removed, but rather deleted in
> > > Active Directory/DNS/WINS)
> > >
> > > After joining the domain, rebooting a couple of times,
> > > and logging in as the administrator, I get these errors
> > > at the Domain Controller, it seems to take policies for
> > > the first time logging in, Domain Policy and
> > > Organizational Unit policy for the group the
> > > Administrators are in (ie Windows 2000 Admin Tools
> > > publish).
> > >
> > > At the same time, I am getting errors on the client
> > > workstation, Userenv Event ID 1053 "Windows can not
> > > determine the user or computer name. (Access Denied)"
> > >
> > > Even though - I sign into the domain...
> > >
> > > The next error on the client after that one, is Userenv
> > > Event ID 1058, which points to the inability to connect
> > > to the domain SYSVOL where policies are stored.
> > >
> > > And finally after that error, there is another Userenv
> > > Event ID 1030, which basically says "Windows can not
> > > query for the list of Group Policy objects"
> > >
> > > I went to technet chat for support, they found all sorts
> > > of KBs talking our Kerberos, but nothing on how to
> > > resolve this issue.
> > >
> > > Please let me know.
> > >
> > > Jeff Smyrski
> > >
> >
> >
>
>
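As an added example (not from the thread or its participants), a small Python triage script that groups Security event 676 records by failure code and by (account, client address), so a single machine repeatedly failing with 0x6 stands out; the code names are the standard RFC 4120 Kerberos error codes, the 5 minute tolerance matches the thread, and the sample export, account names, realm and addresses are constructed, with the field layout approximating the Windows 2000 "Authentication Ticket Request Failed" event text.

```python
import re
from collections import defaultdict

# Standard Kerberos error codes (RFC 4120) as they appear in event 676's Failure Code field.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client not found in Kerberos database",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN: server not found in Kerberos database",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-authentication failed (usually a bad password)",
    0x25: "KRB_AP_ERR_SKEW: clock skew larger than the 5 minute default tolerance",
}

# Constructed sample (not real log data); field names follow the Windows 2000
# "Authentication Ticket Request Failed" event, one record per '---' separated block.
SAMPLE_EXPORT = """\
Event ID: 676
User Name: HPD530$
Failure Code: 0x6
Client Address: 10.0.1.50
---
Event ID: 676
User Name: HPD530$
Failure Code: 0x6
Client Address: 10.0.1.50
---
Event ID: 676
User Name: jsmith
Failure Code: 0x25
Client Address: 10.0.1.77
"""
FIELD_RE = re.compile(r"^(User Name|Failure Code|Client Address):\s*(.+?)\s*$", re.M)

def parse_events(text):
    """Return one dict per event 676 record, with Failure Code parsed as an integer."""
    records = []
    for chunk in text.split("---"):
        if "Event ID: 676" not in chunk:
            continue  # skip other event types mixed into the same export
        fields = dict(FIELD_RE.findall(chunk))
        fields["Failure Code"] = int(fields["Failure Code"], 16)
        records.append(fields)
    return records

def triage(records):
    """Group failures by code, then by (account, client address), so a noisy source stands out."""
    by_code = defaultdict(lambda: defaultdict(int))
    for r in records:
        by_code[r["Failure Code"]][(r["User Name"], r["Client Address"])] += 1
    return {code: {"meaning": KRB_ERRORS.get(code, "unrecognised failure code 0x%x" % code),
                   "sources": dict(srcs)} for code, srcs in by_code.items()}
```

A 0x6 burst from one computer account, as in the thread, points at the machine's account or DNS registration rather than at a user, while 0x25 from a host points at its clock.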