From: kbergros on
Hi Ace!

And thanks for your replays!
Here comes an ipconfig /all from one of the memberservers with the 40960
logging. The ipadresses 192.168.3.3 and 192.168.3.4 is my DC and is also
acting as our DNS servers (i'm not pointing to any ISP DNS).
I had one missing PTR record that I discovered and added, but the error
is still being logged...


Windows IP Configuration

Host Name . . . . . . . . . . . . : gimli
Primary Dns Suffix . . . . . . . : test.timber.se
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : test.timber.se


Ethernet adapter Teamadapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-14-5E-36-11-82
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.3.202
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
DNS Servers . . . . . . . . . . . : 192.168.3.3
192.168.3.4



Ace Fekay [MVP] skrev:
> In news:uA%23E6ZKgGHA.5088(a)TK2MSFTNGP02.phx.gbl,
> kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
>
>>Hi!
>>
>>Thanxs for your answer.
>>I have checked my Dns zones (several times) and all my machines has
>>the correct ptr entry... I have checked with Nslookup both my forward
>>and recursive zones and get the correct answer every time...
>>Any other suggestions on how to solve this?
>>
>>regards
>>
>>Kbergros
>
>
> Looking again at your original post, the description part of the error says:
>
> Description:
> The Security System detected an authentication error for the server
> ldap/gollum.test.timber.se/test.timber.se(a)test.timber.se. The failure
> code from authentication protocol Kerberos was "The attempted logon is
> invalid. This is either due to a bad username or authentication information.
> (0xc000006d)".
>
> This indicates to me that you are possibly pointing to your ISP's DNS in IP
> properties. Now if AD is trying to coorespond it's SPNEGO by contacting them
> for a PTR for the internal IP range, then I can understand why this is
> happening.
>
> The cardinal rule is in any AD infrastructure, no matter how small or large,
> NEVER use the ISP's DNS in IP properties of ANY machine that is part of AD
> (DCs servers and clients). If not sure what I'm talking about, please post
> an unedited ipconfig /all to better assist you and we can point out any
> problems in your config.
>
> Ace
>
>
From: Ace Fekay [MVP] on
In news:ujA1ylugGHA.4080(a)TK2MSFTNGP03.phx.gbl,
kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
> Hi Ace!
>
> And thanks for your replays!
> Here comes an ipconfig /all from one of the memberservers with the
> 40960 logging. The ipadresses 192.168.3.3 and 192.168.3.4 is my DC
> and is also acting as our DNS servers (i'm not pointing to any ISP
> DNS). I had one missing PTR record that I discovered and added, but the
> error is still being logged...
>
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : gimli
> Primary Dns Suffix . . . . . . . : test.timber.se
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : test.timber.se
>
>
> Ethernet adapter Teamadapter:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : BASP Virtual Adapter
> Physical Address. . . . . . . . . : 00-14-5E-36-11-82
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.3.202
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.3.1
> DNS Servers . . . . . . . . . . . : 192.168.3.3
> 192.168.3.4

Well that looks fine. Mixed 2000 and 2003 DCs? Which holds the Schema and
DNM roles? Is the 2003 a GC (which should also hold the DNM)?

The reverse zone thing usually takes care of this issue for 2003, but if
2000 is involved, I haven't see that yet because 2000 doesn't use the SPN
Ego for self-identification (Kerberos authentication). Take a look at these
articles to see if they better help out:
http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1

Ace


From: kbergros on
Hi!

Thanks for your replay!
The windows 2003 server holds all of the FSMO roles and both the 2003 DC
and The 2000 DC holds the global catalog.

Regards

Kbergros

Ace Fekay [MVP] skrev:
> In news:ujA1ylugGHA.4080(a)TK2MSFTNGP03.phx.gbl,
> kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
>
>>Hi Ace!
>>
>>And thanks for your replays!
>>Here comes an ipconfig /all from one of the memberservers with the
>>40960 logging. The ipadresses 192.168.3.3 and 192.168.3.4 is my DC
>>and is also acting as our DNS servers (i'm not pointing to any ISP
>>DNS). I had one missing PTR record that I discovered and added, but the
>>error is still being logged...
>>
>>
>>Windows IP Configuration
>>
>> Host Name . . . . . . . . . . . . : gimli
>> Primary Dns Suffix . . . . . . . : test.timber.se
>> Node Type . . . . . . . . . . . . : Unknown
>> IP Routing Enabled. . . . . . . . : No
>> WINS Proxy Enabled. . . . . . . . : No
>> DNS Suffix Search List. . . . . . : test.timber.se
>>
>>
>>Ethernet adapter Teamadapter:
>>
>> Connection-specific DNS Suffix . :
>> Description . . . . . . . . . . . : BASP Virtual Adapter
>> Physical Address. . . . . . . . . : 00-14-5E-36-11-82
>> DHCP Enabled. . . . . . . . . . . : No
>> IP Address. . . . . . . . . . . . : 192.168.3.202
>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>> Default Gateway . . . . . . . . . : 192.168.3.1
>> DNS Servers . . . . . . . . . . . : 192.168.3.3
>> 192.168.3.4
>
>
> Well that looks fine. Mixed 2000 and 2003 DCs? Which holds the Schema and
> DNM roles? Is the 2003 a GC (which should also hold the DNM)?
>
> The reverse zone thing usually takes care of this issue for 2003, but if
> 2000 is involved, I haven't see that yet because 2000 doesn't use the SPN
> Ego for self-identification (Kerberos authentication). Take a look at these
> articles to see if they better help out:
> http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
> http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1
>
> Ace
>
>
From: Ace Fekay [MVP] on
In news:%23cEaMF$gGHA.1264(a)TK2MSFTNGP05.phx.gbl,
kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
> Hi!
>
> Thanks for your replay!
> The windows 2003 server holds all of the FSMO roles and both the 2003
> DC and The 2000 DC holds the global catalog.
>
> Regards
>
> Kbergros

No problem for the reply, and thank you for yours. But did you check out
those links? Did those links help you out? Did they apply to your scenario?

Can I assume the 2000 DC is SP4 and the 2003 is SP1? Any errors on the 2000
machine? How about the clients?

As I said, I haven't seen this before with a mixed situation. Maybe I can
suggest to get the GC off the 2000 machine.

Ace


From: kbergros on
Ace Fekay [MVP] skrev:
> In news:%23cEaMF$gGHA.1264(a)TK2MSFTNGP05.phx.gbl,
> kbergros <kbergros(a)hotmail.com> stated, which I commented on below:
>
>>Hi!
>>
>>Thanks for your replay!
>>The windows 2003 server holds all of the FSMO roles and both the 2003
>>DC and The 2000 DC holds the global catalog.
>>
>>Regards
>>
>>Kbergros
>
>
> No problem for the reply, and thank you for yours. But did you check out
> those links? Did those links help you out? Did they apply to your scenario?
>
> Can I assume the 2000 DC is SP4 and the 2003 is SP1? Any errors on the 2000
> machine? How about the clients?
>
> As I said, I haven't seen this before with a mixed situation. Maybe I can
> suggest to get the GC off the 2000 machine.
>
> Ace
>
>

Hi!

Yes. the 2000 dc has SP4 and the 2003 DC has SP1.
Have no other errors on any of the DC's and memberservers (both w2k and
win2003) (except some w32time errors)
I will check the links and come back with the result!

Regards

Kbergros
First  |  Prev  |  Next  |  Last
Pages: 1 2 3
Prev: certsvc error 58 et 100
Next: ERROR_NO_SUCH_DOMAIN