Kerberos Tickets

[Guest]

I am looking for any information on a network event/anomaly that would help
explain why a Kerberos ticket would expire or go stale. Our understanding is
that if a domain controller is not avaialble for a period of time or
unavailable at the time of login it could create this scenario. The question
posed is what would create this behavior, being there was no indication that
the DC was unavailable?

 

[Steven L Umbach]

It is possible that the client computer can not find the domain controller
because of DNS problems with the client and/or domain controller. Read the
link below on Active Directory DNS FAQ to make sure your DNS is correctly
configured in the domain and NEVER use and ISP DNS server as a preferred DNS
server for any domain computer. Also use the support tools netdiag on any
domain computer and dcdiag on domain controllers only for further
troubleshooting of problems including DNS, dc discovery, secure channel, and
much more and look in the logs of the computers involved to see if any
pertinent errors/warnings are found. Domain computers also need to be kept
in synch time wise which should be done automatically. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
and support tools