server to server connection


Mike

Can anyone assist with the error shown below?

One of the member servers connected to the domain for the
last 3 months but this week stopped connecting. I can
log on locally to the server but can't log on to it as
a domain user, nor can it create a trust relationship with
the DC.

As a last resort I removed the server from Active
Directory, rebooted the DC and added it back in again but
that didn't help. I also tried adding a new laptop to the
domain - it asked for the admin password & then failed to
find the DC!


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 24/01/2004
Time: 20:51:29
User: NT AUTHORITY\SYSTEM
Computer: ACSSBS1
Description:
Pre-authentication failed:
User Name: ACSCONCEPT$
User ID: ADVATECH-SBS\ACSCONCEPT$
Service Name: krbtgt/ADVATECH.CO.UK
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 200.100.10.6

Thanks.
 
I don't know the exact cause but first make sure the time is in sync with the
domain and in the correct time zone. Kerberos only allows a five minute time
skew. It may also be a DNS issue. Make sure it is configured to use only AD
domain controllers as its preferred DNS server and use ping and nslookup to
verify connectivity to the DNS server and that it can resolve DNS names. I would
also run netdiag on the server looking for any failed tests that may help
pinpoint the problem. Also find out if anyone reconfigured any security options,
software firewall, or IPsec policies on that server which may be causing a
problem. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708
http://support.microsoft.com/default.aspx?scid=kb;en-us;216393
 
When you say 'make sure the time is in sync' what are you
referring to? The main AD machine is set to sync to
itself, all other machines have this set as the clock. If I
look at the date/time/timezone on the two machines they
are exactly the same - is there anything else to look at?

Also, what security options should I look at - I've looked
at most of them time but I might have missed something
obvious!

Thanks

Mike.
-----Original Message-----
I don't know the exact cause but first make sure the time is in sync with the
domain and in the correct time zone. Kerberos only allows a five minute time
skew. It may also be a DNS issue. Make sure it is configured to use only AD
domain controllers as its preferred DNS server and use ping and nslookup to
verify connectivity to the DNS server and that it can resolve DNS names. I would
also run netdiag on the server looking for any failed tests that may help
pinpoint the problem. Also find out if anyone reconfigured any security options,
 
You checked the time correctly. Did netdiag run OK with no failed tests? The
usual suspects in security options are digitally sign communications if it is
required for client/server always and the other computer is not configured to
comply by having the appropriate setting enabled such as when possible. You
mentioned a laptop could not join the domain. I still think it could be a DNS
issue somewhere. If the clients appear to have DNS configured properly, you may
also want to check the domain controller they are configured to use by looking
in its Event Viewer for pertinent messages and running dcdiag on it looking for
failed tests. --- Steve
 
Thanks.

I took a chance with one of the test servers and removed
it from the domain by putting it in a workgroup, rebooting
it and then rejoining the domain followed by another
reboot. Thankfully this worked & the machine is now
visible to the domain again. I've tried this on one of the
SQL servers & it's fixed that as well.

For the moment the problem is sorted but I am still
concerned over how/why it occurred in the first place.

Mike.
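
Added example, not part of the original posts: a small triage script that reads the "Failure Code" out of an Event ID 675 description like the one in the first post and tells a clock-skew failure apart from a pre-authentication failure on a computer account. The error names are from RFC 4120; the function names and hint texts are assumptions made for this example, and the hints are heuristics rather than a diagnosis.

```python
# Kerberos error codes from RFC 4120 (subset relevant to logon triage).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Description fields copied from the event in the first post of this thread.
SAMPLE_EVENT = """\
Pre-authentication failed:
User Name: ACSCONCEPT$
Service Name: krbtgt/ADVATECH.CO.UK
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 200.100.10.6
"""

def parse_event(text):
    """Split the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def triage(text):
    """Return (error_name, hint) for a 675 pre-authentication failure."""
    f = parse_event(text)
    try:
        code = int(f["Failure Code"], 16)
    except (KeyError, ValueError):
        return ("UNPARSED", "no usable Failure Code field")
    name = KRB_ERRORS.get(code, f"UNKNOWN_0x{code:X}")
    is_machine = f.get("User Name", "").endswith("$")  # computer accounts end in $
    if code == 0x25:
        hint = "clock skew beyond tolerance: compare client and DC time in UTC"
    elif code == 0x18 and is_machine:
        hint = "computer account secret does not match the DC: check the secure channel"
    elif code == 0x18:
        hint = "wrong password for a user account: check for lockouts or guessing"
    else:
        hint = "check DNS, dcdiag and netdiag output"
    return (name, hint)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

For the event posted above this reports KDC_ERR_PREAUTH_FAILED on a computer account rather than KRB_AP_ERR_SKEW, which fits both the clocks matching and the rejoin resolving the problem.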
 