KDC_ERR_S_PRINCIPAL_UNKNOWN

Carol

Apr 11, 2004
Archived from groups: microsoft.public.win2000.active_directory

We have been having an intermittent problem with a network monitoring
application running on a Windows 2003 server. This app runs as a system
logged in with a privileged domain account. It logs into all the Windows
servers and checks various things. Recently we have started having incidents
where all Windows server monitoring fails and we see a lot of LsaSrv messages
in the system event log. It's pretty random - the first time it happened 5
times in one day, and then not again for another week. We have to restart the
monitoring application service, or sometimes even reboot the server to make
it stop.

I should also add that this problem has only appeared since all the DCs were
upgraded to Windows 2003 - though I can't prove a connection as it was a few
weeks later.

As part of my investigations I turned on Kerberos logging and we're getting
messages like this appearing constantly:

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 10:42:6.0000 4/10/2005 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: OURDOMAIN
Server Name: cifs/SERVER
Target Name: cifs/SERVER@OURDOMAIN
Error Text:
File: 9
Line: ae0
Error Data is in record data.

The message appears for every Windows server we are monitoring (NT4, 2000
and 2003). I also managed to replicate this error on a different server -
enabled Kerberos logging, opened computer management, and managed another
server. I got this error for both the server in question and one of the DCs.
I was, however, able to manage the server, so it's not actually preventing me
from doing anything.

I don't know that this Kerberos error is linked to the LsaSrv errors - but
it's the only thing I've got to go on at the moment. I've tried everything I
could find in the KBs (like forcing Kerberos to use TCP) but it hasn't
stopped the messages. I've found some references to SPN and DNS problems, but
not a lot of practical steps as to what I should actually do. I have tried
running DCDiag and NetDiag, but it hasn't told me a lot. Also I can't find a
version of NetDiag that will work on my 2003 servers.

I will admit that the way we have the DNS is a bit of a fudge because we
don't want the Microsoft DNS to be the authoritative DNS in the network.
Hence all the Windows computers have names server.addomain.domain in the AD;
but they are also listed in the "real" (i.e. Unix) DNS as just server.domain.
The Microsoft DNS is configured to refer all requests straight up to the Unix
DNS. I don't know if this is causing problems with Windows 2003 that weren't
an issue with 2000.

TIA for any advice,

Carol
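
Added example, not part of the original thread: a small parser for Kerberos error events in the layout quoted above, which counts the SPNs the KDC rejected with 0x7 and checks each against an SPN inventory. The DC1 name, the 0x19 event, the `REGISTERED` set and the `HOST_ALIASES` subset are constructed assumptions; a real inventory would come from `setspn -L <computer>`.

```python
import re
from collections import Counter

def make_event(spn, code="0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN"):
    """Build one constructed event in the layout quoted in the post."""
    return ("A Kerberos Error Message was received:\non logon session\n"
            "Client Time:\nServer Time: 10:42:6.0000 4/10/2005 Z\n"
            f"Error Code: {code}\nServer Realm: OURDOMAIN\n"
            f"Server Name: {spn}\nTarget Name: {spn}@OURDOMAIN\n"
            "Error Data is in record data.\n")

# Constructed sample log; DC1 and the 0x19 event are placeholders.
SAMPLE = (make_event("cifs/SERVER") + make_event("cifs/DC1")
          + make_event("krbtgt/OURDOMAIN", "0x19 KDC_ERR_PREAUTH_REQUIRED")
          + make_event("cifs/SERVER"))
# Constructed stand-in for SPNs gathered with `setspn -L <computer>`.
REGISTERED = {"HOST/DC1", "HOST/dc1.addomain.domain",
              "HOST/server.addomain.domain"}
# Subset of the service classes AD resolves through HOST by default.
HOST_ALIASES = {"cifs", "rpcss", "http"}
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Return one {field: value} dict per Kerberos error event."""
    events = []
    for chunk in text.split("A Kerberos Error Message was received:")[1:]:
        pairs = (FIELD.match(line.strip()) for line in chunk.splitlines())
        events.append({m.group(1): m.group(2).strip() for m in pairs if m})
    return events

def unknown_spns(events, registered):
    """Map each 0x7 target to (count, True if a matching SPN is registered)."""
    known = {s.lower() for s in registered}  # SPN comparison ignores case
    counts = Counter(e["Server Name"] for e in events
                     if e.get("Error Code", "").startswith("0x7 "))
    result = {}
    for spn, n in counts.items():
        svc, _, host = spn.partition("/")
        candidates = {spn.lower()}
        if svc.lower() in HOST_ALIASES:
            candidates.add("host/" + host.lower())
        result[spn] = (n, bool(candidates & known))
    return result
```

In the constructed inventory the short name `SERVER` is registered only under its `server.addomain.domain` form, so `cifs/SERVER` is reported as having no matching SPN.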
 
Guest


Here's a couple of links that I've pulled up (my Google abilities must be
superior to what I thought ;-)

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/579246c8-2e32-4282-bce7-3209d1ea8bf1.mspx

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6832d19b-0263-4f28-9123-dccea0a6ee5f.mspx



--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/