Hi all,
here is my environment:
3 sites/locations:
Default-First-Site-Name (data center):
2 domain controllers: dc1 (Windows Server 2016 Standard) holds the 5 FSMO roles, dc2 (Windows Server 2012 R2 Standard); forest/domain functional level: Windows Server 2008 R2.
South site: 1 domain controller, dc-south (Windows Server 2016 Standard)
North site: 1 domain controller, dc-north (Windows Server 2012 R2 Standard)
At the beginning, I made a basic mistake: my internal domain is the same as an external domain which I don't own.
It causes some annoying errors. For example, if I look into the event log on the 4 DC servers I can see many event ID 4 errors:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server workstation32$. The target name used was RPCSS/workstation32.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mydomain.COM) is different from the client domain (mydomain.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Sometimes my users' workstations get an error about the relationship with the domain controller... (I can live with that), but the last time it caused a fatal error: dc2 Kerberos ticket or computer account password mismatch.
At the same time:
I cannot UNC \\dc2
I can UNC \\dc1, \\dc-south, \\dc-north and see the NETLOGON and SYSVOL folders shared.
In Active Directory Sites and Services, when I try to manually replicate from dc1 --> dc2 I get the error "The target principal name is incorrect"; testing with repadmin or dcdiag gives a similar result.
I fixed it by resetting the dc2 account password with this command on dc2:
netdom resetpwd /server:dc1 /userd:mydomain\administrator /passwordd:*
The machine account password for the local machine has been successfully reset.
The command completed successfully.
I want to stop that from happening again; changing the Internet domain is not an option. Can I fix it by adding A records for the 4 DC servers to the hosts file on the 4 DC servers?
Please give me some advice, thank you very much.
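The event text quoted in the post names two causes for KRB_AP_ERR_MODIFIED: the target SPN registered on the wrong account (or on more than one), and a machine account password out of sync with the KDC. As an added example that is not part of the original post, this PowerShell script, run on one DC, reads the recent event ID 4 entries, extracts the target SPN and the reporting server account from each, and looks up which AD objects actually hold that SPN, so the first cause can be confirmed or ruled out before resetting passwords. It assumes the ActiveDirectory RSAT module is installed and that the events are logged under the standard System log / Security-Kerberos provider; SPN values containing LDAP metacharacters are not escaped.

```powershell
# Added example (not from the original post): map Kerberos event ID 4
# messages to the accounts that hold the SPN they complain about.
Import-Module ActiveDirectory

# Event ID 4 from the Kerberos client lands in the System log on a DC.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 4
} -MaxEvents 500 -ErrorAction SilentlyContinue

# Collect target SPN -> reporting server account (e.g. RPCSS/host.mydomain.com -> host$).
$findings = @{}
foreach ($e in $events) {
    if ($e.Message -match '(?s)from the server (?<srv>\S+?)\..*target name used was (?<spn>\S+)\.') {
        $findings[$Matches['spn']] = $Matches['srv']
    }
}

foreach ($spn in $findings.Keys) {
    # Every object in the domain that has this SPN registered; more than one is a duplicate.
    $owners   = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $reported = $findings[$spn].TrimEnd('$')   # event writes the computer account as host$

    $status = switch ($owners.Count) {
        0       { 'SPN not registered on any account' }
        1       {
                  if ($owners[0].sAMAccountName.TrimEnd('$') -ieq $reported) { 'OK' }
                  else { 'SPN held by a different account than the one the service runs as' }
                }
        default { 'DUPLICATE: SPN registered on more than one account' }
    }

    [pscustomobject]@{
        SPN          = $spn
        ReportedBy   = $findings[$spn]
        RegisteredOn = ($owners.sAMAccountName -join ', ')
        Status       = $status
    }
}
```

A row with status OK points at the second cause (password mismatch between the service account and the KDC), which is what the netdom resetpwd step above addressed for dc2; a DUPLICATE row identifies the conflicting accounts to clean up.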