Netdiag Kerberos Fail

[Guest]

Upgraded our windows nt domain to windows server 2003 active directory. Our
windows 2000 prof workstations were getting event id 5788 5789 errors
constantly. Ran netdiag on workstation with a failure on kerberos and ldap.
It was suggested that I disjoint the workstation from the domain and rejoin,
which I did. This has solved our event id errors and the ldap failure in
netdiag. I am however still getting a failure in netdiag on kerberos. The
error states [FATAL] Kerberos does not have a ticket for computername$. I
don't seem to be having any trouble login in to the network or accessing
servers, etc. Can I ignore this error or is there something wrong here.
Thanks.

 

[Herb Martin]

Upgraded our windows nt domain to windows server 2003 active directory. Our
windows 2000 prof workstations were getting event id 5788 5789 errors
constantly. Ran netdiag on workstation with a failure on kerberos and ldap.
It was suggested that I disjoint the workstation from the domain and rejoin,
which I did. This has solved our event id errors and the ldap failure in
netdiag. I am however still getting a failure in netdiag on kerberos. The
error states [FATAL] Kerberos does not have a ticket for computername$. I
don't seem to be having any trouble login in to the network or accessing
servers, etc. Can I ignore this error or is there something wrong here.
Thanks.

It's usually a DNS problem -- run DCDiag on each DC and
then check the following in your DNS setups:


--
DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.


--
Herb Martin

Upgraded our windows nt domain to windows server 2003 active directory. Our
windows 2000 prof workstations were getting event id 5788 5789 errors
constantly. Ran netdiag on workstation with a failure on kerberos and ldap.
It was suggested that I disjoint the workstation from the domain and rejoin,
which I did. This has solved our event id errors and the ldap failure in
netdiag. I am however still getting a failure in netdiag on kerberos. The
error states [FATAL] Kerberos does not have a ticket for computername$. I
don't seem to be having any trouble login in to the network or accessing
servers, etc. Can I ignore this error or is there something wrong here.
Thanks.

 

[Jimmy Andersson [MVP]]

Have you seen the MS Product Support's Reporting Tools?
http://www.microsoft.com/downloads/...08F-88B7-F9C79B7306C0&displaylang=en#filelist

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

Can I run dcdiag and netdiag on a windows server 2003? Do I run the same
dcdiag/netdiag that I run on my windows 2000 machines?

Upgraded our windows nt domain to windows server 2003 active

directory.
Our

windows 2000 prof workstations were getting event id 5788 5789 errors
constantly. Ran netdiag on workstation with a failure on kerberos and ldap.
It was suggested that I disjoint the workstation from the domain and rejoin,
which I did. This has solved our event id errors and the ldap failure in
netdiag. I am however still getting a failure in netdiag on kerberos. The
error states [FATAL] Kerberos does not have a ticket for computername$. I
don't seem to be having any trouble login in to the network or accessing
servers, etc. Can I ignore this error or is there something wrong here.
Thanks.

It's usually a DNS problem -- run DCDiag on each DC and
then check the following in your DNS setups:


--
DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.


--
Herb Martin

Upgraded our windows nt domain to windows server 2003 active

directory.
Our

windows 2000 prof workstations were getting event id 5788 5789 errors
constantly. Ran netdiag on workstation with a failure on kerberos and ldap.
It was suggested that I disjoint the workstation from the domain and rejoin,
which I did. This has solved our event id errors and the ldap failure in
netdiag. I am however still getting a failure in netdiag on kerberos. The
error states [FATAL] Kerberos does not have a ticket for computername$. I
don't seem to be having any trouble login in to the network or accessing
servers, etc. Can I ignore this error or is there something wrong here.
Thanks.

 

[Herb Martin]

Yes, DCDiag gives much more useful information in relation
to the role of DC.

I would try to find the latest version (download from MS)
because I believe it was improved but the Win2000 ResKit
one should work too even if it is 4 years old.


--
Herb Martin

Can I run dcdiag and netdiag on a windows server 2003? Do I run the same
dcdiag/netdiag that I run on my windows 2000 machines?

Upgraded our windows nt domain to windows server 2003 active

directory.
Our

windows 2000 prof workstations were getting event id 5788 5789 errors
constantly. Ran netdiag on workstation with a failure on kerberos and ldap.
It was suggested that I disjoint the workstation from the domain and rejoin,
which I did. This has solved our event id errors and the ldap failure in
netdiag. I am however still getting a failure in netdiag on kerberos. The
error states [FATAL] Kerberos does not have a ticket for computername$. I
don't seem to be having any trouble login in to the network or accessing
servers, etc. Can I ignore this error or is there something wrong here.
Thanks.

It's usually a DNS problem -- run DCDiag on each DC and
then check the following in your DNS setups:


--
DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.


--
Herb Martin

Upgraded our windows nt domain to windows server 2003 active

directory.
Our

windows 2000 prof workstations were getting event id 5788 5789 errors
constantly. Ran netdiag on workstation with a failure on kerberos and ldap.
It was suggested that I disjoint the workstation from the domain and rejoin,
which I did. This has solved our event id errors and the ldap failure in
netdiag. I am however still getting a failure in netdiag on kerberos. The
error states [FATAL] Kerberos does not have a ticket for computername$. I
don't seem to be having any trouble login in to the network or accessing
servers, etc. Can I ignore this error or is there something wrong here.
Thanks.

 

[lseelbac]

Have seen the same problem and found KB870692

http://support.microsoft.com/?kbid=870692

Basically, it looks like it is an acknowledged problem with the curren
verison of netdiag. You could try digging with klist as referenced i
the article if you want to make sure everything is above board


-
lseelba

 

[Tim Springston [MS]]

A Kerberos failure in NETDIAG is most commonly a false positive. If there is
a concern about authentication on a machine I would simply start at the
membership test in a NETDIAG /V and see if that passes or fails. In my
experience it is rare for the NETDIAG Kerberos test to actually be
indicating a problem with Kerberos simply because of how it test it.

However, if there is a specific concern regarding Kerberos authentication as
a result of a problem you are seeing you can check the system event log,
examine the cached tickets for user and or computer using KLIST.EXE, or do a
capture while reproducing the event and use the Kerberos parser to identify
Keberos failures (if present) and match them to RFC specific failures
outlined in the troubleshooting Kerberos whitepaper.

Troubleshooting Kerberos Errors
http://www.microsoft.com/downloads/...15-6043-47db-8238-dc7af89c93f1&displaylang=en

Please repost if we can help out further.