+ Post New Thread
Results 1 to 14 of 14
Windows Thread, Kerberos error - All policies disappeared in Technical; Last week I was installing a new 2003 server and 30 odd PCs. I had set up a new domain ...
  1. #1
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Kerberos error - All policies disappeared

    Last week I was installing a new 2003 server and 30 odd PCs. I had set up a new domain (in an existing forest), created RIS builds and assigned my usual policies to hook it all up. Everything seemed to be working fine, but when I came in this morning, one by one, the PCs lost their group policy settings (firewall, security, software, you name it - it went). The only thing that I could find that might explain it is a Kerberos error in the PCs' system logs. Something to do with the computer account, authentication verification and a PAC ?!? I have rebuilt a few PCs and these appear to be OK so far.

    Has anyone had anything like this before?

  2. #2

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Kerberos error - All policies disappeared

    Exact error and eventid number please.

    Random stab in the dark suggests clock skew. Is the time set correctly on the server/clients?

  3. #3

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,590
    Thank Post
    109
    Thanked 762 Times in 593 Posts
    Rep Power
    180

    Re: Kerberos error - All policies disappeared

    try running netdiag and dcdiag - these give very detailed output about problems.

  4. #4
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Kerberos error - All policies disappeared

    I've rebuilt all the affected PCs, and they now seem to be OK.

    The exact error was:
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 7
    User: N/A
    Description: The Kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client ICTSUITE-01$ in realm HB-CURRIC.INT had a PAC which failed to verify or was modified. Contact your system administrator.
    Data: 0000: c0000192

  5. #5

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Kerberos error - All policies disappeared

    Workstation, Netlogon and/or Computer Browser failed to start or started before the DNS client service was running.

    http://support.microsoft.com/kb/883268/

  6. #6
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Kerberos error - All policies disappeared

    @Geoff: Yup, tried the fix mentioned in the MS article. All the processes mentioned (that were present on the PCs) were already running as shared processes. Until the problem happens again though I can't check the event logs to look for service startup order. Thanks for the suggestions though.

  7. #7

    Join Date
    Jun 2005
    Location
    Elgin, Scotland
    Posts
    387
    Thank Post
    1
    Thanked 4 Times in 4 Posts
    Rep Power
    23

    Re: Kerberos error - All policies disappeared

    I would be inclined to agree with Geoff that the system time may have something to do with it, as Kerberos tends to throw a fit if the workstation's clock doesn't match it's time record.

  8. #8
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 44 Times in 34 Posts
    Rep Power
    29

    Re: Kerberos error - All policies disappeared

    Dunno how my domain keeps going then lol

    Dont have a time source to speak of, although i think i followed some MS article to use the server's clock as the time source or something

    Cheers
    N.

  9. #9

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Kerberos error - All policies disappeared

    everything syncs to the Domain controller(s) usually. You just have to setup the domain controllers to use an external NTP server. Best done in the Domain Controller GPO.

    If you have any non-Windows boxes on the network (eg, Linux, Mac's etc) you might want to enable the NTP server on your DC's too. Thats in the same GPO as above.

  10. #10
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 44 Times in 34 Posts
    Rep Power
    29

    Re: Kerberos error - All policies disappeared

    true - but cant seem to find one lol

    or access one - the [linux] one in powys doesnt seem to like the 2k3 server trying to sync its time with it. It matters not though

    Cheers
    N.

  11. #11
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,958
    Thank Post
    248
    Thanked 49 Times in 45 Posts
    Blog Entries
    2
    Rep Power
    46

    Re: Kerberos error - All policies disappeared

    The LEA have a time server for us to sinc to Nath

  12. #12
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 44 Times in 34 Posts
    Rep Power
    29

    Re: Kerberos error - All policies disappeared

    i cud swear that I just wrote that my 2003 server doesnt sync with powys' time server lol

    :P

    N.

  13. #13

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Kerberos error - All policies disappeared

    Are your settings correct? By default 2k3 domain controllers will attempt to sync to 'time.windows.com' once per week. Make sure you set the protocol to NTP not SNTP.

    If the GPO settings don't work you can set it manually from the command line thus:

    Code:
    net time /setsntp:ntp.whereever.com
    You can verify it works by issuing:

    Code:
    net time

  14. #14
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,958
    Thank Post
    248
    Thanked 49 Times in 45 Posts
    Blog Entries
    2
    Rep Power
    46

    Re: Kerberos error - All policies disappeared

    Do you not use the s/w they sent us then Nath? - mine syncs.

SHARE:
+ Post New Thread

Similar Threads

  1. OSX server ,AD & kerberos
    By pooley in forum Mac
    Replies: 3
    Last Post: 7th September 2007, 12:05 PM
  2. Replies: 19
    Last Post: 6th April 2007, 12:22 PM
  3. More policies
    By GrumbleDook in forum School ICT Policies
    Replies: 7
    Last Post: 13th March 2007, 09:04 AM
  4. Group Policy / Kerberos problem
    By ajbritton in forum Windows
    Replies: 2
    Last Post: 25th March 2006, 06:18 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •