Wednesday, 9 November 2016

Active Directory Domain and Trust Issue-1

Issue: I got this issue when I tried to access the Root DC from the Child DC. A screenshot is attached here for more clarity.
Solution: To overcome this problem, I first viewed the event log on the problem server (which is 2012 R2) and found multiple errors related to time sync, replication failure, LDAP authentication errors and KDC errors.
Basically, this problem occurs most often when your other DCs are not able to communicate with the Root DC.
To fix the issue I stopped the KDC service on the problem server.

The KDC is a process that provides two services in an AD environment:
1. Ticket-Granting Service: this service issues tickets for connecting to computers in the domain. If a client wants access to a computer, it first contacts the ticket-granting service in the target computer's domain and asks for a ticket to that computer (as authentication). The ticket can be reused. The same happens for every computer the first time it is accessed by any other device, service or client.

2. Authentication Service: this service issues the ticket that serves as authentication in the domain, and in a trusted domain as well. Before a computer can be accessed, this ticket must be presented as the authentication permission. Once this is permitted, the computer can be accessed until the ticket expires.

In this issue, most of the events were related to KDC service errors, so I tried stopping and starting the KDC service.

This KDC service could be stopped on Server 2003 with the Support Tools, but on 2012 it is an upgraded version built into the AD services, so I ran Klist help first to see more options.

There were lots of options, so before proceeding with anything I stopped KDC on the problem server with
net stop KDC under administrative privileges, and then
reset the computer account from the Root DC.


I ran the command to purge the database, since the event was a KDC error with the computer account.
Then I finally ran the sync command to replicate everything to the Root DC,
and the Domain and Trust console came up fine.
There are a couple of other solutions that work in different cases, such as:
1. Restart Netlogon
2. In TCP/IP settings, allow all connections in the filtering options
3. Check whether port 80 is reachable

It depends on the infrastructure. So it is better to check settings and configuration before proceeding with any solution.
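The checks the post describes (time sync, replication, KDC events, port connectivity to the Root DC) and the recovery sequence, as an added PowerShell example that is not from the original post. The names $RootDc and $Domain are placeholders, and the specific reset, purge and sync commands (netdom resetpwd, klist purge, repadmin /syncall) are my assumptions, since the post does not name them.

```powershell
# Added example, not from the original post. Run on the problem DC.
# Collects the indicators the post mentions first; only runs the recovery
# steps (in the post's order) when -Repair is given.
param(
    [string]$RootDc = 'ROOTDC01.corp.example',   # placeholder, not from the post
    [string]$Domain = 'CORP',                     # placeholder NetBIOS domain name
    [switch]$Repair
)

$report = [ordered]@{}

# 1. Time sync against the Root DC (Kerberos rejects skew over 5 minutes by default).
$report.TimeOffset = (w32tm /stripchart /computer:$RootDc /samples:1 /dataonly |
    Select-Object -Last 1)

# 2. Replication status: count partner lines reporting failures.
$repl = repadmin /showrepl 2>&1
$report.ReplicationFailures = @($repl | Select-String -Pattern 'failed|error').Count

# 3. KDC service state and KDC errors logged in the last day.
$report.KdcState = (Get-Service kdc).Status
$report.KdcErrors = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue |
    Where-Object ProviderName -like '*Kerberos-Key-Distribution-Center*').Count

# 4. Reachability of the Root DC: port 80 as in the post, plus 88 (Kerberos)
#    and 389 (LDAP), which the logged KDC/LDAP errors depend on.
foreach ($port in 80, 88, 389) {
    $report["Port$port"] = (Test-NetConnection -ComputerName $RootDc -Port $port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}
$report

if ($Repair) {
    # Assumed commands for the post's steps: stop KDC, reset the DC's computer
    # account against the Root DC, purge the ticket cache, sync, restart KDC.
    net stop kdc
    netdom resetpwd /server:$RootDc /userd:"$Domain\Administrator" /passwordd:*
    klist -li 0x3e7 purge          # purge the LocalSystem logon session's tickets
    repadmin /syncall /AdeP        # push-sync all partitions across the enterprise
    net start kdc
}
```

Review the report section first; the repair branch changes the DC's machine account password and should only be run once the connectivity and time-sync checks pass.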

