I recently decommissioned a Windows 2000 DC that was still in production but showing the beginnings of death throes: a power failure had made it an unhappy little camper, it was retro-vintage at best, and it was a loud tower perched on a phone book in the server room (stupid short KVM), so its days were numbered. It got to the point where it was no longer accessible through an interactive console session, so I turned the thing off without running dcpromo. Turns out that even though it was a clunker, everyone in the office had been using Office templates with hardcoded server-name links pointing to this server for the letterhead graphic. To get around this I redirected all the shares, updated the login scripts, and entered a CNAME record in local DNS to redirect the missing server's name and solve the template issue, and badda-bing, badda-boom, off went the server (and the phone book went back on the shelf).
However, a little while later I noticed a rather inelegant problem:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/servername.domain.local. The target name used was DOMAIN\SERVERNAME$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.LOCAL), and the client realm. Please contact your system administrator.
Whoops: Kerberos is trying to use my DNS redirection and getting rather confused. Luckily our AD infrastructure is only a three-server affair, so removing the dead DC with a manual metadata edit from the command line wasn’t too big a deal, but the command line is rather counter-intuitive for us Linux types, so here is the procedure I used:
I did a hunt on Google but didn’t really come up with much so I figured I would put the solution out there in case someone else needed it.
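To make the error above concrete, here is a small added model (not part of the original post, and not the metadata cleanup procedure) in which the client builds its SPN from the aliased name while the connection lands on the CNAME target, which holds a different machine key; the names, keys and records are constructed, and stale_aliases() shows the check that would have flagged the alias before anyone hit the error.

```python
# Added illustration, not from the original post: why a DNS CNAME for a
# decommissioned DC yields KRB_AP_ERR_MODIFIED. All names, keys and records
# are constructed sample data; byte strings stand in for machine account keys.

# Constructed AD state: which machine account holds each host SPN.
# SERVERNAME$ still owns its SPN because the DC was never dcpromo'd out.
SPN_OWNER = {
    "host/servername.domain.local": "SERVERNAME$",
    "host/newserver.domain.local": "NEWSERVER$",
}
ACCOUNT_KEY = {
    "SERVERNAME$": b"old-dc-machine-key",
    "NEWSERVER$": b"new-server-machine-key",
}
# Constructed DNS: the CNAME the post describes, old name -> surviving server.
CNAME = {"servername.domain.local": "newserver.domain.local"}

def resolve(name):
    """Follow the CNAME chain to the host that actually answers the connection."""
    seen = set()
    while name in CNAME and name not in seen:
        seen.add(name)
        name = CNAME[name]
    return name

def kdc_issue_ticket(spn):
    """The KDC encrypts a service ticket with the key of the account that owns the SPN."""
    return {"spn": spn, "key": ACCOUNT_KEY[SPN_OWNER[spn]]}

def service_accepts(ticket, service_account):
    """A host can only decrypt a ticket made with its own key; anything else is KRB_AP_ERR_MODIFIED."""
    return "OK" if ticket["key"] == ACCOUNT_KEY[service_account] else "KRB_AP_ERR_MODIFIED"

def connect(requested_host):
    """The client builds the SPN from the name it was given, but TCP lands on the CNAME target."""
    ticket = kdc_issue_ticket(f"host/{requested_host}")
    answering_account = SPN_OWNER[f"host/{resolve(requested_host)}"]
    return service_accepts(ticket, answering_account)

def stale_aliases():
    """Flag CNAMEs whose source name still has its host SPN on a different account than the target."""
    bad = []
    for alias, target in CNAME.items():
        src = SPN_OWNER.get(f"host/{alias}")
        dst = SPN_OWNER.get(f"host/{target}")
        if src is not None and src != dst:
            bad.append((alias, src, dst))
    return bad
```

Once the dead DC's metadata (and with it the SERVERNAME$ account and its SPNs) is gone, the alias no longer maps to a foreign key and the same connection succeeds.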
Tags: kerberos