
Fail to access one of windows 2008 DC


Postby guest » Sun Mar 25, 2012 10:12 pm

We have two Windows 2008 domain controllers. One of them has these problems:

1. Some users can't log in to their computers, with a "username or password incorrect" message.

2. Some of the servers receive a "fail to access the 2088dc2~" message.

3. We can't log on to the DC from the console.

4. We can ping the DC.

5. We have rebooted the DC many times.

6. Some computers can't map a network drive.

7. We can log in to another DC, 2008dc1.

How can we fix it?


--------------------------------------------------------------------------------
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/
guest
 
Posts: 9024
Joined: Mon Nov 27, 2006 1:10 pm

Re: Fail to access one of windows 2008 DC

Postby guest » Sun Mar 25, 2012 10:16 pm

Another working DC, 2008dc1, also receives this message:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 3/20/2012 4:33:52 PM
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: 2008DC1
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server 2008dc2$. The target name used was ldap/2008dc2. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (is different from the client domain check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
guest
 
Posts: 9024
Joined: Mon Nov 27, 2006 1:10 pm

Re: Fail to access one of windows 2008 DC

Postby guest » Sun Mar 25, 2012 10:17 pm

First of all, just based on Event 4, we know that Kerberos authentication ran into trouble between 2008dc1 and 2008dc2.

Then, to start troubleshooting, we should reset the security channel between the two DCs:

1. Stop the Kerberos Key Distribution Center service and set its startup type to Manual on the problematic DC, 2008dc2.
2. Remove the Kerberos ticket cache on the domain controller where you receive the errors. You can do this by restarting the computer or by using the KLIST, Kerbtest, or KerbTray tools. KLIST is included in Windows Server 2008 R2 and in Windows Server 2008. For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools. To obtain the tools, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/deta ... 4ae7-96ee- b18c4790cffd&displaylang=en

3. Run the command: Netdom resetpwd /server:2008dc1 /userd:ms\admin /passwordd:*

4. Restart the problematic DC, 2008dc2, then set the KDC service to Automatic.

You can refer to the following article to get more info:

How to use Netdom.exe to reset machine account passwords of a Windows Server domain controller

http://support.microsoft.com/kb/325850/en-us
guest
 
Posts: 9024
Joined: Mon Nov 27, 2006 1:10 pm
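
The four steps from the reply above, written out as one script. This is an added example, not part of the original thread; it assumes an elevated PowerShell 2.0 or later session on 2008dc2, and the -AfterReboot switch and variable names are hypothetical. The setspn and repadmin checks are additions that follow from the causes named in the Event 4 text.

```powershell
# Added example, not from the thread. Run elevated on the problematic DC (2008dc2).
# First pass: .\Reset-DcSecureChannel.ps1
# After the restart: .\Reset-DcSecureChannel.ps1 -AfterReboot   (hypothetical script name)
param([switch]$AfterReboot)

$HealthyDC = '2008dc1'    # working DC named in the thread
$AdminUser = 'ms\admin'   # account used in the thread's netdom command

if ($AfterReboot) {
    # Step 4 (second half): return the KDC to normal operation.
    Set-Service   -Name kdc -StartupType Automatic
    Start-Service -Name kdc
    # Confirm the DC can authenticate to its partners again.
    repadmin /showrepl
    return
}

# Event 4 names an SPN registered on the wrong account as one cause,
# so list duplicate SPNs before changing anything.
setspn -X

# Step 1: stop the KDC and keep it from starting at boot, so this DC
# has to obtain tickets from the healthy DC.
Stop-Service -Name kdc -Force
Set-Service  -Name kdc -StartupType Manual

# Step 2: purge cached tickets for this session and for the LocalSystem
# logon session (0x3e7), which holds the machine account's tickets.
klist purge
klist -li 0x3e7 purge

# Step 3: reset this DC's machine account password against the healthy DC.
# /passwordd:* prompts, so the password never appears on the command line.
netdom resetpwd "/server:$HealthyDC" "/userd:$AdminUser" '/passwordd:*'
if ($LASTEXITCODE -ne 0) {
    Write-Error "netdom resetpwd failed ($LASTEXITCODE); KDC left stopped and Manual."
    return
}

# Step 4 (first half): restart; rerun with -AfterReboot once the DC is back.
Restart-Computer -Force
```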

