Dreaming of a Second Outlook on Life, as a Non-Engineer

Filed under Study

Recently I have had problems connecting to the console on a number of 2008 R2 Hyper-V guest virtual machines. The error was “An Authentication Error Has Occurred. The Encryption Type Requested Is not supported by the KDC” while I have also had a single Exchange 2010 server fail with the following event IDs: 2102, 2103, 2114, 9106 all reporting LDAP problems, non-responding domain controllers and global catalogs:

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1696). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message)). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

Process STORE.EXE (PID=4084). All Global Catalog Servers in forest DC=xxx,DC=xx,DC=xx are not responding:

Process STORE.EXE (PID=4084). All Domain Controller Servers in use are not responding:

Attempting to open the Exchange management console on the local server console ended with an HTTP server error status 500 and “Kerberos” authentication failed.

The Exchange server was able to ping and resolve all DNS names correctly, and the problem went away on restarting only to recur in 24 hours or so.

The rather simple resolution in the end turned out to be restarting the “KERBEROS DISTRIBUTION KEY (KDC) service” on all Domain controllers. While restarting all Domain controllers in their entirety is also a good idea, it isn’t always possible (or desirable) in a live production environment.

Much like the account above, I also raised the domain functional level recently. I raised it in order to use Fine-Grained Password Policy, and about 12 hours after completing that work, only the Exchange CAS side lost its connection to the domain controllers. There was no problem at the OS level, but the AD Topology service in particular kept failing that day. Restarting the service helped, but the same symptom came back 12 hours later, so the problem was only fixed once the KDC service was restarted on the AD servers.
In my case, the problem was resolved by rebooting the AD servers one at a time.
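To make the remediation repeatable, the following PowerShell is an added example, not part of the original post or its quoted source. It enumerates the domain controllers instead of hard-coding them, restarts the Kerberos Key Distribution Center service (service name Kdc) on each one, and then checks the Exchange server's Application log for the event IDs quoted above so you can tell whether the symptom has returned. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs, and administrative rights; the Exchange host name EXCH01 is a placeholder.

```powershell
# Added example (not from the original post): restart the KDC service on every
# domain controller, then look for the Exchange event IDs quoted in the post.
# Assumes the ActiveDirectory module, remoting to the DCs, and admin rights.
Import-Module ActiveDirectory

# Enumerate DCs from the directory rather than maintaining a manual list
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    Write-Host "Restarting KDC on $dc"
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # 'Kdc' is the service name behind "Kerberos Key Distribution Center"
        Restart-Service -Name Kdc -Force
        Get-Service -Name Kdc | Select-Object Name, Status
    }
}

# Detection: has any of the symptoms from the post reappeared in the last 24 h?
# EXCH01 is a placeholder host name; the event IDs are the ones quoted above.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -ComputerName EXCH01 -FilterHashtable @{
    LogName   = 'Application'
    Id        = 2102, 2103, 2114, 9106
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

Running the event query on a schedule (for example every hour) gives an early warning of the 12 to 24 hour recurrence both authors describe, without waiting for the management console to fail. The -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when no matching events exist, which is the healthy outcome.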

2013/10/07 13:36