Hi all
For one of our customers we migrated a 2003 domain to 2012 R2 (3 DCs, 2 AD sites); it is now native, all 2012 R2 DCs, in 2008 AD and forest mode. All was OK until a few weeks after demoting the last 2003 DC. Randomly, every 4 weeks, 2012 R2 member servers in the domain log KRB_AP_ERR_MODIFIED, Event ID 4, in the Eventvwr.
This AM I get a call and users cannot log into the management server. I then try to log onto the Member Server. I get a login error, the Member Server doesn't recognize administrator or the regular domain admin account I typically use. I then log on with the local Administrator Account successfully. I'm forced to do a restart. After restart I can log in and everything appears to be good.
A review of the event logs shows that at 21.20h the system logs event 5823 (NETLOGON: The system successfully changed its password on the domain controller . This event is logged when the password for the computer account is changed by the system. It is logged on the computer that changed the password.).
Then nothing until ~2 1/2 hours later, when I start getting a bunch of event 4 (Kerberos KRB_AP_ERR_MODIFIED) and 1006 (Group Policy processing failed) errors every couple of minutes until I reboot. We check the AD / DNS and the SPNs for the servers. Can anyone shed some light on what possibly happened? Did the automatic change of the system password break AD?
Regards Steven