I'll resurrect this thread to mention that I was another user caught in this trap.
Your instructions were vital, but I had some other hoops to jump through on my Server 2008 R2.
I'll detail them here in case it helps someone else out.
I had originally created a FreeNAS entry in the Active Directory Computers and in WINS.
I deleted them both.
I was getting the following errors in the Event Logs
Active Directory Web Services was unable to determine if the computer is a global catalog server.
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server servername$. The target name used was LDAP/SERVERNAME.domainname.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account.
That certainly sounds like a corrupted SCK.
Unfortunately, I wasn't able to use Netdom to reset the Secure Channel Key.
The Command:
Code:
netdom resetpwd /s:server /ud:domainname\username /pd:*
Gave me:
Code:
The machine account password for the local machine could not be reset.
Logon Failure: The target account name is incorrect.
The command failed to complete successfully.
After trying a whole lot of other stuff, I came across a post where someone had substituted their 2008 server's IP for the servername.
DoH! said I. Why didn't I think of that?
This time, the command:
Code:
netdom resetpwd /s:192.168.100.1 /ud:domainname\username /pd:*
gave me:
Code:
The machine account password for the local machine has been successfully reset.
The command completed successfully.
Ah HA!
I was certain before that DNS wasn't an issue - Looks like that wasn't the case
I checked out my DNS zones and discovered that the _msdcs record was corrupted in my DNS server's forward lookup zone.
The icon was grey and had a single text record as an entry. It wasn't a folder icon and had no subfolders under it.
I've run into that problem before. The solution is to right-click the _msdcs entry and delete it.
Next - restart the
Netlogon service. After that restart the DNS Server (or
DNS Server Service) and _msdcs is recreated properly (subfolders and all).
By this time the event log errors had ceased; likely when I was finally able to recreate the Secure Channel Key.
I wiped and reloaded FreeNAS as well. Time to see if I can finally get a list of usernames from the AD controller.
Thanks much for pointing me in the right direction.
(Any hope of the Devs assigning a better descriptor to that field?)
