Saturday, November 3, 2012

Kerberos event ID 4 - KRB_AP_ERR_MODIFIED

An SBS 2008 server has recently been logging this error, triggered by one of the workstations on the network. The error was accompanied by numerous instances of DCOM event ID 10009 caused by the same PC.

After reviewing several articles on this, we realized this PC was removed and rejoined to the SBS domain on a previous occasion. When the machine was rejoined to the domain, it received a different IP address from the DHCP server on the SBS box.

All workstations are assigned a DNS "A" record when they are initially joined to the SBS domain. When a workstation is removed, the "A" record remains on the DNS server. After the workstation was rejoined, it was assigned a new IP address that did not match the existing "A" record.

Once we updated the DNS record on the server to reflect the new IP address assignment, both errors stopped.
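
A check for the mismatch described above, as an added example that is not part of the original post: it compares exported DNS "A" records with the current DHCP leases and flags every name whose record no longer matches its lease. The CSV column layout, host names and addresses are constructed for illustration.

```python
import csv
import io
from collections import namedtuple

# Constructed sample exports (not from the original post). Assumed layout:
# DNS A records as name,ip and active DHCP leases as ip,hostname.
DNS_A_RECORDS = """name,ip
WS01,192.168.16.21
WS02,192.168.16.22
WS03,192.168.16.23
WS04,192.168.16.30
"""
DHCP_LEASES = """ip,hostname
192.168.16.21,WS01
192.168.16.35,WS02
192.168.16.22,WS05
192.168.16.41,WS03
"""

Finding = namedtuple("Finding", "host dns_ip leased_ip status holder")

def short(name):
    """Normalise a host name: drop any domain suffix, upper-case it."""
    return name.strip().split(".")[0].upper()

def find_stale_a_records(dns_text, lease_text):
    """Return a Finding for every A record that disagrees with the leases."""
    leases = list(csv.DictReader(io.StringIO(lease_text)))
    ip_to_host = {r["ip"].strip(): short(r["hostname"]) for r in leases}
    host_to_ip = {short(r["hostname"]): r["ip"].strip() for r in leases}
    findings = []
    for rec in csv.DictReader(io.StringIO(dns_text)):
        host, dns_ip = short(rec["name"]), rec["ip"].strip()
        leased_ip = host_to_ip.get(host)
        if leased_ip == dns_ip:
            continue  # A record and lease agree
        holder = ip_to_host.get(dns_ip)  # who holds the recorded address now
        if leased_ip is None:
            status = "no-lease"          # static address or machine removed
        elif holder is None:
            status = "stale-unused"      # name points at an unleased address
        else:
            status = "stale-other-host"  # name points at a different machine
        findings.append(Finding(host, dns_ip, leased_ip, status, holder))
    return findings

if __name__ == "__main__":
    for f in find_stale_a_records(DNS_A_RECORDS, DHCP_LEASES):
        print(f"{f.host}: A={f.dns_ip} lease={f.leased_ip} {f.status} {f.holder or ''}")
```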