Active Directory problems
We are having issues with users not being able to log in.
Server logs say:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2012$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2email@example.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (OCA.LOCAL) is different from the client domain (OCA.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
This is the replication status for the following directory partition on this directory server.
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
More than a week:
More than one month:
More than two months:
More than a tombstone lifetime:
Tombstone lifetime (days):
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
To identify the directory servers by name, use the dcdiag.exe tool.
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers. The command is "repadmin /showvector /latency <partition-dn>".
The session setup from the computer HSGUIDANCE failed to authenticate. The name(s) of the account(s) referenced in the security database is HSGUIDANCE$. The following error occurred:
Access is denied.
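
The replication event above lists partners by how stale they are but not by name. As an added example (not part of the original post), this Python sketch buckets each replication partner into the same intervals from its last successful replication time. It assumes input in the column layout of `repadmin /showrepl * /csv` with `YYYY-MM-DD HH:MM:SS` timestamps and a 180-day tombstone lifetime unless told otherwise, and it files each partner under the longest interval it exceeds; the DC names, naming context and dates in the sample are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the assumed "repadmin /showrepl * /csv" layout;
# DC names, naming context and timestamps are invented for illustration.
SAMPLE_CSV = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=local",Default-First-Site-Name,DC2,RPC,0,0,2024-06-09 21:00:00,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=local",Default-First-Site-Name,DC3,RPC,4,2024-06-10 08:00:00,2024-06-07 08:00:00,1722
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=local",Default-First-Site-Name,DC4,RPC,12,2024-06-10 08:00:00,2024-04-20 09:00:00,1722
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=local",Default-First-Site-Name,DC5,RPC,40,2024-06-10 08:00:00,2023-11-01 09:00:00,1722
"""

# Intervals named in the event text, checked from longest to shortest.
INTERVALS = [
    ("More than two months", timedelta(days=60)),
    ("More than one month", timedelta(days=30)),
    ("More than a week", timedelta(days=7)),
    ("More than 24 hours", timedelta(hours=24)),
]

def classify(age, tombstone_days):
    # Tombstone lifetime is checked first because it is the blocking condition.
    if age > timedelta(days=tombstone_days):
        return "More than a tombstone lifetime"
    for label, limit in INTERVALS:
        if age > limit:
            return label
    return "Current"

def replication_ages(csv_text, now, tombstone_days=180):
    # Map (source DC, naming context) -> interval label.
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Source DSA"], row["Naming Context"])
        try:
            last_ok = datetime.strptime(row["Last Success Time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:  # field does not hold a timestamp
            result[key] = "No recorded success"
            continue
        result[key] = classify(now - last_ok, tombstone_days)
    return result

def summarize(csv_text, now, tombstone_days=180):
    return Counter(replication_ages(csv_text, now, tombstone_days).values())

if __name__ == "__main__":
    for key, label in replication_ages(SAMPLE_CSV, datetime(2024, 6, 10, 9)).items():
        print(key[0], key[1], label, sep="\t")
```

Pass the forest's actual tombstone lifetime as `tombstone_days`; partners in the last bucket are the ones the event text says may be blocked from replication until reconciled.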