"KRB_AP_Modified"... Not again. ..

  • Last Post 09 July 2018
Mat.Collins posted this 07 July 2018

hello folks

Walked into the office yesterday morning and saw that replication between the domain controllers (there are a total of 2 domain controllers) is broken in one of the child domains. 'repadmin /syncall /e' throws 'access denied' from the parent domain. 'repadmin /syncall' between the DCs in the child domain does generate errors from DC2 on DC1. From DC1 on DC2 is OK. (Will update tomorrow, maybe I forgot the order.)

Since I do not rely on repadmin output, I created a test user to check replication. It copies from DC2 to DC1 but not from DC1 to DC2. So I went digging into Kerberos and there was 'KRB_AP_Modified'. Actually hundreds of this error on DC2, which says it can't accept requests from DC1. Apparently the UNC path to the domain does not work either.

Went through troubleshooting: stopped KDC, netdom reset pwd, klist purge, start KDC.. the issue is not fixed. 'pwdlastset' shows the password is set on the corrupted DC but the issue is not fixed. But here is the fun thing: I stop KDC on the problematic DC, klist purge, reauthenticate myself, and everything works fine, even repadmin in the child domain (the issue still exists within the parent).. Once I start KDC, the story begins again, which is the expected behaviour of broken Kerberos.

I wanted to do a force demote, but since there are errors from the parent domain about replication, I guess I will end up in more of a mess, because forcing 'replicate now' from the parent domain via Sites & Services shows an error for "Replicate from..." but "Replicate to..." is OK.

Any ideas?

One question apart from the story:

Every type of replication troubleshooting I did so far was based on articles and step-by-steps from other people. I can't tolerate this anymore. What should I do in order to learn the whole thing and understand it perfectly, and then start using my own steps to overcome replication problems, rather than following articles blindfolded?

I think I am missing something like a deep book on troubleshooting, or an online course on troubleshooting, to understand things deeply. I read Brian Desmond's book 3 years ago, but that was when I was such a newbie. I think I have to brush up on that. Any other ideas towards this?

Mat.Collins posted this 08 July 2018

Update: the problem got fixed by the 'Allow divergent..' reg key. However:

  • What is the relation of this error to the Kerberos error mentioned about 'AP-Modified'? Any ideas?
  • Feel free to guide me about my last question :)

Thank you

Rajeev Chauhan posted this 09 July 2018

KRB_AP_ERR_MODIFIED indicates that the password used to encrypt the Kerberos service ticket is different from that on the target server.
This should not have been done; "Allow divergent" would cause lingering objects.


Mat.Collins posted this 09 July 2018

Thanks for the reply.

Yes, I saw that broken secure channel at the beginning of tshoot. I changed the pw of the computer account but the problem was there again. Also, after enabling 'allow divergent' and initiating the replication, I removed the key.

No log indicating lingering objects in Event Viewer.

GuyTe posted this 09 July 2018

allowDivergent allows replication of DCs that have not replicated beyond TSL.

Any chance the DC in question was not replicating for more than TSL?

Computer account pwd change is every 30 days

=> 2 consecutive non-replicated pwd changes of DC's computer accounts are ~60 days (secure channel breaks after 2nd pwd change is not replicated)

If your TSL is 60 days, that could be the explanation.
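
The timing argument in the last reply (30-day machine password cycle, two missed password changes, tombstone lifetime) can be checked per replication link. The following is an added PowerShell example, not code from the thread: `Test-DcReplicationAge`, its parameters and the sample dates are hypothetical or constructed, and the missed-change count is an estimate derived from the replication gap.

```powershell
# Added example (not from the thread). Test-DcReplicationAge is a hypothetical helper.
# Live inputs come from the ActiveDirectory module; kept as comments so this runs offline:
#   Get-ADReplicationPartnerMetadata -Target <dc>      # Partner, LastReplicationSuccess
#   (Get-ADComputer <partner> -Properties PasswordLastSet).PasswordLastSet
#   (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
#       -Properties tombstoneLifetime).tombstoneLifetime
function Test-DcReplicationAge {
    param(
        [Parameter(Mandatory)][string]   $Server,
        [Parameter(Mandatory)][string]   $Partner,
        [Parameter(Mandatory)][datetime] $LastReplicationSuccess,
        [Parameter(Mandatory)][datetime] $PartnerPasswordLastSet,
        [int]      $TombstoneLifetimeDays = 60,   # assumption: pass the forest's real value
        [int]      $PasswordCycleDays     = 30,   # machine account password cycle from the thread
        [datetime] $Now                   = (Get-Date)
    )
    # Whole days since this DC last pulled changes from the partner
    $gapDays = [int][math]::Floor(($Now - $LastReplicationSuccess).TotalDays)

    # Estimate how many partner password changes this DC has never received
    $missed = 0
    if ($PartnerPasswordLastSet -gt $LastReplicationSuccess) {
        $missed = [math]::Max(1, [int][math]::Floor($gapDays / $PasswordCycleDays))
    }

    [pscustomobject]@{
        Server                  = $Server
        Partner                 = $Partner
        DaysSinceReplication    = $gapDays
        MissedPasswordChanges   = $missed
        SecureChannelAtRisk     = ($missed -ge 2)                      # 2nd change not replicated
        BeyondTombstoneLifetime = ($gapDays -gt $TombstoneLifetimeDays) # lingering object risk
    }
}

# Constructed sample data: one stale inbound link and one healthy link
$now = [datetime]'2018-07-07'
$samples = @(
    @{ Server = 'DC2'; Partner = 'DC1'
       LastReplicationSuccess = [datetime]'2018-05-01'; PartnerPasswordLastSet = [datetime]'2018-06-20' },
    @{ Server = 'DC1'; Partner = 'DC2'
       LastReplicationSuccess = [datetime]'2018-07-06'; PartnerPasswordLastSet = [datetime]'2018-06-20' }
)
foreach ($s in $samples) {
    Test-DcReplicationAge @s -TombstoneLifetimeDays 60 -Now $now
}
```

A link flagged as beyond tombstone lifetime should be checked for lingering objects before replication is forced across it.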