Kerberos preauth failures between DCs

active-directory

I'm getting kerberos preauth failures - event 4771 - between my DCs. I think it's normal behavior (it's happened for years, since I enabled the additional logging), but I can't find any explanation as to why it is happening.

A couple notes:

  • happening from domain controller WENDEL to domain controller STEVE
  • never occurs STEVE to WENDEL.
  • STEVE does hold the FSMO roles.
  • DCs are still on 2012r2, including operational level

All of the events have the same ticket details. 

Ticket Options:     0x40810010
Failure Code:       0x18
Pre-Authentication Type:    2

I've done the usual dcdiag as a sanity check and nothing looked out of the ordinary.


Solution 1:

This is actually normal behaviour, what you are seeing is domain credential validation steps to the FSMO PDC emulator role holder. All DC servers that fail authentication for a certain AD account (user or computer) do an extra verification step of trying to auth agains the PDC emulator DC to verify credentials haven't changed in the mean time. The PDC emulator holds the responsibilty to administer password updates, so always knows the most up-to-date password.

Related

What is the origin of the term 'Au pair'
Origin of the idiom "wear the pants"
Origin of phrase "rinky dink"?
How does 'to partake of' mean 'be characterized by'?
Origin of "happy camper"
Is it "invisible coat" or "invisibility coat"?
What is the source of the expression "nothing at all"?
Staff vs. staffs [duplicate]
"suffocatingly narrow" or "narrow to the point of suffocating"?
Is there a name for a word or term that is persistently re-coined?
Where exactly did the phrase "hell on legs" come from?
What's the difference between "subject to" and "subjected to" in contracts? [duplicate]