Kerberos preauth failures between DCs

I'm getting Kerberos preauth failures - event 4771 - between my DCs. I think it's normal behavior (it's happened for years, since I enabled the additional logging), but I can't find any explanation as to why it is happening.

A couple of notes:

  • happening from domain controller WENDEL to domain controller STEVE
  • never occurs from STEVE to WENDEL.
  • STEVE does hold the FSMO roles.
  • DCs are still on 2012r2, including operational level

All of the events have the same ticket details.

Ticket Options:     0x40810010
Failure Code:       0x18
Pre-Authentication Type:    2

I've done the usual dcdiag as a sanity check and nothing looked out of the ordinary.


Solution 1:

This is actually normal behaviour: what you are seeing is domain credential validation steps to the FSMO PDC emulator role holder. All DC servers that fail authentication for a certain AD account (user or computer) do an extra verification step of trying to auth against the PDC emulator DC to verify credentials haven't changed in the meantime. The PDC emulator holds the responsibility to administer password updates, so always knows the most up-to-date password.
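A defender-side triage script for the situation described in the question and answer, added here as an example and not part of the original question, answer, or any Microsoft tooling. It decodes the three fields quoted above (ticket options, failure code, pre-authentication type), labels 4771 events whose source is another DC and which were logged on the PDC emulator as the expected chaining behaviour, and counts the remaining pre-auth failures per account so a genuine run of bad passwords is not lost in the noise. The field names follow the Windows Security log (TargetUserName, IpAddress, Status, PreAuthType, TicketOptions, Computer); the DC names, addresses, and sample events are constructed.

```python
"""Triage Kerberos pre-authentication failure events (Event ID 4771).

Added example, not part of the original question or answer. Assumes the
events have already been exported to dicts keyed by the Security-log field
names. All addresses, hostnames and events below are constructed samples.
"""
from collections import Counter

# KRB-ERROR codes commonly seen in the Status field of 4771 (RFC 4120).
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",   # wrong password (or stale password on the retrying DC)
    0x25: "KRB_AP_ERR_SKEW",
}

# Pre-authentication types (RFC 4120 / RFC 4556). Type 2 is the encrypted timestamp.
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 15: "PA-PK-AS-REP", 16: "PA-PK-AS-REQ"}

# KDC option flags as laid out in the Ticket Options field of 4768/4771
# (bit 0 is the most significant bit, 0x80000000).
TICKET_OPTION_BITS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x00800000: "renewable",
    0x00010000: "canonicalize",
    0x00000010: "renewable-ok",
}

# Constructed inventory: the two DCs from the question and the PDC emulator's log name.
DC_ADDRESSES = {"10.0.0.11", "10.0.0.12"}      # WENDEL, STEVE (constructed)
PDC_HOSTNAME = "STEVE.corp.example"            # constructed FQDN of the FSMO PDC emulator


def decode_ticket_options(value):
    """Return the option names set in a Ticket Options value such as 0x40810010."""
    return [name for bit, name in TICKET_OPTION_BITS.items() if value & bit]


def triage_4771(events, dc_addresses, pdc_hostname, threshold=5):
    """Label each 4771 event and collect accounts with repeated real failures.

    Returns (classified, suspicious): classified is a list of (event, label)
    pairs; suspicious maps account -> failure count for accounts whose
    non-chaining pre-auth failures reached `threshold`.
    """
    classified = []
    per_account = Counter()
    for ev in events:
        status = int(ev["Status"], 16)
        src = ev["IpAddress"]
        if src.startswith("::ffff:"):          # IPv4-mapped form the log often uses
            src = src[len("::ffff:"):]
        if status == 0x18 and src in dc_addresses and ev["Computer"] == pdc_hostname:
            # Another DC re-checking a failed logon against the PDC emulator: expected.
            label = "dc_chaining_to_pdc"
        elif status == 0x18:
            label = "preauth_failed"
            per_account[ev["TargetUserName"]] += 1
        else:
            label = FAILURE_CODES.get(status, "unknown_0x%x" % status)
        classified.append((ev, label))
    suspicious = {acct: n for acct, n in per_account.items() if n >= threshold}
    return classified, suspicious


def _ev(user, ip, status, computer=PDC_HOSTNAME, preauth=2, options="0x40810010"):
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketOptions": options, "Computer": computer}


# Constructed sample: three chained checks from WENDEL, two bad passwords for one
# user from a workstation, and one expired-key failure.
SAMPLE_EVENTS = [
    _ev("alice", "::ffff:10.0.0.11", "0x18"),
    _ev("bob", "10.0.0.11", "0x18"),
    _ev("svc-backup", "10.0.0.11", "0x18"),
    _ev("jdoe", "10.0.0.50", "0x18"),
    _ev("jdoe", "10.0.0.50", "0x18"),
    _ev("carol", "10.0.0.51", "0x17"),
]

if __name__ == "__main__":
    print("0x40810010 =", ", ".join(decode_ticket_options(0x40810010)))
    classified, suspicious = triage_4771(SAMPLE_EVENTS, DC_ADDRESSES, PDC_HOSTNAME, threshold=2)
    for ev, label in classified:
        print("%-12s %-18s %-10s %s" % (ev["TargetUserName"], ev["IpAddress"],
                                        PREAUTH_TYPES.get(ev["PreAuthType"], "?"), label))
    print("accounts at threshold:", suspicious)
```

Run against a real export, the `dc_chaining_to_pdc` label should account for the WENDEL-to-STEVE events from the question, while anything left under `preauth_failed` is an ordinary workstation or user supplying a wrong password and is what the per-account count is meant to surface.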