I've got a Windows Server 2008 R2 SP1 Active Directory with a full 2008 R2 domain functional level, and a Windows XP SP3 client which needs to join this domain.
Unfortunately the client is not able to join the domain, and when I take a look at the server's logs I see the following error:
EVENT ID: 4776 error N° 0xc000006a
Following my search on Google, I've reset all my GPOs with the dcgpofix command according to the MS knowledge base, but once again my Windows client is still unable to join the domain and throws up the same error.
OK, so I've made some progress with this issue.
I've noticed two things:
First of all: it seems to be a Kerberos issue, because all the logs are talking about Kerberos.
From server:
EVENT ID: 4776 error N° 0xc000006a
This means: correct username, bad password (I'm sure of the password because I'm using it to log in to the DC). And the first FAIL on my list is:
EVENT ID: 4768 -> A Kerberos ticket has been requested.
Secondly:
On the client side I have a single error:
EVENT ID: 4 -> Kerberos error, Source: Kerberos -> The client received a KRB_AP_ERR_MODIFIED error from the server prdldap01$. This indicates that the password used to encrypt the Kerberos ticket is different than that on the target server.
Then I've tried to check the tickets on the client with the klist tickets command, BUT there are none on the client.
The klist command reports:
Cached tickets: (0)
Finally:
All my Windows 7 clients are correctly joining the domain. My server sends the following ticket encryption:
KerbTicket Encryption: AES-256-CTS-HMAC-SHA1-96
My LSA notification packages are the following:
SCECLI RASSFM SHA1HEXFLTR
My LSA security packages are the following:
kerberos msv1_0 schannel wdigest tspkg pku2u
I really start to suspect the Domain Security GPO or Kerberos settings. If anyone has an idea, I'm listening :D
Your error is related to miscommunication between the client and the DC. Make sure that there is no kind of packet filtering in place between them - even disable the built-in firewall to make sure.
Also - check that the time/date is aligned between them; silly, yes, but it's reason #1 for AD problems.
Well, I finally found out what's going on with my domain. The problem came from a Google authentication module added to bind our AD to Google's infrastructure.
This module is quite useful, but very buggy and insecure, so if any of you use the SHA1HEXFilter module from Google, be advised of some password hash leakage over your network.
Thanks to all who tried to troubleshoot my issue :D
In case this was a Kerberos encryption-type problem: The Kerberos implementation in Windows XP SP3 did not support the newer encryption types AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96. These were added only in Windows Vista. The fix has long been to phase out Windows XP. Previously, the solution was to make sure the boxes “This account supports AES 128/256-bit encryption” in the Active Directory Users and Computers GUI under the “Account” tab are unticked for any pre-Vista users and computers involved.
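An added PowerShell audit (not from this thread or any answerer) that lists the users and computers whose msDS-SupportedEncryptionTypes attribute has the AES bits set, which is exactly what the two ADUC check boxes mentioned above toggle. It assumes the ActiveDirectory module is available on the DC or an RSAT workstation, and it only reads the attribute.

```powershell
# Added example: find accounts flagged for AES Kerberos encryption types.
# Pre-Vista clients such as Windows XP SP3 cannot use these types, so a
# report like this shows which accounts the "This account supports
# AES 128/256-bit encryption" boxes would have to be cleared on.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes.
$EncType = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC_MD5            = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}
$AesMask = $EncType.AES128_CTS_HMAC_SHA1_96 -bor $EncType.AES256_CTS_HMAC_SHA1_96  # 0x18 (24)

# Turn the raw bitmask into readable names.
function ConvertTo-EncTypeNames {
    param([int]$Mask)
    $EncType.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 matches objects with
# any of the AES bits set. objectClass=user also covers computer accounts.
$filter = "(&(objectClass=user)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=$AesMask))"

Get-ADObject -LDAPFilter $filter -Properties msDS-SupportedEncryptionTypes, operatingSystem |
    Select-Object Name, objectClass, operatingSystem,
        @{ n = 'EncTypes'; e = { (ConvertTo-EncTypeNames $_.'msDS-SupportedEncryptionTypes') -join ',' } } |
    Sort-Object objectClass, Name |
    Format-Table -AutoSize
```

Accounts that appear here with no RC4_HMAC_MD5 entry have only AES types enabled, so an XP client cannot negotiate a common type with them at all; when clearing the AES boxes for such an account, check afterwards that RC4 is still listed, since an attribute left at 0 falls back to the DC's defaults rather than to what you expect.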