AD Replication fails after restoring System State on domain controller

Posted on 2005-05-09
Last Modified: 2008-02-27
Today I had some problems with a Certificate Authority housed on a 2003 domain controller, so I restored the System State using Veritas Backup Exec 10 after rebooting in Directory Services Restore Mode. Everything went fine, no errors. However, after I rebooted and tried to replicate I get a pop-up window that says "an error occurred during the attempt to contact Domain controller YOSEMITE: The target principal name is incorrect".
I also see this error in the event log.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            5/9/2005
Time:            1:01:28 PM
User:            N/A
Computer:      YOSEMITE
The Security System detected an authentication error for the server cifs/YOSEMITE.  The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information.

For more information, see Help and Support Center at
0000: 6d 00 00 c0               m..À    

And this one.
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            5/9/2005
Time:            1:06:25 PM
User:            N/A
Computer:      YOSEMITE
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/  The target name used was ldap/ This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (FPDOMAIN.COM), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at

When I run Repadmin /showreps the error I see is Access Denied (5). Any help would be most appreciated.

Question by:fpodmain

    Accepted Solution

    Sounds like you need to reset the Computer accounts, so that a new Kerberos ticket is created for the machine account.

    This can also occur if the File Replication Service (Ntfrs.exe) tries to authenticate before the directory service has started. See Q824217 to troubleshoot this problem.

    You could make NETLOGON depend on DNS.
    This can be done easily in the registry: go to “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon”, and add the string “DNS” to the key "DependOnService" (place it under LanmanServer).

    Make a backup of your registry first.
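As an added example (not part of the accepted answer), the registry change above done from PowerShell so the existing REG_MULTI_SZ entries are kept, the key is backed up first, and the edit is refused on a DC that does not run the DNS Server service (otherwise Netlogon would depend on a service that never starts). The backup path is a constructed placeholder, and PowerShell is assumed to be installed.

```powershell
# Added example: make Netlogon depend on DNS, as the accepted answer suggests,
# without clobbering the existing dependency list. Run elevated on the DC.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'

# Guard: a dependency on 'DNS' (the DNS Server service) only makes sense where
# that service exists; otherwise Netlogon would fail to start at boot.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    throw 'DNS Server service not installed on this DC; do not add the dependency here.'
}

# Back up the key first, as the answer advises (backup path is a constructed example).
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon' "$env:TEMP\Netlogon-backup.reg" /y | Out-Null

# DependOnService is REG_MULTI_SZ; read it as an array so nothing is lost on write.
$deps = @((Get-ItemProperty -Path $key -Name DependOnService).DependOnService)
Write-Host "Current dependencies: $($deps -join ', ')"

if ($deps -contains 'DNS') {
    Write-Host 'DNS is already a dependency; nothing to change.'
} else {
    # Insert DNS directly after LanmanServer when present, otherwise append it.
    $idx = [array]::IndexOf($deps, 'LanmanServer')
    if ($idx -ge 0) {
        $new = @($deps[0..$idx]) + 'DNS'
        if ($idx -lt $deps.Count - 1) { $new += $deps[($idx + 1)..($deps.Count - 1)] }
    } else {
        $new = $deps + 'DNS'
    }
    Set-ItemProperty -Path $key -Name DependOnService -Value ([string[]]$new) -Type MultiString
    Write-Host "New dependencies: $($new -join ', ')"
}

# Show what the service control manager now reports for Netlogon.
(Get-Service -Name Netlogon).ServicesDependedOn | Select-Object -ExpandProperty Name
```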

    Author Comment

    Your first assumption was correct. I searched Microsoft's site for "reset computer account on Domain Controller" and found this article, Q325850.

    Use Netdom.exe to Reset a Machine Account Password
    1. Install the Windows Server 2003 Support Tools on the domain controller whose password you want to reset. These tools are located in the Support\Tools folder on the Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\Tools folder, and then click Install.
    2. If you want to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center service and set its startup type to Manual.

    NOTE: After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center service and set its startup type back to Automatic. This forces the domain controller with the incorrect computer account password to contact another domain controller for a Kerberos ticket.
    3. At a command prompt, type the following command:
    netdom resetpwd /s:server /ud:domain\User /pd:*
    A description of this command is:
    • /s:server is the name of the domain controller to use for setting the machine account password.
    • /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
    • /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.
    For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:
    netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*
    4. Restart the server whose password was changed. In this example, this is Server1.

    Thanks for pointing me in the right direction!
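As an added example (not part of the thread or of the KB article), the four steps quoted above as one PowerShell script to be run elevated on the DC whose machine account password is out of step (Server1 in the KB text). The peer DC name and the admin account are constructed placeholders, netdom.exe from the Support Tools is assumed to be on the PATH, and PowerShell is assumed to be installed (it did not ship with Windows Server 2003).

```powershell
# Added example: KB Q325850 sequence scripted. $Peer is the healthy DC that
# will receive the new password; $Admin is the account used for the connection.
param(
    [string]$Peer  = 'server2',                 # constructed example peer DC
    [string]$Admin = 'mydomain\administrator'   # constructed example account
)

# Step 2: the local KDC must be stopped, or this DC keeps issuing tickets with
# the stale key. Set it to Manual so it stays down across the reboot in step 4.
Set-Service -Name kdc -StartupType Manual
Stop-Service -Name kdc -Force
Write-Host "KDC state: $((Get-Service -Name kdc).Status); start type set to Manual"

# Step 3: reset the machine account password against the peer DC.
# /pd:* prompts interactively, so the password never lands in a script or history.
& netdom resetpwd "/s:$Peer" "/ud:$Admin" /pd:*
if ($LASTEXITCODE -ne 0) {
    throw "netdom resetpwd failed (exit code $LASTEXITCODE); KDC left on Manual, investigate before rebooting."
}

# Step 4: restart. After the reboot, confirm replication is healthy, then put
# the KDC back (the NOTE in step 2 of the KB text):
#   repadmin /showreps
#   Set-Service -Name kdc -StartupType Automatic; Start-Service -Name kdc
Restart-Computer -Force
```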
