

AD Replication fails after Restoring system state on domain controller

Posted on 2005-05-09
Medium Priority
Last Modified: 2008-02-27
Today I had some problems with a Certificate Authority housed on a 2003 domain controller, so I restored the System State using Veritas Backup Exec 10 after rebooting in Directory Services Restore Mode. Everything went fine, no errors. However, after I rebooted and tried to replicate I get a pop-up window that says "an error occurred during the attempt to contact Domain controller YOSEMITE: The target principal name is incorrect"
I also see this error in the event log.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            5/9/2005
Time:            1:01:28 PM
User:            N/A
Computer:      YOSEMITE
The Security System detected an authentication error for the server cifs/YOSEMITE.  The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information."

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0000: 6d 00 00 c0               m..À    

And this one.
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      4
Date:            5/9/2005
Time:            1:06:25 PM
User:            N/A
Computer:      YOSEMITE
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/yosemite.fpdomain.com.  The target name used was ldap/yosemite.fpdomain.com/fpdomain.com@fpdomain.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (FPDOMAIN.COM), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When I run Repadmin /showreps the error I see is Access Denied (5). Any help would be most appreciated.

Question by:fpodmain

Accepted Solution

Seelan Naidoo earned 2000 total points
ID: 13966150
Sounds like you need to reset the Computer accounts, so that a new Kerberos ticket is created for the machine account.

This can also occur if the File Replication Service (Ntfrs.exe) tries to authenticate before the directory service has started. See Q824217 to troubleshoot this problem

You could make NETLOGON depend on DNS.
This can be done in the registry easily, go to “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon”, and add the string “DNS” to the key "DependOnService" (place it under LanmanServer).

Make a backup of your registry first.
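The registry change suggested above, as an added PowerShell example that is not code from the answer or from Microsoft. It assumes PowerShell 2.0 or later is available on the domain controller; the backup file name is a placeholder. It refuses to add the dependency when the DNS Server service is not installed locally, because Netlogon will not start at all if it depends on a service that does not exist on the box.

```powershell
# Added example, not from the original answer: make Netlogon depend on the local DNS Server
# service by editing DependOnService (REG_MULTI_SZ), with a backup taken first.
# Assumes PowerShell 2.0+ on the DC. $backup is a placeholder path.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$backup = Join-Path $env:SystemDrive ("Netlogon-deps-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Only add the dependency where the DNS Server service really exists on this host.
# A dependency on a missing service prevents Netlogon from starting, which is worse
# than the start-order race you are trying to fix.
if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
    throw 'The DNS Server service is not installed on this machine; do not add the dependency here.'
}

# Back up the key before touching it, as the answer advises.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon' $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $backup failed (reg.exe exit code $LASTEXITCODE)" }

# DependOnService is REG_MULTI_SZ; force an array even when only one entry is present.
$deps = [string[]](Get-ItemProperty -Path $key -Name DependOnService).DependOnService
Write-Host ('Current Netlogon dependencies: ' + ($deps -join ', '))

if ($deps -contains 'DNS') {
    Write-Host 'DNS is already listed; nothing changed.'
} else {
    # Insert DNS directly after LanmanServer as described; append it if LanmanServer is absent.
    $list = New-Object 'System.Collections.Generic.List[string]'
    $list.AddRange($deps)
    $i = $list.IndexOf('LanmanServer')
    if ($i -ge 0) { $list.Insert($i + 1, 'DNS') } else { $list.Add('DNS') }

    Set-ItemProperty -Path $key -Name DependOnService -Value $list.ToArray() -Type MultiString
    Write-Host ('New Netlogon dependencies: ' + ($list.ToArray() -join ', '))
    Write-Host 'The service control manager reads this at boot; reboot for the new start order to apply.'
}

# Show what the service control manager reports; DEPENDENCIES should list DNS after the reboot.
sc.exe qc Netlogon
```

Run it in an elevated session on the DC and keep the exported .reg file until replication has been verified; reimporting it with reg.exe import restores the original dependency list if Netlogon misbehaves.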

Author Comment

ID: 13971179
Your first assumption was correct. I searched Microsoft's site for "reset computer account on Domain Controller" and found this article Q325850

Use Netdom.exe to Reset a Machine Account Password
1. Install the Windows Server 2003 Support Tools on the domain controller whose password you want to reset. These tools are located in the Support\Tools folder on the Windows Server 2003 CD-ROM. To install these tools, right-click the Suptools.msi file in the Support\Tools folder, and then click Install.
2. If you want to reset the password for a Windows domain controller, you must stop the Kerberos Key Distribution Center service and set its startup type to Manual.

NOTE: After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center service and set its startup type back to Automatic. This forces the domain controller with the incorrect computer account password to contact another domain controller for a Kerberos ticket.
3. At a command prompt, type the following command:
netdom resetpwd /s:server /ud:domain\User /pd:*
A description of this command is:
• /s:server is the name of the domain controller to use for setting the machine account password.
• /ud:domain\User is the user account that makes the connection with the domain you specified in the /s parameter. This must be in domain\User format. If this parameter is omitted, the current user account is used.
• /pd:* specifies the password of the user account that is specified in the /ud parameter. Use an asterisk (*) to be prompted for the password.
For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:
netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*
4. Restart the server whose password was changed. In this example, this is Server1.

Thanks for pointing me in the right direction!
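The four-step Netdom procedure quoted above, written out as an added PowerShell script that is not part of the original post or of Microsoft's article. It runs on the domain controller whose machine account password is wrong (Server1 in the example) and points at a healthy peer (Server2). It assumes PowerShell 2.0 or later plus the Support Tools (netdom.exe on PATH) are installed on that DC; the script name Reset-DcMachinePassword.ps1, the -PeerDC and -AdminAccount parameters and the -PostRestart switch are this example's own.

```powershell
# Added example (Reset-DcMachinePassword.ps1), not from the original post or KB 325850.
# First run: stop the KDC, set it to Manual, reset the machine account password against
# the peer DC, then reboot. Second run with -PostRestart: verify replication, re-enable KDC.
# Assumes PowerShell 2.0+ and the Windows Server 2003 Support Tools on this DC.
param(
    [Parameter(Mandatory = $true)] [string]$PeerDC,        # e.g. 'server2'   (placeholder)
    [Parameter(Mandatory = $true)] [string]$AdminAccount,  # e.g. 'mydomain\administrator'
    [switch]$PostRestart                                    # run after the reboot
)
$ErrorActionPreference = 'Stop'

# Step 1 check: netdom.exe comes from Suptools.msi and is not present on a bare 2003 install.
if (-not (Get-Command netdom.exe -ErrorAction SilentlyContinue)) {
    throw 'netdom.exe not found: install the Windows Server 2003 Support Tools (Suptools.msi) first.'
}

if (-not $PostRestart) {
    # Step 2: the local KDC must be down while its own account password changes, and it must
    # stay down across the reboot (Manual) so this DC obtains its tickets from a peer
    # instead of issuing itself tickets with the stale key.
    Set-Service -Name kdc -StartupType Manual
    Stop-Service -Name kdc -Force
    if ((Get-Service -Name kdc).Status -ne 'Stopped') { throw 'The Kerberos KDC service did not stop.' }

    # Step 3: reset the local machine account password and write it to the peer DC.
    # /pd:* prompts for the password so it never ends up in command history or this script.
    netdom.exe resetpwd "/s:$PeerDC" "/ud:$AdminAccount" /pd:*
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd failed (exit code $LASTEXITCODE). KDC left stopped/Manual; investigate before retrying."
    }

    # Step 4: reboot this DC. -Confirm asks before restarting.
    Write-Host "Machine account password reset against $PeerDC. Restart, then rerun with -PostRestart."
    Restart-Computer -Confirm
} else {
    # After the reboot: the 'Access is denied (5)' result from repadmin /showreps is what the
    # question reported, so refuse to re-enable the KDC while any link still shows a failure.
    $out = repadmin.exe /showrepl $env:COMPUTERNAME 2>&1 | Out-String
    Write-Host $out
    if ($out -match 'failed, result \d+') {
        throw 'repadmin /showrepl still reports failed replication links; keep the KDC stopped and investigate.'
    }

    # Replication is clean: put the KDC back the way it was (note in the article).
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc
    Write-Host 'Replication verified and the Kerberos KDC service is running again with Automatic start.'
}
```

Typical use on the broken DC: `.\Reset-DcMachinePassword.ps1 -PeerDC server2 -AdminAccount mydomain\administrator`, answer the netdom password prompt, confirm the reboot, then after logging back in run the same command with `-PostRestart`. The reset must be done against a peer that itself replicates correctly; if every DC in the domain shows errors, the peer should be chosen and verified first.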
