  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 350

Replication Issue

Client reports that AD replication between PDC and another DC always fails
with error "Access Denied". When forcing replication using ADSS on the DC, error
"The target principal name is incorrect"; secondly when forcing replication from
PDC console, error is "access is denied"
What needs to be checked in this case & what should be done to resolve it?
A. Reset secure channel with the PDC may fix this issue
B. Check SPN related errors using dcdiag
C. Check DNS related errors using dcdiag
D. Check time difference between 2 domain controllers

/////////////////////////////////

I do not agree with the above. To be very clear, I do not know SPN-related errors; also, DNS errors cannot cause it. I believe that it is D), the time difference, because if the time difference is not agreeing then the replication cannot be done.
0
kunalclk
Asked:
woolnoir Commented:
http://support.microsoft.com/kb/288167

Followed this one? Specifically the netdom resetpwd part?
0
 
woolnoir Commented:
I've seen the situation exactly as you describe above on EE before, and in my environment, and the link above fixed it, so it's worth a look.
0
 
Sikhumbuzo Ntsada, Senior IT Technician, Commented:
I would say D - when you point a PC\Client to authenticate to the BDC while it has a wrong time you will not be able to log in, thus the time difference is the culprit. After you change the time it will then allow authentication because it is now able to communicate with the PDC.


0
Krzysztof Pytko, Active Directory Engineer, Commented:
I would say A, reset secure channel to PDC :) Access Denied would suggest that there is a problem with the secure channel

Regards,
Krzysztof
0
 
woolnoir Commented:
Yep, A is the option which my link above fixes - give it a try and let us know.
0
 
kunalclk (Author) Commented:
Then why is "The target principal name is incorrect" the error, and what is an SPN error? Why can the time difference not cause it? I have tried it on a client server and the same error comes: access denied.
0
 
Krzysztof Pytko, Active Directory Engineer, Commented:
@woolnoir: it's difficult to check because it's a test question from 290 exam :)
0
 
woolnoir Commented:
In that case, I'd pick A :) 100%
0
 
woolnoir Commented:
Check the link above, it's from an MS knowledge-base article and those derive a lot of the Exam Q's :)
0
 
Krzysztof Pytko, Active Directory Engineer, Commented:
In a domain environment all DCs are synchronizing time with the forest root PDC, so if a time difference is present there is a problem with the PDC. So, then you know that there is another issue. A DNS error would reply with different error messages, like "cannot contact <domain name>" or something like that.

SPN is related to the user rather than the DC.

Krzysztof
0
 
kunalclk (Author) Commented:
tnx
0
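
The checks behind options A to D in the question, as an added example that is not part of the original thread: it measures clock skew against the PDC, runs the dcdiag tests that surface SPN, DNS and replication errors, and only resets the DC's machine account password when explicitly asked. Assumptions: PowerShell is available on the failing DC, `PDC01.example.test` and `EXAMPLE\Administrator` are placeholder names, and stopping the KDC service around `netdom resetpwd` follows the commonly documented secure-channel reset procedure rather than anything quoted in the thread.

```powershell
# Run elevated on the DC that fails to replicate.
$Pdc           = 'PDC01.example.test'     # placeholder: PDC emulator FQDN
$Admin         = 'EXAMPLE\Administrator'  # placeholder: domain admin account
$ResetPassword = $false                   # set to $true to perform option A

# Option D: clock offset against the PDC. Kerberos rejects tickets once
# the skew exceeds its default tolerance of 5 minutes (300 seconds).
$samples = w32tm /stripchart /computer:$Pdc /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    # Data lines look like "14:33:12, +00.0032154s"; headers do not match.
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
if (-not $offsets) { throw "No time samples returned from $Pdc" }
$maxSkew = ($offsets | Measure-Object -Maximum).Maximum
"Max clock offset vs ${Pdc}: $maxSkew s"
if ($maxSkew -gt 300) { Write-Warning 'Skew exceeds 300 s; fix time sync first.' }

# Options B and C: MachineAccount checks the DC's account and its SPNs,
# DNS checks name resolution and registration, Replications checks links.
foreach ($test in 'MachineAccount', 'DNS', 'Replications') {
    dcdiag /test:$test
}
repadmin /showrepl   # per-partner result of the last inbound replication

# Option A: reset the machine account password against the PDC.
if ($ResetPassword) {
    # Stop the local KDC so this DC requests tickets from the PDC's KDC
    # instead of issuing them itself with a mismatched password.
    Stop-Service kdc
    Set-Service kdc -StartupType Manual
    netdom resetpwd /server:$Pdc /userd:$Admin /passwordd:*   # prompts for password
    Write-Warning 'Restart this DC, then set the kdc service back to Automatic and start it.'
}
```

With `$ResetPassword` left at `$false` the script changes nothing on the server, so the skew, dcdiag and repadmin output can be reviewed before the reset is attempted.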
