Replication Issue

Client reports that AD replication between the PDC and another DC always fails
with error "Access Denied". When forcing replication using ADSS on the DC, the error is
"The target principal name is incorrect"; secondly, when forcing replication from the
PDC console, the error is "access is denied".
What needs to be checked in this case, and what should be done to resolve it?
A. Reset secure channel with the PDC may fix this issue
B. Check SPN related errors using dcdiag
C. Check DNS related errors using dcdiag
D. Check time difference between 2 domain controllers

/////////////////////////////////

I do not agree with the above. To be very clear, I do not know SPN-related errors; also, DNS errors cannot cause it. I believe that it is D), the time difference, because if the time does not agree then replication cannot be done.
kunalclk Asked:
 
woolnoir Commented:
http://support.microsoft.com/kb/288167

Followed this one? Specifically the netdom resetpwd part?
0
 
woolnoir Commented:
I've seen the situation as you describe above exactly on EE before, and in my environment, and the link above fixed it, so it's worth a look.
0
 
Sikhumbuzo Ntsada, Senior IT Technician, Commented:
I would say D - when you point a PC\Client to authenticate to the BDC while it has a wrong time you will not be able to log in, thus the time difference is the culprit. After you change the time it will then allow authentication because it is now able to communicate with the PDC.
0
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
I would say A, reset secure channel to PDC :) Access Denied would suggest that there is a problem with the secure channel.

Regards,
Krzysztof
0
 
woolnoir Commented:
Yep, A is the option which my link above fixes - give it a try and let us know.
0
 
kunalclk (Author) Commented:
Then why is "The target principal name is incorrect" the error, and what is an SPN error? Why can the time difference not cause it? I have tried it on the client server; the same error comes: access denied.
0
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
@woolnoir: it's difficult to check because it's a test question from 290 exam :)
0
 
woolnoir Commented:
In that case, I'd pick A :) 100%
0
 
woolnoir Commented:
Check the link above, it's from an MS knowledge-base article and those derive a lot of the Exam Q's :)
0
 
Krzysztof Pytko, Senior Active Directory Engineer, Commented:
In a domain environment all DCs synchronize time with the forest root PDC, so if a time difference is present there is a problem with the PDC. So, then you know that there is another issue. A DNS error would reply with different error messages like "cannot contact <domain name>" or something like that.

SPN is related to the user rather than the DC.

Krzysztof
0
 
kunalclk (Author) Commented:
tnx
0
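
One way to check each of options A to D from the failing DC before resetting anything, as an added example that is not part of the original thread or of the linked KB article. `DC01` (the PDC emulator) and `CONTOSO` (the NetBIOS domain name) are placeholder names; run it in an elevated session on the DC that fails to replicate.

```powershell
# Added example. Placeholder names, replace with your own:
$Pdc    = 'DC01'      # assumption: the DC holding the PDC emulator role
$Domain = 'CONTOSO'   # assumption: NetBIOS name of the domain

# Baseline: list inbound replication partners and the last error for each.
repadmin /showrepl

# Option D: measure the clock offset against the PDC emulator.
# Kerberos rejects tickets once the skew exceeds the policy limit (5 minutes by default).
w32tm /stripchart /computer:$Pdc /samples:3 /dataonly

# Option C: run the DNS tests (registration, resolution) for this DC.
dcdiag /test:DNS /v

# Option B: list the SPNs registered on the PDC's computer account,
# then let dcdiag report missing or mismatched SPNs on this DC.
setspn -L $Pdc
dcdiag /test:MachineAccount /v

# Option A: verify the secure channel this DC holds with the domain.
nltest /sc_verify:$Domain

# Reset, only if the secure channel check fails or the errors persist:
# stop the local KDC so this DC must obtain fresh tickets from the PDC,
# purge tickets cached for the local SYSTEM logon session (0x3e7),
# then reset this DC's machine account password against the PDC.
Stop-Service -Name kdc
klist -li 0x3e7 purge
netdom resetpwd /server:$Pdc /userd:"$Domain\Administrator" /passwordd:*
Start-Service -Name kdc

# Confirm: trigger replication and re-read the per-partner status.
repadmin /syncall
repadmin /showrepl
```

`/passwordd:*` makes netdom prompt for the password instead of leaving it in the command history.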
Question has a verified solution.
