Replication Failure - The target Principal Name is Incorrect
Asked by CCLProTech
Hello All,
An issue was recently brought to my attention when an onsite tech was not able to access resources on a remote server by UNC path when using the server name (\\DC1\share$). Substituting the server's IP address did allow access to the share.
This network has 5 buildings, each building housing its own DC in its own AD site. While troubleshooting I found the following to be true; I'll use DC1 to reference the server which seems to be the culprit.
- DC1 holds all FSMO roles.
- DC1 can be accessed by name only from its local site; all other sites cannot access DC1 by name, but can access it by IP. Pings work by name and IP between all sites.
- dcdiag on DC1 shows no failures; running dcdiag on one of the other DCs shows the following:
An Warning Event occurred. EventID: 0x8000061E
Time Generated: 03/03/2011 11:17:29
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An Error Event occurred. EventID: 0xC000051F
Time Generated: 03/03/2011 11:17:29
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
An Warning Event occurred. EventID: 0x8000061E
Time Generated: 03/03/2011 11:17:29
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An Error Event occurred. EventID: 0xC000051F
Time Generated: 03/03/2011 11:17:29
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
An Warning Event occurred. EventID: 0x8000061E
Time Generated: 03/03/2011 11:17:29
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An Error Event occurred. EventID: 0xC000051F
Time Generated: 03/03/2011 11:17:29
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
An Warning Event occurred. EventID: 0x8000061E
Time Generated: 03/03/2011 11:17:29
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An Error Event occurred. EventID: 0xC000051F
Time Generated: 03/03/2011 11:17:29
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
......................... DC2 failed test KccEvent
[DC1] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: DC1 is the Schema Owner, but is not responding to DS RPC
Bind.
[DC1] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: DC1 is the Schema Owner, but is not responding to LDAP
Bind.
Warning: DC1 is the Domain Owner, but is not responding to DS RPC
Bind.
Warning: DC1 is the Domain Owner, but is not responding to LDAP
Bind.
Warning: DC1 is the PDC Owner, but is not responding to DS RPC
Bind.
Warning: DC1 is the PDC Owner, but is not responding to LDAP
Bind.
Warning: DC1 is the Rid Owner, but is not responding to DS RPC
Bind.
Warning: DC1 is the Rid Owner, but is not responding to LDAP
Bind.
Warning: DC1 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: DC1 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... DC2 failed test KnowsOfRoleHolders
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=DOMAI
......................... DC2 failed test NCSecDesc
[Replications Check,DC2] A recent replication attempt failed:
From DC1 to DC2
Naming Context: DC=ForestDnsZones,DC=DOMAI
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
- repadmin shows replication failure to DC1 with the following error
Last error: -2146893022 (0x80090322):
The target principal name is incorrect.
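The failure pattern in the dcdiag and repadmin output above is worth reading mechanically: the one DC that cannot be reached by name (DC1) is the same one every partner fails to pull from, and the status code is 0x80090322 (SEC_E_WRONG_PRINCIPAL), a Kerberos mutual-authentication failure rather than a network one. On Windows of that era a UNC path by IP address cannot form a service principal name and falls back to NTLM, so no service ticket for DC1 is ever decrypted; that is why the share worked by IP and not by name. The following PowerShell is an added example, not code from the original thread: it parses `repadmin /showrepl * /csv`, decodes each signed-decimal status into the same message text dcdiag prints, and names the source DC behind any 0x80090322 failure. The CSV sample, server names, times and failure counts are constructed to mirror the thread and are assumptions.

```powershell
# Added example, not from the original thread: triage of repadmin replication failures.
# Pass -Live to read real `repadmin /showrepl * /csv` output on a DC; otherwise the
# constructed sample below is used (names, times and counts are assumptions).
param([switch]$Live)

# Constructed sample modelled on the thread: DC2 fails to pull from DC1, all else healthy.
$SampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,DC2-Site,DC2,"DC=DOMAIN,DC=local",DC1-Site,DC1,RPC,24,2011-03-03 11:17:29,2011-03-02 09:00:00,-2146893022
showrepl_INFO,DC2-Site,DC2,"DC=ForestDnsZones,DC=DOMAIN,DC=local",DC1-Site,DC1,RPC,24,2011-03-03 11:17:29,2011-03-02 09:00:00,1256
showrepl_INFO,DC2-Site,DC2,"DC=DOMAIN,DC=local",DC3-Site,DC3,RPC,0,0,2011-03-03 11:36:35,0
showrepl_INFO,DC1-Site,DC1,"DC=DOMAIN,DC=local",DC2-Site,DC2,RPC,0,0,2011-03-03 12:06:35,0
'@

function ConvertTo-Hresult([int64]$Code) {
    # repadmin prints statuses as signed decimals. Negative values are already HRESULTs
    # (-2146893022 -> 0x80090322); small positive values are Win32 codes (1256) and get
    # the HRESULT_FROM_WIN32 wrap (0x8007xxxx) so one decoder handles both kinds.
    if ($Code -lt 0) { return [int32]$Code }
    return [int32]((0x80070000 -bor $Code) - 0x100000000)
}

function Decode-ReplStatus([int64]$Code) {
    $hr  = ConvertTo-Hresult $Code
    # FormatMessage via the CLR gives the same text dcdiag shows, e.g.
    # "The target principal name is incorrect." / "The remote system is not available."
    $msg = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
    if ($hr -eq -2146893022) {
        $verdict = 'SEC_E_WRONG_PRINCIPAL: the service ticket for the SOURCE DC could not be ' +
                   'validated; suspect its machine-account password (secure channel), duplicate ' +
                   'SPNs, or a name that resolves to the wrong host. Not a transport problem.'
    } else {
        $verdict = 'Transport or follow-on error; clear any SEC_E_WRONG_PRINCIPAL first.'
    }
    [pscustomobject]@{ Hex = ('0x{0:X8}' -f $hr); Message = $msg; Verdict = $verdict }
}

function Get-ReplFailure([string]$Csv) {
    $Csv | ConvertFrom-Csv |
        Where-Object { [int64]$_.'Last Failure Status' -ne 0 } |
        ForEach-Object {
            $d = Decode-ReplStatus ([int64]$_.'Last Failure Status')
            [pscustomobject]@{
                Source   = $_.'Source DSA'
                Dest     = $_.'Destination DSA'
                NC       = $_.'Naming Context'
                Failures = [int]$_.'Number of Failures'
                Code     = $d.Hex
                Message  = $d.Message
                Verdict  = $d.Verdict
            }
        }
}

$csv      = if ($Live) { (repadmin /showrepl * /csv) -join "`n" } else { $SampleCsv }
$failures = @(Get-ReplFailure $csv)
$failures | Format-Table Source, Dest, NC, Failures, Code, Message -AutoSize

# The tell-tale pattern from the thread: every failing link shares one SOURCE DC and at
# least one of its failures is 0x80090322. Inbound replication TO that DC can still look
# clean (as DC1's own repadmin output did), so always read the partners' view as well.
$suspects = $failures | Where-Object { $_.Code -eq '0x80090322' } |
            Select-Object -ExpandProperty Source -Unique
foreach ($dc in $suspects) {
    "Suspect: $dc. Reset its secure channel FROM $dc against a healthy DC " +
    "(netdom resetpwd /server:<healthy DC> ...); do not run the reset on the healthy DC."
}
```

Before resetting anything, rule out the two other causes of the same code: `setspn -X` (Windows Server 2008 and later) lists duplicate SPNs, and `nslookup DC1` from the failing site confirms the name resolves to the host that actually holds DC1's machine account.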
No. Most of the KBs out there have inherited text based on NT4's PDC/BDC model, where the machine account password was held by the PDC. This is not the case post-Win2000.
If DC1 has problems, you set a healthy DC in the /server switch, like:
netdom resetpwd /server:DC2....
You do all the work on DC1. The PAQ I posted was just like this one: the PDCe had a faulty password. See the last post in that PAQ.
ASKER
@mkline71
I plan on trying the password reset you referenced, but I have to wait for a window of availability which most likely won't come until end of business hours EST.
Below is the output from repadmin /showreps on DC1.
DC1-Site\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 71e46f2c-0441-4291-9fe6-fcbc4484e082
DSA invocationID: c61d9ce2-4f57-4da5-a25b-48b144b8282f

==== INBOUND NEIGHBORS ======================================

DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

CN=Configuration,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

DC=DomainDnsZones,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

DC=ForestDnsZones,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.
ASKER
@snusgubben
My fault, I should have read that more thoroughly. Thank you. Like I said above, I'll be attempting this as soon as I get a green light to bounce DC1.
OK, let us know how the reboot/reset goes. The good news is that your AD replication is working fine (per the repadmin output).
ASKER
Following the instructions to reset the secure channel seems to have done the trick. After resetting the password and restarting the KDC service, the issues I had been seeing began clearing up. Replication is now successful between all domain controllers, dcdiag is clean, and all resources on DC1 (including LDAP bind) are now reachable by server name.
Thank you both for your help in resolving this issue.
ASKER
Thanks for that information. The technet blog post referenced in the thread you provided suggests the following:
"If you encounter the above behavior or error messages, suggest first reset secure channel. On the computer that are experiencing this issue, disable the Kerberos Key Distribution Center service (KDC) and then restart the computer. After the computer restarts, use the Netdom utility to reset the secure channels between the computer and the PDC Emulator operations master role holder. To do so, run the following command from the computer other than the PDC Emulator operations master role holder:
netdom resetpwd /server:server_name /userd:domain_name\adminis
Where server_name is the name of the server that is the PDC Emulator operations master role holder."
So just to clarify: in my case, since the problem DC (DC1) is also the PDC owner, I would need to
1. disable the KDC service
2. reboot
3. run the following command from DC1, where 'administrator' is a domain admin account and 'administrator_password' is the password for that domain admin account?
netdom resetpwd /server:DC1 /userd:domain_name\adminis
4. set the KDC service to automatic and start it.
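The four steps above are the procedure that resolved the thread, with one correction that snusgubben's reply earlier on the page makes: `netdom resetpwd` resets the machine-account password of the DC it is run on and writes it to the DC named in `/server`, so it runs on the broken DC (DC1) and `/server` must name a different, healthy DC (DC2), not DC1 itself. The following PowerShell is an added example, not code from the thread or from Microsoft: a two-stage runbook that encodes those steps with the pre-flight checks a practitioner would want. `DC2` as the healthy partner, `DOMAIN\administrator` as the admin account and the service name `Kdc` are assumptions.

```powershell
<#
Added example, not from the original thread: secure-channel reset for a domain controller
whose machine-account password is out of sync. Run ON the affected DC (DC1 in the thread).
-Stage PreReboot  : disable and stop the KDC, then reboot.
-Stage PostReboot : netdom resetpwd against a healthy DC, re-enable the KDC, verify.
Assumptions: DC2 is a healthy DC, DOMAIN\administrator is a Domain Admin.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)][ValidateSet('PreReboot','PostReboot')][string]$Stage,
    [string]$HealthyDc = 'DC2',
    [string]$AdminUser = 'DOMAIN\administrator'
)

function Assert-Preconditions {
    # Must run on a DC, and the partner must be a DIFFERENT DC that answers LDAP by name.
    # Test by name on purpose: a name-based bind exercises Kerberos, an IP would fall back to NTLM.
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole   # 4 = backup DC, 5 = primary DC
    if ($role -lt 4) { throw 'Run this on the affected domain controller, not a member server.' }
    if ($HealthyDc -ieq $env:COMPUTERNAME) { throw '/server must name a different, healthy DC.' }
    try   { $null = ([ADSI]"LDAP://$HealthyDc/RootDSE").defaultNamingContext }
    catch { throw "LDAP bind to $HealthyDc by name failed: $_" }
}

function Invoke-PreReboot {
    Assert-Preconditions
    # The blog post quoted in the thread has the KDC disabled before the reset so that, after
    # the reboot, this DC authenticates through another DC's KDC rather than its own.
    Set-Service  -Name Kdc -StartupType Disabled
    Stop-Service -Name Kdc -Force
    Restart-Computer -Force
}

function Invoke-PostReboot {
    Assert-Preconditions
    if ((Get-Service -Name Kdc).Status -ne 'Stopped') {
        throw 'KDC is still running; run -Stage PreReboot first.'
    }
    # /passwordd:* makes netdom prompt interactively, so the Domain Admin password never
    # appears on the command line, in PowerShell history or in process listings.
    netdom resetpwd /server:$HealthyDc /userd:$AdminUser /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    Set-Service   -Name Kdc -StartupType Automatic
    Start-Service -Name Kdc
    Test-Recovery
}

function Test-Recovery {
    # The thread's own success criteria: partners replicate from this DC, the FSMO holder
    # answers DS RPC and LDAP binds, and the DC is reachable by NAME.
    klist purge | Out-Null                      # drop tickets minted under the old key
    repadmin /showrepl * /errorsonly             # partners' view, not just inbound to this DC
    dcdiag /test:KnowsOfRoleHolders /test:Replications /test:NCSecDesc
    $null = ([ADSI]"LDAP://$env:COMPUTERNAME/RootDSE").dnsHostName
    "LDAP bind to $env:COMPUTERNAME by name succeeded."
}

switch ($Stage) {
    'PreReboot'  { Invoke-PreReboot }
    'PostReboot' { Invoke-PostReboot }
}
```

Run `.\Reset-DcSecureChannel.ps1 -Stage PreReboot` on DC1, then `-Stage PostReboot` after it comes back; finish by repeating the original `dcdiag` from a DC in another site and the `\\DC1\share$` test from the site that first reported the problem, since those are the two symptoms the thread started with.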