
Replication Failure - The target Principal Name is Incorrect

Posted on 2011-03-03
Last Modified: 2012-05-11

Hello All,

An issue was recently brought to my attention when an onsite tech was not able to access resources on a remote server by UNC path when using the server name (\\DC1\share$). Substituting the server's IP address did allow access to the share.
This network has 5 buildings, each building housing its own DC in its own AD site. While troubleshooting I found the following to be true; I'll use DC1 to reference the server which seems to be the culprit.

- DC1 holds all FSMO roles.

- DC1 can be accessed by name only from its local site; all other sites cannot access DC1 by name, but can access it by IP. Pings work by name and IP between all sites.

- dcdiag on DC1 shows no failures; running dcdiag on one of the other DCs shows the following:
           An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         ......................... DC2 failed test KccEvent
         [DC1] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         Warning: DC1 is the Schema Owner, but is not responding to DS RPC
         Bind.
         [DC1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: DC1 is the Schema Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the Domain Owner, but is not responding to DS RPC
         Bind.
         Warning: DC1 is the Domain Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the PDC Owner, but is not responding to DS RPC
         Bind.
         Warning: DC1 is the PDC Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the Rid Owner, but is not responding to DS RPC
         Bind.
         Warning: DC1 is the Rid Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the Infrastructure Update Owner, but is not
         responding to DS RPC Bind.
         Warning: DC1 is the Infrastructure Update Owner, but is not
         responding to LDAP Bind.
         ......................... DC2 failed test KnowsOfRoleHolders
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=DOMAIN,DC=local
         ......................... DC2 failed test NCSecDesc
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.

- repadmin shows replication failure to DC1 with the following error:
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.
Question by: CCLProTech
Accepted Solution by snusgubben (ID: 35028971):
Sounds like it's a problem with the Secure Channel on DC1.

I participated in a similar thread: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26810356.html
Assisted Solution by Mike Kline (ID: 35029013):
What does repadmin /showreps show on DC1? (want to see how long since last replication cycle)

Have you seen this article about resetting the password http://support.microsoft.com/default.aspx?scid=kb;EN-US;288167

Thanks

mike
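Added example, not part of the thread: a PowerShell triage that answers the questions asked above (which replication links fail, with what error, and whether DC1's secure channel checks out) before anyone reboots a DC. It shells out to repadmin, certutil and nltest, which are present on any domain controller; DOMAIN, DC1 and the other DC names are the thread's placeholders. The symptom pattern is itself a clue: a UNC path by hostname negotiates Kerberos against the DC's service principal name and fails when the DC's machine-account key is out of step with the directory, while a UNC path by IP address falls back to NTLM on Windows of this era and succeeds.

```powershell
param(
    [string]$Domain    = 'DOMAIN',  # NetBIOS domain name; placeholder from the thread
    [string]$SuspectDc = 'DC1'      # the DC nobody outside its site can bind to
)

# 1. Every inbound replication link in the forest as CSV, reduced to the ones
#    that are failing. 'Last Failure Status' is the decimal error code, so the
#    thread's 0x80090322 shows up here as -2146893022.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$failed | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                        'Number of Failures', 'Last Failure Time', 'Last Success Time',
                        'Last Failure Status' | Format-Table -AutoSize

# 2. Decode each distinct failure code. certutil knows the SEC_E_* HRESULTs that
#    repadmin only prints as numbers.
$failed | Select-Object -ExpandProperty 'Last Failure Status' -Unique | ForEach-Object {
    $hex = '0x{0:X8}' -f [int]$_
    "$_ ($hex): " + ((certutil -error $hex | Select-Object -First 2) -join ' ')
}

# 3. Is the problem one-sided? In the thread DC1 pulls from DC2/DC3 fine but the
#    others cannot pull from DC1: failures with DC1 as *source* and none with DC1
#    as *destination* point at DC1's own secure channel, not at the network.
$asSource = @($failed | Where-Object { $_.'Source DSA'      -eq $SuspectDc }).Count
$asDest   = @($failed | Where-Object { $_.'Destination DSA' -eq $SuspectDc }).Count
"Failing links with $SuspectDc as source: $asSource; as destination: $asDest"

# 4. Ask the suspect DC to verify its own secure channel. A healthy DC reports
#    NERR_Success; anything else confirms the diagnosis before the reset.
nltest /server:$SuspectDc /sc_verify:$Domain
```

Run it from a healthy DC (DC2 or DC3 in the thread). If step 3 shows failures only with DC1 as the source and step 4 does not end in NERR_Success, the fix is the secure-channel reset discussed below in the thread; if failures are scattered across sources and destinations, look at DNS and RPC connectivity first.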

Author Comment by CCLProTech (ID: 35029142):
@snusgubben

Thanks for that information. The technet blog post referenced in the thread you provided suggests the following:

"If you encounter the above behavior or error messages, suggest first reset secure channel. On the computer that is experiencing this issue, disable the Kerberos Key Distribution Center service (KDC) and then restart the computer. After the computer restarts, use the Netdom utility to reset the secure channels between the computer and the PDC Emulator operations master role holder. To do so, run the following command from the computer other than the PDC Emulator operations master role holder:
 
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
 
Where server_name is the name of the server that is the PDC Emulator operations master role holder."


So just to clarify - In my case since the problem DC (DC1) is also the PDC owner, I would need to
1. disable the KDC service
2. reboot
3. run the following command from DC1, where 'administrator' is a domain admin account and 'administrator_password' is the password for that domain admin account?

netdom resetpwd /server:DC1 /userd:domain_name\administrator /passwordd:administrator_password

4. set the KDC service to automatic and start it.


Expert Comment by snusgubben (ID: 35029202):
No. Most of the KBs out there have inherited text based on NT4's PDC/BDC model, where the machine account password was held by the PDC. This is not the case post-Windows 2000.

If DC1 has problems, you set a healthy DC in the /server switch, like:

netdom resetpwd /server:DC2....

You do all the work on DC1. The PAQ I posted was just like here. The PDCe had a faulty password. See the last post in that PAQ.

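The procedure above, as an added PowerShell example that is not the thread's own code, written the way snusgubben corrects it: run it on the broken DC (DC1) and point /server: at a healthy DC (DC2 here), never at DC1 itself even though DC1 holds the PDC emulator role. It assumes an elevated PowerShell on DC1 with netdom, repadmin, nltest and dcdiag available, a maintenance window (it reboots the DC), and the thread's placeholder names DOMAIN, DC1 and DC2. Because the reset straddles a reboot it is split into two phases, -Phase Prepare before the reboot and -Phase Reset after it.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Prepare', 'Reset')]
    [string]$Phase,
    [string]$HealthyDc = 'DC2',      # assumption: any DC whose replication is clean
    [string]$Domain    = 'DOMAIN'    # NetBIOS domain name; placeholder from the thread
)

switch ($Phase) {
    'Prepare' {
        # Phase 1 (on DC1): stop the local KDC from issuing tickets under the stale
        # machine-account key, then reboot. The service name of the Kerberos Key
        # Distribution Center is 'kdc'.
        Set-Service -Name kdc -StartupType Disabled
        Restart-Computer -Force
    }
    'Reset' {
        # Phase 2 (on DC1, after the reboot, KDC still disabled): reset this DC's
        # machine-account password against the HEALTHY DC. '*' makes netdom prompt
        # for the admin password instead of leaving it in the command line.
        $adminUser = "$Domain\administrator"
        netdom resetpwd /server:$HealthyDc /userd:$adminUser /passwordd:*
        if ($LASTEXITCODE -ne 0) {
            throw "netdom resetpwd failed with exit code $LASTEXITCODE; KDC left disabled"
        }

        # Bring the KDC back, then push the new password to every partition and DC
        # before anyone asks DC1 for a ticket (A=all partitions, d=by DN, e=forest, P=push).
        Set-Service -Name kdc -StartupType Automatic
        Start-Service -Name kdc
        repadmin /syncall /AdeP

        # Verification: secure channel, forest-wide replication summary, and the
        # role-holder test that failed in the thread, run from the healthy DC's view.
        nltest /sc_verify:$Domain
        repadmin /replsummary
        dcdiag /s:$HealthyDc /test:KnowsOfRoleHolders
    }
}
```

Saved as Reset-DcSecureChannel.ps1: `.\Reset-DcSecureChannel.ps1 -Phase Prepare`, log back in after the reboot, then `.\Reset-DcSecureChannel.ps1 -Phase Reset -HealthyDc DC2`. The KDC stays disabled until the new password has been accepted by the healthy DC so that DC1 cannot hand out tickets under the old key in between, and the script refuses to re-enable it if netdom fails.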
Author Comment by CCLProTech (ID: 35029221):
@mkline71

I plan on trying the password reset you referenced, but I have to wait for a window of availability, which most likely won't come until end of business hours EST.

Below is the output from repadmin /showreps on DC1.

DC1-Site\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 71e46f2c-0441-4291-9fe6-fcbc4484e082
DSA invocationID: c61d9ce2-4f57-4da5-a25b-48b144b8282f

==== INBOUND NEIGHBORS ======================================

DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

CN=Configuration,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

DC=DomainDnsZones,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

DC=ForestDnsZones,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

Author Comment by CCLProTech (ID: 35029263):
@snusgubben

My fault, I should have read that more thoroughly. Thank you. Like I said above, I'll be attempting this as soon as I get a green light to bounce DC1.
Expert Comment by Mike Kline (ID: 35030143):
OK, let us know how the reboot/reset goes. The good news is that your AD replication is working fine (repadmin output).

Author Comment by CCLProTech (ID: 35036426):
Following the instructions to reset the secure channel seems to have done the trick. After resetting the pwd and restarting the KDC service, issues that I have been seeing began clearing up. Replication is now successful between all domain controllers, dcdiag is clean, and all resources on DC1 (including LDAP bind) are now reachable by server name.

Thank you both for your help in resolving this issue.
