[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5661
  • Last Modified:

Replication Failure - The target Principal Name is Incorrect


Hello All,

An issue was recently brought to my attention when an onsite tech was not able to access resources on a remote server by UNC path when using the server name (\\DC1\share$). Substituting the server's IP address did allow access to the share.
This network has 5 buildings, each building housing it's own DC in it's own AD site. While troubleshooting I found the following to be true, I'll use DC1 to reference the server which seems to be the culprit.

- DC1 holds all FSMO roles.

- DC1 can be accessed by name only from it's local site, all other sites can not access DC1 by name, but can access it by IP. Pings work by name and IP between all sites.

- dcdaig on DC01 shows no failures, running dcdiag on one of the other DCs shows the following
           An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 03/03/2011   11:17:29
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 03/03/2011   11:17:29
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
         ......................... DC2 failed test KccEvent
         [DC1] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         Warning: DC1 is the Schema Owner, but is not responding to DS RPC
         Bind.
         [DC1] LDAP bind failed with error 8341,
         A directory service error has occurred..
         Warning: DC1 is the Schema Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the Domain Owner, but is not responding to DS RPC
         Bind.
         Warning: DC1 is the Domain Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the PDC Owner, but is not responding to DS RPC
         Bind.
         Warning: DC1 is the PDC Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the Rid Owner, but is not responding to DS RPC
         Bind.
         Warning: DC1 is the Rid Owner, but is not responding to LDAP
         Bind.
         Warning: DC1 is the Infrastructure Update Owner, but is not
         responding to DS RPC Bind.
         Warning: DC1 is the Infrastructure Update Owner, but is not
         responding to LDAP Bind.
         ......................... DC2 failed test KnowsOfRoleHolders
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=DOMAIN,DC=local
         ......................... DC2 failed test NCSecDesc
         [Replications Check,DC2] A recent replication attempt failed:
            From DC1 to DC2
            Naming Context: DC=ForestDnsZones,DC=DOMAIN,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.

- repadmin shows replication failure to DC1 with the following error
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.
0
CCLProTech
Asked:
CCLProTech
  • 4
  • 2
  • 2
2 Solutions
 
snusgubbenCommented:
Sounds like it's a problem with the Secure Channel on DC1.

I participated in a similar thread: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26810356.html
0
 
Mike KlineCommented:
What does repadmin /showreps show on DC1? (want to see how long since last replication cycle)

Have you seen this article about resetting the password http://support.microsoft.com/default.aspx?scid=kb;EN-US;288167

Thanks

mike
0
 
CCLProTechAuthor Commented:
@snusgubben

Thanks for that information. The technet blog post referenced in the thread you provided suggests the following:

"If you encounter the above behavior or error messages, suggest first reset secure channel. On the computer that are experiencing this issue, disable the Kerberos Key Distribution Center service (KDC) and then restart the computer. After the computer restarts, use the Netdom utility to reset the secure channels between the computer and the PDC Emulator operations master role holder. To do so, run the following command from the computer other than the PDC Emulator operations master role holder:
 
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
 
Where server_name is the name of the server that is the PDC Emulator operations master role holder."


So just to clarify - In my case since the problem DC (DC1) is also the PDC owner, I would need to
1. disable the KDC service
2. reboot
3. run the following command from DC1, where 'administrator' is a domain admin account and 'administrator_password' is the password for that domain admin account?

netdom resetpwd /server:DC1 /userd:domain_name\administrator /passwordd:administrator_password

4. set the KDC service to automatic and start it.


0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
snusgubbenCommented:
No. Most of the KB out there has inherit the text based on NT4's PDC/BDC where the machine account password was held by the PDC. This is not the case on post Win2000.

If DC1 has problems you set a health DC in the server switch, like;

netdom resetpwd /server:DC2....

You do all the work on DC1. The PAQ I posted was just like here. The PDCe had a faulty password. See the last post in that PAQ.

0
 
CCLProTechAuthor Commented:
@mkline71

I plan on trying the password reset you referenced, but I have to wait for a window of availability which most likely won't come until end of business hours EST.  

Below is the output from repadmin /showreps on DC1.

DC1-Site\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 71e46f2c-0441-4291-9fe6-fcbc4484e082
DSA invocationID: c61d9ce2-4f57-4da5-a25b-48b144b8282f

==== INBOUND NEIGHBORS ======================================

DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

CN=Configuration,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

DC=DomainDnsZones,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.

DC=ForestDnsZones,DC=DOMAIN,DC=local
    DC3-Site\DC3 via RPC
        DSA object GUID: 2e298ac9-600d-4e45-b0ee-661a4fe179c5
        Last attempt @ 2011-03-03 11:36:35 was successful.
    DC2-Site\DC2 via RPC
        DSA object GUID: fd36dce5-c6f5-403e-9de7-dc22f53cf2ac
        Last attempt @ 2011-03-03 12:06:35 was successful.
0
 
CCLProTechAuthor Commented:
@snusgubben

My fault, I should have read that more thoroughly. Thank you. Like I said above, I'll be attempting this as soon as I get a green light to bounce DC1.
0
 
Mike KlineCommented:
ok let us know how the reboot/reset goes.  The good news is that your AD replication is working fine (repadmin output)
0
 
CCLProTechAuthor Commented:
Following the instructions to reset the secure channel seems to have done the trick. After resetting the pwd and restarting the KDC service, issues that I have been seeing began clearing up. Replication is now successful between all domain controllers, dcdiag is clean, and all resources on DC1 (including LDAP bind) are now reachable by server name.

Thank you both for your help in resolving this issue.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now