JeffNoelFPA (United States of America) asked:
Active Directory Replication woes

Hello--

I have a Server 2008 R2 Active Directory Domain with a hub-spoke VPN design across 18 locations. 16 of the servers connect and replicate with Serv1 with no issue. Serv17 will not, and the culprits are good ol' Event IDs #4 and #1311.

There are no firewalls stopping this connection.

On S1, I can reach \\S17 without issue. The reverse is not true (I get "The target account name is incorrect."), but I can access \\S1_IPAddress without issue. S17 was configured onsite with S1 (along with the other servers), and it has only been 45 days, so things haven't tombstoned.

I have entered the DNS configuration manually using a functioning server as a guide (doing this actually got DNS resolution working from S1 to S17), and I have done everything in the KB and on TechNet related to these error messages, but none of the resolutions work.

Demoting the server fails with the same "Target account name is incorrect." message.

I feel I am missing something simple, and need some direction here. What information do I need to post, keeping in mind that there are 16 servers that work?

Thanks in advance.
Amit:
Download the PortQry GUI tool and run the domain trust test. Check the result.
JeffNoelFPA (asker):
From which server?
From Server 17 to Server 1.
Do you want the output posted here, or attached?
This might be due to the secure channel on S1 being broken. Kindly perform the steps below on the S1 DC.

http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

Secure channel between the DCs broken:

Follow these steps to reset the KDC password:

1. Stop the Key Distribution Center (KDC) service on Server2. To do so, open a Command Prompt, type net stop KDC, and press Enter.

2. Load Kerbtray.exe. You can do so by clicking Start, clicking Run, and then typing c:\program files\resource kit\kerbtray.exe and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

3. Purge the ticket cache on Server2: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

4. Reset the Server domain controller account password on Server1 (the PDC emulator). To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then press Enter.

6. Start the KDC service on Server2. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process, and the domain controllers should be replicating successfully now.
Won't resetting the password on S1 break the 15 other connections that are currently working?
You are getting the error "Logon Failure: target account name is incorrect". This indicates that the secure channel between the DCs is broken. As Sarang suggested, you need to reset it to fix the issue.

See this similar thread
Kerberos Event ID 4 (KRB_AP_ERR_Modified)
http://social.technet.microsoft.com/Forums/windowsserver/en-US/f8a93cde-f1de-47b6-b85a-781c795825f7/kerberos-event-id-4-krbaperrmodified
Thank you for the reference. I've been reluctant to take that step on S1.

Here's an odd question: Is there a way to stop the KDC on the 15 other servers without having to remote into each of them?
You don't need to stop the KDC on all the other servers. Stopping the KDC on just S1 will do.

1. Stop the Key Distribution Center (KDC) service on S1 (faulty server).
2. Purge the ticket cache on S1: run kerbtray.
3. Log in to the PDC server and execute the reset. Open a command prompt and type: netdom /resetpwd /server:s1 /userd:domain.com\administrator /passwordd:password, and then press Enter.
I was going by this on that thread you posted.

"You need to purge the ticket on the problematic DC and stop the KDC on all DCs except the PDC role holder server, and run the netdom command on the PDC role holder server.

Once the command is executed successfully, run repadmin /syncall /AdeP on the problematic DC and the PDC role holder server. Start the KDC on all DCs and then try to access the share; if the SYSVOL share is available, this indicates that the secure channel is reset correctly. Also force the replication between DCs and check if you are facing any issue. Run dcdiag /q and repadmin /replsum to check for any errors on the problematic DC."

Thanks for clarifying. I'll try that when the business is closed for the day.
What is the primary DNS configured on the S17 server? Please make sure it is configured to S1 (if it is reachable by ping) or any other server that it is able to reach. Also run ipconfig /flushdns and ipconfig /registerdns on S17, wait for some time, and check that name resolution from S17 to S1 is working with nslookup.
As you have a hub-and-spoke topology and all sites are only communicating with the hub site server, there is no need to stop the KDC on all DCs. Just stop it on the problematic DC and execute the reset command on the PDC server (assuming it is in the hub site).
On S1 (hub server and PDC emulator)
Net stop kdc
Run kerbtray and purge the one ticket
Reset password

On S17
Net stop kdc
Run kerbtray and purge the three tickets
Reset password
Restarted server
Still cannot connect to S1 "The target account name is incorrect."
Re-ran kerbtray
Same tickets there as before.

Thoughts?
ASKER CERTIFIED SOLUTION by Sandesh Dubey (content not available on this page).
The issue has been resolved. Thank you for clarifying things-- most solutions do not.