Solved

How do I recover from "The principal target name not found" error?

Posted on 2014-12-15
3
75 Views
Last Modified: 2015-06-29
A little bit of preface:

This DC has been down for approximately 6 months.  Our domain/forest Tombstone Lifetime is set to 365 days.  Upon attempting to replicate, I get the:

Last attempt @ 12/14/2014 14:53:29 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.


I have followed the steps outline in the following Microsoft KB:

http://support.microsoft.com/kb/2090913

1) A bad name to IP mapping in DNS, WINS, HOST or LMHOST file caused the destination DC to connect to the wrong source DC in the same Kerberos realm.

I checked all DNS, hostfiles, etc. there are no instances of bad name to IP mapping.  Using the nslookup and nbtstat I verified that the FQDN and GUID resolve to the proper source/destination DC's from all DC's in my domain.

2) A bad name to IP mapping in DNS, WINS, HOST or LMHOST file caused the destination DC to connect to the wrong source DC in a different Kerberos realm.

See above answer.

3) The Kerberos target computer (source DC) was unable to decrypt Kerberos authentication data sent by the Kerberos client (destination DC) because the KDC and source DC have different versions of the source DCs computer account password.

I attempted to purge the klist and reset the machine password at least 10 times, with no changes to the situation.  I attempted all the steps with the required reboots and without reboots, no changes.

4) The KDC could not find a domain to look for the source DCs SPN

The machine was able to resolve a KDC for the domain using both the DNS and DS get commands.

5) Authentication data in Kerberos encrypted frames were modified by hardware (including network devices), software or an attacker.

Unlikely as our system is a closed one, no connection to the internet, and firewall/vpn encryption between sites containing DCs.

I've reached the end of my rope, and am considering demoting the DC and re-promoting.  Is this necessary, or is there an easier way to fix this?
0
Comment
Question by:khibrahim
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 10

Accepted Solution

by:
Walter Padrón earned 500 total points
ID: 40501235
Troubleshooting AD Replication error -2146893022: The target principal name is incorrect.  https://support.microsoft.com/kb/2090913

Most of the time the DC account cannot  authenticate, from this KB

The "netdom resetpwd /server:<DC to direct password change to> /userd:<user name> /passwordd:<password> command executed from an admin-privileged CMD prompt on the console of the DC needing a password reset can be used to reset DC machine account passwords.

In my experience, sometimes, no matter what you try you never recover from this error and a demotion/promotion is the only way.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40856623
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question