A little bit of preface:
This DC has been down for approximately 6 months. Our domain/forest Tombstone Lifetime is set to 365 days. Upon attempting to replicate, I get the:
Last attempt @ 12/14/2014 14:53:29 failed, result -2146893022 (0x80090322):
The target principal name is incorrect.
I have followed the steps outlined in the following Microsoft KB:
1) A bad name to IP mapping in DNS, WINS, HOST or LMHOST file caused the destination DC to connect to the wrong source DC in the same Kerberos realm.
I checked all DNS, hosts files, etc.; there are no instances of bad name to IP mapping. Using nslookup and nbtstat, I verified that the FQDN and GUID resolve to the proper source/destination DCs from all DCs in my domain.
2) A bad name to IP mapping in DNS, WINS, HOST or LMHOST file caused the destination DC to connect to the wrong source DC in a different Kerberos realm.
See above answer.
3) The Kerberos target computer (source DC) was unable to decrypt Kerberos authentication data sent by the Kerberos client (destination DC) because the KDC and source DC have different versions of the source DC's computer account password.
I attempted to purge the klist and reset the machine password at least 10 times, with no changes to the situation. I attempted all the steps with the required reboots and without reboots; no changes.
4) The KDC could not find a domain to look for the source DC's SPN
The machine was able to resolve a KDC for the domain using both the DNS and DS get commands.
5) Authentication data in Kerberos encrypted frames were modified by hardware (including network devices), software or an attacker.
Unlikely, as our system is a closed one, with no connection to the internet, and firewall/VPN encryption between sites containing DCs.
I've reached the end of my rope, and am considering demoting the DC and re-promoting. Is this necessary, or is there an easier way to fix this?