Solved

The target principal name is incorrect when replicating from one DC to another

Posted on 2015-01-22
10
110 Views
Last Modified: 2015-02-02
Using SItes and Service in an effort to resolve replication issues between two DC, I get the error:

The following error occured during the attempt to syncronize naming context XXX.net from Domain Controller NETOPS to Domaing Controller FILES: The target principal is incorrect. The operation will not continue.

How can I address this?
0
Comment
Question by:pstiffsae
  • 6
  • 4
10 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40564526
I would also suggest running the following commands as well.

DCDIAG /v
repadmin /replsum
repadmin /showrepl

Microsoft has an KB article to correct the above error you are experiencing.
http://support.microsoft.com/kb/2090913

Will.
0
 

Author Comment

by:pstiffsae
ID: 40564534
objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=FILES,CN=Servers,CN=De
fault-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILES
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... FILES passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILES
      Starting test: Advertising
         The DC FILES is advertising itself as a DC and having a DS.
         The DC FILES is advertising as an LDAP server
         The DC FILES is advertising as having a writeable directory
         The DC FILES is advertising as a Key Distribution Center
         Warning: FILES is not advertising as a time server.
         The DS FILES is advertising as a GC.
         ......................... FILES failed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occurred.  EventID: 0x800034C5
            Time Generated: 01/22/2015   10:53:32
            Event String:
            The File Replication Service has enabled replication from NETOPS to
FILES for c:\windows\sysvol\domain after repeated retries.
         ......................... FILES passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... FILES passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... FILES passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 min
utes.
         ......................... FILES passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-Fi
rst-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Domain Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-Fi
rst-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role PDC Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Rid Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=NETOPS,CN=Server
s,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         ......................... FILES passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC FILES on DC FILES.
         * SPN found :LDAP/FILES.XXX.net/XXX.net
         * SPN found :LDAP/FILES.XXX.net
         * SPN found :LDAP/FILES
         * SPN found :LDAP/FILES.XXX.net/SIGMA
         * SPN found :LDAP/e9329d5b-3169-4818-84aa-3f6f089e2f32._msdcs.XXX.net
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e9329d5b-3169-4818-84
aa-3f6f089e2f32/XXX.net
         * SPN found :HOST/FILES.XXX.net/XXX.net
         * SPN found :HOST/FILES.XXX.net
         * SPN found :HOST/FILES
         * SPN found :HOST/FILES.XXX.net/SIGMA
         * SPN found :GC/FILES.XXX.net/XXX.net
         ......................... FILES passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC FILES.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=XXX,DC=net
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=XXX,DC=net
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=XXX,DC=net
            (Domain,Version 3)
         ......................... FILES passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\FILES\netlogon
         Verified share \\FILES\sysvol
         ......................... FILES passed test NetLogons
      Starting test: ObjectsReplicated
         FILES is in domain DC=XXX,DC=net
         Checking for CN=FILES,OU=Domain Controllers,DC=XXX,DC=net in domain DC=
XXX,DC=net on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=FILES,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net in domain CN=Configuration,DC=XXX,
DC=net on 1 servers
            Object is up-to-date on all servers.
         ......................... FILES passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=XXX,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=DomainDnsZones,DC=XXX,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         ......................... FILES passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 6103 to 1073741823
         * NetOps.XXX.net is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 5603 to 6102
         * rIDPreviousAllocationPool is 5603 to 6102
         * rIDNextRID: 5644
         ......................... FILES passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... FILES passed test Services
      Starting test: SystemLog
         * The System Event log test
         An Error Event occurred.  EventID: 0x40000004
            Time Generated: 01/22/2015   10:45:27
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver netops$. The target name used was SIGMA\NETOPS$. This indicates that the ta
rget server failed to decrypt the ticket provided by the client. This can occur
when the target server principal name (SPN) is registered on an account other th
an the account the target service is using. Please ensure that the target SPN is
 registered on, and only registered on, the account used by the server. This err
or can also happen when the target service is using a different password for the
 target service account than what the Kerberos Key Distribution Center (KDC) has
 for the target service account. Please ensure that the service on the server an
d the KDC are both updated to use the current password. If the server name is no
t fully qualified, and the target domain (XXX.NET) is different from the client
domain (XXX.NET), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.
         An Error Event occurred.  EventID: 0x40000004
            Time Generated: 01/22/2015   10:46:56
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver netops$. The target name used was LDAP/FAEEDD75-072F-46ED-9693-0A112389D002
._msdcs.XXX.net. This indicates that the target server failed to decrypt the tic
ket provided by the client. This can occur when the target server principal name
 (SPN) is registered on an account other than the account the target service is
using. Please ensure that the target SPN is registered on, and only registered o
n, the account used by the server. This error can also happen when the target se
rvice is using a different password for the target service account than what the
 Kerberos Key Distribution Center (KDC) has for the target service account. Plea
se ensure that the service on the server and the KDC are both updated to use the
 current password. If the server name is not fully qualified, and the target dom
ain (XXX.NET) is different from the client domain (XXX.NET), check if there are
identically named server accounts in these two domains, or use the fully-qualifi
ed name to identify the server.
         An Warning Event occurred.  EventID: 0x8000001D
            Time Generated: 01/22/2015   10:47:24
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         An Warning Event occurred.  EventID: 0x8000001D
            Time Generated: 01/22/2015   10:52:19
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         ......................... FILES failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=FILES,OU=Domain Controllers,DC=XXX,DC=net and backlink on
         CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=XXX,DC=net
         are correct.
         The system object reference (serverReferenceBL)
         CN=FILES,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=XXX,DC=net
         and backlink on
         CN=NTDS Settings,CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=XXX,DC=net
         are correct.
         ......................... FILES passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : XXX
      Starting test: CheckSDRefDom
         ......................... XXX passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... XXX passed test CrossRefValidation

   Running enterprise tests on : XXX.net
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\FILES.XXX.net
         Locator Flags: 0xe00011bc
         PDC Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         Time Server Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         Preferred Time Server Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         KDC Name: \\FILES.XXX.net
         Locator Flags: 0xe00011bc
         ......................... XXX.net passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... XXX.net passed test Intersite

C:\Users\Administrator.SIGMA>
0
 

Author Comment

by:pstiffsae
ID: 40564535
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.SIGMA>repadmin /replsum
Replication Summary Start Time: 2015-01-22 10:56:57

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 FILES                     02m:06s    0 /   5    0
 NETOPS                    02m:23s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 FILES                     02m:24s    0 /   5    0
 NETOPS                    02m:08s    0 /   5    0



C:\Users\Administrator.SIGMA>
0
 

Author Comment

by:pstiffsae
ID: 40564538
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.SIGMA>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\FILES
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: e9329d5b-3169-4818-84aa-3f6f089e2f32
DSA invocationID: 0a9abbfa-51e4-41b0-b161-afd1f960cf1b

==== INBOUND NEIGHBORS ======================================

DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:56:20 was successful.

CN=Configuration,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:55:04 was successful.

CN=Schema,CN=Configuration,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:54:34 was successful.

DC=DomainDnsZones,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:55:07 was successful.

DC=ForestDnsZones,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:54:34 was successful.

Source: Default-First-Site-Name\NETOPS
******* 7113 CONSECUTIVE FAILURES since 2015-01-12 23:20:50
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40564564
Ok so based on the out-put are are still getting the same error message. Follow link KB in my first post to correct this issue.

Will.
0
 

Author Comment

by:pstiffsae
ID: 40564577
Doing so and will report back - appreciate the help
0
 

Author Comment

by:pstiffsae
ID: 40564587
Done. On backup server, I can force the replication. Any where to check on the event viewer?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40564606
If you have done the changes in the KB article i would run the following commands again make sure that they are clean with no issues. Also looking in the event viewer as well for errors/warnings would be beneficial.

Will.
0
 

Author Comment

by:pstiffsae
ID: 40564611
I ran DCDIAG after and it came up with zero fails. I'll keep monitoring this today. Thanks!
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40564623
Perfect, glad it worked for you.

Will.
0

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now