Patrick asked:

The target principal name is incorrect when replicating from one DC to another

Using Sites and Services in an effort to resolve replication issues between two DCs, I get the error:

The following error occurred during the attempt to synchronize naming context XXX.net from Domain Controller NETOPS to Domain Controller FILES: The target principal name is incorrect. The operation will not continue.

How can I address this?
ASKER CERTIFIED SOLUTION
Will Szymkowski
Patrick (ASKER):

objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=FILES,CN=Servers,CN=De
fault-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\FILES
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... FILES passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\FILES
      Starting test: Advertising
         The DC FILES is advertising itself as a DC and having a DS.
         The DC FILES is advertising as an LDAP server
         The DC FILES is advertising as having a writeable directory
         The DC FILES is advertising as a Key Distribution Center
         Warning: FILES is not advertising as a time server.
         The DS FILES is advertising as a GC.
         ......................... FILES failed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occurred.  EventID: 0x800034C5
            Time Generated: 01/22/2015   10:53:32
            Event String:
            The File Replication Service has enabled replication from NETOPS to
FILES for c:\windows\sysvol\domain after repeated retries.
         ......................... FILES passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... FILES passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... FILES passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 min
utes.
         ......................... FILES passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-Fi
rst-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Domain Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-Fi
rst-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role PDC Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Rid Owner = CN=NTDS Settings,CN=NETOPS,CN=Servers,CN=Default-First
-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=NETOPS,CN=Server
s,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net
         ......................... FILES passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC FILES on DC FILES.
         * SPN found :LDAP/FILES.XXX.net/XXX.net
         * SPN found :LDAP/FILES.XXX.net
         * SPN found :LDAP/FILES
         * SPN found :LDAP/FILES.XXX.net/SIGMA
         * SPN found :LDAP/e9329d5b-3169-4818-84aa-3f6f089e2f32._msdcs.XXX.net
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e9329d5b-3169-4818-84
aa-3f6f089e2f32/XXX.net
         * SPN found :HOST/FILES.XXX.net/XXX.net
         * SPN found :HOST/FILES.XXX.net
         * SPN found :HOST/FILES
         * SPN found :HOST/FILES.XXX.net/SIGMA
         * SPN found :GC/FILES.XXX.net/XXX.net
         ......................... FILES passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC FILES.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=XXX,DC=net
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=XXX,DC=net
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=XXX,DC=net
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=XXX,DC=net
            (Domain,Version 3)
         ......................... FILES passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\FILES\netlogon
         Verified share \\FILES\sysvol
         ......................... FILES passed test NetLogons
      Starting test: ObjectsReplicated
         FILES is in domain DC=XXX,DC=net
         Checking for CN=FILES,OU=Domain Controllers,DC=XXX,DC=net in domain DC=
XXX,DC=net on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=FILES,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=XXX,DC=net in domain CN=Configuration,DC=XXX,
DC=net on 1 servers
            Object is up-to-date on all servers.
         ......................... FILES passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=XXX,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=DomainDnsZones,DC=XXX,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=XXX,DC=net
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         ......................... FILES passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 6103 to 1073741823
         * NetOps.XXX.net is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 5603 to 6102
         * rIDPreviousAllocationPool is 5603 to 6102
         * rIDNextRID: 5644
         ......................... FILES passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... FILES passed test Services
      Starting test: SystemLog
         * The System Event log test
         An Error Event occurred.  EventID: 0x40000004
            Time Generated: 01/22/2015   10:45:27
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver netops$. The target name used was SIGMA\NETOPS$. This indicates that the ta
rget server failed to decrypt the ticket provided by the client. This can occur
when the target server principal name (SPN) is registered on an account other th
an the account the target service is using. Please ensure that the target SPN is
 registered on, and only registered on, the account used by the server. This err
or can also happen when the target service is using a different password for the
 target service account than what the Kerberos Key Distribution Center (KDC) has
 for the target service account. Please ensure that the service on the server an
d the KDC are both updated to use the current password. If the server name is no
t fully qualified, and the target domain (XXX.NET) is different from the client
domain (XXX.NET), check if there are identically named server accounts in these
two domains, or use the fully-qualified name to identify the server.
         An Error Event occurred.  EventID: 0x40000004
            Time Generated: 01/22/2015   10:46:56
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the se
rver netops$. The target name used was LDAP/FAEEDD75-072F-46ED-9693-0A112389D002
._msdcs.XXX.net. This indicates that the target server failed to decrypt the tic
ket provided by the client. This can occur when the target server principal name
 (SPN) is registered on an account other than the account the target service is
using. Please ensure that the target SPN is registered on, and only registered o
n, the account used by the server. This error can also happen when the target se
rvice is using a different password for the target service account than what the
 Kerberos Key Distribution Center (KDC) has for the target service account. Plea
se ensure that the service on the server and the KDC are both updated to use the
 current password. If the server name is not fully qualified, and the target dom
ain (XXX.NET) is different from the client domain (XXX.NET), check if there are
identically named server accounts in these two domains, or use the fully-qualifi
ed name to identify the server.
         An Warning Event occurred.  EventID: 0x8000001D
            Time Generated: 01/22/2015   10:47:24
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         An Warning Event occurred.  EventID: 0x8000001D
            Time Generated: 01/22/2015   10:52:19
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate
 to use for smart card logons, or the KDC certificate could not be verified. Sma
rt card logon may not function correctly if this problem is not resolved. To cor
rect this problem, either verify the existing KDC certificate using certutil.exe
 or enroll for a new KDC certificate.
         ......................... FILES failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=FILES,OU=Domain Controllers,DC=XXX,DC=net and backlink on
         CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=XXX,DC=net
         are correct.
         The system object reference (serverReferenceBL)
         CN=FILES,CN=Domain System Volume (SYSVOL share),CN=File Replication Ser
vice,CN=System,DC=XXX,DC=net
         and backlink on
         CN=NTDS Settings,CN=FILES,CN=Servers,CN=Default-First-Site-Name,CN=Site
s,CN=Configuration,DC=XXX,DC=net
         are correct.
         ......................... FILES passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : XXX
      Starting test: CheckSDRefDom
         ......................... XXX passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... XXX passed test CrossRefValidation

   Running enterprise tests on : XXX.net
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\FILES.XXX.net
         Locator Flags: 0xe00011bc
         PDC Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         Time Server Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         Preferred Time Server Name: \\NetOps.XXX.net
         Locator Flags: 0xe00033fd
         KDC Name: \\FILES.XXX.net
         Locator Flags: 0xe00011bc
         ......................... XXX.net passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... XXX.net passed test Intersite

C:\Users\Administrator.SIGMA>
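As an added example (not code from the thread or from either poster), the following PowerShell checks the conditions the two KRB_AP_ERR_MODIFIED events above point at: replication links still failing, an SPN registered on more than one account, and the age of each DC's machine-account password. It assumes the RSAT ActiveDirectory module and a session with rights to read the directory and run repadmin.

```powershell
# Added example: diagnostic read-only checks for the "target principal name is
# incorrect" / KRB_AP_ERR_MODIFIED symptoms seen between two DCs.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined admin session.
Import-Module ActiveDirectory

# 1. Replication links that are still failing. repadmin /showrepl * /csv emits
#    CSV whose header row begins with "showrepl_COLUMNS"; ConvertFrom-Csv
#    exposes the columns by their printed names.
$failing = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time'
$failing | Format-Table -AutoSize

# 2. SPNs registered on more than one account. The KDC then encrypts the
#    service ticket to the wrong account's key and the real service cannot
#    decrypt it, which is exactly what the event text describes.
$seen = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if ($seen.ContainsKey($key)) { $seen[$key] += $dn } else { $seen[$key] = @($dn) }
        }
    }
$seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
    "DUPLICATE SPN $($_.Key) on: $($_.Value -join '; ')"
}

# 3. Machine-account password age per DC, plus the LDAP/<DSA GUID>._msdcs SPN
#    the second event shows the client used. A DC whose secure-channel password
#    is out of step with what the KDC holds shows up as a stale PasswordLastSet
#    relative to its partner.
foreach ($dc in Get-ADDomainController -Filter *) {
    $acct = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties PasswordLastSet, servicePrincipalName
    $guidSpn = $acct.servicePrincipalName | Where-Object { $_ -like 'LDAP/*._msdcs.*' }
    [pscustomobject]@{
        DC              = $dc.HostName
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
        DsaGuidSpn      = ($guidSpn -join ', ')
    }
}
```

None of the three checks changes anything; compare the output with the dcdiag and repadmin results above before deciding on a fix.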
Patrick (ASKER):

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.SIGMA>repadmin /replsum
Replication Summary Start Time: 2015-01-22 10:56:57

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 FILES                     02m:06s    0 /   5    0
 NETOPS                    02m:23s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 FILES                     02m:24s    0 /   5    0
 NETOPS                    02m:08s    0 /   5    0



C:\Users\Administrator.SIGMA>
Patrick (ASKER):

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator.SIGMA>repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\FILES
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: e9329d5b-3169-4818-84aa-3f6f089e2f32
DSA invocationID: 0a9abbfa-51e4-41b0-b161-afd1f960cf1b

==== INBOUND NEIGHBORS ======================================

DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:56:20 was successful.

CN=Configuration,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:55:04 was successful.

CN=Schema,CN=Configuration,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:54:34 was successful.

DC=DomainDnsZones,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:55:07 was successful.

DC=ForestDnsZones,DC=SAE,DC=net
    Default-First-Site-Name\NETOPS via RPC
        DSA object GUID: faeedd75-072f-46ed-9693-0a112389d002
        Last attempt @ 2015-01-22 10:54:34 was successful.

Source: Default-First-Site-Name\NETOPS
******* 7113 CONSECUTIVE FAILURES since 2015-01-12 23:20:50
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.

Will Szymkowski:

OK, so based on the output we are still getting the same error message. Follow the KB link in my first post to correct this issue.

Will.
Patrick (ASKER):

Doing so and will report back - appreciate the help
Patrick (ASKER):

Done. On the backup server, I can force the replication. Anywhere to check in the event viewer?

Will Szymkowski:

If you have done the changes in the KB article, I would run the following commands again to make sure that they are clean with no issues. Also looking in the event viewer for errors/warnings would be beneficial.

Will.
Patrick (ASKER):

I ran DCDIAG after and it came up with zero fails. I'll keep monitoring this today. Thanks!

Will Szymkowski:

Perfect, glad it worked for you.

Will.