Solved

DsBindWithSpnEx() failed with error -2146893022,

Posted on 2016-07-25
Last Modified: 2016-08-18
Hi, can anyone help with my issue? Thank you in advance.


C01] DsBindWithSpnEx() failed with error -2146893022,
       The target principal name is incorrect..
       Warning: C01 is the Schema Owner, but is not responding to DS
       RPC Bind.
       [01] LDAP bind failed with error 8341,
       A directory service error has occurred..
       Warning: HCML-CDC01 is the Schema Owner, but is not responding to LDAP
       Bind.
       Warning: 01 is the Domain Owner, but is not responding to DS
       RPC Bind.
       Warning: 01 is the Domain Owner, but is not responding to LDAP
       Bind.
       Warning: 01 is the PDC Owner, but is not responding to DS RPC
       Bind.
       Warning: 01 is the PDC Owner, but is not responding to LDAP
       Bind.
       Warning: 01 is the Rid Owner, but is not responding to DS RPC
       Bind.
       Warning: 01 is the Rid Owner, but is not responding to LDAP
       Bind.
       Warning: 01 is the Infrastructure Update Owner, but is not
       responding to DS RPC Bind.
       Warning: 1 is the Infrastructure Update Owner, but is not
       responding to LDAP Bind.
       ......................... 02 failed test KnowsOfRoleHolders
    Starting test: MachineAccount
       ......................... 02 passed test MachineAccount
    Starting test: NCSecDesc
Question by:MarK PercY
12 Comments
 

Expert Comment

by:Chris Dent
You haven't said otherwise, so I have to start with the really simple question:

Is HCML-CDC01 online?

Chris

Author Comment

by:MarK PercY
Hi Chris,
Sorry, no it isn't; however, we have three other domain controllers which have their own DNS. What I would like to know is how this may have happened, and will a reboot fix it?
Many thanks in advance

Expert Comment

by:Chris Dent
If it's not online then you'll need to move the FSMO roles to a new domain controller. That is, unless you plan to bring it back online?

Chris

Expert Comment

by:Chris Dent
Oh and reboot will not fix, those roles are not dynamically placed. They live on the first DC you introduced into the forest / domain unless you moved them around afterwards. Should that DC need to go you must manually relocate those roles.

Chris

Author Comment

by:MarK PercY
Hi Chris,
Thank you for your response. I can ping the server in question via IP and DNS; however, I can't log on with the domain admin password, although the domain password works on the other DCs.
Many thanks
Mark

Expert Comment

by:Chris Dent
That's not a good sign. Anything else in the dcdiag log? Can you run this from a working DC?

repadmin /showrepl

Chris

Author Comment

by:MarK PercY
Hi Chris, this is the information from repadmin /showrepl:

repadmin: running command /showrepl against full DC localhost
Croydon\HCML-CDC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: f65ed79f-6c21-4ae1-aa10-0c470c2c152d
DSA invocationID: a171e066-88d8-4e84-99c1-afa5801ca682

==== INBOUND NEIGHBORS ======================================

DC=HCML,DC=local
    Manchester\HCML-MDC01 via RPC
        DSA object GUID: 5242a0b3-8d85-4d5a-b2c8-d5f668530855
        Last attempt @ 2016-07-26 11:30:37 was successful.
    Croydon\HCML-CDC01 via RPC
        DSA object GUID: 80123f74-23ed-4830-b563-4232c22db1f5
        Last attempt @ 2016-07-26 11:45:03 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        16029 consecutive failure(s).
        Last success @ 2016-07-23 10:25:26.
    Croydon\RESSRV01 via RPC
        DSA object GUID: 585c4906-f817-463a-817b-9780046a5384
        Last attempt @ 2016-07-26 11:45:05 was successful.

CN=Configuration,DC=HCML,DC=local
    Croydon\RESSRV01 via RPC
        DSA object GUID: 585c4906-f817-463a-817b-9780046a5384
        Last attempt @ 2016-07-26 11:30:37 was successful.
    Croydon\HCML-CDC01 via RPC
        DSA object GUID: 80123f74-23ed-4830-b563-4232c22db1f5
        Last attempt @ 2016-07-26 11:30:37 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        311 consecutive failure(s).
        Last success @ 2016-07-23 10:16:57.
    Manchester\HCML-MDC01 via RPC
        DSA object GUID: 5242a0b3-8d85-4d5a-b2c8-d5f668530855
        Last attempt @ 2016-07-26 11:30:37 was successful.

CN=Schema,CN=Configuration,DC=HCML,DC=local
    Croydon\RESSRV01 via RPC
        DSA object GUID: 585c4906-f817-463a-817b-9780046a5384
        Last attempt @ 2016-07-26 11:30:37 was successful.
    Croydon\HCML-CDC01 via RPC
        DSA object GUID: 80123f74-23ed-4830-b563-4232c22db1f5
        Last attempt @ 2016-07-26 11:30:37 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        296 consecutive failure(s).
        Last success @ 2016-07-23 10:16:57.
    Manchester\HCML-MDC01 via RPC
        DSA object GUID: 5242a0b3-8d85-4d5a-b2c8-d5f668530855
        Last attempt @ 2016-07-26 11:30:37 was successful.

DC=DomainDnsZones,DC=HCML,DC=local
    Croydon\HCML-CDC01 via RPC
        DSA object GUID: 80123f74-23ed-4830-b563-4232c22db1f5
        Last attempt @ 2016-07-26 11:30:37 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        335 consecutive failure(s).
        Last success @ 2016-07-23 10:16:57.
    Croydon\RESSRV01 via RPC
        DSA object GUID: 585c4906-f817-463a-817b-9780046a5384
        Last attempt @ 2016-07-26 11:30:37 was successful.
    Manchester\HCML-MDC01 via RPC
        DSA object GUID: 5242a0b3-8d85-4d5a-b2c8-d5f668530855
        Last attempt @ 2016-07-26 11:30:37 was successful.

DC=ForestDnsZones,DC=HCML,DC=local
    Croydon\HCML-CDC01 via RPC
        DSA object GUID: 80123f74-23ed-4830-b563-4232c22db1f5
        Last attempt @ 2016-07-26 11:30:37 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        296 consecutive failure(s).
        Last success @ 2016-07-23 10:16:57.
    Croydon\RESSRV01 via RPC
        DSA object GUID: 585c4906-f817-463a-817b-9780046a5384
        Last attempt @ 2016-07-26 11:30:37 was successful.
    Manchester\HCML-MDC01 via RPC
        DSA object GUID: 5242a0b3-8d85-4d5a-b2c8-d5f668530855
        Last attempt @ 2016-07-26 11:30:37 was successful.

Source: Croydon\HCML-CDC01
****** 15993 CONSECUTIVE FAILURES since 2016-07-23 10:25:26
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.
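The /showrepl output above is easier to act on when parsed than when read by eye. The following script is an added example for this thread, not repadmin's own code and not something posted by either participant: it parses the inbound-neighbour section into records, converts the signed result code repadmin prints into its HRESULT form (-2146893022 is 0x80090322, SEC_E_WRONG_PRINCIPAL), and grades each failing partner by how long it has gone without a successful replication relative to the tombstone lifetime. The sample text is constructed in the shape of the output above, and the tombstone lifetime is a parameter: Windows defaults to 60 days for forests created before Windows Server 2003 SP1 and 180 days for later ones, and the real value should be read from the Directory Service object rather than assumed.

```python
import re
from datetime import datetime

# Constructed sample in the shape of `repadmin /showrepl` (two naming contexts,
# one healthy and two failing partners). The parser accepts any number of contexts.
SAMPLE = (
    "DC=HCML,DC=local\n"
    "    Manchester\\HCML-MDC01 via RPC\n"
    "        DSA object GUID: 5242a0b3-8d85-4d5a-b2c8-d5f668530855\n"
    "        Last attempt @ 2016-07-26 11:30:37 was successful.\n"
    "    Croydon\\HCML-CDC01 via RPC\n"
    "        DSA object GUID: 80123f74-23ed-4830-b563-4232c22db1f5\n"
    "        Last attempt @ 2016-07-26 11:45:03 failed, result -2146893022 (0x80090322):\n"
    "            The target principal name is incorrect.\n"
    "        16029 consecutive failure(s).\n"
    "        Last success @ 2016-07-23 10:25:26.\n"
    "CN=Configuration,DC=HCML,DC=local\n"
    "    Croydon\\HCML-CDC01 via RPC\n"
    "        DSA object GUID: 80123f74-23ed-4830-b563-4232c22db1f5\n"
    "        Last attempt @ 2016-07-26 11:30:37 failed, result 1256 (0x4e8):\n"
    "            The remote system is not available.\n"
    "        335 consecutive failure(s).\n"
    "        Last success @ 2016-07-23 10:16:57.\n"
)

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
PARTITION_RE = re.compile(r"^(?:DC|CN)=\S+$")            # naming-context header, no indent
PARTNER_RE = re.compile(r"^\s+(\S+)\\(\S+) via (\S+)$")    # "    Site\Server via RPC"
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ " + TS +
                        r" (?:was successful|failed, result (-?\d+) \(0x[0-9a-fA-F]+\))")
FAILURES_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.")
SUCCESS_RE = re.compile(r"^\s+Last success @ " + TS + r"\.")

# The two codes seen in the thread, keyed by unsigned HRESULT.
KNOWN = {
    0x80090322: "SEC_E_WRONG_PRINCIPAL: target principal name is incorrect "
                "(SPN registration or DC account password / secure channel mismatch)",
    0x4E8: "error 1256: the remote system is not available (network or service down)",
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def to_hresult(code):
    """Signed decimal as printed by repadmin -> unsigned HRESULT (-2146893022 -> 0x80090322)."""
    return code & 0xFFFFFFFF


def parse_showrepl(text):
    """Return one record per inbound neighbour per naming context."""
    records, partition, cur = [], None, None
    for line in text.splitlines():
        if PARTITION_RE.match(line):
            partition, cur = line.strip(), None
            continue
        m = PARTNER_RE.match(line)
        if m:
            cur = {"partition": partition, "site": m.group(1), "partner": m.group(2),
                   "transport": m.group(3), "last_attempt": None, "result": 0,
                   "consecutive_failures": 0, "last_success": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := ATTEMPT_RE.match(line)):
            cur["last_attempt"] = _ts(m.group(1))
            cur["result"] = int(m.group(2) or 0)
            if cur["result"] == 0:            # a successful attempt is also the latest success
                cur["last_success"] = cur["last_attempt"]
        elif (m := FAILURES_RE.match(line)):
            cur["consecutive_failures"] = int(m.group(1))
        elif (m := SUCCESS_RE.match(line)):
            cur["last_success"] = _ts(m.group(1))
    return records


def assess(records, now, tombstone_days=180):
    """Grade failing neighbours against the tombstone lifetime. `tombstone_days` is an
    assumed default; read the real value from the Directory Service object first."""
    if isinstance(now, str):
        now = _ts(now)
    findings = []
    for r in records:
        if r["result"] == 0:
            continue
        days = None if r["last_success"] is None else (now - r["last_success"]).total_seconds() / 86400
        if days is None or days > tombstone_days:
            verdict = "lingering-object risk: no success within the tombstone lifetime"
        elif days > tombstone_days / 2:
            verdict = "warning: over half the tombstone lifetime without a success"
        else:
            verdict = "failing: repair replication before the tombstone lifetime expires"
        hr = to_hresult(r["result"])
        findings.append({"partition": r["partition"], "partner": r["partner"], "hresult": hr,
                         "meaning": KNOWN.get(hr, "unknown code"),
                         "consecutive_failures": r["consecutive_failures"],
                         "days_since_success": days, "verdict": verdict})
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # e.g. `repadmin /showrepl > showrepl.txt`, then pass the file
        text, now = open(sys.argv[1], encoding="utf-8", errors="replace").read(), datetime.now()
    else:                      # fixed clock so the 2016 sample grades as it would have then
        text, now = SAMPLE, "2016-07-26 12:00:00"
    for f in assess(parse_showrepl(text), now):
        age = "never" if f["days_since_success"] is None else f"{f['days_since_success']:.1f} days"
        print(f"{f['partition']}: {f['partner']} 0x{f['hresult']:08X} "
              f"{f['consecutive_failures']} failures, last success {age} ago -> {f['verdict']}")
        print(f"    {f['meaning']}")
```

Run without arguments to see the constructed sample graded, or pass a saved /showrepl file to grade your own partners; the partition, partner and GUID layout it expects is the one shown in the thread.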

Author Comment

by:MarK PercY
Hi Chris,
Do you think it was this laptop that caused the error? Please see below.
Many thanks,
Mark

       An error event occurred.  EventID: 0x40000004
          Time Generated: 07/25/2016   12:24:14
          Event String:
          The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcml-cdc01$. The target name used was ldap/HCML-CDC01.HCML.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HCML.LOCAL) is different from the client domain (HCML.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
       An error event occurred.  EventID: 0x40000004
          Time Generated: 07/25/2016   12:29:13
          Event String:
          The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcml-cdc01$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/80123f74-23ed-4830-b563-4232c22db1f5/HCML.local@HCML.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HCML.LOCAL) is different from the client domain (HCML.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
       An error event occurred.  EventID: 0x0000165B
          Time Generated: 07/25/2016   13:02:04
          Event String:
          The session setup from computer 'HCML-LAPTOP17' failed because the security database does not contain a trust account 'HCML-LAPTOP17$' referenced by the specified computer.
       An error event occurred.  EventID: 0x000016AD
          Time Generated: 07/25/2016   13:18:51
          Event String:
          The session setup from the computer HCML-LAPTOP17 failed to authenticate. The following error occurred:
       An error event occurred.  EventID: 0x40000004
          Time Generated: 07/25/2016   13:22:22
          Event String:
          The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcml-cdc01$. The target name used was LDAP/80123f74-23ed-4830-b563-4232c22db1f5._msdcs.HCML.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HCML.LOCAL) is different from the client domain (HCML.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
       An error event occurred.  EventID: 0x40000004
          Time Generated: 07/25/2016   13:22:22
          Event String:
          The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcml-cdc01$. The target name used was ldap/hcml-cdc01.HCML.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HCML.LOCAL) is different from the client domain (HCML.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
       ......................... HCML-CDC02 failed test SystemLog
    Starting test: VerifyReferences
       ......................... HCML-CDC02 passed test VerifyReferences

Expert Comment

by:Chris Dent
No, network clients cannot cause this problem. The error above can be caused by a missing / incorrect service principal name registration, or a time difference greater than 5 minutes between the client and a domain controller.

The problems you're having suggest that hcml-cdc01 is no longer properly replicating with your other domain controllers. There are a number of possible avenues to debug this, one of which involves getting onto that system. Whether or not this is the case must be confirmed; you need to review the output from the commands above, the output from repadmin and the Directory Service event logs.

If the domain admin password you're using has been changed recently, try an older password to log onto the troublesome Domain Controller.

Whether or not you can fix it at all, assuming it is indeed failing to replicate, will need you to establish how long this has been the case. If it's managed to exceed the tombstone lifetime perhaps the best course of action is to decommission it and start again. You should not do that if this is a Small Business Server (or whatever that's called these days) based domain.

I'm not suggesting you go ahead with this immediately, but I want to make you aware of the process for rebuilding the DC right away just in case I don't have the opportunity to share it later:

https://technet.microsoft.com/en-us/library/cc816620(v=ws.10).aspx

Chris
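Chris's two candidate causes for KRB_AP_ERR_MODIFIED (SPN registration and clock skew) can be separated with a small check against the directory. The script below is an added example for this thread, not code from either participant or from Microsoft: it extracts the server account and target name from an event string of the kind pasted above, normalises the SPN (case, and the @REALM suffix the DRS replication SPN carries in the second event), and looks it up in a snapshot of servicePrincipalName values to classify the registration as ok, missing, on the wrong account, or duplicated. The snapshot DIRECTORY and the event strings are constructed; the svc-legacy entry is a deliberately constructed duplicate so the check has something to report. In a live domain the same data comes from setspn -L <account> or the servicePrincipalName attribute, and setspn -X lists duplicates forest-wide; an "ok" result leaves the password/secure-channel mismatch and clock-skew explanations.

```python
import re

# Pulls the two facts the event gives us: the account that rejected the ticket
# and the target name the client asked the KDC for.
EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<account>\S+?)\.\s+"
    r"The target name used was (?P<target>\S+?)\.\s+This indicates")

# Constructed event strings (the opening sentences of the 0x40000004 events above).
EVENTS = [
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcml-cdc01$. "
    "The target name used was ldap/HCML-CDC01.HCML.local. This indicates that the target "
    "server failed to decrypt the ticket provided by the client.",
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcml-cdc01$. "
    "The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
    "80123f74-23ed-4830-b563-4232c22db1f5/HCML.local@HCML.local. This indicates that the "
    "target server failed to decrypt the ticket provided by the client.",
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hcml-cdc01$. "
    "The target name used was LDAP/80123f74-23ed-4830-b563-4232c22db1f5._msdcs.HCML.local. "
    "This indicates that the target server failed to decrypt the ticket provided by the client.",
]

# Constructed snapshot of servicePrincipalName per account (what `setspn -L` shows).
# svc-legacy is a deliberately constructed duplicate registration for the example.
DIRECTORY = {
    "HCML-CDC01$": [
        "HOST/HCML-CDC01.HCML.local",
        "ldap/HCML-CDC01.HCML.local",
        "ldap/80123f74-23ed-4830-b563-4232c22db1f5._msdcs.HCML.local",
        "E3514235-4B06-11D1-AB04-00C04FC2DCD2/80123f74-23ed-4830-b563-4232c22db1f5/HCML.local",
    ],
    "HCML-CDC02$": [
        "HOST/HCML-CDC02.HCML.local",
        "ldap/HCML-CDC02.HCML.local",
    ],
    "svc-legacy": ["LDAP/hcml-cdc01.hcml.local"],
}

HINTS = {
    "ok": "SPN is registered only on the expected account; next check the DC account "
          "password / secure channel and clock skew (Kerberos tolerates 5 minutes)",
    "missing": "SPN is not registered on any account; register it on the server's account",
    "wrong-account": "SPN is registered on a different account than the one serving it",
    "duplicate": "SPN is registered on more than one account; remove the extra registration",
}


def parse_event(text):
    """Return {'account', 'target'} from a KRB_AP_ERR_MODIFIED event string, or None."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    return {"account": m.group("account"), "target": m.group("target")}


def normalise_spn(spn):
    """SPN comparison is case-insensitive; a trailing @REALM is not part of the registration."""
    return spn.split("@", 1)[0].lower()


def spn_index(directory):
    """Map each normalised SPN to the set of accounts that hold it."""
    index = {}
    for account, spns in directory.items():
        for spn in spns:
            index.setdefault(normalise_spn(spn), set()).add(account.lower())
    return index


def check_event(event, directory):
    """Classify the SPN registration behind one event against the snapshot."""
    index = spn_index(directory)
    target = normalise_spn(event["target"])
    expected = event["account"].lower()
    holders = index.get(target, set())
    if not holders:
        status = "missing"
    elif holders == {expected}:
        status = "ok"
    elif expected in holders:
        status = "duplicate"
    else:
        status = "wrong-account"
    return {"target": target, "expected": expected,
            "holders": sorted(holders), "status": status, "hint": HINTS[status]}


def duplicate_spns(directory):
    """Forest-wide view, like `setspn -X`: SPNs held by more than one account."""
    return {spn: sorted(accts) for spn, accts in spn_index(directory).items() if len(accts) > 1}


if __name__ == "__main__":
    for text in EVENTS:
        r = check_event(parse_event(text), DIRECTORY)
        print(f"{r['status']:13} {r['target']}  holders={r['holders']}\n    {r['hint']}")
    print("duplicates:", duplicate_spns(DIRECTORY))
```

The classification deliberately stops at the directory facts: "duplicate" and "wrong-account" are fixed by correcting the registration, while "ok" means the SPN is not the problem and the remaining explanations in the event text (a DC account password out of step with the KDC, or clock skew) are what to look at next.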

Author Comment

by:MarK PercY
Really, how can this be? We only commissioned this server in February. This is so strange.

Accepted Solution

by:Chris Dent (earned 500 total points)
I don't know, that's why you need to review things :)

Alas at the moment all you have is a series of symptoms, you need to work towards root cause which is going to require a more detailed look at the health of each of the Domain Controllers.

Chris

Author Closing Comment

by:MarK PercY
Very helpful