Target principal Name Incorrect

Hi everyone,

Yesterday my domain controller that holds the FSMO roles was shut down unexpectedly. After it started again, some domain controllers started showing event ID 4, and when I ran dcdiag and repadmin I got "the target principal name is incorrect". I tried executing the following steps:

1. Stop the KDC service on the affected domain controller (i.e. DC2) and set the service startup type to Manual
2. Restart DC2
3. On DC1 (which holds the FSMO roles) I ran the command:
    netdom resetpwd /server:DC2 /UserD:domain\administrator /PasswordD:**
4. After the command completed successfully I restarted DC2
5. When DC2 was up I started the KDC service.

But the problem persists on many domain controllers in my environment. Did I forget to execute anything?
Leonardo Mendes, Network Analyst, asked:

Dan McFadden, Systems Engineer, commented:
Is your DC2 the domain controller that is holding the PDC FSMO?

Can you post the output of this command?

repadmin /showreps

I would venture to say, you reset the password on the wrong DC.

I would use the method in this Microsoft Support article:  https://support.microsoft.com/en-us/help/2090913/troubleshooting-ad-replication-error-2146893022-the-target-principal-n


Dan
Leonardo Mendes, Network Analyst (author), commented:
Hi Dan

Q:Is your DC2 the domain controller that is holding the PDC FSMO?
No. The Domain Controller holding PDC FSMO is DC1
repadmin_from_pdc.txt
Leonardo Mendes, Network Analyst (author), commented:
I attached another file, from a failed DC:
repadmin_from_dc_fail.txt
Dan McFadden, Systems Engineer, commented:
I recommend going through the article I posted, step by step, and verifying the health of AD replication and that DC replication is running properly.  The article gives very specific actions to help you troubleshoot this issue.

All the recommended steps are in the article.

Dan
Mahesh, Architect, commented:
netdom resetpwd /server:DC2 /UserD:domain\administrator /PasswordD:**

The above command was actually run from DC1, so you reset DC1's password, and that is what should be restarted.
Have you tried transferring the FSMO roles to another DC and then resetting DC1's password from DC1 only?
Leonardo Mendes, Network Analyst (author), commented:
Hi Mahesh,

  I did not try to transfer the FSMO roles because there are DCs that are working. In my environment I have 14 DCs and 4 work fine. I don't know if transferring the FSMO roles is the best choice in this case.
Dan McFadden, Systems Engineer, commented:
Are your FSMOs distributed or held by a single DC?  If DC1 is functioning properly, I would not move any FSMOs.

Again, on every DC that is getting the "Target principal Name Incorrect" error, run the recommended commands from the MS article.

Dan
Mahesh, Architect, commented:
As per MS suggestions, you need to reset the DC1 account password.
If you move the FSMO roles to another DC, it would be easier to reset the DC1 password.
Leonardo Mendes, Network Analyst (author), commented:
Dan,

   All FSMO roles are held only by DC1, and DC1 works fine.  I would like to try to resolve this problem on each DC. Yesterday I read the link that you posted above. I followed all the troubleshooting steps in the article and found the same problem the article describes. Finally I executed the solution proposed at the end of the article, but I had no success. I attached an image from a DC that has the failure.
Leonardo Mendes, Network Analyst (author), commented:
Sorry, I forgot the image:
Event_From_DC_Fail.JPG
Dan McFadden, Systems Engineer, commented:
I disagree.  Unless I cannot read the repadmin report properly, replication is failing on the device named "PWI2270083."  Meaning that "PWI2270083" is the destination server.  Meaning that the password there has to be reset, not on the PDC Role Holder.

Reference Link:  https://support.microsoft.com/en-us/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

Please note the example in step #4:


For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:
netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*

Applying the article's logic to this issue, the password needs to be reset on "PWI2270083," therefore the command should be:

netdom resetpwd /s:PWI2270083 /ud:mydomain\administrator /pd:*

Unless I've completely lost my mind (which is possible today), the issue is not DC1 (where the FSMOs are), so moving the FSMOs does not make any sense to me.

Dan
Leonardo Mendes, Network Analyst (author), commented:
Thanks Dan...

What confuses me is where the command should be executed, and how. Let's use the real names to make this easier to understand.

1. The PWI2270083 server is the domain controller that hosts all FSMO roles. (Healthy DC)
2. The server from which I took the print is named pwi2020031. (Failing DC)

Correct me if I'm wrong. I understand that the PWI2020031 server is where I have to stop the KDC, and that on the server pwi2270083 I should execute the command as follows:

netdom resetpwd /server:PWI2020031 /UserD:mydomain\administrator /PasswordD:**

or

I can run the command from server PWI2020031 as follows:

netdom resetpwd /server:PWI2270083 /UserD:mydomain\administrator /PasswordD:**

I understand that the /server parameter should reference a DC that is running the KDC.
Dan McFadden, Systems Engineer, commented:
Now that we have the real names, the command should be run on the server PWI2020031.

Dan
Leonardo Mendes, Network Analyst (author), commented:
Dan

Please confirm the following steps:

1. Log on to DC pwi2020031 and stop the KDC service
2. Execute the command from pwi2020031: netdom resetpwd /server:PWI2270083 /UserD:mydomain\administrator /PasswordD:**
3. Start the KDC

Correct me if I'm wrong
Dan McFadden, Systems Engineer, commented:
Looks right to me.

Dan
Leonardo Mendes, Network Analyst (author), commented:
Check the command:
netdom_resetpwd.JPG
Dan McFadden, Systems Engineer, commented:
Do not run that command.

The command should be:

netdom resetpwd /server:pwi2020031 /UserD:mydomain\administrator /PasswordD:**

The issue is the server "pwi2020031".

Dan
Leonardo Mendes, Network Analyst (author), commented:
Execute the command from which server?
Dan McFadden, Systems Engineer, commented:
On server:  pwi2020031
Leonardo Mendes, Network Analyst (author), commented:
Dan

 Check the command and result. After running the command I tried replication, but it didn't work. See the files:
netdom_command_from_pwi2020031.JPG
showreps_from_PWI2020031.txt
Dan McFadden, Systems Engineer, commented:
You said that you have 14 DCs and only 4 are properly functioning, correct?

Before restarting replication, I would run the password reset command on all DCs that are reporting the "Target principal Name Incorrect" error.  Then restart the KDC.

So for each command, on each server with the password error, run the command and replace the server name in the command with the name of the server where you are running the command.

Also, if this fails to rectify the issue, following the steps in the article from MS is my recommendation.  You will need to go down into deep troubleshooting of AD.

Dan
Leonardo Mendes, Network Analyst (author), commented:
Dan
 
  This is very strange... A few minutes ago I was checking replication on the other domain controllers, and I don't know how, but on the other DCs replication is OK.

  The only DC that has the failure at this moment is PWI2020031. One more DC shows a different error, but I'll look at that problem another time.
Leonardo Mendes, Network Analyst (author), commented:
Hi Dan

Earlier today I executed the following steps:

1. Stop the KDC on the failing DC
2. Purge the Kerberos tickets
3. Force replication from a good DC
4. Start the KDC service

Works fine =)

Thank you
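The four steps in that final post, automated as an added PowerShell example (not code from the thread or from Microsoft). It assumes an elevated PowerShell session on the failing DC and that $GoodDC names a healthy replication partner (PWI2270083 in this thread); the $GoodDC and $FailedDC parameter names are assumptions of this example.

```powershell
# Added example: recover a DC that reports "The target principal name is incorrect"
# using the sequence the original poster found to work. Assumptions: run elevated
# on the failing DC; $GoodDC is a healthy replication partner; parameter names are mine.
param(
    [Parameter(Mandatory = $true)] [string] $GoodDC,
    [string] $FailedDC = $env:COMPUTERNAME   # DC being repaired; defaults to the local host
)

$pattern = 'target principal name is incorrect'

# Step 0: confirm the symptom before touching any service. repadmin /showrepl lists
# each inbound partner of the named DC with the result of the last replication attempt.
$before = & repadmin /showrepl $FailedDC | Out-String
if ($before -notmatch $pattern) {
    Write-Warning "$FailedDC does not report '$pattern'; no action taken."
    return
}

# Step 1: stop the Kerberos KDC so the stale machine-account key issues no new tickets.
Stop-Service -Name Kdc -Force -ErrorAction Stop
Write-Host "KDC stopped on $FailedDC"

try {
    # Step 2: purge cached Kerberos tickets. Logon ID 0x3e7 is the SYSTEM session,
    # which is the security context the DC itself uses for replication.
    & klist -li 0x3e7 purge | Out-Null
    Write-Host "Kerberos ticket cache purged"

    # Step 3: force an inbound replication of the domain partition from the healthy DC.
    $domainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    & repadmin /replicate $FailedDC $GoodDC $domainDN /force
}
finally {
    # Step 4: always bring the KDC back, even if replication failed.
    Start-Service -Name Kdc -ErrorAction Stop
    Write-Host "KDC started on $FailedDC"
}

# Re-check: if the error persists, fall back to the netdom resetpwd procedure from
# the Microsoft article linked earlier in the thread.
$after = & repadmin /showrepl $FailedDC | Out-String
if ($after -match $pattern) {
    Write-Warning "Error still present on $FailedDC; continue with the netdom resetpwd steps."
} else {
    Write-Host "$FailedDC no longer reports the target-principal-name error."
}
```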