Target principal Name Incorrect

Hi Everyone

Yesterday my domain controller that holds the FSMO roles was shut down unexpectedly. After it started again, some domain controllers started showing event ID 4, and when I ran dcdiag and repadmin I got "the target principal name is incorrect". I tried executing the following steps:

1. Stop the KDC service on the affected domain controller (i.e. DC2) and set the service to Manual
2. Restart DC2
3. On DC1 (which holds the FSMO roles) I ran the command:
    netdom resetpwd /server:DC2 /UserD:domain\administrator /PasswordD:**
4. After the command completed successfully I restarted DC2
5. When DC2 came back up I started the KDC service.

But the problem still exists on many domain controllers in my environment. Did I forget to execute anything???
Leonardo Mendes (Network Analyst) asked:

Dan McFadden (Systems Engineer) commented:
Do not run that command.

The command should be:

netdom resetpwd /server:pwi2020031 /UserD:mydomain\administrator /PasswordD:**


The issue is the server "pwi2020031"

Dan
Dan McFadden (Systems Engineer) commented:
Is your DC2 the domain controller that is holding the PDC FSMO?

Can you post the output of this command?

repadmin /showreps


I would venture to say, you reset the password on the wrong DC.

I would use the method in this Microsoft Support article:  https://support.microsoft.com/en-us/help/2090913/troubleshooting-ad-replication-error-2146893022-the-target-principal-n


Dan
Leonardo Mendes (Network Analyst, author) commented:
Hi Dan

Q: Is your DC2 the domain controller that is holding the PDC FSMO?
No. The domain controller holding the PDC FSMO role is DC1.
repadmin_from_pdc.txt
Leonardo Mendes (Network Analyst, author) commented:
I have added another file, from a failed DC:
repadmin_from_dc_fail.txt
Dan McFadden (Systems Engineer) commented:
I recommend going through the article I posted, step by step, and verifying the health of AD replication and that DC replication is running properly.  The article gives very specific actions to help you troubleshoot this issue.

All the recommended steps are in the article.

Dan
Mahesh (Architect) commented:
netdom resetpwd /server:DC2 /UserD:domain\administrator /PasswordD:**

You actually ran the above command from DC1, so you reset DC1's password, and that is the server that should be restarted.
Have you tried transferring the FSMO roles to another DC and then resetting DC1's password from DC1 only?
Leonardo Mendes (Network Analyst, author) commented:
Hi Mahesh,

  I did not try to transfer the FSMO roles because there are DCs that are working. In my environment I have 14 DCs and 4 work fine. I don't know if transferring the FSMO roles is the best choice for this case.
Dan McFadden (Systems Engineer) commented:
Are your FSMO roles distributed or held by a single DC?  If DC1 is functioning properly, I would not move any FSMO roles.

Again, on every DC that is getting the "Target principal Name Incorrect" error, run the recommended commands from the MS article.

Dan
Mahesh (Architect) commented:
As per the MS suggestions, you need to reset DC1's account password.
If you move the FSMO roles to another DC, it would be easier to reset DC1's password.
Leonardo Mendes (Network Analyst, author) commented:
Dan,

   All FSMO roles are held only by DC1, and DC1 works fine.  I would like to try to resolve this problem on each DC. Yesterday I read the link that you posted above. I followed all the steps in the article for troubleshooting and found the same problem described in the article. Finally I executed the solution proposed at the end of the article, but I did not have success. I have attached an image from a DC that has the failure.
Leonardo Mendes (Network Analyst, author) commented:
Sorry, I forgot the image:
Event_From_DC_Fail.JPG
Dan McFadden (Systems Engineer) commented:
I disagree.  Unless I cannot read the repadmin report properly, replication is failing on the device named "PWI2270083."  Meaning that "PWI2270083" is the destination server.  Meaning that the password there has to be reset, not on the PDC role holder.

Reference Link:  https://support.microsoft.com/en-us/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

Please note the example in step #4:

    For example, the local domain controller computer is Server1 and the peer Windows domain controller is Server2. If you run Netdom.exe on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:
    netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*

Applying the article's logic to this issue, the password needs to be reset on "PWI2270083," therefore the command should be:

netdom resetpwd /s:PWI2270083 /ud:mydomain\administrator /pd:*

Unless I've completely lost my mind (which is possible today), the issue is not DC1 (where the FSMO roles are), so moving the FSMO roles does not make any sense to me.

Dan
Leonardo Mendes (Network Analyst, author) commented:
Thanks Dan...

What makes me confused is where the command should be executed and how. Let's get real names to make understanding easier.

1. The PWI2270083 server is the domain controller that hosts all FSMO roles. (Healthy DC)
2. The server where I took the screenshot is named pwi2020031. (Failing DC)

Correct me if I'm wrong. I understand that the PWI2020031 server is where I have to stop the KDC, and on the server pwi2270083 I should execute the command as follows:

netdom resetpwd /server:PWI2020031 /UserD:mydomain\administrator /PasswordD:**

or

I can run the command from server PWI2020031 as follows:

netdom resetpwd /server:PWI2270083 /UserD:mydomain\administrator /PasswordD:**

I understand that the /server parameter should reference a DC that is running the KDC.
Dan McFadden (Systems Engineer) commented:
Now that we have the real names, the command should be run on the server PWI2020031.

Dan
Leonardo Mendes (Network Analyst, author) commented:
Dan

please confirm the following steps:

1. Log on to DC pwi2020031 and stop the KDC service
2. Execute the command from pwi2020031: netdom resetpwd /server:PWI2270083 /UserD:mydomain\administrator /PasswordD:**
3. Start the KDC

Correct me if I'm wrong.
Dan McFadden (Systems Engineer) commented:
Looks right to me.

Dan
Leonardo Mendes (Network Analyst, author) commented:
Check the command:
netdom_resetpwd.JPG
Leonardo Mendes (Network Analyst, author) commented:
Execute the command from which server?
Dan McFadden (Systems Engineer) commented:
On server:  pwi2020031
Leonardo Mendes (Network Analyst, author) commented:
Dan

 Check the command and the result. After running the command I tried replication, but it didn't work. See the files:
netdom_command_from_pwi2020031.JPG
showreps_from_PWI2020031.txt
Dan McFadden (Systems Engineer) commented:
You said that you have 14 DCs and only 4 are properly functioning, correct?

Before restarting replication, I would run the password reset command on all DCs that are reporting the "Target principal Name Incorrect" error.  Then restart the KDC.

So on each server with the password error, run the command and replace the server name in the command with the appropriate server name for the server where you are running the command.

Also, if this fails to rectify the issue, following the steps in the article from MS is my recommendation.  You will need to go down into deep troubleshooting of AD.

Dan
Leonardo Mendes (Network Analyst, author) commented:
Dan

  This is very strange... A few minutes ago I checked replication on the other domain controllers and, I don't know how, but on the other DCs replication is OK.

  The only DC that has the failure at this moment is PWI2020031. One more DC shows a different error, but I'll look at that problem another time.
Leonardo Mendes (Network Analyst, author) commented:
Hi Dan

Earlier today I executed the following steps:

1. Stop the KDC on the failing DC
2. Purge the Kerberos tickets
3. Force replication from a good DC
4. Start the KDC service

Works fine =)

Thank you
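The sequence that finally worked (stop KDC, purge tickets, pull a replication from a healthy DC, start KDC), written up as an added PowerShell script that is not from the thread or from Microsoft: it first surveys `repadmin /showrepl * /csv` for partner links whose last failure is the wrong-principal status -2146893022 (the code in the KB article Dan linked), and only with `-Repair` applies the recovery on the DC it runs on. `$SourceDc` is an assumed parameter naming the healthy DC to pull from, and the CSV column names are the ones repadmin emits.

```powershell
<#
  Added example (not the thread's or Microsoft's code). Run in an
  elevated PowerShell on a domain controller. Assumptions: -SourceDc
  names a healthy DC; column names match repadmin's /csv output.
#>
param(
    [switch]$Repair,
    [string]$SourceDc
)

$WrongPrincipal = -2146893022   # 0x80090322 SEC_E_WRONG_PRINCIPAL

# 1. Collect forest-wide replication status as CSV and keep only the
#    partner links whose last failure is the wrong-principal error.
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$broken = $rows | Where-Object {
    ($_.'Last Failure Status' -as [int64]) -eq $WrongPrincipal
}

if (-not $broken) { Write-Host "No wrong-principal replication failures found."; return }

# Report: which destination DC fails against which source, for which partition.
$broken | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
    'Number of Failures', 'Last Failure Time' | Format-Table -AutoSize

if (-not $Repair) { return }
if (-not $SourceDc) { throw "-SourceDc (a healthy DC) is required with -Repair" }

# 2. Recovery on THIS DC only; it must be one of the failing destinations.
$me   = $env:COMPUTERNAME
$mine = $broken | Where-Object { $_.'Destination DSA' -ieq $me }
if (-not $mine) { Write-Warning "$me is not a failing destination; nothing to do."; return }

Stop-Service kdc -Force            # step 1: stop the KDC so no stale tickets are issued
klist purge | Out-Null             # step 2: purge tickets for the current logon session
klist -li 0x3e7 purge | Out-Null   #         ...and for the SYSTEM (LSA) logon session
foreach ($nc in ($mine.'Naming Context' | Sort-Object -Unique)) {
    repadmin /replicate $me $SourceDc $nc   # step 3: pull each partition from the healthy DC
}
Start-Service kdc                  # step 4: bring the KDC back
repadmin /showrepl $me             # confirm the links now report success
```

Run it without `-Repair` first on the PDC to see every failing link; repeat the `-Repair` pass on each failing DC in turn, as Dan advised, rather than on the FSMO holder.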
Question has a verified solution.