Replication Errors (The target principal name is incorrect)

Hello Guys

All my DCs kinda broke. We had a power cut about a month ago; it was like 3-4 times in 2 weeks where servers did shutdown instead just went dead. Mistake I made: didn't check replications after that, and now can see various errors on domain servers. Setup is as below:

SA-DC1 (Main DC with all FSMO roles, and it's a physical box)
DBSDC1 (second DC as virtual machine, and all servers interact with this mainly, being close in same network)
SB-DC1 (3rd DC in another location; we got 100mb link between sites)

I can ping all DCs from each other fine by name.

Done netdom passwd reset on SA-DC1 and DBSDC1 but still same above output.

Any help will be much appreciated.

It's very critical for the domain to function or it's going to be a big disaster for me, so need best way forward.

Will building new DCs help, by moving FSMOs to that and then decommissioning SA-DC1?
I attach output of repadmin commands from all DCs, and errors from event log for all DCs.

See if someone can help me resolve this.
H-Singh, Technical Director, Asked:

Sajid Shaik M, System Admin, Commented:
Check the following TechNet article ...

This issue may also be caused by corrupt Secure channel. Please try the following steps to reset Secure channel.

1.    Stopped KDC service and set that to manual.
2.    Ran resetpwd /server:SERVER’s IP /userd:USER  /passwordd:*
3.    Start KDC service to test.

If the issue persists, it’s suggested to collect MPS Report for research.

A.    Download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link:

Please note: The link may be truncated when you read the E-mail. Be sure to include all text between '(' and ')' when navigating to the download location.

B.    Right click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.

C.    Please type Y with the message of <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?

D.    When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername> file. After collecting, please use Windows Live SkyDrive ( to upload the file and then give me the download address.

all the best
H-Singh, Technical Director, Author Commented:
Thanks Sajid,
can you confirm on which server I should do the below?
1.    Stopped KDC service and set that to manual.
2.    Ran resetpwd /server:SERVER’s IP /userd:USER  /passwordd:*
3.    Start KDC service to test.

Also, I did netdom resetpwd on both SA-DC1, by disabling KDC service and enabling after reboot, and same was done on DBSDC1 as well last night, but still same issues.


H-Singh, Technical Director, Author Commented:
Instead of server IP in the reset command, last time I used server names.
Sajid Shaik M, System Admin, Commented:
Use the server IP ...

all the best
H-Singh, Technical Director, Author Commented:
Thanks Sajid,
and just to confirm: I need to run that on just one DC, that's SA-DC1, the main DC, or on all DCs one by one?
Shaun Vermaak, Technical Specialist, Commented:
Just to confirm... You should do step two from DBSDC1 and SB-DC1 against SA-DC1
H-Singh, Technical Director, Author Commented:
Hello Guys
Managed to fix the issue. Didn't have to run password reset commands as I found the solution as below.

krbtgt account password out of sync... Disable and stop the kdc service on all DCs but the PDC emulator. Then reboot them one at a time. This will force all to obtain their TGT from the PDC and will enable them to start replication. After that, enable and start the kdc service.

After following the above, all DCs are now replicating fine and no longer seeing any Kerberos errors in event log.
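
The fix described in the comment above, sketched as an added example (not part of the thread and not any poster's code). It assumes an elevated local PowerShell session on each DC other than the PDC emulator, one DC at a time; the `-Phase` parameter and its values are hypothetical names, and `SA-DC1` as PDC emulator is taken from the thread's statement that it holds all FSMO roles.

```powershell
# Added example: run locally, elevated, on one non-PDCe DC at a time.
# -Phase and its values are hypothetical names used only for this sketch.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Isolate', 'Restore')]
    [string]$Phase,

    # Assumption from the thread: SA-DC1 holds all FSMO roles (incl. PDCe).
    [string]$PdcEmulator = 'SA-DC1'
)

if ($env:COMPUTERNAME -eq $PdcEmulator) {
    throw "This host is the PDC emulator; its KDC has to stay running."
}

switch ($Phase) {
    'Isolate' {
        # Per the thread: with the local KDC off on every DC but the PDCe,
        # this DC obtains its TGT from the PDCe after the reboot.
        Set-Service -Name kdc -StartupType Disabled
        Stop-Service -Name kdc -Force
        Restart-Computer -Force
    }
    'Restore' {
        # Trigger inbound replication for all naming contexts, across sites.
        repadmin /syncall $env:COMPUTERNAME /A /e | Out-Null

        # /csv output has one row per inbound partner and naming context.
        $failing = repadmin /showrepl $env:COMPUTERNAME /csv |
            ConvertFrom-Csv |
            Where-Object { [int]$_.'Number of Failures' -gt 0 }

        if ($failing) {
            $failing | Format-Table 'Source DSA', 'Naming Context',
                'Number of Failures', 'Last Failure Status' -AutoSize | Out-Host
            throw "Replication still failing; KDC left disabled on $env:COMPUTERNAME."
        }

        # Replication is clean again, so this DC can issue tickets itself.
        Set-Service -Name kdc -StartupType Automatic
        Start-Service -Name kdc
        Write-Output "KDC re-enabled on $env:COMPUTERNAME."
    }
}
```

Run it with `-Phase Isolate` on a DC, and with `-Phase Restore` once that DC is back up, before moving to the next DC.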
Shaun Vermaak, Technical Specialist, Commented:
That is the same process as #a42513254. Rebooting without any other DCs just means that it will update trust to PDC, hence why I said in #a42514048 you need to run resets against PDCe. I believe you should mark H-Singh's comment as answer.