Thursday, February 9, 2017

Error -2146893022 The target principal name is incorrect (AD Replication)

The History


I had a client today who reported that the CEO's computer was unable to log in against Active Directory; it showed the message 'Trust Relationship was lost'. For this kind of issue the solution is usually just to remove the computer from the domain and re-join it. After removing the computer from AD I was unable to join it again, because of an error: "Logon failure: the target account name is incorrect". After checking replication on the domain controllers, I found this:
Basically CHENSDC2 and CHENSDC had gone 54 days without talking to each other. IPv6 was disabled on the servers. And checking the replication of Active Directory:
And this guided us to the headache.

The Headache


Basically repadmin gives the error "The target principal name is incorrect", so replication from "CHENSDC2" to "CHENSDC" works, but from "CHENSDC" to "CHENSDC2" it doesn't.
I tried several solutions to make this work, but none of them worked, so I'll try to be as clear as I can in describing the solution.
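The symptom above (one direction fails, and the partners had been silent for 54 days) is exactly what a periodic replication-link check would have caught weeks earlier. The following script is an added example, not code from the original post: it walks every domain controller, reads each inbound replication link with the ActiveDirectory module's Get-ADReplicationPartnerMetadata, and flags links that report an error, links that are older than an arbitrary 14-day threshold, and links that have been silent longer than the forest's tombstone lifetime (a partner in that state may carry lingering objects, so a password reset alone will not make it safe to re-enable). The error code in this post's title, -2146893022, is 0x80090322 (SEC_E_WRONG_PRINCIPAL), which is what LastReplicationResult shows for the failing direction. It assumes RSAT / the AD DS role is installed and that the caller can read the configuration partition.

```powershell
# Added example, not from the original post: report the health of every inbound
# replication link in the domain. Requires the ActiveDirectory module and a
# domain account that can read the configuration partition. The 14-day
# $StaleAfterDays threshold is an arbitrary choice for this example.

function Get-ReplicationLinkHealth {
    param([int]$StaleAfterDays = 14)

    Import-Module ActiveDirectory -ErrorAction Stop
    $now = Get-Date

    # Tombstone lifetime: a partner silent for longer than this may hold lingering
    # objects, so re-enabling replication needs more than a password reset.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties tombstoneLifetime
    $tombstoneDays = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }  # unset = forest default of 60 days

    foreach ($dc in Get-ADDomainController -Filter *) {
        $links = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue
        if (-not $links) {
            # The DC itself did not answer: report that instead of silently skipping it
            [pscustomobject]@{ Server = $dc.Name; Partner = '(unreachable)'; Partition = '-'
                               DaysSinceSuccess = $null; LastResult = $null; Status = 'NO DATA' }
            continue
        }
        foreach ($link in $links) {
            # Partner is the DN of the partner's NTDS Settings object; its second RDN is the DC name
            $partner = (($link.Partner -split ',')[1]) -replace '^CN=', ''
            $days = if ($link.LastReplicationSuccess) { [int]($now - $link.LastReplicationSuccess).TotalDays } else { $null }
            $code = $link.LastReplicationResult   # 0 = success; -2146893022 (0x80090322) = target principal name is incorrect

            $flags = @()
            if ($code -ne 0) { $flags += 'ERROR' }
            if ($null -eq $days -or $days -gt $tombstoneDays) { $flags += 'LINGERING-OBJECT RISK' }
            elseif ($days -gt $StaleAfterDays)                 { $flags += 'STALE' }

            [pscustomobject]@{
                Server           = $dc.Name
                Partner          = $partner
                Partition        = $link.Partition
                DaysSinceSuccess = $days
                LastResult       = '{0} (0x{0:X8})' -f $code
                Status           = if ($flags) { $flags -join '; ' } else { 'OK' }
            }
        }
    }
}

Get-ReplicationLinkHealth | Sort-Object Status, Server | Format-Table -AutoSize
```

In the situation described in this post the CHENSDC row for partner CHENSDC2 would show LastResult -2146893022 (0x80090322), DaysSinceSuccess 54 and Status ERROR, while the CHENSDC2 row for partner CHENSDC would show OK; a few more days and the same link would also carry the LINGERING-OBJECT RISK flag under the default 60-day tombstone lifetime.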

The Solution


To fix this issue you just need to do the following:

    1. Determine the Primary Domain Controller (PDC) by doing these steps:

  1. Press Windows key + R (at the same time)
  2. Type cmd and then press Enter. A console window will open.
  3. Run netdom query fsmo
The output will look something like this; find the server that holds the PDC role:
So our PDC is called CHENSDC2 in this example, and the problematic domain controller is CHENSDC.

    2. Stop the Kerberos Key Distribution Center (KDC) service on CHENSDC (the problematic server):

  1. Open the console (cmd) as in the previous step, if you don't have it open already
  2. Run the command net stop kdc

Pre-step for step 3: download the Windows Server 2003 Resource Kit from https://www.microsoft.com/en-us/download/details.aspx?id=17657 and install it. I did it on Windows Server 2008 R2 with nothing but a warning about versions; just ignore it and install the software.

    3. Purge Kerberos tickets on CHENSDC (the problematic server)

  1. Navigate to C:\Program Files (x86)\Windows Resource Kits\Tools and run "kerbtray.exe"
  2. You will get a green icon next to the clock in the notification area, like this
  3. Now right-click the green icon and select "Purge Tickets"
  4. After this the server no longer uses its cached tickets and will obtain fresh ones from the KDC on the PDC.

    4. Reset the computer's password on the Primary Domain Controller (PDC)

  1. On the PDC (the computer we identified in step 1), open the console (cmd) as in the previous step, if you don't have it open already
  2. netdom resetpwd /server:serverName /userd:DomainName\Administrator /passwordd:AdminPassword

    5. Start the service on CHENSDC (the problematic server)

  1. Finally, back on CHENSDC (the problematic server where we stopped the KDC in step 2), open the console (cmd) as in the previous step, if you don't have it open already
  2. Then run the command: net start kdc

    6. Enable IPv6 on both servers

  1. IPv6 is used by the servers to communicate with each other, so enable it and run "ipconfig /registerdns" so they can talk to each other, especially for the Active Directory consoles

Sidenote: this is basically to improve communication between domain controllers, especially for the AD consoles (AD Sites and Services, AD Users and Computers, etc.)

    7. Check replication again

  1. Run repadmin /replsum
  2. repadmin /showrepl
  3. repadmin /showreps
And make sure that everything is working again.
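Steps 1 to 7 above, collected into one script so the order (KDC down, tickets purged, password reset, KDC up, verify) cannot be mixed up. This is an added example and not code from the original post. It runs in an elevated PowerShell console on the problematic DC (CHENSDC in the post) and resets that DC's own machine account password against the PDC, which is how netdom resetpwd is documented to be used. It assumes the ActiveDirectory module is installed, that netdom.exe, repadmin.exe and klist.exe are on the path (all ship with Windows Server 2008 and later), and that the caller is a domain admin; klist.exe is used in place of kerbtray.exe from the 2003 Resource Kit, and the Get-NetAdapterBinding / Enable-NetAdapterBinding cmdlets for step 6 exist only on Windows Server 2012 and later, so on 2008 R2 that part falls back to checking the DisabledComponents registry value. The $AdminUser value is a placeholder.

```powershell
# Added example, not from the original post: steps 1-7 as one script, run in an
# elevated PowerShell console on the DC that cannot replicate (CHENSDC in the post).
# Assumptions: ActiveDirectory module present; netdom.exe, repadmin.exe and
# klist.exe on the path; caller is a domain admin. klist.exe stands in for
# kerbtray.exe from the 2003 Resource Kit.

#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string]$AdminUser   # e.g. 'CHENS\Administrator' (placeholder domain; use yours)
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: locate the PDC emulator and refuse to run on it
$pdc = (Get-ADDomain).PDCEmulator
$me  = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName
if ($pdc -eq $me) { throw "$me holds the PDC role; run this on the DC that cannot replicate." }
Write-Host "PDC emulator: $pdc`nRepairing:    $me"

# Step 2: stop the KDC so nothing is issued under the stale machine key meanwhile
Stop-Service -Name Kdc -Force
(Get-Service -Name Kdc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

try {
    # Step 3: purge cached Kerberos tickets for LocalSystem (logon id 0x3e7) and
    #         for the current session, the same thing kerbtray's "Purge Tickets" does
    & klist.exe -li 0x3e7 purge | Out-Null
    & klist.exe purge | Out-Null

    # Step 4: reset this DC's machine account password at the PDC.
    #         /passwordd:* makes netdom prompt, so the admin password never lands
    #         in the console history or a transcript file.
    & netdom.exe resetpwd /server:$pdc /userd:$AdminUser /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed (exit code $LASTEXITCODE)" }
}
finally {
    # Step 5: bring the KDC back whether or not the reset succeeded
    Start-Service -Name Kdc
}

# Step 6: IPv6. On Server 2012+ re-enable the binding on every adapter; on any
#         version warn if IPv6 was switched off through the DisabledComponents
#         registry value, because that change only takes effect after a reboot.
if (Get-Command Enable-NetAdapterBinding -ErrorAction SilentlyContinue) {
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled } | Enable-NetAdapterBinding
}
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$disabled = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($disabled) {
    Write-Warning ("IPv6 is disabled via DisabledComponents=0x{0:X}; set it to 0 and reboot" -f $disabled)
}
& ipconfig.exe /registerdns | Out-Null

# Step 7: verify; every line for $me in /replsummary should now show 0 fails
& repadmin.exe /replsummary
& repadmin.exe /showrepl $me
```

Two design points worth noting. The try/finally guarantees the KDC is restarted even if netdom fails, so a half-finished run does not leave the DC unable to issue tickets. And the password is requested interactively (/passwordd:*) rather than passed on the command line as in step 4 above; the built-in cmdlet Reset-ComputerMachinePassword -Server $pdc -Credential (Get-Credential) is an equivalent to the netdom call that takes the credential the same way.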

Please consider donating, and thank you very much for reading this.