The History
I had a client today who reported that the CEO's computer was unable to log in against Active Directory; it showed the message 'Trust Relationship was lost'. In this kind of issue the solution is just to take the computer out of the domain and re-join it. After removing the computer from AD I was unable to join it again because of an error: "Logon failure: the target account name is incorrect". After checking replication on the domain controllers, I figured out this:

The Headache
Basically, Repadmin gives the error "The target principal name is incorrect", so replication from "CHENSDC2" to "CHENSDC" works, but from "CHENSDC" to "CHENSDC2" it doesn't.
I tried several solutions to make this work but none of them did, so I'll try to be as clear as I can in the solution.
The Solution
To fix this issue, do the following:

1. Determine which domain controller holds the Primary Domain Controller (PDC) emulator role:
- Press Windows key + R (at the same time)
- Type cmd and press Enter. A console window will open.
- Run: netdom query fsmo
  The server listed next to "PDC" is the one we will authenticate against in step 4.

2. Stop the Kerberos Key Distribution Center (KDC) service on CHENSDC (the problematic server):
- Open the console (cmd) as in the previous step, if you don't already have one
- Run: net stop kdc

3. Purge the Kerberos tickets on CHENSDC (the problematic server):
- Pre-step: download the Windows Server 2003 Resource Kit from https://www.microsoft.com/en-us/download/details.aspx?id=17657 and install it. I did it on Windows Server 2008 R2 with nothing but a warning about versions; just ignore it and install the software.
- Navigate to C:\Program files (x86)\Windows Resource Kits\Tools and run "kerbtray.exe". You will get a green icon next to the clock.
- Right-click the green icon and select "Purge Tickets". This throws away the tickets that were cached under the old machine account password, so after the reset the server has to request fresh ones from the KDC on the PDC. (On Windows Server 2008 R2 the built-in command klist purge does the same thing without installing the Resource Kit.)

4. Reset the computer account password of CHENSDC (the problematic server) against the PDC:
- Still on CHENSDC, the server whose password is being reset, not on the PDC: open the console (cmd) as in the previous step, if you don't already have one
- Run: netdom resetpwd /server:PDCServerName /userd:DomainName\Administrator /passwordd:AdminPassword
  where PDCServerName is the PDC we found in step 1 (any other healthy DC also works). Using /passwordd:* instead of the literal password makes netdom prompt for it, so it does not end up in the command history.

5. Start the KDC service again on CHENSDC (the problematic server):
- Open the console (cmd) as in the previous step, if you don't already have one
- Run: net start kdc

6. Enable IPv6 on both servers:
- Windows Server 2008 and later have IPv6 enabled by default and the domain controllers use it to talk to each other, so enable it if it was turned off and run "ipconfig /registerdns" on each server so they can find each other, especially from the Active Directory consoles.
Sidenote: This is basically to improve communication between domain controllers, especially for the AD consoles (AD Sites and Services, AD Users and Computers, etc.). Microsoft does not recommend disabling IPv6 on domain controllers.

7. Check replication again:
- repadmin /replsum
- repadmin /showrepl
- repadmin /showreps
The "target principal name is incorrect" error should be gone from the CHENSDC to CHENSDC2 direction.
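The seven steps above as a single PowerShell script, added here as an example and not part of the original post. It is meant to be run from an elevated PowerShell prompt on the problematic DC (CHENSDC), because netdom resetpwd resets the password of the machine it runs on. The NetBIOS domain name 'CONTOSO' and the fallback PDC name 'CHENSDC2.contoso.local' are assumptions; change both for your environment. It uses the built-in klist purge in place of kerbtray, and refuses to run if the local machine turns out to be the PDC emulator it is about to authenticate against.

```powershell
# Added example, not from the original post. Run elevated ON the broken DC (CHENSDC).
# Assumed values (change for your environment):
$Domain      = 'CONTOSO'                  # assumed NetBIOS domain name
$FallbackPdc = 'CHENSDC2.contoso.local'   # assumed; used only if the FSMO output cannot be parsed

# Step 1: find the PDC emulator from the FSMO listing (the line that starts with "PDC").
$FsmoOutput = netdom query fsmo
$PdcLine    = $FsmoOutput | Where-Object { $_ -match '^PDC\s' } | Select-Object -First 1
$Pdc        = if ($PdcLine) { ($PdcLine -split '\s+')[1] } else { $FallbackPdc }
Write-Output "PDC emulator: $Pdc"

# Safety check: netdom resetpwd changes the password of THIS machine, so this host
# must not be the DC we are going to authenticate against.
$PdcHost = ($Pdc -split '\.')[0]
if ($PdcHost -ieq $env:COMPUTERNAME) {
    throw "This host is the PDC emulator. Run the script on the broken DC, or point /server at another healthy DC."
}

# Step 2: stop the KDC so this DC stops issuing tickets under the stale machine password.
Stop-Service -Name Kdc -Force

# Step 3: purge cached tickets. klist.exe is built into Windows Server 2008 R2 and
# does the same thing as kerbtray's "Purge Tickets".
klist purge | Out-Null

# Step 4: reset this DC's computer account password, authenticating to the PDC.
# /passwordd:* makes netdom prompt for the password instead of putting it on the command line.
netdom resetpwd "/server:$Pdc" "/userd:$Domain\Administrator" /passwordd:*
if ($LASTEXITCODE -ne 0) {
    Start-Service -Name Kdc      # do not leave the KDC stopped if the reset failed
    throw "netdom resetpwd failed with exit code $LASTEXITCODE"
}

# Step 5: bring the KDC back.
Start-Service -Name Kdc

# Step 6: re-register this DC's DNS records (A and, with IPv6 enabled, AAAA).
ipconfig /registerdns | Out-Null

# Step 7: verify the secure channel and replication, and flag the original error if it persists.
nltest "/sc_verify:$Domain"
repadmin /replsum
$Failures = repadmin /showrepl | Select-String -Pattern 'target principal name is incorrect'
if ($Failures) {
    Write-Warning "Replication still reports 'target principal name is incorrect':"
    $Failures | ForEach-Object { Write-Warning $_.Line }
} else {
    Write-Output "No 'target principal name is incorrect' errors in repadmin /showrepl."
}
```

The script only automates the manual steps; it still needs a domain admin to type the password at the netdom prompt, and it restarts the KDC on failure so the DC is not left unable to issue tickets if the reset is rejected.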
Please consider donating, and thank you very much for reading this.