none
Replication Error "The target principal name is incorrect"

    Question

  • Ive picked up a client with some issues with AD replication.

    Servers S00 to s07 running windows 2008, all domain controllers.

    All servers are replicating except s07. Changes made on S07 do replicate but nothing changed on other DC's are replicated to S07

    I believe this server has had some manual "fiddling" take place before I joined regarding DNS/replication.

     

    In AD Sites and services on s01 (and others) I checked replication connections and they showed s07 twice. 

    When on server 07 trying to replicate configuration to s07 from s01 I  get an error : The target principal name is incorrect. I assume this means it cant recognise the name of the S07 server? I can ping the server and browse, in dns on s01 the alias in domain.local>_msdsc is showing aa4c1831-9afc-Bef6bc268a0 which is how it is shown in dns on s07. How can I check if this is the actual ID for s07 ?

    When I go onto s07 and try to "replicate configuration from the selected DC" from S01 it gives me the same error.

     

    If on s07  I try check sites and services and check the ntds settings for s07  it shows it is meant to replciated to and from s01. however when i check the same on s01 it says s07 is not replicating from s01 (although it is from other servers).

     

    It seems to me that server s07 has been changed or amended in someway and the otehr servers cant identify it anymore, although not sure why s07 gets same message when trying to replicate from s01 (unless same reason, s01 cant identify s07 so replies fail).

    Any ideas would be great.

     

    I have already run netdom password reset which seems to be answer for a lot of the errors I m getting.

     

     

     

     

     

    Thursday, November 24, 2011 12:36 PM

Answers

  • As you have mentioned that while replication with repadmin /shoreps show target principle name incorrect.

    This issue typically indicates a Kerberos authentication problem, although there are several exceptions.These steps outline how to resolve the authentication failure.

    To verify the Access this computer from network user right.
    Everyone, Authenticated Users, and Enterprise Domain Controllers must have that user right for successful replication.

    Important: 
    There are customers that are going to remove the Everyone group from Access this computer from the network which is acceptable as long as Authenticated Users and Enterprise Domain Controllers are listed.

    To check the CrashOnAuditFail Registry Key

    Check the <computername>_regentries.txt file in the Directory Services MPSReports to confirm if crashonauditfail [REG_DWORD] = 0x2

    If CrashOnAuditFail = 0x2 perform the following steps

    Type regedit from Start, and then click Run.

    Expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

    Right-click crashonauditfail, select Modify

    Under Value data:, select 2 and change the value to 0

    Reboot domain controller.

    To check the time skew between domain controllers.See Knowledge Base article 257187

    Ensure the Trust computer for delegation check box is selected on the General tab of the domain controller Properties dialog box in Active Directory Users and Computers.

    Using Adsiedit or Ldp (both included in the Windows 2000 Support Tools), confirm that the userAccountControl attribute is set to 532480. To check this, perform the following steps

    Type adsiedit.msc from Start, and then click Run.

    Expand the Domain NC container.

    Expand the object below, i.e. DC=Contoso, DC=COM

    Expand OU=Domain Controllers

    Right-click CN=<domain_controller>, and select Properties

    Under Select a property to view, select userAccountControl and verify the value is 532480

    Note: 
    Check this value for each failing DC account on the local copy of AD for every partner DC. For example if DC-A and DC-B are failing replication, check the above on DC-A’s copy of AD and DC-B’s copy of AD.

    Reset Password and Refresh Kerberos Tickets

    Follow these steps to reset KDC password :-

    1. Stop the Key Distribution Center (KDC) service on Server all Domain controller expect PDC role holder server. To do so, open
    a Command Prompt, type net stop KDC, and press Enter.

    2. Load Kerbtray.exe on problem DC in you case it is Server07. You can do so by clicking Start, clicking Run, and
    then typing c:\program files\resource kit\kerbtray.exe and pressing Enter.You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

    3. Purge the ticket cache on Server7, right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

    4. Reset the Server domain controller account password on Server (the PDC
    emulator).

    To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

    5. Synchronize the domain. To do so, open a command prompt, type repadmin
    /syncall, and then press Enter.

    6. Start the KDC service on Server7 and all other DC. To do so, open a command prompt, typenet start KDC, and press Enter. This completes the process. 

    You can also review the following articles:

    Fixing Replication Connectivity Problems (Event ID 1925)

    http://technet.microsoft.com/en-us/library/cc780728.aspx

     

    Network connectivity problems can make it impossible for domain controllers to form replication partnerships. Various events and errors can indicate a problem with network connectivity that is preventing replication from occurring.

     

    Troubleshooting Event ID 1311: Knowledge Consistency Checker

    http://support.microsoft.com/kb/214745

     

    Cause: This behavior can occur if the Knowledge Consistency Checker (KCC) has determined that a site has been orphaned from the replication topology.

     

    In addition to the articles above, the following articles are useful for troubleshooting AD replication issues:

     

    Troubleshooting replication

    http://technet.microsoft.com/en-us/library/cc755349.aspx

     

    How to troubleshoot Event ID 1311 messages on a Windows 2000 domain

    http://support.microsoft.com/kb/307593

     

    Event ID 1925: Attempt to establish a replication link failed due to connectivity problem

    http://technet.microsoft.com/en-us/library/cc787129.aspx

     

    Event ID 1311 — KCC Replication Path Computation

    http://technet.microsoft.com/en-us/library/cc756493.aspx

     

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Friday, November 25, 2011 5:15 AM

All replies

  • The error "target principal name is incorrect" often seen due to broken secure channel on the DC. Did you try to reset the secure channel password on this dc using too, if not yet try it .Also, make sure S07 points to local dns serve only not any public IP. Verify necessary SRV records,cname exists in dns.

    http://support.microsoft.com/kb/260575

    If resetting the secure channel password doesn't work, post the relevant error message from the event log.

    Few references to troubleshoot AD replication.

    Troubleshooting AD replications.

    http://social.technet.microsoft.com/wiki/contents/articles/2285.aspx

    http://technet.microsoft.com/en-us/library/bb727057.aspx

    http://technet.microsoft.com/en-us/library/cc755349%28WS.10%29.aspx

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Thursday, November 24, 2011 12:55 PM
  • Thanks for the reply.

    As I said in my post I already reset the password using netdom, it completed but didnt resolve the issue.

     

    Just tried to open AD domains and trusts on s07 and received message, "The configuration information describing this enterprise is not available. The Target Principal name is incorrect".

     

    What Target Principal name is it actually referencing ?

    • Edited by jam_man Thursday, November 24, 2011 1:16 PM
    Thursday, November 24, 2011 1:08 PM
  • I was bit doubtful whether you performed for this DC or not. Did you verify all the dns records exists on the dns server. Also, can you post the relevant event id from the event log.

    http://support.microsoft.com/kb/816587

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Thursday, November 24, 2011 1:16 PM
  • Ive just done it again. Ran the command on s07 to reset password on s01. No errors and just completed.

    DNS records look same for s07 as they do on s01, but other than checking every entry I cant be 100% sure. Is there something I need to be looking for?

    Ive just gone to s01 and in AD Sites and services brosed to S01's ntds settings and tried to replicate to s07 but it now says object not found, which is at least different to before :)

     

     

     

    Thursday, November 24, 2011 2:09 PM
  • Realised hadnt restarted kerberos service on 07, started and now not getting the object not found error from s01.
    Thursday, November 24, 2011 2:14 PM
  • Ok theres been some change.

     

    Now when I go to AD sites and services from dc1 (another server) andgo to the nds settings for s07 and create a new AD domain services connection it is no longer giving me the target principal is not found  message.

     

    So far no replication has completed to s07 though.

    Thursday, November 24, 2011 2:22 PM
  • Current errors being recieved :

     

    Event ID 1865 Warning . 

    Event ID 1311 Error

    Event ID 1566 Warning

     

    The event ID 1925 warnings however are no longer appearing (the ones regarding the target principal name)

     

    However :

    Just ran repadmin /showreps but that is listing the the two servers it is meant to be replicating with and both are showing as target principal name is incorrect.

     

     

     

     

     

     

     


    • Edited by jam_man Thursday, November 24, 2011 2:32 PM
    Thursday, November 24, 2011 2:29 PM
  • Ok the 1925 errors have returned. 

     

    Seems like when KCC ran it has repopulated all servers into the NTDS settings and now getting same messags regarding Target Principal can not be found.

    Thursday, November 24, 2011 2:58 PM
  • Well after all that Im pretty much back to square one.

     

    S07 is not replicating, although changes on s07 do get to S01.

     

    When opening AD Domains and trusts still getting The configuration information describing this enterprise is not available. The target Principal name is incorrect.

    Thursday, November 24, 2011 3:12 PM
  • Hello,

    Please use Microsoft Skydrive to upload the output of theses commands on all DCs you have:

    • dcdiag > c:\dcdiag.txt
    • ipconfig /all > ipconfig.txt

    Once done, post a link here.

    If you have another healthy DC with GC then you can proceed like that:

    • Force demotion of the faulty DC by running dcpromo /forceremoval
    • Perform a metadata cleanup
    • Run netdom query fsmo to see if the old DC was an FSMO holder. If yes, resize the FSMO roles that it was holding on another DC
    • Promote again the DC

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Thursday, November 24, 2011 7:51 PM
  • As you have mentioned that while replication with repadmin /shoreps show target principle name incorrect.

    This issue typically indicates a Kerberos authentication problem, although there are several exceptions.These steps outline how to resolve the authentication failure.

    To verify the Access this computer from network user right.
    Everyone, Authenticated Users, and Enterprise Domain Controllers must have that user right for successful replication.

    Important: 
    There are customers that are going to remove the Everyone group from Access this computer from the network which is acceptable as long as Authenticated Users and Enterprise Domain Controllers are listed.

    To check the CrashOnAuditFail Registry Key

    Check the <computername>_regentries.txt file in the Directory Services MPSReports to confirm if crashonauditfail [REG_DWORD] = 0x2

    If CrashOnAuditFail = 0x2 perform the following steps

    Type regedit from Start, and then click Run.

    Expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

    Right-click crashonauditfail, select Modify

    Under Value data:, select 2 and change the value to 0

    Reboot domain controller.

    To check the time skew between domain controllers.See Knowledge Base article 257187

    Ensure the Trust computer for delegation check box is selected on the General tab of the domain controller Properties dialog box in Active Directory Users and Computers.

    Using Adsiedit or Ldp (both included in the Windows 2000 Support Tools), confirm that the userAccountControl attribute is set to 532480. To check this, perform the following steps

    Type adsiedit.msc from Start, and then click Run.

    Expand the Domain NC container.

    Expand the object below, i.e. DC=Contoso, DC=COM

    Expand OU=Domain Controllers

    Right-click CN=<domain_controller>, and select Properties

    Under Select a property to view, select userAccountControl and verify the value is 532480

    Note: 
    Check this value for each failing DC account on the local copy of AD for every partner DC. For example if DC-A and DC-B are failing replication, check the above on DC-A’s copy of AD and DC-B’s copy of AD.

    Reset Password and Refresh Kerberos Tickets

    Follow these steps to reset KDC password :-

    1. Stop the Key Distribution Center (KDC) service on Server all Domain controller expect PDC role holder server. To do so, open
    a Command Prompt, type net stop KDC, and press Enter.

    2. Load Kerbtray.exe on problem DC in you case it is Server07. You can do so by clicking Start, clicking Run, and
    then typing c:\program files\resource kit\kerbtray.exe and pressing Enter.You should see a little green ticket icon in your system tray in the lower right corner of your desktop.

    3. Purge the ticket cache on Server7, right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.

    4. Reset the Server domain controller account password on Server (the PDC
    emulator).

    To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.

    5. Synchronize the domain. To do so, open a command prompt, type repadmin
    /syncall, and then press Enter.

    6. Start the KDC service on Server7 and all other DC. To do so, open a command prompt, typenet start KDC, and press Enter. This completes the process. 

    You can also review the following articles:

    Fixing Replication Connectivity Problems (Event ID 1925)

    http://technet.microsoft.com/en-us/library/cc780728.aspx

     

    Network connectivity problems can make it impossible for domain controllers to form replication partnerships. Various events and errors can indicate a problem with network connectivity that is preventing replication from occurring.

     

    Troubleshooting Event ID 1311: Knowledge Consistency Checker

    http://support.microsoft.com/kb/214745

     

    Cause: This behavior can occur if the Knowledge Consistency Checker (KCC) has determined that a site has been orphaned from the replication topology.

     

    In addition to the articles above, the following articles are useful for troubleshooting AD replication issues:

     

    Troubleshooting replication

    http://technet.microsoft.com/en-us/library/cc755349.aspx

     

    How to troubleshoot Event ID 1311 messages on a Windows 2000 domain

    http://support.microsoft.com/kb/307593

     

    Event ID 1925: Attempt to establish a replication link failed due to connectivity problem

    http://technet.microsoft.com/en-us/library/cc787129.aspx

     

    Event ID 1311 — KCC Replication Path Computation

    http://technet.microsoft.com/en-us/library/cc756493.aspx

     

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Friday, November 25, 2011 5:15 AM
  • Just in the way of an update, ran netdom again and this time it worked.

     

    Why it failed the first two times I have no idea, all is now working though.

     

     

    Monday, January 30, 2012 3:07 PM
  • It might be temporary glitch and fixed by itself.You can always run dcdiag utility to verify the health of the environments.

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Tuesday, January 31, 2012 12:58 PM