Replication Issues Windows 2012 R2 servers in multi-site config

    Question

  • Hi All,

    Having some major replication issues after a power outage took out the FSMO role holder. Ever since I am getting the following errors from repadmin /showrepl and Event IDs 1311 and 1865 as well as a host of others in the event viewer for Directory Services. I have followed the resetting account using netdom to no avail. I have run it on all three DCs but nothing is improving. Server01 is the domain master, PDC, etc. Any help would be much appreciated. I have been wrestling with this for a week now.

    C:\Users\Administrator.ESKIMOCANDY>repadmin /showrepl

    Repadmin: running command /showrepl against full DC localhost
    Eskimo-Candy-Maui\ESKIMO-SERVER01
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: 5dc455bd-3a5a-440e-b3fb-ea1e816b42e9
    DSA invocationID: a7c0f6d4-6dd8-4f04-93e7-a5349cf0815b

    ==== INBOUND NEIGHBORS ======================================

    DC=ESKIMOCANDY,DC=LOC
        Eskimo-Candy-Kauai\ESKIMO-SERVER05 via RPC
            DSA object GUID: 157c7a1c-f1d8-4c59-a0a8-e05252c1bf0c
            Last attempt @ 2017-01-28 16:50:15 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            26 consecutive failure(s).
            Last success @ 2017-01-28 10:39:32.
        Eskimo-Candy-Oahu\ESKIMO-SERVER03 via RPC
            DSA object GUID: 516e42de-bdd8-4f71-9e26-c7490c79fb25
            Last attempt @ 2017-01-28 16:50:16 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            182 consecutive failure(s).
            Last success @ 2017-01-26 20:27:57.

    CN=Configuration,DC=ESKIMOCANDY,DC=LOC
        Eskimo-Candy-Kauai\ESKIMO-SERVER05 via RPC
            DSA object GUID: 157c7a1c-f1d8-4c59-a0a8-e05252c1bf0c
            Last attempt @ 2017-01-28 16:50:15 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            26 consecutive failure(s).
            Last success @ 2017-01-28 10:39:32.
        Eskimo-Candy-Oahu\ESKIMO-SERVER03 via RPC
            DSA object GUID: 516e42de-bdd8-4f71-9e26-c7490c79fb25
            Last attempt @ 2017-01-28 16:50:15 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            182 consecutive failure(s).
            Last success @ 2017-01-26 20:27:57.

    CN=Schema,CN=Configuration,DC=ESKIMOCANDY,DC=LOC
        Eskimo-Candy-Kauai\ESKIMO-SERVER05 via RPC
            DSA object GUID: 157c7a1c-f1d8-4c59-a0a8-e05252c1bf0c
            Last attempt @ 2017-01-28 16:50:15 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            26 consecutive failure(s).
            Last success @ 2017-01-28 10:39:32.
        Eskimo-Candy-Oahu\ESKIMO-SERVER03 via RPC
            DSA object GUID: 516e42de-bdd8-4f71-9e26-c7490c79fb25
            Last attempt @ 2017-01-28 16:50:16 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            182 consecutive failure(s).
            Last success @ 2017-01-26 20:27:57.

    DC=DomainDnsZones,DC=ESKIMOCANDY,DC=LOC
        Eskimo-Candy-Kauai\ESKIMO-SERVER05 via RPC
            DSA object GUID: 157c7a1c-f1d8-4c59-a0a8-e05252c1bf0c
            Last attempt @ 2017-01-28 16:50:15 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            24 consecutive failure(s).
            Last success @ 2017-01-28 10:39:33.
        Eskimo-Candy-Oahu\ESKIMO-SERVER03 via RPC
            DSA object GUID: 516e42de-bdd8-4f71-9e26-c7490c79fb25
            Last attempt @ 2017-01-28 16:50:15 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            179 consecutive failure(s).
            Last success @ 2017-01-26 19:51:39.

    DC=ForestDnsZones,DC=ESKIMOCANDY,DC=LOC
        Eskimo-Candy-Kauai\ESKIMO-SERVER05 via RPC
            DSA object GUID: 157c7a1c-f1d8-4c59-a0a8-e05252c1bf0c
            Last attempt @ 2017-01-28 16:50:15 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            24 consecutive failure(s).
            Last success @ 2017-01-28 10:39:33.
        Eskimo-Candy-Oahu\ESKIMO-SERVER03 via RPC
            DSA object GUID: 516e42de-bdd8-4f71-9e26-c7490c79fb25
            Last attempt @ 2017-01-28 16:50:15 failed, result 1256 (0x4e8):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
            179 consecutive failure(s).
            Last success @ 2017-01-26 19:51:39.

    Source: Eskimo-Candy-Oahu\ESKIMO-SERVER03
    ******* 182 CONSECUTIVE FAILURES since 2017-01-26 20:27:57
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.

    Source: Eskimo-Candy-Kauai\ESKIMO-SERVER05
    ******* 26 CONSECUTIVE FAILURES since 2017-01-28 10:39:33
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.


    Sunday, January 29, 2017 3:00 AM

All replies

  • Hi,

    I assume you also see this 'Source: Microsoft-Windows-Security-Kerberos Event ID: 4' on your domain controllers.

    Regarding resetting the password, you need to run the command from the 'broken' servers and point to the pdc in your case.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Sunday, January 29, 2017 7:53 AM
  • So from the server that is broken (server03), when I run the netdom command, the server in /server: would be server01?

    Thanks,

    Don

    Sunday, January 29, 2017 8:47 PM
  • Either DNS name or IP address produces the same result

    Could not find the network path. Nothing has changed on sonicwalls and replication was working fine so what else could be the cause? I can connect between servers using DNS names with RDP and dns appears to be resolving on all DC's in each site. Any other suggestions?

    Microsoft Windows [Version 6.2.9200]
    (c) 2012 Microsoft Corporation. All rights reserved.

    C:\Windows\System32>nslookup eskimo-server05
    Server:  eskimo-server01.eskimocandy.loc
    Address:  10.1.1.25

    Name:    eskimo-server05.ESKIMOCANDY.LOC
    Address:  192.168.2.25


    C:\Windows\System32>nslookup eskimo-server03
    Server:  eskimocandy.loc
    Address:  10.1.1.25

    Name:    eskimo-server03.ESKIMOCANDY.LOC
    Address:  192.168.1.10

    Connectivity is good

    C:\Windows\System32>ping eskimo-server03

    Pinging eskimo-server03.eskimocandy.loc [192.168.1.10] with 32 bytes of data:
    Reply from 192.168.1.10: bytes=32 time=42ms TTL=128
    Reply from 192.168.1.10: bytes=32 time=45ms TTL=128
    Reply from 192.168.1.10: bytes=32 time=38ms TTL=128
    Reply from 192.168.1.10: bytes=32 time=36ms TTL=128

    Ping statistics for 192.168.1.10:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 36ms, Maximum = 45ms, Average = 40ms

    C:\Windows\System32>ping eskimo-server05

    Pinging eskimo-server05.ESKIMOCANDY.LOC [192.168.2.25] with 32 bytes of data:
    Reply from 192.168.2.25: bytes=32 time=44ms TTL=128
    Reply from 192.168.2.25: bytes=32 time=51ms TTL=128
    Reply from 192.168.2.25: bytes=32 time=43ms TTL=128
    Reply from 192.168.2.25: bytes=32 time=43ms TTL=128

    Ping statistics for 192.168.2.25:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 43ms, Maximum = 51ms, Average = 45ms

    Sunday, January 29, 2017 9:24 PM
  • Hi Don,

    Event ID 1311 is logged when the replication configuration information in AD DS does not provide the correct topology. The KCC (Knowledge Consistency Checker) is failing to gather the physical topology of your Active Directory.

    https://technet.microsoft.com/library/cc949129(ws.10).aspx

    Make sure that no firewall rules or routing is correctly configured to the network. If after the power outage there seems to be a connectivity problem, kindly check your routing tables. To isolate the connectivity issue, you can go through the steps provided in this article. Check the inter-site transport configuration and make sure it is able to transport.

    https://technet.microsoft.com/en-us/library/3fd2d305-acc9-4db0-8712-04fb738c2c0f

    Thanks,

    CD Technologies

    Monday, January 30, 2017 1:00 AM
  • Thanks. I have been through that article and tried those steps several times. No luck.

    Don

    Monday, January 30, 2017 2:16 AM
  • Don,

    Can you share the current result for the command below? Also, can you check the clock settings for all the servers?

    repadmin /showrepl * /csv >showrepl.csv

    Thanks,

    CD Technologies

    Monday, January 30, 2017 2:31 AM
  • Clock settings are good. I have it narrowed to a firewall issue with the Sonicwalls. I have 3 sites with site-to-site VPNs. Site A is connected to B and C. Site B is connected to A and C and site C is connected to A and B. I can ping from A to B and C. I can ping from B to C and C to B but I cannot ping from B and C to A. I can ping the gateway in site A from B and C so I am assuming it is a firewall issue in site A. I can ping from the gateway in A to the server. It's bizarre. I did find out that there was a power outage at site A so maybe something is amiss from that. The bizarre thing is that the configs are the same across all three firewalls. I may just have to reconfigure the firewall at site A.
    Monday, January 30, 2017 2:14 PM
  • Not seeing how to attach the file. But basically getting error 8341 or LDAP Bind Failed between servers. So it looks like the firewall is blocking 135 and 139 from what I have read. I have made rules to open those ports from the VPN along with AD and Netbios and still nothing. I am thinking a complete rebuild of the firewall may be necessary.

    Monday, January 30, 2017 2:26 PM
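
A TCP reachability check for the situation described in the posts above, where ping succeeds across the VPN but RPC and LDAP binds fail. This is an added example, not part of the original thread; the DC names come from the posts, the port list is the standard set of fixed AD ports, and `Test-TcpPort` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run on each DC in turn.
$Peers = 'eskimo-server01.eskimocandy.loc',
         'eskimo-server03.eskimocandy.loc',
         'eskimo-server05.eskimocandy.loc'

# Fixed ports a DC exposes to its replication partners. Replication traffic
# then moves to a dynamic RPC port (49152-65535 by default) handed out by the
# endpoint mapper on 135, so that range has to pass the VPN rules as well.
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    3268 = 'Global catalog'
}

function Test-TcpPort {   # hypothetical helper; uses only System.Net.Sockets
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false                # refused, unreachable or name not resolved
    } finally {
        $client.Close()
    }
}

$results = foreach ($peer in $Peers) {
    if ($peer -like "$env:COMPUTERNAME.*") { continue }   # skip the local DC
    foreach ($entry in $Ports.GetEnumerator()) {
        [pscustomobject]@{
            Peer    = $peer
            Port    = $entry.Key
            Service = $entry.Value
            Open    = Test-TcpPort -ComputerName $peer -Port $entry.Key
        }
    }
}
$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count) { Write-Warning "$($blocked.Count) port(s) unreachable from $env:COMPUTERNAME" }
```

Running it from every site shows which direction of which tunnel drops the traffic, which ICMP replies alone cannot show.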
  • Hi,

    Just want to confirm the current situations. Please feel free to let us know if you need further assistance.

    Best Regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, February 2, 2017 1:43 AM
    Moderator
  • Getting the dreaded "Target principal name is incorrect". When I run netdom resetpwd /s:broken_server /ud:domain\username /pd:password I get a network path not found. I can ping between all DCs in all sites. Error 8341 on repadmin /syncall and repadmin /kcc *
    Thursday, February 2, 2017 5:22 AM
  • Hi,
    Please try the following suggestions to see if they help:
    1. On the DC which showed the error, change the startup type to "Manual" for the "Kerberos Key Distribution Center" service, then "Stop" this service.
    2. Now run the netdom command in your reply as administrator.
    3. Reboot the DC, navigate back to Services, right-click the Kerberos service again and choose Properties, then set it back to Automatic and start it.
    For more detailed step-by-step instructions, please see the following article:
    http://clintboessen.blogspot.sg/2010/02/errorreplicasyncfailedthe-target.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best Regards,
    Wendy




    Monday, February 6, 2017 2:00 AM
    Moderator
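
The three steps above as a script, with `/s:` pointed at the PDC as advised earlier in the thread. This is an added example, not part of the original replies; the account name and the two function names are assumptions, and the server name is the one shown in the posts.

```powershell
# Added example, not from the thread. Run elevated on the DC that reports
# "The target principal name is incorrect" (ESKIMO-SERVER03 in the posts).
$Pdc     = 'eskimo-server01.eskimocandy.loc'   # PDC named in the thread
$Account = 'ESKIMOCANDY\Administrator'         # assumption: a domain admin account

function Reset-DcMachinePassword {             # hypothetical helper name
    # Step 1: with the local KDC stopped, this DC has to request its
    # Kerberos tickets from another DC.
    Set-Service  -Name kdc -StartupType Manual
    Stop-Service -Name kdc -Force

    # Step 2: /s: names the healthy DC to contact, not the broken one.
    # /pd:* prompts for the password instead of taking it on the command line.
    & netdom resetpwd "/s:$Pdc" "/ud:$Account" '/pd:*'
    $exit = $LASTEXITCODE
    if ($exit -ne 0) {
        # Put the service back as it was found before reporting the failure.
        Set-Service   -Name kdc -StartupType Automatic
        Start-Service -Name kdc
        throw "netdom resetpwd failed with exit code $exit"
    }

    # Step 3, first half: reboot (asks for confirmation).
    Restart-Computer -Confirm
}

function Restore-Kdc {                         # hypothetical helper name
    # Step 3, second half: run after the reboot.
    Set-Service   -Name kdc -StartupType Automatic
    Start-Service -Name kdc
    repadmin /showrepl                         # confirm the failure counters reset
}
```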