Target principal name is incorrect - Serious Problem

  • Question

  • Dear all,

    I'm facing a problem with the error message "Target Principal name is Incorrect!!!!"

    I've tried all recommendations from the previous threads, but it is still not working.

    I've two DCs in my company, not replicating properly. When I tried `repadmin /syncall` from my dc2 server, it showed the error "target principal name is incorrect".

    I opened AD Users & Computers, and a "name service incorrect" error occurred.

    I've tried the metadata cleanup procedure in ntdsutil, and it ended up with "target name is incorrect".

    I've tried demoting dc2 with dcpromo; the network session with dc1 failed with "Target name is incorrect".

    I've even tried to reset dc2 using `netdom resetpwd /s:dc2 /ud:BMSI.ORG\administrator /pd:*`. But I know we can't reset domain controllers with this command.

    Kindly help me with this problem.

    • Edited by shaji_ngr Saturday, July 12, 2014 10:33 AM
    Saturday, July 12, 2014 10:32 AM


All replies

  • Sounds like a name resolution / DNS issue. What is your DNS configuration on these DCs?

    Santhosh Sivarajan | Houston, TX |

    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012


    This posting is provided AS IS with no warranties, and confers no rights.

    Sunday, July 13, 2014 6:33 PM
  • Hi,

    Can you please confirm whether dc1 has all FSMO roles? If not, you need to seize the roles from dc2 to dc1 and then try to demote dc2.

    Check out the link below for more information:

    JiJi Technologies

    Monday, July 14, 2014 5:44 AM
  • Please rerun metadata cleanup on the "healthy DC" and make sure the connection is set to the "healthy DC" and the operation target is set to the "broken DC".

    No connection is made during metadata cleanup except to the connection server, unless FSMOs are transferred during the process.

    Wednesday, July 23, 2014 6:42 PM
  • Netdom /resetpwd will work if you:

    1) Stop the KDC
    2) Set the KDC service to Manual
    3) Run the netdom command from DC2 but /s: should be DC1
    4) Set the KDC service to automatic
    5) Reboot DC2

    Brad Held


    Thursday, July 24, 2014 2:14 AM
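    The five steps above as one script, an added example that is not Brad Held's code or from Microsoft. It is meant to run in an elevated PowerShell session on the broken DC (DC2) with the AD DS tools installed (netdom.exe); the server and account names are placeholders to replace with your own. The one design point worth noting is that `/s:` points at the healthy DC, and that the KDC startup type is restored even if netdom fails, so the DC is never left in a half-configured state.

```powershell
# Added example (not from the thread): scripted form of the netdom /resetpwd
# procedure for a DC whose machine account password is out of step with the KDC.
# Run elevated on the BROKEN DC (DC2). Placeholders: replace with your own names.

$HealthyDc   = 'DC1.example.test'        # /s: must be the HEALTHY DC, not the one being repaired
$DomainAdmin = 'EXAMPLE\Administrator'   # account with rights to reset the computer password

# 1) Stop the KDC so this DC stops answering Kerberos requests with the stale secret.
Stop-Service -Name Kdc -Force

# 2) Set the KDC to Manual so an accidental reboot mid-procedure does not restart it
#    before the password has been reset.
Set-Service -Name Kdc -StartupType Manual

# 3) Reset this DC's machine account password against the healthy DC.
#    /pd:* prompts for the password so it never lands in the shell history.
& netdom.exe resetpwd /s:$HealthyDc /ud:$DomainAdmin /pd:*
if ($LASTEXITCODE -ne 0) {
    # Put the startup type back before bailing out; the KDC stays stopped so the
    # stale secret is not used, but the DC is not left with a Manual KDC by accident.
    Set-Service -Name Kdc -StartupType Automatic
    throw "netdom resetpwd failed with exit code $LASTEXITCODE. KDC left stopped; startup type restored to Automatic."
}

# 4) Restore the KDC startup type.
Set-Service -Name Kdc -StartupType Automatic

# 5) Reboot so LSA, Netlogon and the KDC all pick up the new machine password.
Restart-Computer -Force
```

    After the reboot, `repadmin /showrepl` (or the `repadmin /syncall` from the original post) on DC2 is the check that the "target principal name is incorrect" error has cleared.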
  • Is this still an issue?  Please update this forum if you are still looking for assistance since there have been updates but no feedback.

    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    Thursday, July 24, 2014 12:01 PM
  • Please follow the troubleshooting steps in the following article: Troubleshooting AD Replication error -2146893022: The target principal name is incorrect.

    "The -2146893022 \ 0x80090322 \ SEC_E_WRONG_PRINCIPAL error code is not an error returned by Active Directory but may be returned by lower layer components, including RPC, Kerberos, SSL, LSA and NTLM, for different root causes.

    Kerberos errors that are mapped by Windows code to -2146893022 \ 0x80090322 \ SEC_E_WRONG_PRINCIPAL include:

        • KRB_AP_ERR_MODIFIED (0x29 / 41 decimal / KRB_APP_ERR_MODIFIED)
        • KRB_AP_ERR_BADMATCH (0x24h / 36 decimal / Ticket and authenticator don't match)
        • KRB_AP_ERR_NOT_US (0x23h / 35 decimal / The ticket isn't for us)

    Some specific root causes for Active Directory logging -2146893022 \ 0x80090322 \ SEC_E_WRONG_PRINCIPAL include:

        1. A bad name to IP mapping in DNS, WINS, HOST or LMHOST file caused the destination DC to connect to the wrong source DC in the same Kerberos realm.
        2. A bad name to IP mapping in DNS, WINS, HOST or LMHOST file caused the destination DC to connect to the wrong source DC in a different Kerberos realm.
        3. The Kerberos target computer (source DC) was unable to decrypt Kerberos authentication data sent by the Kerberos client (destination DC) because the KDC and source DC have different versions of the source DC's computer account password.
        4. The KDC could not find a domain to look for the source DC's SPN.
        5. Authentication data in Kerberos encrypted frames were modified by hardware (including network devices), software or an attacker."

    Friday, July 25, 2014 2:51 PM
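    A read-only check for the root causes the article lists, as an added example that is not part of the Microsoft article or of this thread. It runs on the destination DC (the one logging the error) and changes nothing: it compares what each configured DNS server says the source DC's address is and looks for a HOSTS override (causes 1 and 2), looks for Kerberos event ID 4 (KRB_AP_ERR_MODIFIED), which is how the password mismatch in cause 3 shows up on the client side, and checks that the source DC's HOST, ldap and GC SPNs exist and that `setspn -X` reports no duplicates (cause 4). `DC1`, `example.test` and the single-domain-forest assumption behind the GC SPN are placeholders; the `DnsClient` and `ActiveDirectory` modules (Windows Server 2012 or later with RSAT-AD-PowerShell) are assumed.

```powershell
# Added example (not from the thread or the Microsoft article): read-only checks on the
# destination DC for the SEC_E_WRONG_PRINCIPAL root causes. Placeholders: DC1 / example.test.
param(
    [string]$SourceDc  = 'DC1',            # the DC this host fails to authenticate to
    [string]$DomainDns = 'example.test'    # placeholder; also used as the forest root for the GC SPN
)
$fqdn = "$SourceDc.$DomainDns"

# Causes 1 and 2: bad name-to-IP mapping. Ask every DNS server this host uses and flag
# disagreement, then look for a HOSTS-file override of the source DC's name.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique
$answers = foreach ($srv in $dnsServers) {
    try {
        $r = Resolve-DnsName -Name $fqdn -Type A -Server $srv -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Server = $srv; IP = (($r | Where-Object Type -eq 'A').IPAddress -join ',') }
    } catch {
        [pscustomobject]@{ Server = $srv; IP = "ERROR: $($_.Exception.Message)" }
    }
}
$answers | Format-Table -AutoSize
if (@($answers.IP | Select-Object -Unique).Count -gt 1) {
    Write-Warning "DNS servers disagree on $fqdn; a stale record can send replication to the wrong host."
}
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHit  = Select-String -Path $hostsPath -Pattern "\b$([regex]::Escape($SourceDc))\b" -ErrorAction SilentlyContinue
if ($hostsHit) { Write-Warning "HOSTS file overrides $SourceDc :`n$($hostsHit.Line -join "`n")" }

# Cause 3: KDC and source DC hold different versions of the computer password. On the
# client side this surfaces as Kerberos event ID 4 (KRB_AP_ERR_MODIFIED) in the System log.
$krbEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'
                                              ProviderName = 'Microsoft-Windows-Security-Kerberos'
                                              Id = 4 } -MaxEvents 20 -ErrorAction SilentlyContinue
if ($krbEvents) {
    Write-Warning "$(@($krbEvents).Count) recent KRB_AP_ERR_MODIFIED events; most recent:"
    @($krbEvents)[0].Message
}

# Cause 4: the KDC cannot find the source DC's SPN. Check the expected SPNs are on the
# source DC's computer object and let setspn flag forest-wide duplicates.
$spns     = (Get-ADComputer -Identity $SourceDc -Properties servicePrincipalName).servicePrincipalName
$required = @("HOST/$fqdn", "ldap/$fqdn", "GC/$fqdn/$DomainDns")   # GC SPN assumes a single-domain forest
foreach ($s in $required) {
    if ($spns -notcontains $s) { Write-Warning "Missing SPN on $SourceDc : $s" }
}
& setspn.exe -X | Select-String -Pattern ([regex]::Escape($SourceDc))
```

    Any warning the script prints maps straight back to one numbered cause in the quoted article, which tells you whether the fix is DNS/HOSTS hygiene, a machine password reset on the source DC, or SPN cleanup.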
  • Kindly offer update to Issue.

    W.Maxx MCITP MCSE MCSA MCP 2k8 2k3 2k nt4 AD, Exchange, DNS, msProject, SharePoint IBM iSeries RIM blackberry

    Friday, July 25, 2014 5:10 PM
  • Hi Brad, 

    Question: my dc1 is showing "the target principal name is incorrect", but it holds the PDC role. Should I transfer the role to dc2 and then run netdom to reset the machine password? Currently dc1 can pull the replication, but dc2 can't pull the replication from dc1.

    Thursday, July 14, 2016 4:10 PM