Unable to transfer roles -- DsBindWithSpnExW error 0x80090322(The target principal name is incorrect.)

    Question

  • Hi,

    I need help with our AD as I have started to face a few problems recently. I will first explain the configuration and then define the problem:

    ADDH1 (in office A) (holds all the roles, master domain, primary)

    Schema master               FU-ADDH1.fu-com.com
    Domain naming master        FU-ADDH1.fu-com.com
    PDC                         FU-ADDH1.fu-com.com
    RID pool manager            FU-ADDH1.fu-com.com
    Infrastructure master       FU-ADDH1.fu-com.com
    The command completed successfully.

    ADDH2 (in office A) (secondary domain controller for backup purposes)

    Schema master               FU-ADDH1.fu-com.com
    Domain naming master        FU-ADDH1.fu-com.com
    PDC                         FU-ADDH1.fu-com.com
    RID pool manager            FU-ADDH1.fu-com.com
    Infrastructure master       FU-ADDH1.fu-com.com
    The command completed successfully.

    ADDH3 (in office B) (domain controller with global catalog, connected using VPN to office A)

    C:\Users\administrator.FU-COM>netdom query fsmo
    Schema master               FU-ADDH3.fu-com.com
    Domain naming master        FU-ADDH3.fu-com.com
    PDC                         FU-ADDH3.fu-com.com
    RID pool manager            FU-ADDH3.fu-com.com
    Infrastructure master       FU-ADDH3.fu-com.com
    The command completed successfully.

    ****This should be the same as on the above servers of Office A****

    Problem:

    Recently there were some changes in the network, after which I am unable to do the replication on either side. I did a lot of troubleshooting for network, firewalls, antivirus and AD configuration but nothing works. Following are the error messages I get:

    In such a scenario I want to take over the roles and give them to the Office A server ADDH1, but it shows the following errors:

    C:\Users\administrator.FU-COM>ntdsutil
    ntdsutil: roles
    fsmo maintenance: connections
    server connections: connect to server fu-addh1
    Binding to fu-addh1 ...
    DsBindWithSpnExW error 0x80090322(The target principal name is incorrect.)
    server connections:

    Monday, September 8, 2014 5:34 AM

Answers

    No, for seizing FSMO roles you must connect to the server which you want to be the FSMO role holder; for seizing you do not need the current FSMO role holder to be up and accessible.

    Try to connect to the server you want to be the FSMO role holder in future and simply seize the roles, then remove the ex FSMO role holder. Make sure you disconnect the current FSMO role holder while you do the whole process.

    Monday, September 8, 2014 9:52 AM
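    An added example, not part of the thread: it first asks every DC for its own view of the five FSMO roles (in a healthy domain all answers agree, whereas ADDH3 above named itself for every role), then seizes on the DC that should own the roles, which is the point of the answer above. It assumes the RSAT ActiveDirectory module and enterprise admin rights; FU-ADDH1 is the target name from the thread.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and enterprise admin rights; FU-ADDH1 is the intended holder from the thread.
Import-Module ActiveDirectory

function Get-FsmoViewPerDc {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $d = Get-ADDomain -Server $dc.HostName   # domain-wide roles as this DC sees them
            $f = Get-ADForest -Server $dc.HostName   # forest-wide roles as this DC sees them
            [pscustomobject]@{
                QueriedDc    = $dc.HostName
                Schema       = $f.SchemaMaster
                DomainNaming = $f.DomainNamingMaster
                PDC          = $d.PDCEmulator
                RID          = $d.RIDMaster
                Infra        = $d.InfrastructureMaster
            }
        } catch {
            # A DC that cannot be bound (e.g. 0x80090322) still shows up in the report
            [pscustomobject]@{ QueriedDc = $dc.HostName; Schema = "UNREACHABLE: $($_.Exception.Message)" }
        }
    }
}

function Test-FsmoViewConsistent {
    # True only when every queried DC names the same holder for all five roles
    param([object[]]$Views)
    $keys = @($Views | ForEach-Object { "$($_.Schema)|$($_.DomainNaming)|$($_.PDC)|$($_.RID)|$($_.Infra)" } |
              Sort-Object -Unique)
    return ($keys.Count -eq 1)
}

function Invoke-FsmoSeize {
    # Run against the DC that SHOULD hold the roles (-Server), never the failed
    # holder; -Force seizes when a graceful transfer is impossible. Afterwards keep
    # the old holder off the network and remove it with metadata cleanup.
    param([Parameter(Mandatory)][string]$TargetDc)
    $roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -Server $TargetDc `
        -OperationMasterRole $roles -Force -Confirm:$false
}

$views = Get-FsmoViewPerDc
$views | Format-Table -AutoSize
if (-not (Test-FsmoViewConsistent $views)) {
    Write-Warning 'DCs disagree on FSMO ownership; decide the rightful holder before seizing.'
}
# Invoke-FsmoSeize -TargetDc 'FU-ADDH1'
```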
    Seize roles: http://www.petri.com/seizing_fsmo_roles.htm

    Delete failed DC: http://www.petri.com/delete_failed_dcs_from_ad.htm

    • Proposed as answer by Dalili Cyrus Monday, September 8, 2014 10:11 AM
    • Marked as answer by ShahzadHaider87 Tuesday, September 9, 2014 3:45 AM
    Monday, September 8, 2014 9:59 AM
  • Hello,

    It seems that ADDH3 has some problems or was restored from a non-AD-aware backup, or whatever was done with the other 2 DCs.

    So which machines are the correctly working DCs?

    But in a single-forest domain such as yours there can ONLY be ONE FSMO role holder, and as some roles are also listed on ADDH3 this is problematic.

    If the DC ADDH3 had problems and was not working correctly or was restored, then remove that DC, run metadata cleanup on one of the other DCs and wait for replication between the healthy DCs.

    Now you can install a new machine and promote it as a 3rd DC if required.

    For metadata cleanup see http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/ And also check that the problem DC is removed from AD Sites and Services, DNS zones and DNS zone properties, Name Servers tab.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, September 8, 2014 11:03 AM

All replies

  • Hi,

    What does dcdiag /v /e report?

    Also issue repadmin /showrepl and repadmin /replsum and show the output. The error indicates that you might have duplicate SPNs on the DCs. Are your DCs physical or virtual machines?

    Thanks.

    Regards,

    Calin

    Monday, September 8, 2014 7:06 AM
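    An added example, not part of the thread, for the SPN side of 0x80090322 that Calin raises: it reports SPNs registered on more than one account across the forest, and checks that each DC's computer account carries its replication (DRS) SPN, whose GUID part is the "DSA object GUID" that repadmin prints. It assumes the RSAT ActiveDirectory module and a reachable DC; in the thread the forest would cover fu-com.com and its child uae.fu-com.com.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param([string[]]$Domains = (Get-ADForest).Domains)   # every domain in the forest
    $owners = @{}   # SPN -> DNs carrying it (hashtable keys are case-insensitive, as SPNs are)
    foreach ($domain in $Domains) {
        Get-ADObject -Server $domain -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
          ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                if ($owners.ContainsKey($spn)) { $owners[$spn] += $dn } else { $owners[$spn] = @($dn) }
            }
          }
    }
    foreach ($kv in $owners.GetEnumerator()) {
        if ($kv.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $kv.Key; Owners = ($kv.Value -join '; ') }
        }
    }
}

function Test-DcReplicationSpn {
    # Each DC must register E3514235-4B06-11D1-AB04-00C04FC2DCD2/<NTDS Settings objectGUID>/<domain>;
    # a missing or wrong DRS SPN is one cause of "The target principal name is incorrect".
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID -Server $Domain
        $expected = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$($ntds.objectGUID)/$Domain"
        $acct = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName -Server $Domain
        [pscustomobject]@{
            DC        = $dc.HostName
            HasDrsSpn = [bool]($acct.servicePrincipalName -contains $expected)   # -contains ignores case
        }
    }
}

# Built-in alternative for the first check: setspn -X -F lists forest-wide duplicates.
Find-DuplicateSpn      | Format-Table -AutoSize
Test-DcReplicationSpn  | Format-Table -AutoSize
```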
  • Why don't you just seize those roles?
    Monday, September 8, 2014 7:22 AM
  • Try to enter the full FQDN server name to connect to.
    Monday, September 8, 2014 7:23 AM
  • To seize the role I need to connect to the server with connect to server fu-addh1.fu-com.com

    which gives me the error, and in such a scenario it is not possible for me to seize the role.

    Monday, September 8, 2014 7:43 AM
  • I did, but still the same error.
    Monday, September 8, 2014 7:43 AM
  • Output for repadmin /showrepl

    Repadmin: running command /showrepl against full DC localhost
    JAFZA\FU-ADDH3
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: e1a5fa3d-7d55-442d-a474-19d2d6df00a9
    DSA invocationID: f31ebd37-5632-431e-9b5d-bfbe0874421c

    ==== INBOUND NEIGHBORS ======================================

    DC=fu-com,DC=com
        JAFZA\REMOTE-AD-02 via RPC
            DSA object GUID: 3ae2a699-e95d-4e95-885b-ec1b8ad2e842
            Last attempt @ 2014-09-08 11:48:11 was successful.

    CN=Configuration,DC=fu-com,DC=com
        JAFZA\REMOTE-AD-02 via RPC
            DSA object GUID: 3ae2a699-e95d-4e95-885b-ec1b8ad2e842
            Last attempt @ 2014-09-08 11:41:30 was successful.

    CN=Schema,CN=Configuration,DC=fu-com,DC=com
        JAFZA\REMOTE-AD-02 via RPC
            DSA object GUID: 3ae2a699-e95d-4e95-885b-ec1b8ad2e842
            Last attempt @ 2014-09-08 11:40:39 was successful.

    DC=DomainDnsZones,DC=fu-com,DC=com
        JAFZA\REMOTE-AD-02 via RPC
            DSA object GUID: 3ae2a699-e95d-4e95-885b-ec1b8ad2e842
            Last attempt @ 2014-09-08 11:40:39 was successful.

    DC=ForestDnsZones,DC=fu-com,DC=com
        JAFZA\REMOTE-AD-02 via RPC
            DSA object GUID: 3ae2a699-e95d-4e95-885b-ec1b8ad2e842
            Last attempt @ 2014-09-08 11:40:39 was successful.

    DC=uae,DC=fu-com,DC=com
        JAFZA\REMOTE-AD-02 via RPC
            DSA object GUID: 3ae2a699-e95d-4e95-885b-ec1b8ad2e842
            Last attempt @ 2014-09-08 11:40:39 was successful.

    Source: Default-First-Site-Name\FU-ADDH2
    ******* 1 CONSECUTIVE FAILURES since 2014-09-08 11:36:50
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.

    Naming Context: CN=Configuration,DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=ForestDnsZones,DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=DomainDnsZones,DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH2
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Source: Default-First-Site-Name\FU-ADDH1
    ******* 199 CONSECUTIVE FAILURES since 2014-09-06 10:15:39
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.

    Naming Context: CN=Configuration,DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=uae,DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=ForestDnsZones,DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=DomainDnsZones,DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=fu-com,DC=com
    Source: Default-First-Site-Name\FU-ADDH1
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Monday, September 8, 2014 7:49 AM
  • Output for repadmin /replsum

    Replication Summary Start Time: 2014-09-08 11:50:46

    Beginning data collection for replication summary, this may take awhile:
      ........

    Source DSA          largest delta    fails/total %%   error
     FU-ADDH1          25d.03h:55m:54s    6 /   6  100  (2148074274) The target principal name is incorrect.
     FU-ADDH3                  01m:24s    0 /   6    0
     REMOTE-AD-02              10m:07s    0 /   6    0

    Destination DSA     largest delta    fails/total %%   error
     FU-ADDH3                  10m:07s    0 /   6    0
     REMOTE-AD-02      25d.03h:55m:54s    6 /  12   50  (2148074274) The target principal name is incorrect.

    Experienced the following operational errors trying to retrieve replication information:
            8341 - FU-ADDH1.fu-com.com
              58 - GEDC01.uae.fu-com.com
            8341 - FU-ADDH2.fu-com.com
    Monday, September 8, 2014 7:51 AM
  • If you can provide me your email I can send you the report of dcdiag /v /e

    Thank you

    Monday, September 8, 2014 7:53 AM
  • Thank you guys, it worked perfectly fine.

    I seized the roles to FU-ADDH1 and removed the faulty DC. Afterwards I did the metadata cleanup. Now the problem is resolved.

    Tuesday, September 9, 2014 3:47 AM