FIX: Active Directory Replication errors: The RPC server is unavailable. Or The target principal name is incorrect. Or The Kerberos client received a KRB_AP_ERR_MODIFIED error.

Scenario:

One of your site domain controllers has been out of sync (unable to communicate) with your PDC for 10-15 days. When you attempt to replicate from that server to the PDC, you end up receiving the error messages below:

  • REPADMIN /SHOWREPS results in the error “The target principal name is incorrect.”, as shown below:

    C:\>REPADMIN /SHOWREPS
    HYD-Network\INDHYD-DC02
    DSA Options: IS_GC
    Site Options: IS_GROUP_CACHING_ENABLED
    DSA object GUID: 57014cf3-43d0-4f07-8cab-83f0b99o256e
    DSA invocationID: 1acac066-b749-44fa-b142-9d142e505b55

    ==== INBOUND NEIGHBORS ======================================

    DC=mylab,DC=lan
        US-Network\US-DC01 via RPC
            DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
            Last attempt @ 2016-06-30 13:15:09 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            295 consecutive failure(s).
            Last success @ 2016-05-27 21:22:30.

    CN=Configuration,DC=mylab,DC=lan
        US-Network\US-DC01 via RPC
            DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
            Last attempt @ 2016-06-30 13:15:10 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            295 consecutive failure(s).
            Last success @ 2016-05-27 21:22:29.

    CN=Schema,CN=Configuration,DC=mylab,DC=lan
        US-Network\US-DC01 via RPC
            DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
            Last attempt @ 2016-06-30 13:15:11 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            295 consecutive failure(s).
            Last success @ 2016-05-27 21:22:29.

    DC=DomainDnsZones,DC=mylab,DC=lan
        US-Network\US-DC01 via RPC
            DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
            Last attempt @ 2016-06-30 13:15:13 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            294 consecutive failure(s).
            Last success @ 2016-05-27 21:22:30.

    DC=ForestDnsZones,DC=mylab,DC=lan
        US-Network\US-DC01 via RPC
            DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
            Last attempt @ 2016-06-30 13:15:14 failed, result -2146893022 (0x80090322):
                The target principal name is incorrect.
            294 consecutive failure(s).
            Last success @ 2016-05-27 21:22:31.

    Source: US-Network\US-DC01
    ******* 295 CONSECUTIVE FAILURES since 2016-05-27 21:22:31
    Last error: -2146893022 (0x80090322):
                The target principal name is incorrect.

    C:\>

  • DCDIAG /TEST:CHECKSECURITYERROR indicates possible LDAP and RPC errors, as shown below:

    C:\>DCDIAG /TEST:CHECKSECURITYERROR
    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = INDHYD-DC02
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: HYD-Network\INDHYD-DC02
          Starting test: Connectivity
             The host 57914uf3-49d0-4i07-8cab-85f0b09a266e._msdcs.mylab.lan could not be resolved to an IP address.
             Check the DNS server, DHCP, server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... INDHYD-DC02 failed test Connectivity

    Doing primary tests

       Testing server: HYD-Network\INDHYD-DC02

       Running partition tests on : ForestDnsZones

       Running partition tests on : DomainDnsZones

       Running partition tests on : Schema

       Running partition tests on : Configuration

       Running partition tests on : mylab

       Running enterprise tests on : mylab.lan

    C:\>

  • NETDOM RESET, attempting to reset the secure channel, results in the error “Access is denied.”, as shown below:

    C:\>NETDOM RESET /domain:mylab.lan INDHYD-DC02
    The secure channel from INDHYD-DC02 to mylab.LAN was not reset.
    Access is denied.

    Access is denied.

    The command failed to complete successfully.

    C:\>

  • In the event logs you’ll notice the error message below:

    Source:        Microsoft-Windows-Security-Kerberos
    Event ID:      4
    Level:         Error
    Computer:      India-DC02.MYLAB.lan
    Description:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server US-DC01$. The target name used was ldap/US-DC01.MYLAB.lan. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYLAB.LAN) is different from the client domain (MYLAB.LAN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
  • A manual attempt to replicate results in the error below:

    —————————
    Replicate Now
    —————————
    The following error occurred during the attempt to synchronize naming context Runaware.lan from Domain Controller US-DC01 to Domain Controller INDHYD-DC02:

    The target principal name is incorrect.

    This operation will not continue.
    —————————
    OK
    —————————


Fix:

Use the steps below to troubleshoot and resolve this error so that replication is restored on your domain controller.

On the server that is experiencing the replication issues:

  • Ensure the time zone matches, and the clock is in sync with, your PDC.
  • Update the computer account password with your PDC.
  • Stop the KDC (Kerberos Key Distribution Center) service.
  • Reset the password for this computer account using the netdom utility:

    C:\>netdom resetpwd /server:172.21.22.100 /userd:mylab\govardhan /passwordd:*
    Type the password associated with the domain user:
    The machine account password for the local machine has been successfully reset.

    The command completed successfully.

    C:\>

  • Restart the server and verify that the KDC service is running.
  • Run DCDiag /fix.
  • Restart the server if it still reports errors.
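Before applying the steps above, it helps to confirm on the affected DC that all the symptoms described in the scenario are present: clock skew against the PDC, the KDC service state, inbound replication links failing with 0x80090322, and Kerberos Event ID 4. The read-only check below is an added example and not part of the original post; it assumes it is run elevated on the out-of-sync DC, that repadmin.exe and w32tm.exe are available (they are on a DC), and that $Pdc is a placeholder for your PDC emulator's host name.

```powershell
function Test-DcReplicationHealth {
    # Added example (not from the original post). Read-only pre-check for the symptoms
    # described above. $Pdc is a placeholder for the PDC emulator's host name.
    param([Parameter(Mandatory)][string]$Pdc)

    # 1. Clock skew against the PDC. Kerberos rejects tickets once skew exceeds the
    #    default 5-minute tolerance, and a DC isolated for weeks has often drifted.
    $offsets = w32tm /stripchart /computer:$Pdc /samples:3 /dataonly |
        Select-String '([+-]\d+\.\d+)s' |
        ForEach-Object { [math]::Abs([double]$_.Matches[0].Groups[1].Value) }
    $maxSkewSec = ($offsets | Measure-Object -Maximum).Maximum

    # 2. KDC service state (the fix stops it before the machine account password reset).
    $kdc = (Get-Service -Name Kdc).Status

    # 3. Inbound replication links with failures, parsed from repadmin's CSV output.
    #    -2146893022 and 2148074274 are the signed/unsigned forms of 0x80090322,
    #    "The target principal name is incorrect".
    $links = repadmin /showrepl $env:COMPUTERNAME /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                NamingContext = $_.'Naming Context'
                Source        = $_.'Source DSA'
                Failures      = [int]$_.'Number of Failures'
                LastSuccess   = $_.'Last Success Time'
                Status        = $_.'Last Failure Status'
                SpnMismatch   = $_.'Last Failure Status' -in '-2146893022', '2148074274'
            }
        }

    # 4. Recent KRB_AP_ERR_MODIFIED events (System log, Kerberos client, Event ID 4).
    $krbEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MaxClockSkewSeconds = $maxSkewSec
        SkewExceedsKerberos = $maxSkewSec -gt 300
        KdcService          = $kdc
        FailingLinks        = $links
        KerberosEvent4Count = @($krbEvents).Count
        # 0x80090322 on the links plus Event ID 4 together point at the stale
        # machine account password that the netdom resetpwd step above corrects.
        LikelyStalePassword = (@($links | Where-Object SpnMismatch).Count -gt 0) -and
                              (@($krbEvents).Count -gt 0)
    }
}
```

Run it as `Test-DcReplicationHealth -Pdc US-DC01` (substituting your PDC), then re-run after the reset and reboot: FailingLinks should be empty and LastSuccess on each partition should be current.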
