You can see DC-01 and DC-02 are fine, but DC-03 has replication errors and shows the error
message "The target principal name is incorrect."
Resetting the domain controller's computer account using the following steps resolved the
replication issues.
Step 2
On the domain controller, disable the Kerberos Key Distribution Center service (KDC).
Click Start, point to Programs, click Administrative Tools, and then click
Services.
Double-click KDC, set the startup type to Disabled, and then restart the
computer.
(Restarting is required; otherwise you will get an error on the next step.)
Step 3
Log in to the DC again and run the following command to reset the computer account:
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
(This cannot be done in Active Directory Users and Computers for domain controllers.)
Step 4
Set the KDC service startup type back to "Automatic" and restart the server again.
Step 5
Run the following commands to ensure there are no replication issues.
repadmin /syncall
repadmin /replsummary
Resolution
issue command: netdom reset DOMAINCONTROLLERNAME (in my case STAR)
Open a run-as administrator command prompt and enter the following command:
netdom reset DOMAINCONTROLLERNAME
Crashed on Audit Fail resolution for condition: CrashOnAuditFail=2
(http://support.microsoft.com/kb/2002013)
AD replication fails when HKLM\System\CurrentControlSet\Control\LSA\CrashOnAuditFail has
a value of 2.
A CrashOnAuditFail value of 2 is triggered when the "Audit: Shut down system immediately if
unable to log security audits" setting in Group Policy has been enabled AND the local security
event log becomes full.
Active Directory domain controllers are especially prone to maximum-capacity security logs
when auditing has been enabled AND the size of the security event log has been constrained by
the "Do not overwrite events (clear log manually)" or "Overwrite as needed" options in Event
Viewer or their Group Policy equivalents.
User action if HKLM\System\CCS\Control\LSA\CrashOnAuditFail = 2:
Clear the security event log (save it to an alternate location as required)
Re-evaluate any size constraints on the security event log, including policy-based settings.
Recreate CrashOnAuditFail (REG_DWORD) = 1
Reboot
On seeing a CrashOnAuditFail value of 0 or 1, some CSS engineers have resolved "access is
denied" errors by again clearing the security event log, deleting the CrashOnAuditFail registry
value, and rebooting the destination DC.
Followed Excessive Time Skew Steps from same article:
C:\>DCDIAG /TEST:CheckSecurityError
AND
C:\>W32TM /MONITOR
Ensure Trust computer for delegation is enabled:
(based on the steps in green from: http://social.technet.microsoft.com/Forums/enUS/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/)
Ensure the Trust computer for delegation check box is selected on the General tab of the domain
controller Properties dialog box in Active Directory Users and Computers.
Confirm that the userAccountControl attribute is set to 532480:
Using Adsiedit or Ldp (both included in the Windows 2000 Support Tools), confirm that the
userAccountControl attribute is set to 532480. To check this, perform the following steps
Click Start, click Run, type adsiedit.msc, and then press Enter.
Expand the Domain NC container.
Expand the object below it, i.e. DC=Contoso,DC=COM.
Expand OU=Domain Controllers.
Right-click CN=<domain_controller> and select Properties.
Under "Select a property to view", select userAccountControl and verify that the value is 532480.
Note:
Check this value for each failing DC account on the local copy of AD of every partner DC. For
example, if DC-A and DC-B are failing replication, check the above on DC-A's copy of AD and on
DC-B's copy of AD.
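The note above asks for the userAccountControl check to be repeated on every partner DC's copy of the directory. The following script does exactly that; it is an added example, not part of the article or the forum thread, and it assumes the RSAT ActiveDirectory module and read access to every DC. 532480 is SERVER_TRUST_ACCOUNT (0x2000) plus TRUSTED_FOR_DELEGATION (0x80000), the latter being the "Trust computer for delegation" check box.

```powershell
# Added example, not from the article: read each DC's userAccountControl from each partner DC.
Import-Module ActiveDirectory

$Expected  = 0x2000 -bor 0x80000      # 532480
$FlagNames = [ordered]@{
    0x2000    = 'SERVER_TRUST_ACCOUNT'            # the object is a domain controller
    0x10000   = 'DONT_EXPIRE_PASSWORD'
    0x80000   = 'TRUSTED_FOR_DELEGATION'          # "Trust computer for delegation"
    0x1000000 = 'TRUSTED_TO_AUTH_FOR_DELEGATION'
}
function ConvertTo-UacFlags([int]$Value) {
    ($FlagNames.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $FlagNames[$_] }) -join '|'
}

$dcs = Get-ADDomainController -Filter *
$results = foreach ($source in $dcs) {        # the DC whose copy of AD is queried
    foreach ($target in $dcs) {               # the DC account being inspected
        try {
            $uac = (Get-ADComputer -Identity $target.ComputerObjectDN -Server $source.HostName `
                                   -Properties userAccountControl).userAccountControl
            $status = if ($uac -eq $Expected) { 'OK' }
                      elseif (($uac -band $Expected) -eq $Expected) { 'OK (extra flags)' }
                      else { 'MISMATCH' }
        } catch {
            # A DC that is failing replication often cannot be queried at all; record that too.
            $uac = $null; $status = "QUERY FAILED: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            ReadFrom = $source.Name
            Account  = $target.Name
            UAC      = $uac
            Flags    = if ($null -ne $uac) { ConvertTo-UacFlags $uac } else { '' }
            Status   = $status
        }
    }
}
$results | Sort-Object Status, Account | Format-Table -AutoSize
```

Any MISMATCH row names the copy of AD (ReadFrom) on which the flags differ, which is the side to fix before retrying replication.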
Reset Password and Refresh Kerberos Tickets:
1. Stop the Key Distribution Center (KDC) service on every domain controller except the PDC
role holder. To do so, open a Command Prompt, type net stop KDC, and press Enter.
2. Load Kerbtray.exe on the problem DC (in this case, STAR). You can do so by clicking Start,
clicking Run, typing c:\program files\resource kit\kerbtray.exe, and pressing Enter. You should
see a little green ticket icon in your system tray in the lower right corner of your desktop.
3. Purge the ticket cache on STAR: right-click the green ticket icon in your system tray, and then
click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click
OK.
4. Reset the domain controller account password against the PDC emulator (server2 in the
command below). To do so, open a command prompt and type:
netdom resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password
and then press Enter.
5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and then
press Enter.
6. Start the KDC service on STAR and all other DCs. To do so, open a command prompt, type
net start KDC, and press Enter. This completes the process.
Alright! At this point the issue was finally resolved; what a quest. Through the process I refined
an excellent procedure for fixing this type of issue in the future.
I also found that the new DC had the same IP as the old DC, and the old DC had never been
removed from the name servers:
Now onto our third installment in this series: The target principal name is incorrect | DC Stops
Replicating Pt. 3
Domain Controller no longer replicating Pt. 1: Replication has been explicitly disabled
Issue: Domain Controller in the Los Angeles site hasn't replicated for over a month
The first step is to run DCDIAG from the command prompt (right click run as administrator).
Amongst other errors DCDIAG reveals that Inbound and Outbound Replication is Disabled:
2. Type the following command, and then press ENTER (where SERVERNAME is
the computer name of the Domain Controller):
repadmin /options SERVERNAME -DISABLE_INBOUND_REPL
3. Verify the new replication option, the following message should appear:
Current DC options: DISABLE_INBOUND_REPL
New DC Options: <none>
4. Type the following command, and then press ENTER:
repadmin /options SERVERNAME -DISABLE_OUTBOUND_REPL
5. Verify the new replication option, the following message should appear:
Current DC options: DISABLE_OUTBOUND_REPL
New DC Options: <none>
Here is an example. Notice that Current DC Options shows the conditions that were in effect at
the time you ran the command, and New DC Options shows the effect of the command: the
Disable Replication option is no longer set:
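The two repadmin /options flags above are bits of the options attribute on each DC's NTDS Settings object, so they can be audited across the whole forest in one query. The following script is an added example, not part of the article; it assumes the RSAT ActiveDirectory module, and re-enabling is opt-in via the $ReEnable switch. The bit values are the documented ones: 0x1 IS_GC, 0x2 DISABLE_INBOUND_REPL, 0x4 DISABLE_OUTBOUND_REPL, 0x8 DISABLE_NTDSCONN_XLATE.

```powershell
# Added example, not from the article: find DCs whose replication is explicitly disabled.
Import-Module ActiveDirectory

$Bits = [ordered]@{ 0x1 = 'IS_GC'; 0x2 = 'DISABLE_INBOUND_REPL'
                    0x4 = 'DISABLE_OUTBOUND_REPL'; 0x8 = 'DISABLE_NTDSCONN_XLATE' }
$ReEnable = $false     # set to $true to clear the two flags with repadmin, as in the steps above

$configNC = (Get-ADRootDSE).configurationNamingContext
$report = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' `
                       -Properties options | ForEach-Object {
    $opts = [int]$_.options                       # an absent attribute reads as 0
    [pscustomobject]@{
        Server           = ($_.DistinguishedName -split ',')[1] -replace '^CN=', ''
        Options          = $opts
        Flags            = ($Bits.Keys | Where-Object { $opts -band $_ } |
                            ForEach-Object { $Bits[$_] }) -join ','
        InboundDisabled  = [bool]($opts -band 0x2)
        OutboundDisabled = [bool]($opts -band 0x4)
    }
}
$report | Format-Table -AutoSize

if ($ReEnable) {
    # Same effect as "repadmin /options SERVERNAME -DISABLE_INBOUND_REPL" and the outbound twin.
    foreach ($dc in $report | Where-Object { $_.InboundDisabled -or $_.OutboundDisabled }) {
        if ($dc.InboundDisabled)  { repadmin /options $dc.Server -DISABLE_INBOUND_REPL }
        if ($dc.OutboundDisabled) { repadmin /options $dc.Server -DISABLE_OUTBOUND_REPL }
    }
}
```

Before flipping $ReEnable, find out why the flags were set: a DC sets both on itself after detecting a USN rollback (Directory Service event 2095), and re-enabling replication in that state spreads the inconsistency to its partners.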
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13,
2010. The Windows 2000 End-of-Support Solution Center is a starting point for
planning your migration strategy from Windows 2000. For more information see the
Microsoft Support Lifecycle Policy.
Symptoms
When you use the Active Directory Sites and Services snap-in to manually replicate
data between Windows 2000 domain controllers, you may receive one of the
following error messages:
The Target Principal Name is incorrect
-or-
Access is denied
In addition, the following event ID messages may be logged in the system log:
Event Source: Netlogon
Event Category: None
Event ID: 3210
User: N/A
Event Description:
Failed to authenticate with \\DOMAINDC, a Windows NT domain controller for domain DOMAIN.
-and-
Event Source: Netlogon
Event Category: None
Event ID: 5722
User: N/A
Event Description:
The session setup from the computer %1 failed to authenticate. The name of the account
referenced in the security database is %2. The following error occurred: %3
Resolution
To resolve this issue, first determine which domain controller is the current primary
domain controller (PDC) Emulator operations master role holder. To do this, use
either of the following methods:
Install the Netdom.exe utility from Windows 2000 Support Tools, and then run
the following command:
netdom query fsmo
Start the Active Directory Users and Computers snap-in, right-click the
domain, and then click Operations Masters. Click the PDC tab; the current role
holder is displayed in the Operations Master window. On this tab, you can
change the operations master role to the current computer in the second
window (if this computer is not the current holder).
Use the Ntdsutil.exe utility (that is included in Windows 2000), and the
Resource Kit command-line utility. However, these interfaces are
recommended for more advanced users.
For additional information, click the article number below to view the article in the
Microsoft Knowledge Base:
234790 How to Find FSMO Role Holders
On domain controllers that are experiencing this issue, disable the Kerberos Key
Distribution Center service (KDC). To do so:
1. Click Start, point to Programs, click Administrative Tools, and then click
Services.
2. Double-click KDC, set the startup type to Disabled, and then restart the
computer.
After the computer restarts, use the Netdom utility to reset the secure channels
between these domain controllers and the PDC Emulator operations master role
holder. To do so, run the following command from the domain controllers other than
the PDC Emulator operations master role holder:
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
Where server_name is the name of the server that is the PDC Emulator operations
master role holder.
For additional information, click the article number below to view the article in the
Microsoft Knowledge Base:
260575 How to Use Netdom.exe to Reset Machine Account Passwords
After you reset the secure channel, restart the domain controllers. Even if you
attempt to reset the secure channel using the Netdom utility, and the command
does not complete successfully, proceed with the restart process.
If only the PDC Emulator operations master role holder is running, the KDC forces
the other domain controllers to resynchronize with this computer, instead of issuing
themselves a new Kerberos ticket.
After the computers have finished restarting, start the Services program, restart the
KDC service, and then attempt replication again.
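The same secure-channel reset appears three times on this page (Step 2 to Step 5 of the first procedure, the "Reset Password and Refresh Kerberos Tickets" steps, and this KB resolution). As an added example, not from the article or the KB, the script below runs the no-reboot variant (stop KDC, purge tickets, netdom resetpwd against the PDC emulator, repadmin /syncall, start KDC) on the failing DC and then checks the replication summary. It assumes an elevated Domain Admin session with the RSAT ActiveDirectory module, netdom.exe and repadmin.exe on a Windows Server 2008 or later DC; klist stands in for Kerbtray.

```powershell
# Added example, not from the article: secure-channel reset of this DC against the PDC emulator.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                       # the copy of the machine account we trust
$self   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($self -ieq $pdc) { throw "Run this on a DC other than the PDC emulator ($pdc)." }

# 1. Stop the local KDC so it cannot issue tickets under the stale machine password.
Stop-Service -Name Kdc -Force

# 2. Purge cached tickets that still carry the old key.
klist purge | Out-Null

# 3. Reset this DC's machine account password against the PDC emulator.
#    /passwordd:* makes netdom prompt instead of putting the password on the command line.
netdom resetpwd /server:$pdc /userd:"$($domain.NetBIOSName)\Administrator" /passwordd:*
if ($LASTEXITCODE -ne 0) {
    Write-Warning "netdom exited with $LASTEXITCODE; the KB says to carry on even when the reset reports failure."
}

# 4. Bring the KDC back, force a sync of all partitions across the enterprise, then summarise.
Start-Service -Name Kdc
repadmin /syncall /A /e | Out-Null
$summary = repadmin /replsummary
$summary

# /replsummary prints a "fails/total" column per DSA, e.g. "   0 /   5"; add up the fails.
$failures = ($summary | Select-String -Pattern '(\d+)\s*/\s*\d+\s+\d+' |
             ForEach-Object { [int]$_.Matches[0].Groups[1].Value } | Measure-Object -Sum).Sum
if ($failures) { Write-Warning "$failures replication failure(s) remain; see the error column above." }
else           { 'No replication failures reported.' }
```

If the KB's reboot-based variant is preferred, set the Kdc service to Disabled before the netdom step, restart, and set it back to Automatic afterwards as the KB describes.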