Error -2146893022 The target principal name is incorrect (AD Replication)

The History

I had a client today who reported that the CEO's computer was unable to log in against Active Directory; it showed the message 'Trust Relationship was lost'. For this kind of issue, the usual fix is simply to remove the computer from the domain and re-join it. After removing it from AD, I was unable to join it again because of the error: "Logon failure: the target account name is incorrect." After checking replication on the domain controllers, I found this:

https://3.bp.blogspot.com/-6K6syFrZ6PA/WJwfem09UtI/AAAAAAAAfJw/XEf3r3Q_p24WqYEWD4-Ke1ZbVLZGw_h1QCLcB/s1600/Screenshot_2.png

CHENSDC2 and CHENSDC had gone 54 days without talking to each other, and IPv6 was disabled on the servers. Checking Active Directory replication:

https://1.bp.blogspot.com/-VTOJzQDLZ48/WJwgAlWr-QI/AAAAAAAAfJ0/CVVmCW0opNI_PcvBLdMXvrWgPMKZo3nxQCLcB/s1600/showreps%2B%2Bshowrpl%2Btarget%2Bprincipal%2Berror.png

And this led us to a headache.

The Headache

Repadmin reports the error "The target principal name is incorrect": replication from CHENSDC2 to CHENSDC works, but from CHENSDC to CHENSDC2 it does not. I tried several solutions, but none of them worked, so I'll lay out the solution as cleanly as I can.

The Solution

To fix this issue, do the following:

  1. Press Windows key + R (at the same time)
  2. Type cmd and press Enter. A console window will open.
  3. Run netdom query fsmo

The output will look something like this; use it to determine which server holds the PDC role:

https://1.bp.blogspot.com/-CT_IPGT3kQc/WKJumK2RthI/AAAAAAAAffE/OSxDE6UZgfQ3CNHMhu1nZaXvDxaBjE7ZACLcB/s1600/fsmo.png

So in this example our PDC is called CHENSDC2, and the problematic domain controller is CHENSDC.

  1. Open a console (cmd) as in the previous step, if you don't have one open
  2. Run the command net stop kdc

https://2.bp.blogspot.com/-2_vjD1KgokU/WJws7CHq5kI/AAAAAAAAfKo/aFaLqUO5tiMprr1XRVjo93USjf2UT2jDwCLcB/s1600/kdc%2Bstop.png

Pre-step: download the WS2003 Resource Kit from https://www.microsoft.com/en-us/download/details.aspx?id=17657 and install it. I did this on Windows Server 2008 R2 with nothing but a warning about versions; just ignore it and install the software.

  1. Navigate to C:\Program Files (x86)\Windows Resource Kits\Tools and run "kerbtray.exe": https://4.bp.blogspot.com/-Ha5wbjioVHM/WJytyM7DEVI/AAAAAAAAfSw/PRVattDRZKspdTYh19nrOgd-oXgMGsE0wCLcB/s1600/kertray%2Bsoftware.png You will see a green icon next to the clock, like this: https://3.bp.blogspot.com/-Sg9PMPhLZjk/WJyuDKV6l8I/AAAAAAAAfS0/4uWnwIm41cgEyPe9llxikVgSoT0Vq4FpgCLcB/s1600/tray.png
  2. Right-click the green icon and select "Purge tickets": https://1.bp.blogspot.com/-YvN8SXBACS0/WJyugz7JJNI/AAAAAAAAfS4/aEacwmknRhUgTYrJgkF_-gNL5dM02L2MwCLcB/s1600/purge%2Btickets.png After this, the server will synchronize with the KDC on the PDC.

  1. On the PDC computer (the one identified with netdom query fsmo), open a console (cmd) as before, if you don't have one open
  2. Run: netdom resetpwd /server:serverName /userd:DomainName\Administrator /passwordd:AdminPassword

  1. Finally, on the PDC computer (the one identified with netdom query fsmo), open a console (cmd) as before, if you don't have one open
  2. Run the command: net start kdc

https://3.bp.blogspot.com/-uOnCuBFqVzw/WJwuY-iwa2I/AAAAAAAAfK0/4aaikEtZEewgh245-IknXaSXmH2Z-SzzQCLcB/s1600/kdc%2Bstart.png

  1. Servers use IPv6 to communicate with each other, so enable it and run "ipconfig /registerdns" so they can talk to each other, especially through the Active Directory consoles

Side note: this is mainly to improve communication between the domain controllers, especially for the AD consoles (AD Sites and Services, AD Users and Computers, etc.).

  1. Run repadmin /replsum
  2. Run repadmin /showrepl
  3. Run repadmin /showreps

and make sure everything is working again.
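As an added example (not from the original post), the following PowerShell helper first triages repadmin's output for links failing with exactly this error code, and then wraps the post's repair sequence in one function. It assumes an elevated PowerShell on the affected DC, that repadmin.exe, netdom.exe and klist.exe are on the PATH, that repadmin's /csv column names are as used below, and that "klist purge" is an acceptable stand-in for the kerbtray "Purge tickets" click; DOMAINNAME is a placeholder.

```powershell
# Added example, not from the original post: triage and repair helper for the
# "target principal name is incorrect" replication failure. Assumptions: elevated
# PowerShell on the affected DC, repadmin/netdom/klist on the PATH, and the
# repadmin /csv column names used below. "klist purge" stands in for kerbtray.

# Error code from the post: -2146893022 is 0x80090322 (SEC_E_WRONG_PRINCIPAL).
$WrongPrincipal = -2146893022

function Get-WrongPrincipalFailures {
    # Parse repadmin's CSV for every DC and keep only links failing with this error.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        if (($r.'Last Failure Status' -as [int]) -ne $WrongPrincipal) { continue }
        $lastOk = $r.'Last Success Time' -as [datetime]
        # How long the link has been broken (the post's case: 54 days).
        $days = if ($lastOk) { [int]((Get-Date) - $lastOk).TotalDays } else { 'never' }
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            DaysSinceSync = $days
            Failures      = [int]$r.'Number of Failures'
        }
    }
}

function Repair-DcKerberosTrust {
    param(
        [Parameter(Mandatory)][string]$Pdc,      # holder of the PDC role (netdom query fsmo)
        [Parameter(Mandatory)][string]$Domain,   # NetBIOS domain name, e.g. DOMAINNAME
        [string]$AdminUser = 'Administrator'
    )
    # Same sequence as the post: stop the KDC, purge Kerberos tickets, reset the
    # machine account password against the PDC, start the KDC, then re-check.
    Stop-Service -Name Kdc
    klist purge | Out-Null
    # /passwordd:* prompts for the password instead of leaving it in the command history.
    netdom resetpwd /server:$Pdc /userd:"$Domain\$AdminUser" /passwordd:*
    Start-Service -Name Kdc
    repadmin /replsum
}

# Triage first; run the repair only once the failing link is confirmed.
Get-WrongPrincipalFailures | Format-Table -AutoSize
# Repair-DcKerberosTrust -Pdc CHENSDC2 -Domain DOMAINNAME
```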