FIX: Active Directory Replication errors: The RPC server is unavailable. Or The target prin...

Datetime: 2016-08-23 03:10:07          Topic: RPC

Scenario:

One of your site domain controllers has been out of sync with your PDC (unable to communicate with it) for 10-15 days. When you attempt to replicate from that server to the PDC, you receive the error messages below:

  • REPADMIN /SHOWREPS results in the error “The target principal name is incorrect.”, as shown below:

    C:\>REPADMIN /SHOWREPS

    HYD-Network\INDHYD-DC02
    DSA Options: IS_GC
    Site Options: IS_GROUP_CACHING_ENABLED
    DSA object GUID: 57014cf3-43d0-4f07-8cab-83f0b99o256e
    DSA invocationID: 1acac066-b749-44fa-b142-9d142e505b55

    ==== INBOUND NEIGHBORS ======================================

    DC=mylab,DC=lan
    US-Network\US-DC01 via RPC
    DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
    Last attempt @ 2016-06-30 13:15:09 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    295 consecutive failure(s).
    Last success @ 2016-05-27 21:22:30.

    CN=Configuration,DC=mylab,DC=lan
    US-Network\US-DC01 via RPC
    DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
    Last attempt @ 2016-06-30 13:15:10 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    295 consecutive failure(s).
    Last success @ 2016-05-27 21:22:29.

    CN=Schema,CN=Configuration,DC=mylab,DC=lan
    US-Network\US-DC01 via RPC
    DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
    Last attempt @ 2016-06-30 13:15:11 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    295 consecutive failure(s).
    Last success @ 2016-05-27 21:22:29.

    DC=DomainDnsZones,DC=mylab,DC=lan
    US-Network\US-DC01 via RPC
    DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
    Last attempt @ 2016-06-30 13:15:13 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    294 consecutive failure(s).
    Last success @ 2016-05-27 21:22:30.

    DC=ForestDnsZones,DC=mylab,DC=lan
    US-Network\US-DC01 via RPC
    DSA object GUID: f9719614-f32a-4bbd-842a-2fb144f83680
    Last attempt @ 2016-06-30 13:15:14 failed, result -2146893022 (0x80090322):
    The target principal name is incorrect.
    294 consecutive failure(s).
    Last success @ 2016-05-27 21:22:31.

    Source: US-Network\US-DC01
    ******* 295 CONSECUTIVE FAILURES since 2016-05-27 21:22:31
    Last error: -2146893022 (0x80090322):
    The target principal name is incorrect.

    C:\>

  • DCDIAG /TEST:CHECKSECURITYERROR indicates possible LDAP and RPC errors, as shown below:

    C:\>DCDIAG /TEST:CHECKSECURITYERROR

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server…
    Home Server = INDHYD-DC02
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: HYD-Network\INDHYD-DC02
    Starting test: Connectivity
    The host 57914uf3-49d0-4i07-8cab-85f0b09a266e._msdcs.mylab.lan could not be resolved to an IP address.
    Check the DNS server, DHCP, server name, etc.
    Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
    ……………………. INDHYD-DC02 failed test Connectivity

    Doing primary tests

    Testing server: HYD-Network\INDHYD-DC02
    Running partition tests on : ForestDnsZones
    Running partition tests on : DomainDnsZones
    Running partition tests on : Schema
    Running partition tests on : Configuration
    Running partition tests on : mylab
    Running enterprise tests on : mylab.lan

    C:\>

  • NETDOM RESET, an attempt to reset the secure channel, results in the error “Access is denied.”, as shown below:

    C:\>NETDOM RESET /domain:mylab.lan INDHYD-DC02

    The secure channel from INDHYD-DC02 to mylab.LAN was not reset.

    Access is denied.

    The command failed to complete successfully.

    C:\>

  • In the event logs you will notice the error message below:

    Source:        Microsoft-Windows-Security-Kerberos
    Event ID:      4
    Level:         Error
    Computer:      India-DC02.MYLAB.lan
    Description:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server US-DC01$. The target name used was ldap/US-DC01.MYLAB.lan. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (MYLAB.LAN) is different from the client domain (MYLAB.LAN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
  • A manual attempt to replicate results in the error below:

    —————————
    Replicate Now
    —————————
    The following error occurred during the attempt to synchronize naming context Runaware.lan from Domain Controller US-DC01 to Domain Controller INDHYD-DC02:

    The target principal name is incorrect.

    This operation will not continue.
    —————————
    OK
    —————————
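The symptoms above are easier to spot from one script than from reading several consoles. The following PowerShell triage script is an added example and not part of the original post: it parses `repadmin /showrepl /csv` for partners whose last failure is 0x80090322 (“The target principal name is incorrect.”) or 1722 (“The RPC server is unavailable.”), and pulls the matching Kerberos event ID 4 entries from the System log. The `$Dsa` and `$Hours` parameters and the `Invoke-ReplicationTriage` wrapper are assumptions of this example; `repadmin`, `Get-WinEvent` and `certutil -error` are the real tools.

```powershell
# Added example (not from the original post): triage the two symptoms described above.
# Assumes it runs on a DC or an RSAT host where repadmin.exe is available and the
# System event log is readable.

# Well-known Windows status codes, keyed by their 32-bit hex form.
$KnownStatus = @{
    '0x80090322' = 'SEC_E_WRONG_PRINCIPAL: The target principal name is incorrect.'
    '0x000006BA' = 'RPC_S_SERVER_UNAVAILABLE: The RPC server is unavailable.'
}

function ConvertTo-HexStatus {
    # repadmin reports the status as a signed decimal (e.g. -2146893022); normalise to hex.
    param([string]$Status)
    $n = 0L
    if ([long]::TryParse($Status, [ref]$n)) {
        return ('0x{0:X8}' -f [uint32]($n -band 0xFFFFFFFF))
    }
    return $Status
}

function Get-ReplicationFailure {
    # "*" asks every DC in the forest; pass one DC name to scope the query (assumed parameter).
    param([string]$Dsa = '*')
    $rows = repadmin /showrepl $Dsa /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        if ([int]$r.'Number of Failures' -le 0) { continue }
        $hex = ConvertTo-HexStatus $r.'Last Failure Status'
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = [int]$r.'Number of Failures'
            LastSuccess   = $r.'Last Success Time'
            Status        = $hex
            Meaning       = if ($KnownStatus.ContainsKey($hex)) { $KnownStatus[$hex] }
                            else { "other (look up with: certutil -error $hex)" }
        }
    }
}

function Get-KerberosModifiedEvent {
    # Event ID 4 from Microsoft-Windows-Security-Kerberos is logged to the System log.
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time   = $_.TimeCreated
                # Pull the server and SPN out of the message text shown in the event above.
                Server = if ($m -match 'from the server (\S+)\.') { $Matches[1] } else { '?' }
                Target = if ($m -match 'target name used was (\S+)\.') { $Matches[1] } else { '?' }
            }
        }
    } catch {
        # Get-WinEvent raises "No events were found" when the filter matches nothing.
        Write-Verbose $_.Exception.Message
    }
}

function Invoke-ReplicationTriage {
    param([string]$Dsa = '*', [int]$Hours = 24)
    Write-Host '== Inbound replication partners with failures =='
    Get-ReplicationFailure -Dsa $Dsa | Format-Table -AutoSize
    Write-Host "== KRB_AP_ERR_MODIFIED (Kerberos event 4) in the last $Hours h =="
    Get-KerberosModifiedEvent -Hours $Hours | Format-Table -AutoSize
}

Invoke-ReplicationTriage
```

A partner that shows 0x80090322 together with event 4 naming that same server points at a machine account key mismatch between this DC and the KDC, which is the case the fix below addresses; 1722 alone points at network or firewall reachability first.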

Fix:

Use the steps below to troubleshoot and resolve this error so that replication is restored on your domain controller.

On the server that is experiencing the replication issues:

  • Ensure the time zone matches and is in sync with the time zone of your PDC.
  • Update your computer account password with your PDC.
  • Stop the KDC (Kerberos Key Distribution Center) service.
  • Reset the password for this computer account using the netdom utility:

    C:\>netdom resetpwd /server:172.21.22.100 /userd:mylab\govardhan /passwordd:*
    Type the password associated with the domain user:

    The machine account password for the local machine has been successfully reset.

    The command completed successfully.

    C:\>

  • Restart the server and verify that the KDC service is running fine.
  • Run DCDiag /fix.
  • Restart the server if it still reports errors.
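The steps above, carried out in order as one PowerShell script, as an added example that is not the original author's procedure. It assumes it runs elevated on the affected DC, that `w32tm`, `netdom`, `dcdiag` and `repadmin` are present (they are on any DC), and that the operator supplies the PDC address and an admin account; the function names, the `$MaxSkewSeconds` parameter and the skew check are this example's own. The admin password is prompted for by `netdom /passwordd:*` exactly as in the transcript above, so it never appears on a command line or in shell history.

```powershell
# Added example (not from the original post): run the fix steps above on the affected DC.

function Get-ClockSkewSeconds {
    # w32tm /stripchart /dataonly prints one line per sample like "13:15:09, +00.0123456s".
    param([string]$Server)
    $lines = w32tm /stripchart /computer:$Server /samples:3 /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]?\d+(?:\.\d+)?)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "Could not read a time offset from $Server" }
    return [math]::Abs(($offsets | Measure-Object -Average).Average)
}

function Invoke-DcReplicationFix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PdcServer,   # PDC FQDN or IP, as in the netdom step above
        [Parameter(Mandatory)][string]$AdminUser,   # DOMAIN\user allowed to reset this DC's machine account
        [int]$MaxSkewSeconds = 300                  # Kerberos tolerates 5 minutes of skew by default
    )

    # Step 1: time must be in sync with the PDC, otherwise tickets keep failing after the reset.
    $skew = Get-ClockSkewSeconds -Server $PdcServer
    if ($skew -gt $MaxSkewSeconds) {
        throw "Clock is $([int]$skew)s off from $PdcServer; run 'w32tm /resync' and fix time sync first."
    }
    Write-Host ("Clock skew vs {0}: {1:N3}s (OK)" -f $PdcServer, $skew)

    # Step 2: stop the KDC so this DC stops issuing tickets under the stale machine key.
    if ($PSCmdlet.ShouldProcess('Kdc', 'Stop service')) {
        Stop-Service -Name Kdc -Force
    }

    # Step 3: reset the machine account password against the PDC (interactive password prompt).
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "netdom resetpwd against $PdcServer")) {
        netdom resetpwd /server:$PdcServer /userd:$AdminUser /passwordd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    }

    # Step 4: restart; the KDC comes back up with the new key.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) {
        Restart-Computer -Force
    }
}

function Test-DcAfterReboot {
    # Run after the reboot: KDC should be running, dcdiag /fix clean, and no inbound failures left.
    $kdc = Get-Service -Name Kdc
    dcdiag /fix | Out-Null
    $failed = repadmin /showrepl /csv | ConvertFrom-Csv |
              Where-Object { [int]$_.'Number of Failures' -gt 0 }
    [pscustomobject]@{
        KdcStatus           = $kdc.Status
        DcdiagExitCode      = $LASTEXITCODE
        ReplicationFailures = @($failed).Count
    }
}

# Usage (dry run first; drop -WhatIf to apply):
#   Invoke-DcReplicationFix -PdcServer '<PDC FQDN or IP>' -AdminUser 'mylab\<admin>' -WhatIf
#   ...after the reboot:
#   Test-DcAfterReboot
```

`-WhatIf` lists every service stop, password reset and reboot the function would perform without doing any of them, which is worth running once on a DC before committing to the reset; if `Test-DcAfterReboot` still reports failures, the last step of the procedure above (a second restart) applies.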