About 15 days ago we had a virtual host issue which reset the time of our primary time server (domain controller) to something back in 2011. We quickly resolved the issue, but replication hasn't been completely functional since then to our remote domain controllers (another site). Replication to DC01 is functional from all servers. DC04 is not replicating to DC02 (SiteA), DC03 (SiteB) or DC04 (SiteB). DC03 (SiteB) & DC04 (SiteB) replicate between each other. DC01 is set to replicate to DC04. When I look at the operations master under ADUC for DC03 & DC04, the PDC/RID are not set to a host but are set to ERROR. I am pretty sure that it is a Kerberos issue, but I am not sure how to fix it! Below is the repadmin /replsummary (only from DC03 & DC04, as they are the ones with issues) as well as the dcdiag below that. Furthermore, I have run through all of this article... to no success. Hopefully someone can help shed some light!
repadmin /replsummary
DC04
DC01 17d.04h:22m:14s 10 / 10 100 (2148074274) The target principal name is incorrect.
DC04 02m:44s 0 / 5
DC03 02m:40s 0 / 5 0
DC03
DC01 17d.04h:25m:12s 10 / 10 100 (2148074274) The target principal name is incorrect.
DC04 05m:42s 0 / 5 0
DC03 05m:38s 0 / 5 0
DCDIAG
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC04
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: SiteB\DC04
Starting test: Connectivity
......................... DC04 passed test Connectivity
Doing primary tests
Testing server: SiteB\DC04
Starting test: Advertising
......................... DC04 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC04 passed test FrsEvent
Starting test: DFSREvent
......................... DC04 passed test DFSREvent
Starting test: SysVolCheck
......................... DC04 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x80000B46
Time Generated: 06/01/2012 05:17:12
Event String:
The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing
(integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
A warning event occurred. EventID: 0x8000051C
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service has consistently failed.
A warning event occurred. EventID: 0x8000061E
Time Generated: 06/01/2012 05:22:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 06/01/2012 05:22:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 06/01/2012 05:22:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
A warning event occurred. EventID: 0x8000061E
Time Generated: 06/01/2012 05:22:12
Event String:
All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
An error event occurred. EventID: 0xC000051F
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
A warning event occurred. EventID: 0x80000749
Time Generated: 06/01/2012 05:22:12
Event String:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
......................... DC04 failed test KccEvent
Starting test: KnowsOfRoleHolders
[DC1] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: DC1 is the PDC Owner, but is not responding to DS RPC
Bind.
[DC1] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: DC1 is the PDC Owner, but is not responding to LDAP Bind.
Warning: DC1 is the Infrastructure Update Owner, but is not
responding to DS RPC Bind.
Warning: DC1 is the Infrastructure Update Owner, but is not
responding to LDAP Bind.
......................... DC04 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC04 passed test MachineAccount
Starting test: NCSecDesc
......................... DC04 passed test NCSecDesc
Starting test: NetLogons
......................... DC04 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC04 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC04] A recent replication attempt failed:
From DC1 to DC04
Naming Context: DC=ForestDnsZones,DC=company,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2012-06-01 05:14:15.
The last success occurred at 2012-05-14 20:02:37.
1672 failures have occurred since the last success.
[Replications Check,DC04] A recent replication attempt failed:
From DC1 to DC04
Naming Context: DC=DomainDnsZones,DC=company,DC=local
The replication generated an error (1256):
The remote system is not available. For information about network troubleshooting, see Windows Help.
The failure occurred at 2012-06-01 05:14:15.
The last success occurred at 2012-05-14 20:02:37.
1672 failures have occurred since the last success.
[Replications Check,DC04] A recent replication attempt failed:
From DC1 to DC04
Naming Context: CN=Schema,CN=Configuration,DC=company,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2012-06-01 05:14:17.
The last success occurred at 2012-05-14 20:02:36.
1672 failures have occurred since the last success.
[Replications Check,DC04] A recent replication attempt failed:
From DC1 to DC04
Naming Context: CN=Configuration,DC=company,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2012-06-01 05:14:16.
The last success occurred at 2012-05-14 20:02:36.
1672 failures have occurred since the last success.
[Replications Check,DC04] A recent replication attempt failed:
From DC1 to DC04
Naming Context: DC=company,DC=local
The replication generated an error (-2146893022):
The target principal name is incorrect.
The failure occurred at 2012-06-01 05:14:15.
The last success occurred at 2012-05-14 20:02:35.
1672 failures have occurred since the last success.
......................... DC04 failed test Replications
Starting test: RidManager
......................... DC04 passed test RidManager
Starting test: Services
......................... DC04 passed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x8000001D
Time Generated: 06/01/2012 04:29:13
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if
this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x00001695
Time Generated: 06/01/2012 04:29:45
Event String:
Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.company.local.' failed. These records are used by other computers to locate this
server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
An error event occurred. EventID: 0x40000004
Time Generated: 06/01/2012 04:32:12
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was LDAP/bfcad039-6a2a-4e12-9e7e-5be7f3aa1a62._msdcs.company.local. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on,
and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account.
Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are
identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x0000165B
Time Generated: 06/01/2012 04:33:47
Event String:
The session setup from computer 'ANALLAPATI' failed because the security database does not contain a trust account 'ANALLAPATI$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 06/01/2012 04:36:49
Event String:
The session setup from the computer ANALLAPATI failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x40000004
Time Generated: 06/01/2012 04:40:21
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was cifs/DC1.company.local. This indicates that the target server failed to decrypt the ticket
provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used
by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two
domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/01/2012 05:05:49
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was ldap/DC1.company.local. This indicates that the target server failed to decrypt the ticket
provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used
by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two
domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/01/2012 05:09:08
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was company\DC1$. This indicates that the target server failed to decrypt the ticket provided
by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server.
This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC
are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two domains, or
use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/01/2012 05:14:15
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/bfcad039-6a2a-4e12-9e7e-5be7f3aa1a62/company.local@company.local.
This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target
SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target
service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check
if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
A warning event occurred. EventID: 0x8000001D
Time Generated: 06/01/2012 05:17:21
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if
this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x00002724
Time Generated: 06/01/2012 05:17:22
Event String:
This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/01/2012 05:17:45
Event String:
Name resolution for the name company.local timed out after none of the configured DNS servers responded.
A warning event occurred. EventID: 0x000003F6
Time Generated: 06/01/2012 05:17:45
Event String:
Name resolution for the name company.local timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0x00000457
Time Generated: 06/01/2012 05:18:03
Event String:
Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 06/01/2012 05:18:04
Event String:
Driver KONICA MINOLTA C353 Series PCL required for printer !!noxfile!CopyRoom.2 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 06/01/2012 05:18:04
Event String:
Driver KONICA MINOLTA bizhub 40P PCL required for printer !!noxfile!IT.1 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 06/01/2012 05:18:05
Event String:
Driver CutePDF Writer required for printer CutePDF Writer is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x0000165B
Time Generated: 06/01/2012 05:18:47
Event String:
The session setup from computer 'ANALLAPATI' failed because the security database does not contain a trust account 'ANALLAPATI$' referenced by the specified computer.
A warning event occurred. EventID: 0x000727AA
Time Generated: 06/01/2012 05:19:51
Event String:
The WinRM service failed to create the following SPNs: WSMAN/DC04.company.local; WSMAN/DC04.
An error event occurred. EventID: 0x40000004
Time Generated: 06/01/2012 05:20:58
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was ldap/DC1.company.local. This indicates that the target server failed to decrypt the ticket
provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used
by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server
and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are identically named server accounts in these two
domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/01/2012 05:23:24
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC1$. The target name used was LDAP/bfcad039-6a2a-4e12-9e7e-5be7f3aa1a62._msdcs.company.local. This indicates that the
target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on,
and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account.
Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.LOCAL) is different from the client domain (company.LOCAL), check if there are
identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x000016AD
Time Generated: 06/01/2012 05:23:49
Event String:
The session setup from the computer ANALLAPATI failed to authenticate. The following error occurred:
......................... DC04 failed test SystemLog
Starting test: VerifyReferences
......................... DC04 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : company
Starting test: CheckSDRefDom
......................... company passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... company passed test CrossRefValidation
Running enterprise tests on : company.local
Starting test: LocatorCheck
......................... company.local passed test LocatorCheck
Starting test: Intersite
......................... company.local passed test Intersite
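The post's symptoms (a large clock jump on the PDC, then "The target principal name is incorrect" in repadmin and KRB_AP_ERR_MODIFIED events from the Kerberos client) can be checked from a single read-only triage script. The following PowerShell is an added example, not code from the original post; it assumes it runs on one of the affected DCs, that repadmin and w32tm are on the path, that the PDC is named DC01 as in the post, and that the repadmin /showrepl /csv column names used below ("Source DSA", "Naming Context", "Number of Failures", "Last Failure Status") match the tool's output. The status code 2148074274 / -2146893022 is the one shown in the post's own output, in both of the forms the tools print it.

```powershell
# Added read-only triage for the "target principal name is incorrect" replication
# failure described above. Example code, not from the original post.
param(
    [string]$PdcName = "DC01",   # assumption: the PDC emulator named in the post
    [int]$MaxSkewSeconds = 300   # Kerberos default clock-skew tolerance (5 minutes)
)

# --- 1. Clock offset against the PDC -------------------------------------------
# w32tm /stripchart /dataonly prints one sample per line, e.g. "05:17:12, +00.0123456s".
$samples = w32tm /stripchart /computer:$PdcName /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if ($offsets) {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $state = if ($worst -gt $MaxSkewSeconds) { "OUTSIDE" } else { "within" }
    Write-Output ("Clock offset to {0}: {1:N3}s ({2} the {3}s Kerberos tolerance)" -f
        $PdcName, $worst, $state, $MaxSkewSeconds)
} else {
    Write-Output "Could not sample time from $PdcName (w32tm returned no data)."
}

# --- 2. Replication partners reporting the Kerberos SPN error ------------------
# Both encodings of the same HRESULT appear in the post's repadmin/dcdiag output.
$spnErrorCodes = @("2148074274", "-2146893022")
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = $rows | Where-Object { [int]$_."Number of Failures" -gt 0 }
foreach ($r in $failing) {
    $tag = if ($spnErrorCodes -contains $r."Last Failure Status") { "SPN/Kerberos" } else { "other" }
    Write-Output ("{0} <- {1} [{2}] failures={3} status={4} ({5})" -f
        $r."Destination DSA", $r."Source DSA", $r."Naming Context",
        $r."Number of Failures", $r."Last Failure Status", $tag)
}

# --- 3. KRB_AP_ERR_MODIFIED events in the last 24 hours -------------------------
# Event ID 4 from the Kerberos client provider is the 0x40000004 entry dcdiag lists.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos';
             Id = 4; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        $server = if ($_.Message -match 'from the server (\S+?)\$') { $Matches[1] } else { '?' }
        $target = if ($_.Message -match 'The target name used was (.+?)\. This indicates') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Server = $server; Target = $target }
    } |
    Group-Object Server, Target |
    Sort-Object Count -Descending |
    ForEach-Object { Write-Output ("{0,4} x KRB_AP_ERR_MODIFIED  server={1}" -f $_.Count, $_.Name) }
```

Section 1 tells you whether the time jump is still in play (anything beyond the 5-minute tolerance makes every ticket fail regardless of SPNs); section 2 separates partners failing with the SPN/Kerberos status from ordinary RPC or DNS failures such as the 1256 entries in the post; section 3 groups the KRB_AP_ERR_MODIFIED events by the server and target SPN named in the message, so a single server account (DC1$ in the post) standing out points at that machine's secure channel rather than at every DC in the site.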