This article is the final installment of our three-part series. We continue from our previous article: “[WARNING] Failed to query SPN registration on DC” | Domain Controller Stops Replicating Pt. 2. Our previous efforts brought us closer to resolving the replication issues on our Los Angeles Domain Controller; however, more work awaits us in this AD Replication saga.
We will now troubleshoot the error “The target principal name is incorrect”, which is reported when running netdom /query fsmo.
Issue: The target principal name is incorrect
Resolution…
- Issue the command netdom reset DOMAINCONTROLLERNAME (in my case, STAR):
Open an elevated (run as administrator) command prompt and enter the following command:
netdom reset DOMAINCONTROLLERNAME
- “Crashed on Audit Fail” resolution for the condition CrashOnAuditFail=2 (https://support.microsoft.com/kb/2002013)
AD replication fails when HKLM\System\CurrentControlSet\Control\LSA\CrashOnAuditFail has a value of 2.
A CrashOnAuditFail value of 2 is triggered when the “Audit: Shut down system immediately if unable to log security audits” setting in Group Policy has been enabled AND the local security event log becomes full.
Active Directory domain controllers are especially prone to maximum-capacity security logs when auditing has been enabled AND the size of the security event log has been constrained by the “Do not overwrite events (clear log manually)” or “Overwrite as needed” options in Event Viewer or their Group Policy equivalents.
User action if HKLM\System\CurrentControlSet\Control\LSA\CrashOnAuditFail = 2:
Clear the security event log (save it to an alternate location as required).
Re-evaluate any size constraints on the security event log, including policy-based settings.
Recreate CrashOnAuditFail (REG_DWORD) = 1.
Reboot.
On seeing a CrashOnAuditFail value of 0 or 1, some CSS engineers have resolved “access is denied” errors by again clearing the security event log, deleting the CrashOnAuditFail registry value and rebooting the destination DC.
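The check and the remediation above, as an added PowerShell example (not code from the original article or from the Microsoft KB it cites). It assumes an elevated session on the affected DC, that the ActiveDirectory tooling is not needed (only the registry and the event log are read), and a backup folder of C:\Logs, which is an assumed path:

```powershell
# Added example: inspect the three ingredients of the CrashOnAuditFail=2 condition
# (registry value, security log size, retention mode) and apply the KB's fix.
# Run in an elevated PowerShell session on the DC that stopped replicating.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CrashOnAuditFailState {
    # Reads CrashOnAuditFail ($null if the value is absent) and the Security log
    # configuration so you can see at a glance whether the log is near its limit.
    $value = (Get-ItemProperty -Path $LsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
    $log   = Get-WinEvent -ListLog Security

    [pscustomobject]@{
        CrashOnAuditFail = $value
        LogMaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        LogUsedMB        = [math]::Round($log.FileSize / 1MB, 1)
        # Circular = "Overwrite as needed"; Retain = "Do not overwrite events (clear log manually)"
        RetentionMode    = $log.LogMode
        NeedsRemediation = ($value -eq 2)
    }
}

function Repair-CrashOnAuditFail {
    # Steps from the KB: back up and clear the Security log, set the value back to 1, reboot.
    # $BackupPath is an assumed location; adjust to a drive with room for the export.
    param([string]$BackupPath = "C:\Logs\Security-$(Get-Date -Format 'yyyyMMdd-HHmmss').evtx")

    $state = Get-CrashOnAuditFailState
    if (-not $state.NeedsRemediation) {
        Write-Host "CrashOnAuditFail is '$($state.CrashOnAuditFail)'; no remediation needed."
        return $state
    }

    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    wevtutil export-log Security $BackupPath     # keep the evidence before clearing
    wevtutil clear-log Security

    Set-ItemProperty -Path $LsaKey -Name CrashOnAuditFail -Value 1 -Type DWord
    Write-Warning "Security log exported to $BackupPath and cleared; CrashOnAuditFail set to 1. Reboot the DC to complete the fix."

    # Re-read so the caller sees the new state (and the retention mode it should still review).
    Get-CrashOnAuditFailState
}

# Usage: Get-CrashOnAuditFailState   (read-only)
#        Repair-CrashOnAuditFail     (applies the fix, then reboot manually)
```

The read-only function is the one to run first on every partner DC: a RetentionMode of Retain with LogUsedMB close to LogMaxSizeMB is the setup that will trip the value to 2 again after the reboot, which is why the KB tells you to re-evaluate the size constraints rather than only clearing the log.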
- Followed the Excessive Time Skew steps from the same article:
C:\>DCDIAG /TEST:CheckSecurityError
and
C:\>W32TM /MONITOR
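W32TM /MONITOR lists each DC's offset but leaves the judgement to you; as an added example (not from the original article), the function below runs w32tm /stripchart against every DC and flags any whose average offset exceeds the Kerberos default tolerance of five minutes. It assumes the ActiveDirectory module is available for the DC list, and that it is run from the PDC emulator, so the offsets are measured relative to the authoritative clock:

```powershell
# Added example: measure each DC's clock offset from this machine and flag
# anything outside the Kerberos MaxClockSkew default (300 seconds).
# Run from the PDC emulator so "this machine" is the domain's time reference.

function Get-DcTimeOffset {
    param(
        # Default: every DC in the domain (requires the ActiveDirectory module)
        [string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName,
        [int]$Samples = 3,
        [double]$MaxSkewSeconds = 300
    )

    foreach ($dc in $DomainControllers) {
        $raw = w32tm /stripchart /computer:$dc /samples:$Samples /dataonly 2>&1

        # With /dataonly each sample line looks like "12:34:56, +00.0123456s";
        # capture the signed seconds field. Error lines carry no such field.
        $offsets = @(foreach ($line in $raw) {
            if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
        })

        if ($offsets.Count -gt 0) {
            $avg = ($offsets | Measure-Object -Average).Average
            [pscustomobject]@{
                DomainController = $dc
                Samples          = $offsets.Count
                AvgOffsetSeconds = [math]::Round($avg, 3)
                WithinTolerance  = ([math]::Abs($avg) -le $MaxSkewSeconds)
                Error            = $null
            }
        } else {
            [pscustomobject]@{
                DomainController = $dc
                Samples          = 0
                AvgOffsetSeconds = $null
                WithinTolerance  = $false
                Error            = (($raw | Where-Object { $_ -match 'error' }) -join ' ')
            }
        }
    }
}

# Usage: Get-DcTimeOffset | Format-Table
#        Get-DcTimeOffset | Where-Object { -not $_.WithinTolerance }
```

A DC that returns an Error instead of samples (NTP port 123 blocked, or the host unreachable) is itself a finding: DCDIAG /TEST:CheckSecurityError will report the same machine, and the secure channel cannot be repaired until time sync works.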
- Ensure “Trust computer for delegation” is enabled:
(based on the steps in green from: https://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/)
Ensure the Trust computer for delegation check box is selected on the General tab of the domain controller Properties dialog box in Active Directory Users and Computers.
- Confirm that the userAccountControl attribute is set to 532480:
Using Adsiedit or Ldp (both included in the Windows 2000 Support Tools), confirm that the userAccountControl attribute is set to 532480. To check this, perform the following steps:
Click Start, click Run, type adsiedit.msc, and press Enter.
Expand the Domain NC container.
Expand the domain object beneath it, e.g. DC=Contoso,DC=COM.
Expand OU=Domain Controllers.
Right-click CN=<domain_controller>, and select Properties.
Under Select a property to view, select userAccountControl and verify the value is 532480.
Note:
Check this value for each failing DC account on the local copy of AD for every partner DC. For example if DC-A and DC-B are failing replication, check the above on DC-A’s copy of AD and DC-B’s copy of AD.
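The two preceding checks (“Trust computer for delegation” and userAccountControl = 532480) are the same check viewed two ways: 532480 is the sum of the documented flags UF_SERVER_TRUST_ACCOUNT (0x2000) and UF_TRUSTED_FOR_DELEGATION (0x80000), and clearing the delegation check box drops the second bit. The added example below (not from the original article or the TechNet thread) decodes the attribute and, following the Note above, reads each DC's account from every partner DC's own copy of AD. It assumes the ActiveDirectory module and that the account running it can query each DC over LDAP:

```powershell
# Added example: verify userAccountControl on every DC account as seen from
# every DC, decoding the two flags that make up the expected value 532480.

$DcUacFlags = [ordered]@{
    SERVER_TRUST_ACCOUNT   = 0x2000    # 8192: the object is a domain controller
    TRUSTED_FOR_DELEGATION = 0x80000   # 524288: "Trust computer for delegation" check box
}
$ExpectedDcUac = 0x2000 + 0x80000      # 532480

function Test-DcUserAccountControl {
    param(
        # Default: all DCs in the domain (requires the ActiveDirectory module)
        [Microsoft.ActiveDirectory.Management.ADDomainController[]]$DomainControllers = (Get-ADDomainController -Filter *)
    )

    # While replication is broken, each DC's local copy of AD may differ, so read
    # every DC account from every DC rather than trusting a single replica.
    foreach ($replica in $DomainControllers) {
        foreach ($dc in $DomainControllers) {
            try {
                $obj = Get-ADComputer -Server $replica.HostName -Identity $dc.Name -Properties userAccountControl
                $uac = [int]$obj.userAccountControl

                # Any expected flag whose bit is not set in the attribute
                $missing = @($DcUacFlags.GetEnumerator() |
                    Where-Object { ($uac -band $_.Value) -eq 0 } |
                    ForEach-Object { $_.Key })

                [pscustomobject]@{
                    ReadFrom           = $replica.Name
                    Account            = $dc.Name
                    UserAccountControl = $uac
                    Expected           = ($uac -eq $ExpectedDcUac)
                    MissingFlags       = ($missing -join ',')
                }
            } catch {
                [pscustomobject]@{
                    ReadFrom           = $replica.Name
                    Account            = $dc.Name
                    UserAccountControl = $null
                    Expected           = $false
                    MissingFlags       = "lookup failed: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Usage: Test-DcUserAccountControl | Format-Table
#        Test-DcUserAccountControl | Where-Object { -not $_.Expected }
```

A row with Expected = False and MissingFlags empty means extra bits are set (for example ACCOUNTDISABLE, 0x2), which is worth examining separately; a missing TRUSTED_FOR_DELEGATION maps directly to the unchecked box in the step above.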
- Reset Password and Refresh Kerberos Tickets:
1. Stop the Key Distribution Center (KDC) service on all domain controllers except the PDC emulator role holder. To do so, open a Command Prompt, type net stop KDC, and press Enter.
2. Load Kerbtray.exe on the problem DC (in this case STAR). You can do so by clicking Start, clicking Run, typing c:\program files\resource kit\kerbtray.exe, and pressing Enter. You should see a little green ticket icon in your system tray in the lower right corner of your desktop.
3. Purge the ticket cache on STAR: right-click the green ticket icon in your system tray, and then click Purge Tickets. You should receive a confirmation that your ticket cache was purged. Click OK.
4. Reset the domain controller account password against the PDC emulator. To do so, open a command prompt and type: netdom /resetpwd /server:server2 /userd:domain.com\administrator /passwordd:password, and then press Enter.
5. Synchronize the domain. To do so, open a command prompt, type repadmin /syncall, and press Enter.
6. Start the KDC service on STAR and all other DCs. To do so, open a command prompt, type net start KDC, and press Enter. This completes the process.
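The six steps above as one script, added here as an example rather than the procedure's own code. It assumes it is run on the problem DC (STAR) because netdom resetpwd resets the password of the computer it runs on, that WinRM works to the other DCs, and that the ActiveDirectory module, netdom.exe and repadmin.exe are present. It substitutes the built-in klist for Kerbtray (an assumption: klist purge is the equivalent on current Windows versions), and uses /passwordd:* so the password is prompted for rather than placed on the command line:

```powershell
# Added example: the KDC stop / ticket purge / password reset / sync / KDC start
# sequence as a single function. Supports -WhatIf so the plan can be reviewed first.

function Reset-DcSecureChannel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProblemDc,                      # NetBIOS name, e.g. STAR
        [string]$AdminAccount = "$env:USERDOMAIN\Administrator"        # account used by netdom
    )

    if ($env:COMPUTERNAME -ne $ProblemDc) {
        throw "Run this on $ProblemDc: netdom resetpwd resets the local computer's account password."
    }

    $pdc    = (Get-ADDomain).PDCEmulator
    $allDcs = (Get-ADDomainController -Filter *).HostName
    $nonPdc = $allDcs | Where-Object { $_ -ne $pdc }

    # 1. Stop the KDC everywhere except the PDC emulator, which keeps issuing tickets.
    if ($PSCmdlet.ShouldProcess(($nonPdc -join ', '), 'Stop KDC service')) {
        Invoke-Command -ComputerName $nonPdc -ScriptBlock { Stop-Service -Name Kdc -Force }
    }

    # 2-3. Purge the ticket cache on the problem DC. The second call targets logon
    #      session 0x3e7 (SYSTEM), which holds the DC's own computer-account tickets.
    if ($PSCmdlet.ShouldProcess($ProblemDc, 'Purge Kerberos ticket cache')) {
        klist purge | Out-Null
        klist -li 0x3e7 purge | Out-Null
    }

    # 4. Reset this DC's computer account password against the PDC emulator.
    if ($PSCmdlet.ShouldProcess($ProblemDc, "Reset computer account password via $pdc")) {
        netdom resetpwd /server:$pdc /userd:$AdminAccount /passwordd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    }

    # 5. Push the change out to every partner.
    if ($PSCmdlet.ShouldProcess('domain', 'repadmin /syncall')) {
        repadmin /syncall
    }

    # 6. Bring the KDC back up on STAR and all other DCs.
    if ($PSCmdlet.ShouldProcess(($allDcs -join ', '), 'Start KDC service')) {
        Invoke-Command -ComputerName $allDcs -ScriptBlock { Start-Service -Name Kdc }
    }
}

# Usage: Reset-DcSecureChannel -ProblemDc STAR -WhatIf    (preview only)
#        Reset-DcSecureChannel -ProblemDc STAR            (performs the reset)
```

Run the -WhatIf form first: it prints which hosts will lose their KDC, and if $nonPdc is empty (single-DC domain) or $pdc is not what you expect, stop before touching anything. Once the KDC is back, repadmin /showrepl on STAR should no longer report the target principal name error.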
Alright! At this point the issue was finally resolved. What a quest! Through the process I refined an excellent procedure for fixing this type of issue in the future.
Great work.