“[WARNING] Failed to query SPN registration on DC” | Domain Controller Stops Replicating Pt. 2

This article is the second part of our three-part series, continuing where we left off in the last article: Domain Controller no longer replicating Pt. 1 — “Replication has been explicitly disabled…”. Our previous steps brought us closer to resolving the replication issues on our Los Angeles Domain Controller; however, issues still remain.

Now I will walk you through tackling:

  • DCDIAG / NETDIAG shows Time Service is stopped and Netlogon service is paused
  • “[WARNING] Failed to query SPN registration on DC”

Issue: We discovered a stopped Time service and a paused Netlogon service on the troubled Los Angeles DC:
w32time Service stopped on DC / NETLOGON Service pause on DC
Starting test: Services
w32time Service is stopped on [STAR]
NETLOGON Service is paused on [STAR]

Resolution: Using services.msc, I resumed the paused Netlogon service and started the Time service.

Issue: “[WARNING] Failed to query SPN registration on DC”

After further investigation in DNS, I found that the PTR record is wrong for the Los Angeles Domain Controller:

AD DNS Name Servers List / Tab

I also found that the new DC has the same IP as the old DC, and the old DC was never removed from the Name Servers list:

AD DNS PTR Record Wrong For DC

  • Verified the “Access this computer from the network” user right, per MS Article https://support.microsoft.com/kb/2002013, by running:
    DCDIAG /TEST:CheckSecurityError
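
The service and DNS checks described above can be scripted so they are repeatable. The following PowerShell is an added example, not part of the original article: it reports W32Time and Netlogon state, compares the DC's A and PTR records, and flags Name Servers entries that are stale or share the DC's IP. It assumes it is run on the DC itself; the zone `corp.example.com` and the function name `Test-DcDnsConsistency` are hypothetical, and `STAR` is the DC name shown in the DCDIAG output.

```powershell
# Added example: zone name and function name are placeholders, not from the article.
param(
    [string]$DcName = 'STAR',              # DC short name as shown in the DCDIAG output
    [string]$Zone   = 'corp.example.com'   # hypothetical AD-integrated DNS zone
)

function Test-DcDnsConsistency {
    param([string]$DcFqdn, [string]$Zone)
    $findings = @()

    # Local service state: a paused Netlogon or stopped W32Time breaks DC health tests.
    foreach ($svc in Get-Service -Name W32Time, Netlogon) {
        if ($svc.Status -ne 'Running') { $findings += "Service $($svc.Name) is $($svc.Status)" }
    }

    # Forward lookup: every IPv4 address the DC name resolves to.
    $dcIps = @(Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    # Reverse lookup: each of those addresses must have a PTR pointing back at the DC.
    foreach ($ip in $dcIps) {
        $ptr = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'PTR' } | ForEach-Object { $_.NameHost.TrimEnd('.') })
        if ($ptr.Count -eq 0) { $findings += "No PTR record for $ip" }
        foreach ($p in $ptr) {
            if ($p -ne $DcFqdn) { $findings += "PTR for $ip points to $p, expected $DcFqdn" }
        }
    }

    # Name Servers list: flag entries that no longer resolve, or that resolve to the
    # DC's own address under a different name (an old DC whose IP was reused).
    $nsHosts = @(Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } | ForEach-Object { $_.NameHost.TrimEnd('.') } |
        Sort-Object -Unique)
    foreach ($ns in $nsHosts) {
        $nsIps = @(Resolve-DnsName -Name $ns -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($nsIps.Count -eq 0) { $findings += "Name server $ns has no A record (stale entry?)"; continue }
        if ($ns -ne $DcFqdn -and ($nsIps | Where-Object { $dcIps -contains $_ })) {
            $findings += "Name server $ns shares an IP with $DcFqdn (old DC never removed?)"
        }
    }
    return $findings
}

$result = Test-DcDnsConsistency -DcFqdn "$DcName.$Zone" -Zone $Zone
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No service or DNS inconsistencies found.' }
```

The script only reports; resuming Netlogon, starting the Time service, and correcting the PTR and Name Servers entries remain manual steps as described above.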

Now onto our third installment in this series: “The target principal name is incorrect” | DC Stops Replicating Pt. 3
