During an Active Directory domain controller upgrade from Windows 2003 to Windows 2012 R2 I observed replication issues on the Domain Controller which also owned the PDC emulator role.
A problem logging onto the domain controller is what initially triggered the investigation into potential issues. It is always a good idea to ensure replication and event logs are healthy before performing Active Directory changes and upgrades for situations like this.
Identifying the Error
repadmin /replsummary showed the following error:
Source DSA largest delta fails/total %% error<br /> DC-01 15m:05s 0 / 10 0<br /> DC-02 41m:15s 0 / 10 0<br /> DC-03 06d.05h:43m:01s 4 / 10 40 (2148074274) <strong>The target principal name is incorrect.</strong><br />
You can see DC-01 and DC-02 are fine but DC-03 has replication errors and shows the error message"The target principal name is incorrect.”
Resetting the domain controllers computer account using the following steps resolved the replication issues.
Fixing the Issue
Identify the DC which owns the PDC role:
netdom query fsmo
On the domain controller, disable the Kerberos Key Distribution Center service (KDC).
Click Start, point to Programs, click Administrative Tools, and then click Services.<br /> Double-click KDC, set the startup type to Disabled, and then restart the computer.
(Restarting is required or else you will get an error on the next step)
Login to the DC again and run the following command to reset the computer account.
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
(This can not be done in Active Directory Users and Computers for Domain Controllers.)
Set the KDC service to “Automatic” again and restart the server again.
Run the following commands to ensure there are no replication issues.
repadmin /syncall<br /> repadmin /replsummary
A clean replication summary looks like this:
Source DSA largest delta fails/total %% error<br /> DC-01 13m:10s 0 / 10 0<br /> DC-02 15m:05s 0 / 10 0<br /> DC-03 15m:05s 0 / 10 0<br />