
“The target principal name is incorrect”: Active Directory Domain Controller Replication Issue

During an Active Directory domain controller upgrade from Windows Server 2003 to Windows Server 2012 R2, I observed replication issues on the domain controller that also owned the PDC emulator role.

A problem logging on to the domain controller is what initially triggered the investigation. It is always a good idea to confirm that replication and the event logs are healthy before performing Active Directory changes and upgrades, precisely to avoid situations like this.

Identifying the Error

repadmin /replsummary showed the following error:

Source DSA          largest delta    fails/total %%   error
 DC-01                      15m:05s    0 /  10    0
 DC-02                      41m:15s    0 /  10    0
 DC-03              06d.05h:43m:01s    4 /  10   40  (2148074274) The target principal name is incorrect.

You can see that DC-01 and DC-02 are fine, but DC-03 has replication failures and shows the error message "The target principal name is incorrect."

Resetting the domain controller's computer account password using the following steps resolved the replication issues.

Fixing the Issue

Step 1

Identify the DC which owns the PDC role:

netdom query fsmo

Step 2

On that domain controller, disable the Kerberos Key Distribution Center (KDC) service:

Click Start, point to Programs, click Administrative Tools, and then click Services.
Double-click KDC, set the startup type to Disabled, and then restart the computer.

(The restart is required; otherwise the next step fails with an error.)

Step 3

Log in to the DC again and run the following command to reset the computer account password:

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
(This cannot be done from Active Directory Users and Computers for domain controllers.)

Step 4

Set the KDC service back to "Automatic" and restart the server once more.

Step 5

Run the following commands to confirm that replication is healthy:

repadmin /syncall
repadmin /replsummary

A clean replication summary looks like this:

Source DSA          largest delta    fails/total %%   error
 DC-01                      13m:10s    0 /  10    0
 DC-02                      15m:05s    0 /  10    0
 DC-03                      15m:05s    0 /  10    0
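As an added example (not part of the original post), here is a PowerShell check for the pre-change health test recommended at the start of the article: it parses the per-DC table that repadmin /replsummary prints, as shown above, and fails when any DC reports replication failures or an error such as "(2148074274) The target principal name is incorrect." It assumes repadmin.exe is on the PATH and that it runs as a domain admin; the sample output below is constructed from the post's failing summary.

```powershell
# Added example (not from the original post): pre-change replication health check.
# Parses the per-DC table of 'repadmin /replsummary' and reports any DC with failures,
# e.g. "(2148074274) The target principal name is incorrect."
# Assumes: repadmin.exe on the PATH, run as a domain admin (on a DC or an RSAT host).

function Get-ReplSummaryFailure {
    param(
        # Lines of repadmin /replsummary output; defaults to running the tool live.
        [string[]]$Lines = (repadmin /replsummary 2>&1)
    )
    $table = $null
    foreach ($line in $Lines) {
        # Rows follow the "Source DSA" / "Destination DSA" header and end at a blank line.
        if ($line -match '^\s*(?<role>Source|Destination) DSA\s+largest delta') { $table = $Matches.role; continue }
        if ($table -and $line -match '^\s*$') { $table = $null; continue }
        if (-not $table) { continue }

        # Row layout: <DC>  <largest delta>  <fails> / <total>  <pct>  [(<code>) <message>]
        if ($line -match '^\s*(?<dc>\S+)\s+(?<delta>\S.*?)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<err>.*)$') {
            if ([int]$Matches.fails -gt 0 -or $Matches.err.Trim()) {
                [pscustomobject]@{
                    Table        = $table
                    DC           = $Matches.dc
                    LargestDelta = $Matches.delta
                    Fails        = [int]$Matches.fails
                    Total        = [int]$Matches.total
                    Error        = $Matches.err.Trim()
                }
            }
        }
    }
}

# Constructed sample matching the failing summary in the post (lets the check run offline).
$sample = @'
Source DSA          largest delta    fails/total %%   error
 DC-01                      15m:05s    0 /  10    0
 DC-02                      41m:15s    0 /  10    0
 DC-03              06d.05h:43m:01s    4 /  10   40  (2148074274) The target principal name is incorrect.

'@ -split "`r?`n"

$failures = Get-ReplSummaryFailure -Lines $sample   # drop -Lines to check the live summary
if ($failures) {
    $failures | Format-Table -AutoSize
    # Non-zero exit so a pre-upgrade checklist or scheduled task can flag the condition.
    exit 1
}
Write-Host 'Replication summary clean; safe to proceed with AD changes.'
```

Run it against the live summary on each DC before any schema or domain controller upgrade; an empty result and exit code 0 correspond to the clean table shown above.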

Neil Bryan
IT Consultant & Technical Trainer
Neil Bryan is an IT consultant and technical trainer specializing in VMware, Citrix and Microsoft virtualization and infrastructure.

8 Comments

  1. Gohar

    Well done!!

  2. Kyle

    Hi Neil,

    Looks like I’m having the same issue you’re discussing here. Hoping you can clarify a couple of things for me. For me, the domain controller that’s having the “The target principal name is incorrect” error is also the DC with the PDC role. Do I do steps 2 and 3 on the problematic DC with the PDC role, or do I run those steps on a working DC? I’m having Active Directory replication issues.

    Thanks for posting all this info!

    1. Neil Bryan

      Hi Kyle,

      You should run all of these steps on the PDC. Correction, run the password reset command from another domain controller other than the PDC. It’s possible it may work either way though. Let me know how it goes and good luck!

      1. Kyle

        Thanks! I found Microsoft KB288167 that said not to run it on the PDC, so I decided to run the commands on another DC, and everything is working great now. Your article definitely helped. Thanks again.

        BTW, during my Google search for answers to this problem, I found something very interesting on another site. If you email me, I can discuss it privately.

        1. Ingram

          Well, what did you find that was interesting? You can’t just say something like that and not post it!

  3. Malik

    Hello Kyle,

    When I got to step 3 and ran the command, I kept receiving an error stating “The machine account password for the local machine could not be reset”.

    I am using a domain admin account.

    Should I use another administrator account?

    Thanks,
    Malik

  4. George

    While I think this is going to work fine, I still have 2 questions for you Neil:
    – When I disable the KDC (from the PDC) I will run the command in step 3. If I do this, will the AD users be able to authenticate again so I can re-enable the KDC? I ask this as I do not have the local Administrator account for the computer; the only admin access I have is for AD.
    – I have 2 DCs, DC-A and DC-C. DC-A is my PDC, so I will disable the KDC on DC-A and run the command in step 3 FROM the other DC (DC-C). I will then log back in to DC-A and turn on the KDC.

    Is this correct?

    1. Neil Bryan

      George,

      1) Users will be able to authenticate to another domain controller in the meantime. The server should be down for more than 10 minutes total depending on how long the restart takes.

      2) Correct. Run the command from your other domain controller. Then restart the KDC service on the PDC DC.
