KDC problem - internal domain same as external domain

Jack Chuong 856 Reputation points
2021-04-05T08:38:21.857+00:00

Hi all,
here is my environment:

3 sites/locations :

Default-First-Site-Name (Data center) :
2 domain controllers: dc1 (Windows Server 2016 Standard) holds the 5 FSMO roles, dc2 (Windows Server 2012 R2 Standard); Forest/Domain functional level: Windows Server 2008 R2.

South site : 1 domain controller dc-south (Windows Server 2016 Standard)

North site : 1 domain controller dc-north (Windows Server 2012 R2 Standard)

At the beginning, I made a basic mistake: my internal domain is the same as an external domain which I don't own.
It causes some annoying errors; for example, if I look into the event log on the 4 DC servers I can see many event ID 4 errors:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server workstation32$. The target name used was RPCSS/workstation32.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mydomain.COM) is different from the client domain (mydomain.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Sometimes my users' workstations get an error about the relationship with the domain controller ... (I can live with that), but the last time it caused a fatal error: dc2 Kerberos ticket or computer account password mismatch.
At the same time:
I cannot UNC to \\dc2.
I can UNC to \\dc1, \\dc-south, \\dc-north and see the NETLOGON and SYSVOL folders shared.
In Active Directory Sites and Services, when I try to manually replicate from dc1 --> dc2 I get the error "The target principal name is incorrect"; testing with Repadmin or dcdiag gives a similar result.
I fixed it by resetting the dc2 account password with this command on dc2:

      netdom resetpwd /server:dc1 /userd:mydomain\administrator /passwordd:*
      The machine account password for the local machine has been successfully reset.

      The command completed successfully.

I want to stop that from happening again; changing the internet domain is not an option. Can I fix it by adding A records for the 4 DC servers into the hosts file of each of the 4 DC servers?
Please give me some advice, thank you very much.


2 answers

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-04-06T05:49:55.85+00:00

    Hello @Jack Chuong ,

    Thank you for posting here.

    1. Based on the post title "internal domain same as external domain", do you have two domains with the same domain name?
    2. What is the relationship between the two domains?

    The event ID 4 errors and/or the issues "workstation got error about relationship with domain controller"/"The target principal name is incorrect" should have nothing to do with the same domain name you mentioned.

    Q: can I fix it by adding into 4 DC servers host file A records of 4 DC servers?
    A: We should analyze the specific problems in order to troubleshoot or solve them.

    For more information about “The target principal name is incorrect”, we can refer to the links below.
    Error (Target Principal Name is incorrect) when manually replicating data between domain controllers
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/target-principal-name-is-incorrect-when-replicating-data

    Active Directory replication error -2146893022: The target principal name is incorrect
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-2146893022

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Jack Chuong 856 Reputation points
    2021-04-06T06:56:41.81+00:00

    Hi Daisy Zhou, thanks for your reply.
    mydomain.com is a real domain. I don't own this domain; it is purchased/owned/used by other people, I have no relationship with it, and I can query something.mydomain.com and see it pointed to a real public IP address.
    I used mydomain.com for my internal Active Directory domain, so stupid, I know, but the system grew too big and changing the internal domain is not an option.

    I think I get many event ID 4 errors related to my workstations, and even my DC2, because somehow other DCs "see" that workstation32.mydomain.com or dc2.mydomain.com point to 2 different IP addresses: 1 real public IP address and 1 internal IP address like 192.168.x.x, and that caused the computer account password mismatch error.
    When the problem happened last week, I pinged dc2.mydomain.com and saw it pointed to the external IP address, though when I queried dc.mydomain.com (nslookup with the name server set to the other DCs), it pointed to the internal IP.

    I read your docs and I can fix it by resetting the dc2 computer account password; I just want to stop that from happening again because I have many services that depend on the KDC service on the DC (like Exchange), and when the KDC has a problem it causes a lot of trouble for the other services.
    Can I fix it by adding A records for the 4 DC servers into the hosts file of each of the 4 DC servers?

        192.168.1.100 dc1.mydomain.com
        192.168.1.101 dc2.mydomain.com
        192.168.10.100 dc-south.mydomain.com
        192.168.20.100 dc-north.mydomain.com
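As an added example (not part of either post), this PowerShell check can be run on a DC to verify, before and after adding the hosts entries above, that each DC name resolves to its internal address both from the local resolver (which honours the hosts file) and from every DC's own DNS service, and to list recent Kerberos client Event ID 4 entries. The DC names and addresses are the ones given in the thread; the cmdlets are the standard DnsClient and event-log cmdlets.

```powershell
# Added example: detect split-brain resolution of DC names (internal vs. external zone).
# Names and addresses below are the ones listed in the thread; adjust for your environment.
$Dcs = [ordered]@{
    'dc1.mydomain.com'      = '192.168.1.100'
    'dc2.mydomain.com'      = '192.168.1.101'
    'dc-south.mydomain.com' = '192.168.10.100'
    'dc-north.mydomain.com' = '192.168.20.100'
}

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-DcResolution {
    param([string]$Name, [string]$Server)   # empty $Server = this host's own resolver (hosts file, cache, configured DNS)
    try {
        $p = @{ Name = $Name; Type = 'A'; ErrorAction = 'Stop' }
        if ($Server) { $p.Server = $Server }
        return @(Resolve-DnsName @p | Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
    } catch { return @() }
}

# Ask the local resolver first, then each DC's DNS service directly
$Resolvers = @('') + @($Dcs.Values)
foreach ($name in $Dcs.Keys) {
    foreach ($srv in $Resolvers) {
        $label = if ($srv) { $srv } else { 'local' }
        $ips = Get-DcResolution -Name $name -Server $srv
        if (-not $ips) { Write-Warning "$name via $label : no A record"; continue }
        foreach ($ip in $ips) {
            $status = if ($ip -eq $Dcs[$name]) { 'OK' }
                      elseif (Test-PrivateIPv4 $ip) { 'UNEXPECTED PRIVATE ADDRESS' }
                      else { 'PUBLIC ADDRESS (answer from the external zone)' }
            '{0,-24} via {1,-16} -> {2,-16} {3}' -f $name, $label, $ip, $status
        }
    }
}

# Recent Kerberos client errors (Event ID 4, source Security-Kerberos, System log); first line names the target
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Any row marked PUBLIC ADDRESS means that resolver is handing out the external owner's record for a DC name, which is the condition that precedes the KRB_AP_ERR_MODIFIED errors quoted in the question.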