
DC replication Problem

Barbara F 5 Reputation points
2023-08-31T20:27:28.89+00:00
Hi,

I'm having sync issues on two domain controllers.
I currently have the following situation

dc1 - (dc primary, has all FSMO roles).
dc2
dc3

dc1 and dc3 are on the same network. dc2 is on an external network (VPN).

After running Windows Update on dc1, replication between dc2 and dc1 fails.

The two DCs can see each other via ping, but when I try to force replication I get the following error:

"DsReplicaSync() failed with status -2146893022 (0x80090322):
    The target entity name is incorrect."

I tried stopping the Kerberos service on dc2 and doing the netdom resetpwd, but to no avail.

In the dc2 event logs today I found the error

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server {....}."

but I cannot figure out where the error is or how to fix it.
I initially thought it was a FW rules problem, but from the FW logs I have no evidence of dropped packets.
Do you have any suggestions?

2 answers

  1. Anonymous
    2023-09-04T08:27:03.0966667+00:00

    Hello Barbara F,

    It is a pleasure to answer this question for you and hope it can help you.

    According to the information you published, the error type is KRB_AP_ERR_MODIFIED.

    Some encrypted Kerberos authentication data sent by the client did not decrypt properly at the server because:

    1. A service ticket is issued to the local computer account, for which a host/SPN is automatically created, instead of to the service account, for which no SPN has been created. The reason for this is that a service does not register an SPN for itself, yet the service belongs to a service class for which the computer will automatically map the SPN to a host/service class. The result is that the service cannot decrypt the resultant ticket.

    Resolution: If the root cause appears to be that an SPN has not been set, verify that each service running on the target computer has an SPN set. Those services that do not have SPNs set might have had their SPNs remapped to the computer's host SPN.

    2. The authentication data was encrypted with the wrong key for the intended server.

    3. The authentication data was modified in transit by a hardware or software error, or by an attacker.

    4. The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.

    5. The client sent the authentication data to the wrong server because DNS data was out of date on the client.

    Resolution: Verify that DNS is functioning properly.

    6. Two computers in different domains have the same name and the client sent the authentication data to the wrong computer.

    Resolution: Verify that there are not multiple computers with the same name, including NetBIOS names, anywhere on the network.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

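The checks in the answer above (SPN presence, DNS pointing at the right host, duplicate names) as a read-only PowerShell script; this is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module, that it runs on the DC logging the KRB_AP_ERR_MODIFIED events (dc2 in the question), and placeholder names `dc1` and `corp.example`.

```powershell
<#
 Added example, not from the original thread: read-only checks mapping to the
 causes in the answer above (missing SPN, stale DNS, duplicate names).
 Run on the DC that logs KRB_AP_ERR_MODIFIED (dc2 in the question).
 Host and domain names below are placeholders.
#>
param(
    [string]$TargetDc = 'dc1',          # DC that replication fails against
    [string]$Domain   = 'corp.example'  # placeholder, replace with your AD DNS name
)
Import-Module ActiveDirectory
$fqdn = "$TargetDc.$Domain"
$dc   = Get-ADDomainController -Identity $TargetDc

# 1) DNS: does the address this host resolves for the DC match what AD records for it?
$dnsIps = @((Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop).IPAddress)
if ($dnsIps -notcontains $dc.IPv4Address) {
    Write-Warning "DNS says $fqdn = $($dnsIps -join ', ') but AD lists $($dc.IPv4Address); tickets may go to the wrong host"
} else {
    Write-Host "DNS OK: $fqdn -> $($dc.IPv4Address)"
}

# 2) SPNs: DC replication uses the DRS service class GUID plus the DC's NTDS Settings GUID
$ntds   = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
$drsSpn = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$($ntds.objectGUID)/$Domain"
$spns   = (Get-ADComputer -Identity $TargetDc -Properties servicePrincipalName).servicePrincipalName
foreach ($needed in @("HOST/$fqdn", $drsSpn)) {
    if ($spns -contains $needed) { Write-Host "SPN OK on ${TargetDc}: $needed" }
    else { Write-Warning "Missing SPN on ${TargetDc}: $needed" }
}

# 3) Duplicates: a second account claiming HOST/<fqdn> means tickets get encrypted with the wrong key
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$fqdn)")
if ($owners.Count -gt 1) {
    Write-Warning "HOST/$fqdn is registered on $($owners.Count) objects; $($owners.DistinguishedName -join '; ')"
}

# 4) Secure channel to the target DC and the latest Kerberos client errors (System log, event ID 4)
Test-ComputerSecureChannel -Server $fqdn -Verbose
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Security-Kerberos'; Id=4} `
             -MaxEvents 3 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Run it before and after any SPN or DNS correction; a warning from step 1 or 3 points at the "wrong server" and "wrong key" causes listed in the answer, while step 4 shows whether the client errors are still being logged.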


  2. Anonymous
    2023-08-31T21:31:08.7433333+00:00


