AD Replication Woes

Anonymous
2024-07-08T21:39:27+00:00

Hi All,

I have 1 site out of 3 that is having replication errors. Seems to be a Kerberos issue with error -2146893022. Upon many Google searches over the last month I have come to the conclusion that the solutions in all existing articles on this error do not work in this situation. The topology looks like the following:

Site 1: 1 Windows 2016 Domain Controller

Site 2: 1 Windows 2016 DC and 1 Windows 2012 DC

Site 3: 1 Windows 2012 DC (I had 1 2016 DC here but demoted it and have not been able to re-promote it)

Sites 1 & 2 are replicating AD no problem. Site 3 has an unreplicated copy of the AD and I cannot get the DC to replicate. It reports that the Windows 2016 DCs in Site 2 and Site 1 are unreachable. I downloaded and ran the Port Query tool and it connects to both DCs on ports 53, 88 & 389.

I had originally had a Windows 2003 server in Site 1 that was the original AD server for this forest. It died and I have made sure that all of the remaining junk from that server was cleaned out of AD and DNS. Not sure what else to consider at this point. DCDIAG reports that RPC Bind fails due to Target Principal Name being incorrect and the password is bad. I have reset the password on both DCs in Site 1 and Site 2 many times to no avail.

Thanks for any help,
Don




1 answer

  1. Anonymous
    2024-07-09T02:35:14+00:00

    Hi Don Mangiarelli,

    Thank you for posting in the Microsoft Community Forums.

    Based on your description, the issue you're experiencing centers around the fact that the Windows Server 2012 domain controller (DC) in Site 3 is unable to perform Active Directory replication with the DCs in Site 1 and Site 2. This is usually related to Kerberos authentication, network connectivity, time synchronization, or AD replication settings. Here are some suggested troubleshooting and resolution steps:

    Check time synchronization:

    Ensure that the time is synchronized across all DCs. Unsynchronized time can cause Kerberos authentication to fail. You can use Windows Time Service (W32time) to synchronize the time, or use a third-party time synchronization tool such as NTP.

    Kerberos and SPN (Service Principal Name):

    Since DCDIAG reports RPC binding failures and mentions incorrect target subject names and wrong passwords, this is most likely a Kerberos SPN configuration issue. You can use the setspn -Q command to query if the service account (usually the DC's computer account) is registered with the correct SPN.

    If you find any duplicate SPNs, use the setspn -D command to remove the duplicate SPNs.

    Ensure that all DCs' computer accounts are properly registered in DNS.

    Check the network firewall and ports:

    Although you have checked ports 53, 88, and 389 using the Port Query tool, make sure there are no additional firewall rules or network security devices blocking other necessary Kerberos or AD replication ports (e.g., 445, 135, etc.).

    Check for any network ACLs or routing issues that may be preventing Site 3's DC from communicating with Site 1 and Site 2's DC.

    Check DCDIAG and REPLMON:

    Run dcdiag /v /c /d /e /s:<DC name> to check the status of the DCs in detail.

    Use the REPLMON (Replication Monitor) tool to view replication queues and errors.

    Check DNS:

    Ensure that Site 3's DC is able to correctly resolve the FQDN of Site 1 and Site 2's DC.

    Check the SRV records in DNS to make sure they point to the correct DCs.

    Rejoin the domain:

    If possible, consider removing Site 3's DC from the domain and then rejoining it. This can resolve some of the issues caused by corrupted domain memberships.

    Review event logs:

    Carefully review the DC's event logs, especially the system logs and security logs, for any errors related to Kerberos authentication or AD replication.

    Best regards

    Neuvi Jiang

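One way to run the DNS, port, time, SPN and replication checks from the answer above in a single read-only pass from the Site 3 DC, as an added example that is not part of Neuvi's answer or any Microsoft tool. The DC hostnames and domain name are assumed placeholders; the script only queries (it never touches SPNs, passwords or replication topology) and uses a raw TCP connect instead of Test-NetConnection so it also works on Windows Server 2012.

```powershell
# Added example (not from the original thread). Run elevated on the Site 3 DC.
$Targets = @('DC1-SITE1.corp.example.com', 'DC1-SITE2.corp.example.com')  # assumed names
$Domain  = 'corp.example.com'                                              # assumed domain
# PortQry covered 53/88/389; replication additionally needs the RPC endpoint mapper (135) and SMB (445).
$Ports   = 53, 88, 135, 389, 445

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; avoids Test-NetConnection, which is absent on Server 2012.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($dc in $Targets) {
    Write-Host "=== $dc ==="

    # 1. DNS: the FQDN must resolve before Kerberos or the RPC bind can succeed.
    try {
        $ips = (Resolve-DnsName -Name $dc -Type A -ErrorAction Stop).IPAddress
        Write-Host "DNS A    : $($ips -join ', ')"
    } catch {
        Write-Host "DNS A    : FAILED ($($_.Exception.Message))"
        continue
    }

    # 2. Ports: anything BLOCKED here is a firewall/ACL problem, not a Kerberos one.
    foreach ($p in $Ports) {
        $state = if (Test-TcpPort $dc $p) { 'open' } else { 'BLOCKED' }
        Write-Host ("TCP {0,-5}: {1}" -f $p, $state)
    }

    # 3. Time: Kerberos tolerates 5 minutes of skew by default; w32tm prints the offset in seconds.
    $sample = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
    Write-Host "Time     : $sample"

    # 4. SPNs: the DC's computer account should hold its own HOST/, ldap/ and
    #    E3514235-... (DRS replication) SPNs; -X -F lists any duplicates forest-wide.
    $short = $dc.Split('.')[0]
    Write-Host "SPNs     :"
    setspn -L "$short`$" | Where-Object { $_ -match '^\s+(HOST|ldap|E3514235)' } |
        ForEach-Object { Write-Host "           $_" }
    Write-Host "Duplicate SPNs mentioning $short (setspn -X -F):"
    setspn -X -F | Select-String -SimpleMatch $short
}

# 5. SRV locator records: Site 3's DC must find the domain's LDAP and Kerberos records.
foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp') {
    Write-Host "=== $svc.$Domain ==="
    Resolve-DnsName -Name "$svc.$Domain" -Type SRV |
        Select-Object Name, NameTarget, Port | Format-Table -AutoSize
}

# 6. Replication state as AD itself records it (read-only; repadmin is the supported
#    replacement for REPLMON on current Windows versions).
repadmin /showrepl $env:COMPUTERNAME
repadmin /replsummary
```

Read the output top to bottom: a DNS failure or a BLOCKED port explains the "unreachable" report by itself, a time offset near or above 300 seconds explains Kerberos failures, and a duplicate SPN or a missing E3514235 replication SPN on the computer account is the usual cause of the "target principal name is incorrect" RPC bind error the question quotes.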