I need to decommission an on-prem domain controller and deploy a new DC in Azure. Before I go adding and removing DCs, I want to make sure our AD replication is clean. Below is the output of what I am getting when looking at the basic health of AD replication. Any ideas on next steps to get it clean?
From FSMO role DC:
C:\Users\xxxxx>repadmin /replsummary
Replication Summary Start Time: 2024-06-08 16:39:40
Beginning data collection for replication summary, this may take awhile:
Source DSA largest delta fails/total %% error
CRSVR01 48m:33s 0 / 5 0
Destination DSA largest delta fails/total %% error
HQSVR01 48m:33s 0 / 5 0
Experienced the following operational errors trying to retrieve replication information:
8341 - CRSVR01.xxxxx.local
From other DC:
C:\Windows\system32>repadmin /replsummary
Replication Summary Start Time: 2024-06-08 16:40:40
Beginning data collection for replication summary, this may take awhile:
Source DSA largest delta fails/total %% error
HQSVR01 41d.22h:53m:53s 5 / 5 100 (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
Destination DSA largest delta fails/total %% error
CRSVR01 41d.22h:53m:53s 5 / 5 100 (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
Experienced the following operational errors trying to retrieve replication information:
8341 - HQSVR01.xxxxx.local
Output from DCDIAG:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = HQSVR01
* Identified AD Forest.
[CRSVR01] LDAP bind failed with error 8341,
A directory service error has occurred..
Got error while checking if the DC is using FRS or DFSR. Error: A directory service error has occurred.The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CRSVR01
Starting test: Connectivity
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
......................... CRSVR01 failed test Connectivity
Testing server: Default-First-Site-Name\HQSVR01
Starting test: Connectivity
......................... HQSVR01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CRSVR01
Skipping all tests, because server CRSVR01 is not responding to directory service requests.
Testing server: Default-First-Site-Name\HQSVR01
Starting test: Advertising
......................... HQSVR01 passed test Advertising
Starting test: FrsEvent
......................... HQSVR01 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... HQSVR01 failed test DFSREvent
Starting test: SysVolCheck
......................... HQSVR01 passed test SysVolCheck
Starting test: KccEvent
......................... HQSVR01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... HQSVR01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... HQSVR01 passed test MachineAccount
Starting test: NCSecDesc
......................... HQSVR01 passed test NCSecDesc
Starting test: NetLogons
[HQSVR01] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... HQSVR01 failed test NetLogons
Starting test: ObjectsReplicated
......................... HQSVR01 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,HQSVR01] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105 "Replication access was denied."
......................... HQSVR01 failed test Replications
Starting test: RidManager
......................... HQSVR01 passed test RidManager
Starting test: Services
Could not open NTDS Service on HQSVR01, error 0x5 "Access is denied."
......................... HQSVR01 failed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 15:54:26
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hqsvr01$. The target name used was DNS/hqsvr01.xxxx.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxx.LOCAL) is different from the client domain (xxxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x0000168F
Time Generated: 06/08/2024 15:54:26
Event String: The dynamic deletion of the DNS record '_kerberos._tcp.dc._msdcs.xxxxx.local. 600 IN SRV 0 100 88 hqsvr01.xxxxxx.local.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 06/08/2024 15:54:26
Event String: The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.xxxxx.local. 600 IN SRV 0 100 88 hqsvr01.xxxxx.local.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 06/08/2024 15:54:26
Event String: The dynamic deletion of the DNS record '_kerberos._tcp.xxxxx.local. 600 IN SRV 0 100 88 hqsvr01.xxxxx.local.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 06/08/2024 15:54:26
Event String: The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.xxxxx.local. 600 IN SRV 0 100 88 hqsvr01.xxxxxx.local.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 06/08/2024 15:54:26
Event String: The dynamic deletion of the DNS record '_kerberos._udp.xxxxx.local. 600 IN SRV 0 100 88 hqsvr01.xxxxx.local.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 06/08/2024 15:54:27
Event String: The dynamic deletion of the DNS record '_kpasswd._tcp.xxxxx.local. 600 IN SRV 0 100 464 hqsvr01.xxxxx.local.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168F
Time Generated: 06/08/2024 15:54:27
Event String: The dynamic deletion of the DNS record '_kpasswd._udp.xxxxx.local. 600 IN SRV 0 100 464 hqsvr01.xxxxx.local.' failed on the following DNS server:
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 15:59:00
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hqsvr01$. The target name used was ldap/HQSVR01.xxxx.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxxx.LOCAL) is different from the client domain (xxxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 15:59:00
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hqsvr01$. The target name used was ldap/HQSVR01.xxxx.local/xxxxx.local@xxxxx.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxxx.LOCAL) is different from the client domain (xxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x000003EE
Time Generated: 06/08/2024 15:59:00
Event String:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 16:34:24
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server crsvr01$. The target name used was E3514235-4B06-11D1-AB04-00C04FC2DCD2/7a41e033-a1b8-4ccb-9f1b-0d81f7cc18c0/xxxx.local@xxxx.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxx.LOCAL) is different from the client domain (xxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 16:39:36
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server crsvr01$. The target name used was ldap/CRSVR01.xxxx.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxx.LOCAL) is different from the client domain (xxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 16:40:20
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server crsvr01$. The target name used was xxxxx\CRSVR01$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxxx.LOCAL) is different from the client domain (xxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 16:41:10
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server crsvr01$. The target name used was LDAP/7A41E033-A1B8-4CCB-9F1B-0D81F7CC18C0._msdcs.xxxx.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxxx.LOCAL) is different from the client domain (xxxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 16:43:24
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server crsvr01$. The target name used was ldap/crsvr01.xxxxx.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxx.LOCAL) is different from the client domain (xxxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
An error event occurred. EventID: 0x40000004
Time Generated: 06/08/2024 16:44:18
Event String:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server crsvr01$. The target name used was LDAP/7a41e033-a1b8-4ccb-9f1b-0d81f7cc18c0._msdcs.xxxx.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (xxxx.LOCAL) is different from the client domain (xxxx.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
......................... HQSVR01 failed test SystemLog
Starting test: VerifyReferences
......................... HQSVR01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : xxxx
Starting test: CheckSDRefDom
......................... xxxx passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... xxxxx passed test CrossRefValidation
Running enterprise tests on : xxxxx.local
Starting test: LocatorCheck
......................... xxxxx.local passed test LocatorCheck
Starting test: Intersite
......................... xxxxx.local passed test Intersite
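The output above points at three separate things before any DC is added or removed: error 8524 (the DSA could not resolve its replication partner in DNS), the failed Connectivity test on CRSVR01 ("check your firewall settings"), and the repeated KRB_AP_ERR_MODIFIED events for crsvr01$ and hqsvr01$ (duplicate SPN or a machine-account password that the two DCs disagree on). The script below is an added, read-only triage pass that checks each of those in turn; it is not code from the original post or its author. It assumes you run it elevated as a Domain Admin on HQSVR01 (the DC that still answers), that the RSAT ActiveDirectory and DnsClient modules are present (they are on any DC), and that the domain is also the forest root so the DSA-GUID CNAMEs live under `_msdcs.<domain>`. `xxxxx.local` is a placeholder for the redacted domain; the DC names are the ones in the post.

```powershell
<#
  AD replication triage (added example, not part of the original post).
  Read-only: resolves records, tests ports and reports; it changes nothing.
  Assumptions: 'xxxxx.local' stands in for the redacted domain; HQSVR01 and
  CRSVR01 are the DC names from the post; domain == forest root.
#>
param(
    [string]   $DomainFqdn        = 'xxxxx.local',            # placeholder, replace
    [string[]] $DomainControllers = @('HQSVR01', 'CRSVR01')
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. DNS (error 8524): each DC must resolve its partner's A record and the
#    <DSA objectGUID>._msdcs.<forest> CNAME that replication uses. The GUID in the
#    E3514235-.../7a41e033-... SPN from the System log is exactly that DSA GUID.
Write-Host "== DNS resolution via $env:COMPUTERNAME's configured resolvers =="
foreach ($dc in $DomainControllers) {
    $fqdn = "$dc.$DomainFqdn"
    try {
        $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
        Write-Host ("  {0,-50} -> {1}" -f $fqdn, ($a.IPAddress -join ', '))
    } catch { Write-Warning "  $fqdn : A lookup failed ($($_.Exception.Message))" }
    try {
        $dcObj   = Get-ADDomainController -Identity $dc -ErrorAction Stop
        $dsaGuid = (Get-ADObject -Identity $dcObj.NTDSSettingsObjectDN -ErrorAction Stop).ObjectGUID
        $cname   = "$dsaGuid._msdcs.$DomainFqdn"
        $c = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop | Where-Object Type -eq 'CNAME'
        Write-Host ("  {0,-50} -> {1}" -f $cname, $c.NameHost)
    } catch { Write-Warning "  DSA GUID CNAME for $dc : $($_.Exception.Message)" }
}

# 2. Locator SRV records: the log shows failed dynamic deletions of _kerberos SRV
#    records, so confirm what the zone currently advertises and that both DCs are in it.
Write-Host "== Locator SRV records =="
foreach ($srv in "_ldap._tcp.dc._msdcs.$DomainFqdn", "_kerberos._tcp.dc._msdcs.$DomainFqdn") {
    try {
        $targets = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
                   Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
        Write-Host "  $srv -> $($targets -join ', ')"
        foreach ($dc in $DomainControllers) {
            if ($targets -notcontains "$dc.$DomainFqdn") { Write-Warning "  $dc is missing from $srv" }
        }
    } catch { Write-Warning "  $srv : $($_.Exception.Message)" }
}

# 3. Reachability (dcdiag: "check your firewall settings"). RPC also needs the
#    dynamic range 49152-65535, which a single-port probe cannot prove.
Write-Host "== TCP port reachability =="
foreach ($dc in $DomainControllers | Where-Object { $_ -ne $env:COMPUTERNAME }) {
    foreach ($port in 53, 88, 135, 389, 445) {
        $ok = (Test-NetConnection -ComputerName "$dc.$DomainFqdn" -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("  {0}:{1,-4} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED/unreachable' }))
    }
}

# 4. Clock offset between the DCs (Kerberos tolerates 5 minutes of skew by default).
Write-Host "== Time offset =="
foreach ($dc in $DomainControllers) { w32tm /stripchart /computer:$dc /samples:1 /dataonly }

# 5. KRB_AP_ERR_MODIFIED: either an SPN registered on more than one account, or a
#    DC machine-account password that differs between the two copies of the directory.
#    Asking each DC for the other's PasswordLastSet shows whether they disagree.
Write-Host "== Duplicate SPNs (forest-wide) =="
setspn -X -F
Write-Host "== Machine-account PasswordLastSet as seen by each DC =="
foreach ($target in $DomainControllers) {
    foreach ($src in $DomainControllers) {
        try {
            $pls = (Get-ADComputer -Identity $target -Server "$src.$DomainFqdn" `
                    -Properties PasswordLastSet -ErrorAction Stop).PasswordLastSet
            Write-Host ("  {0}$ according to {1}: {2}" -f $target, $src, $pls)
        } catch { Write-Warning ("  {0}$ according to {1}: query failed ({2})" -f $target, $src, $_.Exception.Message) }
    }
}

# 6. Replication state once the above are clean: errors only, plus queued failures.
Write-Host "== Replication =="
repadmin /showrepl * /errorsonly
foreach ($dc in $DomainControllers) {
    try {
        Get-ADReplicationFailure -Target "$dc.$DomainFqdn" -ErrorAction Stop |
            Format-Table Server, Partner, FailureCount, LastError -AutoSize
    } catch { Write-Warning "  $dc : $($_.Exception.Message)" }
}
```

Run it once, fix whatever section 1 to 3 flag (stale or missing records, a resolver on one DC that does not point at a DC hosting the zone, blocked ports), then re-run `repadmin /replsummary`; a 41-day delta like the one in the post will not clear until the DNS and Kerberos errors are gone, and a demotion or promotion attempted before that tends to leave lingering objects behind.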