target principal name is incorrect while doing repadmin /replsum

Anonymous
2024-03-11T11:24:37+00:00

We have 3 domain controllers, and after restoring the primary domain controller on a different server, we are getting "the target principal name is incorrect" when running repadmin /replsum.

The other two controllers are syncing, but the primary domain controller is not syncing.

Please help.

Windows for business | Windows Server | Directory services | Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-03-12T06:53:46+00:00

    Hi Shishant,

    Thank you for posting in the Microsoft Community Forum.

    In the scenario where the error "Target principal name is incorrect" is encountered, it is possible that the issue arises due to the restoration of the primary domain controller. Here are some potential steps and solutions to ensure proper synchronization between domain controllers:

    1. **Check Time Synchronization:** Ensure that the system time on all domain controllers is correctly synchronized. Incorrect time synchronization can lead to synchronization issues.
    2. **Check RID Pool on the Primary Domain Controller:** If issues occurred during the restoration process of the primary domain controller, it might result in an inconsistent RID pool. You can check the RID pool using the following command:

         repadmin /showrepl

      Check the output for any errors or warnings related to the RID pool.
    3. **Force Full Synchronization:** On the target primary domain controller, attempt to force a full synchronization. Run the following command:

         repadmin /syncall /A /P /e /d

      This command will force the domain controller to perform a full synchronization.
    4. **Check DNS Configuration:** Ensure that the DNS configuration on the primary domain controller and other domain controllers is correct. Domain controllers should correctly point to the DNS of other domain controllers.
    5. **Check NTDS Settings on the Primary Domain Controller:** Ensure that the NTDS settings on the primary domain controller are correct. You can use the following command to check:

         repadmin /showutdvec <Primary Domain Controller Name> <Other Domain Controller Name>

      This will display information about update vectors.
    6. **Check Event Logs:** Examine the event logs of the domain controller, especially Directory Service and DNS events, for any errors or warnings related to synchronization issues.
    7. **Run DCDiag Tool:** Use the DCDiag tool to check the health status of the domain controller. Run the following command:

         dcdiag /v /c /d /e /s:<Primary Domain Controller Name>

      Ensure that no errors or failed tests are reported.
    8. **Consider Recreating Connection Objects if Issues Persist:** If problems persist, consider deleting and recreating connection objects. In Active Directory Users and Computers, navigate to "Sites" -> "Inter-Site Transports" -> "IP" -> "CN=DEFAULTIPSITELINK" -> "CN=Inter-Site Transports," and then delete the problematic connection object.

    Exercise caution when performing these operations, and test them in a controlled environment before applying changes in a production setting. If the issue persists, a more detailed investigation may be needed to identify the root cause.

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-03-19T05:49:20+00:00

    Hi Neuvi,

    Apologies, as I was not available during the interval, and thanks for your swift response to the query.

    However, I have gone through all the above commands and I am getting the below errors.

    1. The target principal name is incorrect
    2. error 1722: The RPC server is unavailable.
    3. The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server.
  3. Anonymous
    2024-03-19T08:06:45+00:00

    Hi Shishant,

    Have a nice day!

    Sometimes, restarting the Windows Time service (w32time) on the PDC Emulator can resolve synchronization issues. After restarting the service, force a resynchronization with the configured time source.

    Configure an authoritative time - Windows Server | Microsoft Learn

    Best regards

    Neuvi Jiang

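An added example, not from any post in this thread and not Microsoft's code: PowerShell that parses `repadmin /showrepl * /csv` output, names the two status codes reported above (1722 and the "target principal name is incorrect" code), and counts which DC sits on the failing replication links. The CSV is constructed sample data; DC01 to DC03 and corp.example are hypothetical names.

```powershell
# Added example. On a live DC the rows would come from:
#   repadmin /showrepl * /csv | ConvertFrom-Csv
# The CSV below is constructed sample data; DC01..DC03 and corp.example are hypothetical.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC02,"DC=corp,DC=example",Default-First-Site-Name,DC01,RPC,42,2024-03-19 05:40:11,2024-03-09 22:01:03,-2146893022
showrepl_INFO,Default-First-Site-Name,DC03,"DC=corp,DC=example",Default-First-Site-Name,DC01,RPC,40,2024-03-19 05:41:02,2024-03-09 22:03:47,-2146893022
showrepl_INFO,Default-First-Site-Name,DC01,"DC=corp,DC=example",Default-First-Site-Name,DC02,RPC,37,2024-03-19 05:39:55,2024-03-09 21:58:30,1722
showrepl_INFO,Default-First-Site-Name,DC02,"DC=corp,DC=example",Default-First-Site-Name,DC03,RPC,0,0,2024-03-19 05:45:10,0
showrepl_INFO,Default-First-Site-Name,DC03,"DC=corp,DC=example",Default-First-Site-Name,DC02,RPC,0,0,2024-03-19 05:44:58,0
'@

# Win32 / SSPI status codes for the two replication errors quoted in the thread.
$statusNames = @{
    '1722'        = 'RPC_S_SERVER_UNAVAILABLE (The RPC server is unavailable)'
    '-2146893022' = 'SEC_E_WRONG_PRINCIPAL (The target principal name is incorrect)'
}

function Get-ReplFailure {
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } | ForEach-Object {
        $code = $_.'Last Failure Status'
        [pscustomobject]@{
            Source      = $_.'Source DSA'
            Destination = $_.'Destination DSA'
            Failures    = [int]$_.'Number of Failures'
            LastSuccess = $_.'Last Success Time'
            Status      = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { "code $code" }
        }
    }
}

$rows     = $sampleCsv | ConvertFrom-Csv
$failures = @(Get-ReplFailure -Rows $rows)
$failures | Format-Table -AutoSize

# Count how often each DC appears on a failing link, as source or destination.
# A DC that is on every failing link while the remaining DCs replicate with
# each other is the one to examine first.
$failures | ForEach-Object { $_.Source; $_.Destination } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```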