JackChuong-8462 asked:

KDC problem - internal domain same as external domain

Hi all,
here is my environment:

3 sites/locations:

Default-First-Site-Name (data center):
2 domain controllers: dc1 (Windows Server 2016 Standard) holds the 5 FSMO roles, dc2 (Windows Server 2012 R2 Standard). Forest/domain functional level: Windows Server 2008 R2.

South site: 1 domain controller, dc-south (Windows Server 2016 Standard)

North site: 1 domain controller, dc-north (Windows Server 2012 R2 Standard)

At the beginning, I made a basic mistake: my internal domain is the same as an external domain which I don't own.
It causes some annoying errors. For example, if I look into the event log on the 4 DC servers I can see many event ID 4 errors:

 The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server workstation32$. The target name used was RPCSS/workstation32.mydomain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (mydomain.COM) is different from the client domain (mydomain.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Sometimes my users' workstations got an error about the relationship with the domain controller ... (I can live with that), but the last time it caused a fatal error: dc2 Kerberos ticket or computer account password mismatch.
At the same time:
I cannot UNC to \\dc2.
I can UNC to \\dc1, \\dc-south, \\dc-north and see the NETLOGON and SYSVOL folders shared.
In Active Directory Sites and Services, when I try to manually replicate from dc1 --> dc2 I get the error "The target principal name is incorrect"; testing with Repadmin or dcdiag gives a similar result.
I fixed it by resetting the dc2 account password with this command on dc2:

    netdom resetpwd /server:dc1 /userd:mydomain\administrator /passwordd:*
    The machine account password for the local machine has been successfully reset.

    The command completed successfully.

I want to stop that from happening again; changing the internet domain is not an option. Can I fix it by adding A records for the 4 DC servers into the hosts file on the 4 DC servers?
Please give me some advice, thank you very much.



DaisyZhou-MSFT answered:

Hello @JackChuong-8462,

Thank you for posting here.

1. Based on the post title "internal domain same as external domain", do you have two domains with the same domain name?
2. What is the relationship between the two domains?

The event ID 4 errors and/or the issue "workstation got error about relationship with domain controller"/"The target principal name is incorrect" should have nothing to do with the same domain name you mentioned.

Q: Can I fix it by adding A records for the 4 DC servers into the hosts file on the 4 DC servers?
A: We should analyze the specific problems in order to troubleshoot or solve them.

For more information about "The target principal name is incorrect", we can refer to the links below.
Error (Target Principal Name is incorrect) when manually replicating data between domain controllers
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/target-principal-name-is-incorrect-when-replicating-data

Active Directory replication error -2146893022: The target principal name is incorrect
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-2146893022


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


JackChuong-8462 answered:

Hi DaisyZhou, thanks for your reply.
mydomain.com is a real domain. I don't own this domain; it is purchased/owned/used by other people, and I have no relationship with it. I can query something.mydomain.com and see it is pointed to a real public IP address.
I used mydomain.com for my internal Active Directory domain, so stupid, I know, but the system grew too big and changing the internal domain is not an option.

I think I get many event ID 4 errors related to my workstations, even my DC2, because somehow other DCs "see" that workstation32.mydomain.com or dc2.mydomain.com point to 2 different IP addresses: 1 real public IP address and 1 internal IP address like 192.168.x.x; it caused the computer account password mismatch error.
When the problem happened last week, I pinged dc2.mydomain.com and saw it was pointed to the external IP address, though when I queried dc.mydomain.com (nslookup with the name server set to other DCs), it was pointed to the internal IP.

I read your docs and I can fix it by resetting the dc2 computer account password. I just want to stop that from happening again because I have many services that depend on the KDC service on the DCs (like Exchange), and when the KDC has a problem it causes a lot of trouble for the other services.
Can I fix it by adding A records for the 4 DC servers into the hosts file on the 4 DC servers?

    192.168.1.100 dc1.mydomain.com
    192.168.1.101 dc2.mydomain.com
    192.168.10.100 dc-south.mydomain.com
    192.168.20.100 dc-north.mydomain.com

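An added check, not from the original thread, for the name collision described above: it asks each DC's DNS service for the A records of the 4 DCs, compares them with the internal addresses listed in the post, flags any answer that is a public address, and lists recent Kerberos event ID 4 entries so the two can be correlated. The DC names and addresses are the poster's; that every DC also runs the DNS role and that the script runs on a DC with the DnsClient cmdlets available is assumed.

```powershell
# Added example (not the poster's or Microsoft's code). Names and addresses
# are those given in the thread; running this on a DC that can reach all
# four DC DNS services is an assumption.
$Expected = @{
    'dc1.mydomain.com'      = '192.168.1.100'
    'dc2.mydomain.com'      = '192.168.1.101'
    'dc-south.mydomain.com' = '192.168.10.100'
    'dc-north.mydomain.com' = '192.168.20.100'
}
# Ask each DC's own DNS service, so a stale or forwarded answer on one DC shows up.
$DnsServers = @($Expected.Values)

function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

foreach ($server in $DnsServers) {
    foreach ($name in $Expected.Keys) {
        try {
            $answers = Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
        } catch {
            Write-Warning "$server : $name did not resolve ($($_.Exception.Message))"
            continue
        }
        foreach ($a in $answers) {
            $ip = $a.IPAddress
            if ($ip -eq $Expected[$name]) {
                Write-Output "$server : $name -> $ip OK"
            } else {
                # A public answer for a DC name is the symptom behind the KRB_AP_ERR_MODIFIED events.
                $kind = if (Test-PrivateIPv4 $ip) { 'unexpected internal' } else { 'PUBLIC' }
                Write-Warning "$server : $name -> $ip ($kind; expected $($Expected[$name]))"
            }
        }
    }
}

# Correlate with the symptom: recent Kerberos event ID 4 entries in this DC's System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A hosts file entry only changes what that one DC resolves locally; workstations still ask DNS, so the same check is worth running with $DnsServers pointed at whatever resolver the workstations use.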

Hello @JackChuong-8462,

I am sorry for the late reply.

You can try your way of adding A records for the 4 DC servers into the hosts file on the 4 DC servers.

If it does not work, then remove the changes.

Best Regards,
Daisy Zhou


I did, but I'm not sure if it works (stops that from happening again in the future). It seems this error rarely occurs, and this is also the first time I have had this error with a domain controller, so I will just wait and see. I think this case should be closed.


Hello @JackChuong-8462,

Thank you so much for your update.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!


Best Regards,
Daisy Zhou
