To totally unlock this section you need to Log-in
During an Active Directory domain controller upgrade or after deploying a new VM of Windows Server (then promoted to Domain Controller), we could observe replication issues on the Domain Controller which also owned the PDC emulator role. It is always a good idea to ensure replication and event logs are healthy before performing Active Directory changes and upgrades to avoid situations like this.
The following procedure will show how to get some clues about this issue and how to solve it. Let's begin with repadmin tool:
repadmin /replsummary
It shows, for example, the following error:
Source DSA largest delta fails/total %% error DC-01 15m:05s 0 / 10 0 DC-02 41m:15s 0 / 10 0 DC-03 06d.05h:43m:01s 4 / 10 40 (2148074274) The target principal name is incorrect.
You can see DC-01 and DC-02 are fine but DC-03 has replication errors and shows the error message "The target principal name is incorrect".
Resetting the domain controllers computer account using the following steps should resolve the replication issues.
Identify the DC which owns the PDC role:
netdom query fsmo
On the domain controller, disable the Kerberos Key Distribution Center service (KDC).
- Click Start, point to Programs, click Administrative Tools, and then click Services.
- Double-click KDC, set the startup type to Disabled, and then restart the computer (Restarting is required or else you will get an error on the next step).
- Login to the DC again and run the following command to reset the computer account.
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
NOTE: This can not be done in Active Directory Users and Computers for Domain Controllers.
Set the KDC service to "Automatic" and restart the affected domain controller again.
Run the following commands to ensure there are no replication issues.
repadmin /syncall repadmin /replsummary
A clean replication summary looks like this:
Source DSA largest delta fails/total %% error DC-01 16m:08s 0 / 10 0 DC-02 12m:40s 0 / 10 0 DC-03 14m:35s 0 / 10 0
More Information
If there are multiple domain controllers in the domain, the error message that you receive when this issue occurs varies depending on which way replication is being attempted, and if one of the domain controllers that is involved is also the PDC Emulator operations master role holder.
In some cases, when you use the net view \\computername to attempt to connect to the domain controller that has the PDC Emulator operations master role from another domain controller, you may receive an "Access denied" error message. However, if you use the Internet protocol (IP) address, the command may succeed.
When this problem occurs, numerous errors may be reported in the event logs. These errors vary depending on any of the following conditions:
- The domain controller was not fully functional before the problem occurred.
- The domain controller did not successfully completed the Active Directory Installation Wizard process.
- The Sysvol folder on the domain controller was not shared out.
- The domain controller did not have the full file structure under the Domain_name folder and the Policies folder that is located in %SystemRoot%\Sysvol\Sysvol\Domain_name\Policies.