Replication fails between an affected DC and the other DCs in the domain. The reason given for the failure may vary, but "The target principal name is incorrect" is a strong indicator of a broken secure channel. Result codes associated with this error include -2146893022 and 0x80090322; these are the same value (SEC_E_WRONG_PRINCIPAL) written as a signed decimal and as hexadecimal. The codes may appear in repadmin output or in events in the Directory Service event log. "The trust relationship between this workstation and the primary domain failed" is another error associated with a broken secure channel. If the affected DC is also a DNS server, the DNS Manager console may produce an "Access denied" error when connecting to that DC.
The DC's own copy of its computer account password does not match the corresponding password stored in the Active Directory (AD) database. When these passwords differ, a secure channel cannot be established. More information about computer account passwords in AD can be found in Additional Info below.
The Test-ComputerSecureChannel PowerShell cmdlet with the -Repair switch can repair a broken secure channel on a DC. (There are other methods, but this command is simple and straightforward.) Perform these steps on the affected DC to repair its secure channel:

1. Skip this step if there is only one DC in the domain. Stop the Kerberos Key Distribution Center (KDC) service and set its startup type to Disabled. It may also be necessary to do this on other DCs in the domain, but the service must be left running on at least one DC. See Additional Information below.

2. Launch an elevated PowerShell prompt.

3. Run klist purge to delete existing Kerberos tickets.

4. Run the following command:

   Test-ComputerSecureChannel -Server <good_dc> -Repair -Verbose

   Replace <good_dc> with the name or IP address of a DC on which the KDC service is running. The output of the command should indicate that the secure channel was successfully repaired.

   Figure 1: The secure channel was successfully repaired.

5. If the previous command fails to repair the secure channel, this command may succeed:

   netdom resetpwd /server:<good_dc> /userd:<domain>\<domain_admin> /passwordd:*

   Note the extra d in passwordd. This is not a typo: the trailing d marks the domain credentials, matching /userd. Replace <good_dc> with the name or IP address of a DC on which the KDC service is running. Replace <domain> with the name of the domain. Replace <domain_admin> with the name of an administrative account in the domain. Supply the password of the specified user account when prompted. The output of the command should indicate that the server's computer account password was successfully reset.

   Figure 2: The server's computer account password has been successfully reset.

6. Force AD replication to and from the affected DC and confirm that it succeeds.

7. Reset the startup type of the KDC service to Automatic on every DC where it was stopped and start the service. (In other words, undo what was done in step 1.)
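The procedure above, collected into one script as an added example (this is not code from the original page). It assumes it is run from an elevated PowerShell prompt on the affected DC, that the healthy DC and the admin account are passed in as parameters (the placeholder default CORP\Administrator is an assumption), and that the operator tells the script when the affected DC is the only DC in the domain via the -OnlyDC switch, since a DC with a broken secure channel may not be able to enumerate the domain reliably.

```powershell
# Added example, not from the original page: repair a DC's secure channel
# by the steps described above. Assumed inputs: -GoodDC is a DC whose KDC
# is running (e.g. 'DC02'); -DomainAdmin is only used for the netdom fallback.
param(
    [Parameter(Mandatory)] [string]$GoodDC,
    [string]$DomainAdmin = 'CORP\Administrator',   # assumption; replace with a real admin
    [switch]$OnlyDC                                 # set when this is the only DC in the domain
)

# Confirm the channel is actually broken before changing anything.
if (Test-ComputerSecureChannel -Server $GoodDC) {
    Write-Host "Secure channel to $GoodDC is healthy; nothing to repair."
    return
}

# Stop the local KDC so this DC authenticates against $GoodDC's KDC instead of
# its own (skipped when there is no other DC to authenticate against).
if (-not $OnlyDC) {
    Set-Service -Name kdc -StartupType Disabled
    Stop-Service -Name kdc -Force
}

# Discard cached Kerberos tickets issued under the stale computer password.
klist purge | Out-Null

# Attempt the repair through the healthy DC; the cmdlet returns $true on success.
$repaired = Test-ComputerSecureChannel -Server $GoodDC -Repair -Verbose

# Fallback: reset the computer account password with netdom (prompts for the
# admin password because of /passwordd:*), then re-test the channel.
if (-not $repaired) {
    Write-Warning "Test-ComputerSecureChannel -Repair failed; trying netdom resetpwd."
    netdom resetpwd /server:$GoodDC /userd:$DomainAdmin /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    $repaired = Test-ComputerSecureChannel -Server $GoodDC
}

# Force replication for all partitions, to and from this DC, and show the result.
# /AdeP = All partitions, identify servers by Dn, Enterprise (cross-site), Push.
repadmin /syncall /AdeP $env:COMPUTERNAME
repadmin /replsummary $env:COMPUTERNAME

# Undo the KDC change on this DC (repeat manually on any other DC where it was stopped).
if (-not $OnlyDC) {
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc
}

if (-not $repaired) {
    throw "Secure channel to $GoodDC is still broken; check the Directory Service event log."
}
Write-Host "Secure channel to $GoodDC repaired and KDC service restored."
```

Run it as .\Repair-DcSecureChannel.ps1 -GoodDC DC02 (a file name chosen for this example). The KDC is restarted before the script throws on failure so that a failed attempt does not leave the DC with its KDC disabled. If the account running the script cannot itself authenticate to the healthy DC, Test-ComputerSecureChannel also accepts a -Credential parameter that can be supplied with the domain admin credentials.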