
Target principal names 2

Status
Not open for further replies.

JPJeffery (Technical User), May 26, 2006
We're getting some Directory Replication issues.

We've made some changes to DNS in response to this problem and our Spotlight server is now telling us that DNS is working fine (which took some doing!)

However, an error we're still seeing from our Directory Replication tests is "The target principal name is incorrect".

If "The target principal name is incorrect" then how do I find out what the correct target principal name is?

I believe the principal name being referred to is the long alpha-numeric string (e.g. b54063b0-2712-43d2-aa4b-0942b5b2f180) representing the target server in the Forward Lookup Zone in the _msdcs folder in DNS. Am I right? How can I tell?!

JJ
Variables won't. Constants aren't
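To answer the "how can I tell?" part with something concrete, here is an added PowerShell check (not from this thread or from any poster) that maps each DC's DSA object GUID to the CNAME record under `_msdcs` and confirms the record points back at the right host. It assumes the ActiveDirectory and DnsClient modules are installed and that the account running it can read the Configuration partition.

```powershell
# Added example: verify the <DSA GUID>._msdcs.<forest> CNAME records for every DC.
# Assumes the ActiveDirectory and DnsClient PowerShell modules are available.
Import-Module ActiveDirectory

$forest  = (Get-ADForest).RootDomain          # _msdcs lives under the forest root zone
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # The long GUID seen under _msdcs is the objectGUID of the DC's NTDS Settings
    # object (the DSA GUID), not the GUID of the computer account itself.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $cname   = "$dsaGuid._msdcs.$forest"

    $record = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue
    $target = $record |
              Where-Object { $_.Type -eq 'CNAME' } |
              Select-Object -First 1 -ExpandProperty NameHost

    # A missing or stale CNAME means replication partners cannot locate this DC.
    $status = if (-not $target) { 'MISSING' }
              elseif ($target.TrimEnd('.') -ieq $dc.HostName) { 'OK' }
              else { 'MISMATCH' }

    [pscustomobject]@{
        DC          = $dc.HostName
        Site        = $dc.Site
        DsaGuid     = $dsaGuid
        CnameRecord = $cname
        ResolvesTo  = $target
        Status      = $status
    }
}

$results | Format-Table -AutoSize
```

Run it from a machine in each site: because `Resolve-DnsName` uses that machine's own resolver, a record that is `OK` from London but `MISSING` from New York points at a replication or secondary-zone problem on the New York DNS servers rather than at the record itself.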
 
You know, since I posted the thread but before you replied, we'd done exactly what the article you pasted the URL of suggested. And it looks like things are starting to come together...

Cheers, kmkeshav.

JJ
Variables won't. Constants aren't
 
This is mostly working, but when we try to reset the password on our New York DC by referring to the PDC Emulator in London it fails with an error of "The target account name is incorrect."

This looks like being our last stumbling block so any ideas gratefully received...!

JJ
Variables won't. Constants aren't
 
Further tests (Spotlight on Active Directory is very good!) have revealed a pattern.

We have three sites. London, New York and Hong Kong.

Each site contains two DCs. The London DC is acting as the PDC Emulator.

Intra-site replication is working.

London to Hong Kong replication is working.
Hong Kong to London replication is working.
New York to London replication is working.
New York to Hong Kong replication is working.
but
London to New York replication is NOT working.
Hong Kong to New York replication is NOT working.

Or in summary, inter-site replication IN to New York is failing.

We've reset the Kerberos account password using Netdom on the NY DCs but this hasn't worked. One clue here is that to reset this password on New York DC01 we had to refer to the London PDC Emulator (DC01) by IP address as it didn't like the name (I'll be trawling through the DNS entries soon to sanity check them).

Please help!

JJ
Variables won't. Constants aren't
 
Can you ping the servers from other sites to New York?
What's the biggest packet size that can go through?

If you ping using FQDN, does it reply with correct IPs?

If yes, then DNS is most likely fine.

Can you access the sysvol share from one of the London servers, accessing the New York DC by FQDN or by IP?

If it only works with IPs then kerberos is failing.
You might want to force it to use TCP instead of UDP.

The Netdom command commonly fails when given an FQDN, just an FYI.
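The checks in the reply above, scripted as an added PowerShell example (not posted by anyone in this thread). The two New York host names are placeholders to replace with the real DC FQDNs; the script is meant to be run from a London or Hong Kong host, and reading the Kerberos parameters key needs nothing special, while the commented-out `Set-ItemProperty` at the end needs an elevated session.

```powershell
# Added example: name resolution, DF ping size, SYSVOL-by-name vs SYSVOL-by-IP,
# and the Kerberos UDP/TCP setting. Host names below are placeholders.
$targets = @('nydc01.example.local', 'nydc02.example.local')

foreach ($fqdn in $targets) {
    Write-Host "=== $fqdn ==="

    # 1. Does the FQDN resolve, and to which address?
    $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { Write-Warning "  no A record for $fqdn"; continue }
    $ip = $a[0].IPAddress
    Write-Host "  resolves to $ip"

    # 2. Largest ICMP payload that crosses the WAN with Don't-Fragment set.
    #    Kerberos over UDP is sensitive to this once tickets grow large.
    $maxOk = 0
    foreach ($size in 1200, 1400, 1472) {
        $reply = ping.exe -n 1 -f -l $size $ip 2>$null
        if ($LASTEXITCODE -eq 0 -and ($reply -match 'TTL=')) { $maxOk = $size }
    }
    Write-Host "  largest DF ping payload that succeeded: $maxOk bytes"

    # 3. SYSVOL by FQDN uses Kerberos; by IP the client normally falls back to NTLM.
    $byName = Test-Path "\\$fqdn\SYSVOL"
    $byIp   = Test-Path "\\$ip\SYSVOL"
    Write-Host "  SYSVOL by FQDN: $byName   by IP: $byIp"
    if ($byIp -and -not $byName) {
        Write-Warning "  name-based access fails while IP works: Kerberos to $fqdn is failing"
    }
}

# 4. Kerberos transport on this client. MaxPacketSize = 1 forces TCP for all
#    Kerberos traffic; when the value is absent the default UDP threshold applies.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$max = (Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
Write-Host "Kerberos MaxPacketSize: $(if ($null -eq $max) { 'not set (default)' } else { $max })"

# To force Kerberos over TCP (run elevated; affects tickets requested afterwards):
# Set-ItemProperty -Path $kerbKey -Name MaxPacketSize -Value 1 -Type DWord
```

One caveat on step 3: on current Windows clients the UNC hardening policy requires mutual authentication for `\\*\SYSVOL`, so access by IP can fail for that reason alone; on those hosts compare FQDN against NetBIOS name instead, or test a different share, before concluding anything about Kerberos.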
 
Wow. How did you come across this thread? It must have been at least a couple of pages down!

Anyway, yes, I agree that Kerberos is failing. I think it's all tied in to the fact that all six of our domain controllers have the same SID.

The tests you suggested failed where you predicted. I can connect to the NYC sysvol using \\ip.address\sysvol but not \\fqdn\sysvol.

Anyway, I've demoted one of the DCs, done a metadata cleanup, applied newsid, dcpromo'd it back in, re-fixed DNS and so on but I don't think this is really going to prove if I'm right until I've done at least five out of six...

JJ
Variables won't. Constants aren't
 