Thursday, October 22, 2015

Replication problems between two DCs caused by a faulty Schannel and a wrong Kerberos ticket for the affected DC's computer object

Problem:
•    Automatic and manual replication give the error:
Error message: "Target Principal Name is Incorrect"

•    AD Replication error 8452 remains:
"The naming context is in the process of being removed or is not replicated from the specified server."

•    KCC builds wrong NTDS partners

Directory Services Events:
•    Event ID 36871 Schannel
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

•    Event ID 36886 Schannel
No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

Solution:
•    The affected DC cannot communicate with the PDC
•    The Schannel on the affected DC must be renewed
•    A new Kerberos ticket has to be requested from the PDC
•    The KCC has to be restarted to rebuild the replication partner(s)


Actions needed:
1.    Stop the KDC service:
C:\>net stop KDC
2.    Purge Kerberos tickets using KLIST:
C:\>klist purge
3.    Find the PDC domain controller in the domain of the affected DC
4.    Reset the secure channel from the problem DC to the PDC:
C:\>netdom resetpwd /server:<PDC> /userd:<DOMAIN>\<Admin_account> /passwordd:*
5.    Access the PDC by FQDN to force the problem DC to request new Kerberos tickets:
C:\>net use \\<PDC FQDN>\IPC$
6.    Force the DC to replicate from the PDC (from Active Directory Sites and Services)
7.    Start the KDC service:
C:\>net start KDC

Finally, delete the existing NTDS connections and check the replication topology.
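As an added example (not from the original post), the following PowerShell diagnostic checks the three symptoms listed above before and after the fix: the Schannel events 36871/36886, replication links whose last failure is 8452, and the secure channel to the PDC emulator (which also answers step 3). It assumes it runs elevated on the suspected DC with the ActiveDirectory module (RSAT) and repadmin available; the function name Test-DcReplicationHealth is hypothetical.

```powershell
# Added diagnostic helper, not from the original post. Run elevated on the
# suspected DC. Assumes the ActiveDirectory module and repadmin are present;
# the function name Test-DcReplicationHealth is hypothetical.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-DcReplicationHealth {
    param([int]$LookbackHours = 24)

    # Step 3 of the procedure: the PDC emulator the secure channel is reset against.
    $pdc = (Get-ADDomain).PDCEmulator

    # The two Schannel events quoted in the post are written to the System log.
    $schannel = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36871, 36886
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    $schannelCount = ($schannel | Measure-Object).Count

    # Inbound replication links whose last failure status is 8452
    # ("naming context is in the process of being removed or is not replicated").
    $links8452 = repadmin /showrepl /csv | ConvertFrom-Csv |
        Where-Object { $_.'Last Failure Status' -eq '8452' } |
        Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Time'

    # Secure channel of this DC's computer account, verified against the PDC.
    # $false here is the condition that netdom resetpwd (step 4) repairs.
    $secureChannelOk = Test-ComputerSecureChannel -Server $pdc

    [pscustomobject]@{
        PdcEmulator        = $pdc
        SecureChannelToPdc = $secureChannelOk
        SchannelEvents     = $schannelCount
        FailingLinks8452   = $links8452
        NeedsResetpwd      = (-not $secureChannelOk) -or ($schannelCount -gt 0)
    }
}

Test-DcReplicationHealth | Format-List
```

Run it once before step 1 to confirm the diagnosis, and again after step 7 and the KCC rebuild: SecureChannelToPdc should be True, SchannelEvents 0 for the new lookback window, and FailingLinks8452 empty.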