Active Directory – Password Reset on a PDC

I had an issue in my lab where the PDC emulator changed its password while the IPv6 communication was not properly up and running, and so two different passwords were registered on my two DCs. This is a reminder that IPv6 is the preferred network protocol in Windows and has been since Vista.

Nothing new in this article, just some clarification, as the documentation can be confusing at times and we tend to forget things.

The architecture is the following:

DC1 : Server 2012R2

DC2 : Server 2016 (all FSMO roles hosted) – The culprit

First thing to check is DNS: point the network card of DC2 to the working DC, as the DNS server on DC2 might not be working properly. In my case DC2 didn’t have IPv6 records while DC1 had them, and since the DNS zone is replicated via AD, we clearly see an issue here.

Restart DC2; this helps name resolution and lets AD start with a correct DNS server.

Stop the Kerberos Key Distribution Center service on DC2 and set it to Manual. Once you do, Kerberos will use another domain controller. If you want to target a specific one, modify the hosts file so the domain name resolves to the DC you want, or disable the KDC on every DC you don’t want targeted, which can be cumbersome.

Purge System Kerberos tickets

KLIST -li 0x3e7 purge

To reset the password of a computer, you need to use the following command (don’t run it yet, read on):

netdom resetpwd /s:server_name /ud:DOMAIN\Admin /pd:*

or

netdom resetpwd /server:server_name /userd:DOMAIN\Admin /passwordd:*

If you follow this documentation: https://support.microsoft.com/en-us/help/288167/error-message-target-principal-name-is-incorrect-when-manually-replica, it states that server_name should be the PDC emulator. However, this is not true: it should be a healthy server, and it doesn’t have to be the PDC. In my case it made a huge difference! This is described in this documentation: https://support.microsoft.com/en-us/help/325850/how-to-use-netdom-exe-to-reset-machine-account-passwords-of-a-windows

So the correct command is to be run on DC2 targeting DC1, like so:

netdom resetpwd /s:DC1 /ud:DOMAIN\Administrator /pd:*

Now you can try to force replication; it should succeed. If it doesn’t, other issues may be at play.
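The whole procedure above, run from DC2, as an added PowerShell example (not from the original post). It first confirms the symptom described at the start, the two DCs holding a different machine account password for DC2, by comparing pwdLastSet on both replicas, then applies the fix against the healthy DC. The hostnames DC1/DC2 and the domain FQDN are assumptions to adjust; the ActiveDirectory module (RSAT) is assumed to be installed, and the reboot step from the post happens between the DNS check and the KDC step.

```powershell
# Added example (not from the original post). Run elevated on DC2.
# Assumes the ActiveDirectory module (RSAT) is available and that the
# names below match your lab; adjust them before use.
$HealthyDc = 'DC1'            # assumption: DC whose directory copy is good
$BrokenDc  = 'DC2'            # assumption: DC that changed its password without replicating
$Domain    = 'corp.example'   # placeholder domain FQDN

# 1. Detect the divergence: ask each DC when DC2's machine account password
#    was last set. Different values mean the two DCs hold different passwords.
$pwdInfo = foreach ($dc in $HealthyDc, $BrokenDc) {
    Get-ADComputer -Identity $BrokenDc -Server $dc -Properties PasswordLastSet |
        Select-Object @{ n = 'QueriedDc'; e = { $dc } }, PasswordLastSet
}
$pwdInfo | Format-Table -AutoSize
if ($pwdInfo[0].PasswordLastSet -ne $pwdInfo[1].PasswordLastSet) {
    Write-Warning "Machine account password of $BrokenDc differs between $HealthyDc and $BrokenDc"
}

# 2. DNS sanity: DC2's NIC should point at the healthy DC, and the domain
#    should resolve over IPv6 (AAAA) from that DC. Reboot DC2 after fixing this.
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 | Format-Table -AutoSize
Resolve-DnsName -Name $Domain -Type AAAA -Server $HealthyDc -ErrorAction SilentlyContinue

# 3. Stop the local KDC and set it to Manual so Kerberos uses another DC.
Set-Service -Name Kdc -StartupType Manual
Stop-Service -Name Kdc

# 4. Purge the SYSTEM logon session's Kerberos tickets (LUID 0x3e7).
klist -li 0x3e7 purge

# 5. Reset the machine account password against the healthy DC
#    (it does not have to be the PDC emulator). /pd:* prompts for the password.
netdom resetpwd "/s:$HealthyDc" "/ud:$Domain\Administrator" /pd:*

# 6. Force replication and verify the replication status.
repadmin /syncall /AdeP
repadmin /showrepl
```

If step 1 shows identical PasswordLastSet values, the secure channel problem is elsewhere and the reset is not what you need.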

This solved my problem in my case, and now everything is up and running correctly.