On: Feb 14Author: Neil Bryan


During an Active Directory domain controller upgrade from Windows 2003 to Windows 2012 R2 I observed replication issues on the Domain Controller which also owned the PDC emulator role.


A problem logging onto the domain controller is what initially triggered the investigation into potential issues. It is always a good idea to ensure replication and event logs are healthy before performing Active Directory changes and upgrades for situations like this.




repadmin /replsummary showed the following error:


Source DSA largest delta fails/total %% error
DC-01 15m:05s 0 / 10 0
DC-02 41m:15s 0 / 10 0
DC-03 06d.05h:43m:01s 4 / 10 40 (2148074274) The target principal name is incorrect.


You can see DC-01 and DC-02 are fine but DC-03 has replication errors and shows the error message"The target principal name is incorrect."


Resetting the domain controllers computer account using the following steps resolved the replication issues.






Identify the DC which owns the PDC role:


netdom query fsmo




On the domain controller, disable the Kerberos Key Distribution Center service (KDC).


Click Start, point to Programs, click Administrative Tools, and then click Services.
Double-click KDC, set the startup type to Disabled, and then restart the computer.

(Restarting is required or else you will get an error on the next step)




Login to the DC again and run the following command to reset the computer account.


netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
(This can not be done in Active Directory Users and Computers for Domain Controllers.)




Set the KDC service to "Automatic" again and restart the server again.




Run the following commands to ensure there are no replication issues.


repadmin /syncall
repadmin /replsummary


A clean replication summary looks like this:


Source DSA largest delta fails/total %% error
DC-01 13m:10s 0 / 10 0
DC-02 15m:05s 0 / 10 0
DC-03 15m:05s 0 / 10 0










This issue may also be caused by corrupt Secure channel. Please try the following steps to reset Secure channel.

1.    Stopped KDC service and set that to manual.
2.    Ran resetpwd /server:SERVER’s IP /userd:USER  /passwordd:*
3.    Start KDC service to test. 

If the issue persists, it’s suggested to collect MPS Report for research. 

A.    Download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link: 

Please note: The link may be truncated when you read the E-mail. Be sure to include all text between '(' and ')' when navigating to the download location.

B . Right click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.

C . Please type Y with the message of <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?

D . When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file. After collecting, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.