Active Directory error message "2148074274 The target principal name is incorrect"

Jean-Yves Moschetto (ANVOLE) | Debug | Active Directory | | View Counts (13947) |Return|
0 ( 0 reviews)



as it regularly happens when you stop a test platform for a long time, computer accounts password expire and Active Directory controllers do not replicate anymore (well known item since Windows 2000 Active Directory).


When you try to manually replicate using dssite.msc, you get the error message "2148074274 The target principal name is incorrect".


Moreover, you can see in event viewer some messages such as:

Log Name: System
Source: Security-Kerberos
Event ID: 4
Error: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server DC2. The target name used was cifs/DC2.dom2016.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (DOM2016.LOCAL) is different from the client domain (DOM2016.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.



- Locate PDC emulator with Active Directory Users and Computers snap-in
- On the DC(s) no more replicating:

  • Disable service "Kerberos Key Distribution Center" (KDC)
  • Reboot DC
  • Reset password within an administrator command prompt
    netdom resetpwd /server:PDC_EMULATOR /userd:DOM2016\administrator /passwordd:password
  • Reboot DC
  • Restart KDC service
  • Force replication



Performance tuning Windows Server 2016 containers

Windows Server 2016 is the first version of Windows to ship support for container technology built i...

Remote Desktop Administrative Session

When you connect to Microsoft Windows RDS (Remote Desktop Services), it can be done either as a USER...

La sécurisation des environnements Cloud Microsoft

L'objectif de cette présentation est de parcourir rapidement certains points clés de sécurité lo...

Clients Office 365, protégez votre messagerie !!!

Beaucoup d'utilisateurs Office 365 pensent être protégés des SPAM et virus avec l'offre Exch...

ADDS Forest and Domain Functional Levels

Regularly customers ask "why should I raise ADDS functional level"? Here are the anwsers

Protect Email Phishing with MX, SPF, DKIM and DMARC

Basic phishing emails are so effective that most hackers don't use exploit kits anymore. It bec...