Dave
2006-04-11 23:30:20 UTC
I have two DCs in my domain: one is a 2000 server, the other is server 2003.
Yesterday, on both machines, I started getting the following error when
attempting to open any AD snap-in:
"Naming information cannot be located because:
The target principal name is incorrect.
Contact your system administrator to verify that your domain is properly
configured and is currently online."
After much trial and error, I was able to resolve this issue on the 2000
server by restoring the default GPO, using the RecreateDefPol.exe utility.
I am now able to open any AD snap-in on that machine. Since that utility is
not included on server 2003, I attempted instead to use the Dcgpofix.exe
utility. When doing so, I receive the following error:
"Could not open the Active Directory object LDAP://rootDSE"
I have attempted to uninstall AD but it will not do so. I also cannot leave
the domain and join a workgroup. I've tried everything I can find or think
of.
Below is one error from the Application event log and the second one is from
the System event log:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 4/11/2006
Time: 7:23:01 PM
User: NT AUTHORITY\SYSTEM
Computer: ADVINPDC
Description:
Windows cannot determine the user or computer name. (The target principal
name is incorrect. ). Group Policy processing aborted.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
==================
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 4/11/2006
Time: 6:48:12 PM
User: N/A
Computer: ADVINPDC
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
MRPAD$. The target name used was ldap/mrpad.mrp.in. This indicates that the
password used to encrypt the kerberos service ticket is different than that
on the target server. Commonly, this is due to identically named machine
accounts in the target realm (MRP.IN), and the client realm. Please
contact your system administrator.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
================
Does anyone have any ideas? This is keeping one of our remote users from
accessing a database on the offending server because the server they are
logging into is on another domain. If I try to access the domain with the
above machine in it, it tells me that the trust has been broken and should
be re-established.
Thanks,
Dave