# Replication error -2146893022: The target principal name is incorrect

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains the symptoms and causes of Active Directory replication error -2146893022 ("The target principal name is incorrect") and how to resolve it.
## Symptoms

This article describes the symptoms, causes, and resolution steps when Active Directory replication fails with error -2146893022: "The target principal name is incorrect."

DCDIAG reports that the Active Directory Replications test has failed with error -2146893022: "The target principal name is incorrect."

```
[Replications Check,<DC Name>] A recent replication attempt failed:
    From <source DC> to <destination DC>
    Naming Context: <DN path of directory partition>
    The replication generated an error (-2146893022):
    The target principal name is incorrect.
    The failure occurred at <date> <time>.
    The last success occurred at <date> <time>.
    <X> failures have occurred since the last success.
```

REPADMIN.EXE reports that the replication attempt has failed with status -2146893022 (0x80090322). REPADMIN commands that commonly cite the -2146893022 (0x80090322) status include but are not limited to:

- REPADMIN /REPLSUM
- REPADMIN /SHOWREPL
- REPADMIN /SHOWREPS
- REPADMIN /SYNCALL

Sample output from REPADMIN /SHOWREPS and REPADMIN /SYNCALL depicting the "target principal name is incorrect" error is shown below:

```
c:\>repadmin /showreps
<site name>\<destination DC>
DC Options: IS_GC
Site Options: (none)
DC object GUID: <NTDS settings object object GUID>
DC invocationID: <invocation ID string>

==== INBOUND NEIGHBORS ======================================

DC=<DN path for directory partition>
    <site name>\<source DC> via RPC
        DC object GUID: <source DCs ntds settings object object guid>
        Last attempt @ <date> <time> failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        <X #> consecutive failure(s).
        Last success @ <date> <time>.

c:\>repadmin /syncall /Ade
Syncing all NC's held on localhost.
Syncing partition: DC=<Directory DN path>
CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=<server name>,CN=Servers,CN=<site name>,CN=Sites,CN=Configuration,DC=<forest root domain> (network error): -2146893022 (0x80090322):
```

The Replicate now command in Active Directory Sites and Services returns "The target principal name is incorrect." Right-clicking the connection object from a source DC and choosing Replicate now fails with "The target principal name is incorrect." The on-screen error message text is shown below:

- Dialog title text: Replicate Now
- Dialog message text: The following error occurred during the attempt to contact the domain controller <source DC name>: The target principal name is incorrect

NTDS KCC, NTDS General or Microsoft-Windows-ActiveDirectory_DomainService events with the -2146893022 status are logged in the Directory Services log in Event Viewer. Active Directory events that commonly cite the -2146893022 status include but are not limited to:
| Event ID | Event Source | Event String |
|---|---|---|
| 1586 | NTDS Replication | The Windows NT 4.0 or earlier replication checkpoint with the PDC emulator master was unsuccessful. A full synchronization of the security accounts manager (SAM) database to domain controllers running Windows NT 4.0 and earlier might take place if the PDC emulator master role is transferred to the local domain controller before the next successful checkpoint. |
| 1925 | NTDS KCC | The attempt to establish a replication link for the following writable directory partition failed. |
| 1308 | NTDS KCC | The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller have consistently failed. |
| 1926 | Microsoft-Windows-ActiveDirectory_DomainService | The attempt to establish a replication link to a read-only directory partition with the following parameters failed. |
| 1373 | NTDS Inter-site Messaging | The Intersite Messaging service could not receive any messages for the following service through the following transport. The query for messages failed. |
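When several DCs report this error, administrators usually end up with a folder of saved REPADMIN /SHOWREPS output like the sample above. The following Python script is an added example (not part of the original article) that parses that output offline and lists only the inbound links whose last result was 0x80090322, keyed by source DC and its DSA object GUID; that GUID is the value the later CNAME checks are built from. The DC and site names, timestamps and USNs in the embedded sample are constructed; the parser accepts both the "DSA object GUID" spelling that repadmin prints and the "DC object GUID" spelling used in the sample above, and it keeps other failure codes (such as 1753) separate from this one.

```python
"""Triage saved 'repadmin /showreps' output for inbound links failing with 0x80090322.

Added example: run it against text captured from a DC; it does not call repadmin itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# repadmin prints -2146893022, the signed 32-bit form of HRESULT 0x80090322.
SEC_E_WRONG_PRINCIPAL = 0x80090322


@dataclass
class InboundLink:
    partition: str
    site: str
    source_dc: str
    transport: str
    dsa_guid: str = ""
    result: Optional[int] = None   # signed result of the last attempt; None if it succeeded
    failures: int = 0
    last_success: str = ""


NEIGHBOR_RE = re.compile(r"^\s+(?P<site>[^\\\s]+)\\(?P<dc>\S+) via (?P<transport>\S+)\s*$")
GUID_RE = re.compile(r"^\s+(?:DSA|DC) object GUID:\s*(?P<guid>[0-9a-fA-F-]{36})")
RESULT_RE = re.compile(r"failed, result (?P<res>-?\d+) \((?P<hex>0x[0-9a-fA-F]+)\)")
FAILS_RE = re.compile(r"^\s+(?P<n>\d+) consecutive failure")
SUCCESS_RE = re.compile(r"Last success @ (?P<when>[^.]+)\.")


def parse_inbound_neighbors(text: str) -> list[InboundLink]:
    """Walk the INBOUND NEIGHBORS section; one InboundLink per partition/source pair."""
    links: list[InboundLink] = []
    partition, current, in_inbound = "", None, False
    for line in text.splitlines():
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if line.startswith("==== OUTBOUND"):      # 'repadmin /showreps /v' also lists outbound links
            break
        if not in_inbound or not line.strip():
            continue
        if not line[0].isspace():                  # an unindented line is a naming context DN
            partition = line.strip()
            continue
        if m := NEIGHBOR_RE.match(line):
            current = InboundLink(partition, m["site"], m["dc"], m["transport"])
            links.append(current)
        elif current is None:
            continue
        elif m := GUID_RE.match(line):
            current.dsa_guid = m["guid"].lower()
        elif m := RESULT_RE.search(line):
            current.result = int(m["res"])
        elif m := FAILS_RE.match(line):
            current.failures = int(m["n"])
        elif m := SUCCESS_RE.search(line):
            current.last_success = m["when"].strip()
    return links


def wrong_principal_failures(links: list[InboundLink]) -> list[InboundLink]:
    """Keep only links whose last result is SEC_E_WRONG_PRINCIPAL (compared as unsigned)."""
    return [l for l in links
            if l.result is not None and (l.result & 0xFFFFFFFF) == SEC_E_WRONG_PRINCIPAL]


def summarize_by_source(links: list[InboundLink]) -> dict[tuple[str, str], list[str]]:
    """Map (source DC, its DSA object GUID) -> partitions that fail with 0x80090322."""
    summary: dict[tuple[str, str], list[str]] = {}
    for l in wrong_principal_failures(links):
        summary.setdefault((l.source_dc, l.dsa_guid), []).append(l.partition)
    return summary


# Constructed sample in the layout of the article's repadmin /showreps output (lab values).
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0b1c2d3e-1111-4aaa-8bbb-000000000001
DSA invocationID: 0b1c2d3e-1111-4aaa-8bbb-000000000001

==== INBOUND NEIGHBORS ======================================

DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 6f3f96d3-dfbf-4daf-9236-4d6da6909dd2
        Last attempt @ 2024-01-15 10:22:01 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        12 consecutive failure(s).
        Last success @ 2024-01-14 09:00:00.
    Default-First-Site-Name\\DC3 via RPC
        DSA object GUID: 9a8b7c6d-2222-4ccc-9ddd-000000000003
        Last attempt @ 2024-01-15 10:22:05 was successful.

CN=Configuration,DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 6f3f96d3-dfbf-4daf-9236-4d6da6909dd2
        Last attempt @ 2024-01-15 10:22:02 failed, result 1753 (0x6d9):
            There are no more endpoints available from the endpoint mapper.
        3 consecutive failure(s).
        Last success @ 2024-01-15 08:00:00.
"""

if __name__ == "__main__":
    for (dc, guid), parts in summarize_by_source(parse_inbound_neighbors(SAMPLE_SHOWREPS)).items():
        print(f"{dc} ({guid}): {', '.join(parts)}")
```

Replace SAMPLE_SHOWREPS with the contents of a saved file (for example, `open("dc1-showreps.txt").read()`) to triage real output; the 1753 link in the sample is deliberately left out of the summary because the article treats it as a different symptom (endpoint mapper).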
## Causes

The -2146893022 / 0x80090322 / SEC_E_WRONG_PRINCIPAL error code is not an error returned by Active Directory itself; it may be returned by lower-layer components, including RPC, Kerberos, SSL, LSA and NTLM, for different root causes.

Kerberos errors that Windows code maps to -2146893022 / 0x80090322 / SEC_E_WRONG_PRINCIPAL include:

- KRB_AP_ERR_MODIFIED (0x29 / 41 decimal / KRB_APP_ERR_MODIFIED)
- KRB_AP_ERR_BADMATCH (0x24 / 36 decimal / Ticket and authenticator do not match)
- KRB_AP_ERR_NOT_US (0x23 / 35 decimal / The ticket is not for us)

Some specific root causes for Active Directory logging -2146893022 / 0x80090322 / SEC_E_WRONG_PRINCIPAL include:

- A bad name-to-IP mapping in DNS, WINS, the HOSTS file or the LMHOSTS file caused the destination DC to connect to the wrong source DC in the same Kerberos realm.
- A bad name-to-IP mapping in DNS, WINS, the HOSTS file or the LMHOSTS file caused the destination DC to connect to the wrong source DC in a different Kerberos realm.
- The Kerberos target computer (source DC) was unable to decrypt the Kerberos authentication data sent by the Kerberos client (destination DC) because the KDC and the source DC have different versions of the source DC's computer account password.
- The KDC could not find a domain in which to look for the SPN of the source DC.
- Authentication data in Kerberos-encrypted frames was modified by hardware (including network devices), software, or an attacker.
## Resolutions

### Run dcdiag /test:checksecurityerror on the source DC

SPNs may be missing, invalid or duplicated because of simple replication latency (especially following promotion) or because of replication failures. Duplicate SPNs may cause bad SPN-to-name mappings. DCDIAG /TEST:CheckSecurityError can check for missing or duplicate SPNs and other errors. Run this command on the console of all source DCs that fail "outbound" replication with the SEC_E_WRONG_PRINCIPAL error. You can check SPN registration against a specific replication partner using the syntax:

```
dcdiag /test:checksecurityerror /replsource:<remote dc>
```

### Verify that Kerberos-encrypted network traffic reached the intended Kerberos target (name-to-IP mapping)

When inbound-replicating Active Directory, destination DCs search their local copy of Active Directory for the objectGUID of the source DC's NTDS Settings object, then query the active DNS server for the matching DC GUID CNAME record, which is in turn mapped to a host "A" / "AAAA" record containing the source DC's IP address. Active Directory performs name resolution fallback that includes queries for fully qualified computer names in DNS or single-label hostnames in WINS (note: DNS servers can also perform WINS lookups in fallback scenarios). Stale NTDS Settings objects, bad name-to-IP mappings in DNS and WINS host records, and stale entries in HOSTS files can all cause a destination DC to submit Kerberos-encrypted traffic to the wrong Kerberos target.

There are two methods to check for this condition:

- Take a network trace, or
- Manually verify that DNS / NetBIOS name queries resolve to the intended target computer.

#### Network trace method (as parsed by Network Monitor 3.3.1641 with full default parsers enabled)

The table below shows a synopsis of the network traffic exhibited when destination DC1 inbound-replicates Active Directory from source DC2.
| F# | SRC | DEST | Protocol | Frame | Comment |
|---|---|---|---|---|---|
| 1 | DC1 | DC2 | MSRPC | MSRPC:c/o Request: unknown Call=0x5 Opnum=0x3 Context=0x1 Hint=0x90 | Dest DC RPC call to EPM on source DC over 135 |
| 2 | DC2 | DC1 | MSRPC | MSRPC:c/o Response: unknown Call=0x5 Context=0x1 Hint=0xF4 Cancels=0x0 | EPM response to RPC caller |
| 3 | DC1 | DC2 | MSRPC | MSRPC:c/o Bind: UUID{E3514235-4B06-11D1-AB04-00C04FC2DCD2} DRSR(DRSR) Call=0x2 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 | RPC bind request to E351 service UUID |
| 4 | DC2 | DC1 | MSRPC | MSRPC:c/o Bind Ack: Call=0x2 Assoc Grp=0x9E62 Xmit=0x16D0 Recv=0x16D0 | RPC Bind response |
| 5 | DC1 | KDC | Kerberos v5 | KerberosV5:TGS Request Realm: CONTOSO.COM Sname: E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f3f96d3-dfbf-4daf-9236-4d6da6909dd2/contoso.com | TGS request for replication SPN of source DC. This operation will not appear on the wire if the destination DC uses itself as KDC. |
| 6 | KDC | DC1 | Kerberos v5 | KerberosV5:TGS Response Cname: CONTOSO-DC1$ | TGS response to destination DC contoso-dc1. This operation will not appear on the wire if the destination DC uses itself as KDC. |
| 7 | DC1 | DC2 | MSRPC | MSRPC:c/o Alter Cont: UUID{E3514235-4B06-11D1-AB04-00C04FC2DCD2} DRSR(DRSR) Call=0x2 | AP request |
| 8 | DC2 | DC1 | MSRPC | MSRPC:c/o Alter Cont Resp: Call=0x2 Assoc Grp=0x9E62 Xmit=0x16D0 Recv=0x16D0 | AP response |
| Drilldown on Frame 7 | Drilldown on Frame 8 | Comments |
|---|---|---|
| MSRPC:c/o Alter Cont: UUID{E3514235-4B06-11D1-AB04-00C04FC2DCD2} DRSR(DRSR) Call=0x2 | MSRPC:c/o Alter Cont Resp: Call=0x2 Assoc Grp=0xC3EA43 Xmit=0x16D0 Recv=0x16D0 | DC1 connects to the AD Replication Service on DC2 over the port returned by the EPM on DC2. |
| Ipv4: Src = x.x.x.245, Dest = x.x.x.35, Next Protocol = TCP, Packet ID =, Total IP Length = 0 | Ipv4: Src = x.x.x.35, Dest = x.x.x.245, Next Protocol = TCP, Packet ID = 31546, Total IP Length = 278 | Verify that the AD replication source DC (referred to here as the "Dest" computer in the first column and the "Src" computer in the second column) "owns" the IP address cited in the trace (x.x.x.35 in this example). |
| Ticket: Realm: CONTOSO.COM, Sname: E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f3f96d3-dfbf-4daf-9236-4d6da6909dd2/contoso.com | ErrorCode: KRB_AP_ERR_MODIFIED (41). Realm: <verify that the realm returned by the source DC matches the Kerberos realm intended by the destination DC>. Sname: <verify that the Sname in the AP response contains the hostname of the intended source DC and NOT another DC that the destination incorrectly resolved to because of a bad name-to-IP mapping> | See the notes below this table. |

In column 1, note the target Kerberos realm, "contoso.com", followed by the source DC's replication SPN ("Sname"), which consists of the Active Directory replication service UUID (E351...) concatenated with the object GUID of the source DC's NTDS Settings object. The GUID value "6f3f96d3-dfbf-4daf-9236-4d6da6909dd2" to the right of the E351... replication service UUID is the object GUID of the source DC's NTDS Settings object as currently defined in the destination DC's copy of Active Directory. Verify that this object GUID matches the value in the "DSA Object GUID" field when "repadmin /showreps" is run from the console of the source DC.

A ping or nslookup of the source DC's fully qualified CNAME, that is, the object GUID concatenated with "_msdcs.<forest root DNS name>", from the console of the destination DC must return the source DC's current IP address:

```
ping 6f3f96d3-dfbf-4daf-9236-4d6da6909dd2._msdcs.contoso.com
nslookup -type=cname 6f3f96d3-dfbf-4daf-9236-4d6da6909dd2._msdcs.<forest root domain> <DNS Server IP>
```

In the reply shown in column 2, focus on the "Sname" field and verify that it contains the hostname of the AD replication source DC. Bad name-to-IP mappings could cause the destination DC to connect to a DC in a completely invalid target realm, making the Realm value invalid as shown in this case. Bad host-to-IP mappings could also cause DC1 to connect to DC3 in the same domain; that would still generate KRB_AP_ERR_MODIFIED, but the realm name in frame 8 would match the realm in frame 7.
#### Name-to-IP mapping verification (without using a network trace)

From the console of the source DC:

| Command | Comment |
|---|---|
| IPCONFIG /ALL \| MORE | Note the IP address of the NIC used by destination DCs. |
| REPADMIN /SHOWREPS \| MORE | Note the value of "DSA Object GUID", which denotes the object GUID of the source DC's NTDS Settings object in the source DC's copy of Active Directory. |
From the console of the destination DC:

| Command | Comment |
|---|---|
| IPCONFIG /ALL \| MORE | Note the primary, secondary and any tertiary DNS servers configured that the destination DC could query during DNS lookups. |
| REPADMIN /SHOWREPS \| MORE | In the "Inbound Neighbors" section of the repadmin output, locate the replication status where the destination DC replicates a common partition from the source DC in question. The "DSA object GUID" listed for the source DC in that replication status section should match the object GUID listed in the /showreps header when the command is run on the console of the source DC. |
| IPCONFIG /FLUSHDNS | Clear the DNS client cache. |
| Start -> Run -> Notepad %systemroot%\system32\drivers\etc\hosts | Check for host-to-IP mappings referencing the source DC's single-label or fully qualified DNS name. Remove them if present. Save the changes to the HOSTS file. Run "Nbtstat -R" (upper-case "R") to refresh the NetBIOS name cache. |
| NSLOOKUP -type=CNAME <object GUID of source DC's NTDS Settings object>._msdcs.<forest root DNS name> <primary DNS server IP> | Repeat for each additional DNS server IP configured on the destination DC. Example: c:\>nslookup -type=cname 8a7baee5-cd81-4c8c-9c0f-b10030574016._msdcs.contoso.com 152.45.42.103 Verify that the IP returned matches the IP address of the target DC recorded above from the console of the source DC. Repeat for all DNS server IPs configured on the destination DC. |
| nslookup -type=A+AAAA <FQDN of source DC> <DNS server IP> | Check for duplicate host "A" records on all DNS server IPs configured on the destination DC. |
| nbtstat -A <IP address returned by nslookup> | Should return the name of the source DC. |
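The trace drilldown above asks you to compare the Realm and Sname in frame 8 with what the destination DC intended, and the two tables ask you to compare the CNAME and host record answers from every configured DNS server (plus the HOSTS file) with the address the source DC actually owns. The following Python script is an added example, not part of the original article, that performs those comparisons offline once you have collected the values: the DSA object GUID from REPADMIN /SHOWREPS, the Realm/Sname from the trace, the HOSTS file contents, and the nslookup answers per DNS server. The addresses, hostnames and DNS server IPs in the embedded sample are constructed lab values; the GUID is the one used in the article's trace, and the DRSR interface UUID is the E351... value from frames 3, 5 and 7.

```python
"""Offline checks behind the name-to-IP and replication-SPN verification steps.

Added example: the inputs below are what you would copy from repadmin, the network
trace, the HOSTS file and nslookup; nothing here queries DNS or Kerberos itself.
"""
from __future__ import annotations

from typing import Optional

# RPC interface UUID of the AD replication service (the "E351..." prefix of the SPN).
DRS_SERVICE_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"


def expected_cname(dsa_object_guid: str, forest_root: str) -> str:
    """The DC GUID CNAME a destination DC resolves: <NTDS Settings objectGUID>._msdcs.<forest root>."""
    return f"{dsa_object_guid.lower()}._msdcs.{forest_root.lower()}"


def parse_replication_spn(sname: str) -> dict[str, str]:
    """Split '<DRS UUID>/<NTDS Settings objectGUID>/<realm>' as seen in frames 5, 7 and 8."""
    parts = sname.split("/")
    if len(parts) != 3:
        raise ValueError(f"unexpected replication SPN layout: {sname!r}")
    return {"service_uuid": parts[0].lower(), "ntds_guid": parts[1].lower(), "realm": parts[2].lower()}


def check_ticket_target(sname: str, realm: str, source_dsa_guid: str, intended_realm: str) -> list[str]:
    """Compare the Realm/Sname in the AP reply with what the destination DC meant to reach."""
    spn = parse_replication_spn(sname)
    findings = []
    if spn["service_uuid"] != DRS_SERVICE_UUID:
        findings.append(f"service UUID {spn['service_uuid']} is not the DRSR interface")
    if spn["ntds_guid"] != source_dsa_guid.lower():
        findings.append("NTDS Settings GUID in Sname differs from the source DC's DSA object GUID "
                        "(stale NTDS Settings object in the destination's copy of AD?)")
    if realm.lower() != intended_realm.lower() or spn["realm"] != intended_realm.lower():
        findings.append(f"ticket realm {realm.lower()} is not the intended realm {intended_realm.lower()} "
                        "(name-to-IP mapping pointed at a DC in another realm?)")
    return findings


def stale_hosts_entries(hosts_text: str, source_dc_names: list[str]) -> list[str]:
    """HOSTS lines that pin the source DC's single-label or fully qualified name to an address."""
    names = {n.lower() for n in source_dc_names}
    hits = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].split()          # drop trailing comment, tokenize
        if len(body) >= 2 and any(t.lower() in names for t in body[1:]):
            hits.append(line.rstrip())
    return hits


def resolution_mismatches(answers: dict[str, tuple[Optional[str], list[str]]],
                          cname: str, source_fqdn: str, source_ip: str) -> list[str]:
    """answers: DNS server -> (CNAME target, host addresses) as returned by nslookup.

    Flags a missing CNAME, a CNAME pointing at another host, duplicate host records,
    and an address other than the one the source DC owns (from its IPCONFIG /ALL).
    """
    problems = []
    for server, (target, addrs) in answers.items():
        if target is None:
            problems.append(f"{server}: no CNAME record for {cname}")
            continue
        if target.lower().rstrip(".") != source_fqdn.lower():
            problems.append(f"{server}: {cname} -> {target}, expected {source_fqdn}")
        if len(addrs) > 1:
            problems.append(f"{server}: duplicate host records for {target}: {addrs}")
        if source_ip not in addrs:
            problems.append(f"{server}: {target} resolves to {addrs}, source DC owns {source_ip}")
    return problems


# --- constructed sample input (hypothetical lab values, not from the article) ---
SOURCE_DSA_GUID = "6f3f96d3-dfbf-4daf-9236-4d6da6909dd2"   # GUID shown in the article's trace
SOURCE_FQDN, SOURCE_IP = "dc2.contoso.com", "10.0.0.35"
CNAME = expected_cname(SOURCE_DSA_GUID, "contoso.com")
GOOD_SNAME = f"E3514235-4B06-11D1-AB04-00C04FC2DCD2/{SOURCE_DSA_GUID}/contoso.com"
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
192.0.2.35   dc2.contoso.com dc2   # stale entry left from a lab
"""
# Per configured DNS server: what nslookup -type=cname / -type=A+AAAA answered.
SAMPLE_ANSWERS = {
    "10.0.0.10": ("dc2.contoso.com", ["10.0.0.35"]),     # correct
    "10.0.0.11": ("dc2.contoso.com", ["192.0.2.35"]),    # stale A record on this server
}

if __name__ == "__main__":
    print("ticket:", check_ticket_target(GOOD_SNAME, "CONTOSO.COM", SOURCE_DSA_GUID, "contoso.com"))
    print("hosts:", stale_hosts_entries(SAMPLE_HOSTS, ["dc2.contoso.com", "dc2"]))
    print("dns:", resolution_mismatches(SAMPLE_ANSWERS, CNAME, SOURCE_FQDN, SOURCE_IP))
```

The three checks are independent, which mirrors the article's causes: a realm mismatch in the ticket points at a mapping into another realm, a GUID mismatch at a stale NTDS Settings object, and a per-server address mismatch at the DNS server (or HOSTS entry) that still needs fixing after IPCONFIG /FLUSHDNS.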
Note: A replication request directed to a non-DC (because of a bad name-to-IP mapping), or to a DC that does not currently have the E351... service UUID registered with the endpoint mapper, will return error 1753: there are no more endpoints available from the endpoint mapper.

### The Kerberos target cannot decrypt Kerberos-authenticated data because of a password mismatch

This condition can occur if the password for the source DC differs between the KDC's and the source DC's copies of Active Directory. The destination DC's copy of the source DC's computer account password may be stale if the destination DC is not using itself as the KDC. Replication failures can prevent DCs from having current password values for the DCs in a given domain. Every domain controller runs the KDC service for its domain realm. For same-realm transactions, a destination DC favors getting Kerberos tickets from itself but may obtain a ticket from a remote DC. Referrals are used to obtain Kerberos tickets from other realms. To quickly identify which KDC a Kerberos client is targeting, open an elevated command prompt and run the following command close to the time the SEC_E_WRONG_PRINCIPAL error appears:

```
NLTEST /DSGETDC:<DNS domain of target domain> /kdc
```

The definitive way to determine which DC a Kerberos client obtained a ticket from is to take a network trace.
A lack of Kerberos traffic in a network trace may indicate that the Kerberos client has already acquired tickets, that it is getting tickets off the wire from itself, or that your network trace application is not parsing Kerberos traffic properly. Kerberos tickets for the logged-on user account can be purged from an admin-privileged CMD prompt using "KLIST purge". Kerberos tickets for the system account used by Active Directory replication can be purged without a reboot using "KLIST -li 0x3e7 purge". DCs can be made to use other DCs as their KDC by stopping the KDC service on a local or remote DC.

Use REPADMIN /SHOWOBJMETA to check for obvious version number differences in the password-related attributes (dBCSPwd, UnicodePWD, NtPwdHistory, PwdLastSet, lmPwdHistory) between the source DC's copy of Active Directory and the copy on the KDC used by the destination DC:

```
C:\>repadmin /showobjmeta <source DC> <DN path of source DC computer account>
C:\>repadmin /showobjmeta <KDC selected by destination DC> <DN path of source DC computer account>
```

To reset DC machine account passwords, run the following command at an elevated command prompt:

```
netdom resetpwd /server:<DC to direct password change to> /userd:<user name> /passwordd:<password>
```
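Comparing the two REPADMIN /SHOWOBJMETA listings by eye is error-prone when the computer account has dozens of attributes. The following Python script is an added example, not part of the original article, that reads the metadata table as printed by repadmin for the source DC's computer account on two DCs and reports the password-related attributes whose version (and originating time) differ. The two embedded listings are constructed: they model the repro scenario later in the article, where the source DC's password was reset three times while the KDC's inbound replication was stalled, so the source DC is at version 7 and the KDC is still at version 4. The parser assumes repadmin's table layout, with the originating date/time, "Ver" and "Attribute" as the last four columns of each data row.

```python
"""Compare password-attribute versions from 'repadmin /showobjmeta' taken on two DCs.

Added example: paste the metadata of the source DC's computer account as shown by the
source DC and by the KDC the destination DC used; differing versions point at the
password mismatch case described above.
"""
from __future__ import annotations

from typing import Optional

# Attribute names are compared case-insensitively; repadmin prints them in schema case.
PASSWORD_ATTRS = {"dbcspwd", "unicodepwd", "ntpwdhistory", "pwdlastset", "lmpwdhistory"}


def parse_attribute_versions(showobjmeta: str, attrs: set[str] = PASSWORD_ATTRS) -> dict[str, tuple[int, str]]:
    """Return {attribute: (version, originating date/time)} for the attributes of interest.

    Assumed row layout (repadmin /showobjmeta):
      Loc.USN  Originating DSA  Org.USN  Org.Date  Org.Time  Ver  Attribute
    """
    versions: dict[str, tuple[int, str]] = {}
    for line in showobjmeta.splitlines():
        tokens = line.split()
        # Skip the "N entries." line, the column headers and the ===== underline.
        if len(tokens) < 7 or not tokens[-2].isdigit():
            continue
        attr = tokens[-1].lower()
        if attr in attrs:
            versions[attr] = (int(tokens[-2]), f"{tokens[-4]} {tokens[-3]}")
    return versions


def password_version_mismatches(source_dc_meta: str, kdc_meta: str) -> dict[str, tuple[Optional[int], Optional[int]]]:
    """Attributes whose version differs between the two copies: {attr: (source ver, KDC ver)}."""
    src = parse_attribute_versions(source_dc_meta)
    kdc = parse_attribute_versions(kdc_meta)
    out: dict[str, tuple[Optional[int], Optional[int]]] = {}
    for attr in sorted(PASSWORD_ATTRS):
        s = src.get(attr, (None, ""))[0]
        k = kdc.get(attr, (None, ""))[0]
        if s != k:
            out[attr] = (s, k)
    return out


# --- constructed sample output (lab values, not from the article) ---
# As shown on the source DC (DC2), which has the current password (version 7).
SHOWOBJMETA_ON_SOURCE_DC = """\
5 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  41250              Default-First-Site-Name\\DC2    41250 2024-01-15 09:58:12    7 unicodePwd
  41250              Default-First-Site-Name\\DC2    41250 2024-01-15 09:58:12    7 dBCSPwd
  41250              Default-First-Site-Name\\DC2    41250 2024-01-15 09:58:12    7 ntPwdHistory
  41250              Default-First-Site-Name\\DC2    41250 2024-01-15 09:58:12    7 lmPwdHistory
  41250              Default-First-Site-Name\\DC2    41250 2024-01-15 09:58:12    7 pwdLastSet
"""
# As shown on the KDC the destination DC used (DC3), whose inbound replication stalled.
SHOWOBJMETA_ON_KDC = """\
5 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  36102              Default-First-Site-Name\\DC2    36102 2023-11-02 14:03:27    4 unicodePwd
  36102              Default-First-Site-Name\\DC2    36102 2023-11-02 14:03:27    4 dBCSPwd
  36102              Default-First-Site-Name\\DC2    36102 2023-11-02 14:03:27    4 ntPwdHistory
  36102              Default-First-Site-Name\\DC2    36102 2023-11-02 14:03:27    4 lmPwdHistory
  36102              Default-First-Site-Name\\DC2    36102 2023-11-02 14:03:27    4 pwdLastSet
"""

if __name__ == "__main__":
    for attr, (src_ver, kdc_ver) in password_version_mismatches(SHOWOBJMETA_ON_SOURCE_DC, SHOWOBJMETA_ON_KDC).items():
        print(f"{attr}: source DC version {src_ver}, KDC version {kdc_ver}")
```

An empty result means the two copies agree on the password attributes and the cause lies elsewhere (name-to-IP mapping or SPN registration); a consistent gap across all five attributes, as in the sample, is the signature of the stalled-replication case that the repro steps below reproduce.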
## More Information
### Repro steps for a bad host-to-IP mapping causing the destination DC to pull from the wrong source

1. Promote DC1 + DC2 + DC3 in the contoso.com domain. End-to-end replication occurs without error.
2. Stop the KDC on DC1 and DC2 to force off-box Kerberos traffic that can be observed in a network trace. End-to-end replication occurs without error.
3. Create a HOSTS file entry for DC2 pointing to the IP address of a DC in a remote forest, simulating a bad host-to-IP mapping in a host "A" / "AAAA" record or a stale NTDS Settings object in the destination DC's copy of Active Directory.
4. Start Active Directory Sites and Services on the console of DC1. Right-click DC1's inbound connection object from DC2 and note the replication error "the target account name is incorrect."
### Repro steps for a source DC password mismatch between the KDC and the source DC

1. Promote DC1 + DC2 + DC3 in the contoso.com domain. End-to-end replication occurs without error.
2. Stop the KDC on DC1 and DC2 to force off-box Kerberos traffic that can be observed in a network trace. End-to-end replication occurs without error.
3. Disable inbound replication on KDC DC3 to simulate a replication failure on the KDC.
4. Reset the computer account password on DC2 three or more times, so that DC1 and DC2 have DC2's current password.
5. Start Active Directory Sites and Services on the console of DC1. Right-click DC1's inbound connection object from DC2 and note the replication error "the target account name is incorrect."
### DS RPC client logging

Set the NTDS Diagnostics logging level "DS RPC Client" to 3. Trigger replication. Look for Task Category events 1962 + 1963. Note the fully qualified CNAME cited in the "directory service" field. The destination DC should be able to ping this record, and the returned address should map to the current IP address of the source DC.
### Kerberos workflow

1. The client computer calls InitializeSecurityContext (http://msdn.microsoft.com/en-us/library/aa375506(VS.85).aspx) and specifies the Negotiate security support provider (SSP).
2. The client contacts the KDC with its TGT and requests a TGS ticket for the target DC.
3. The KDC searches the Global Catalog for a source (either the e351 SPN or the hostname) in the destination DC's realm.
4. If the target DC is in the destination DC's realm, the KDC hands the client a service ticket.
5. If the target DC is in a different realm, the KDC hands the client a referral ticket, and the client contacts a KDC in the target DC's domain to request a service ticket.
6. If the source DC's SPN does not exist in the realm, you get an error.
7. The destination DC contacts the target and presents its ticket.
8. If the target DC owns the name in the ticket and can decrypt it, the authentication works.
9. If the target DC hosts the RPC server service UUID, then the on-wire Kerberos error KRB_AP_ERR_NOT_US or KRB_AP_ERR_MODIFIED gets remapped to -2146893022 decimal / 0x80090322 / SEC_E_WRONG_PRINCIPAL / "The target principal name is incorrect."

See the Troubleshooting Kerberos Errors white paper (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21820) for additional information.
- Troubleshooting Active Directory operations that fail with error -2146893022: The target principal name is incorrect. http://support.microsoft.com/kb/2090913
- How the Active Directory Replication Model Works. http://technet.microsoft.com/library/cc772726(WS.10).aspx
- repsFrom, RepsFrom. http://msdn.microsoft.com/library/cc228409(PROT.13).aspx