Domain Controller failed test Machineaccount
When you run DCDIAG on a Domain Controller and it fails with the error below, this post discusses how to find the cause and how to fix it.
Starting test: MachineAccount
* DC Name is not a server trust account
* DC Name is not trusted for account delegation
......................... DC Name failed test MachineAccount
The issue may be with DNS, the computer account, or duplicate SPN registration; troubleshoot them one by one to find the root cause.
Computer Account: Check whether any duplicate Domain Controller computer accounts with the same name are present in your Domain/Forest. There should not be any computer object with the same name anywhere in your Forest, so check every child Domain within the Forest.
In my case, I found a Domain Controller computer object with the same name in a different Domain, and deleted the duplicate computer account to resolve the issue.
DNS: Check for any issue with the DNS registration of the host (A) record and the SRV records, and also that the assigned primary and secondary DNS servers are operational and reachable from the affected server.
SPN Registration: Check for any duplicate service principal names in Active Directory; sometimes the same name is registered to another computer in the Domain.
Also verify the Domain Controller computer account's trust relationship with the net view or net use command.
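The three checks above, collected into one PowerShell script as an added example (this is not the original post's code). It needs the RSAT ActiveDirectory and DnsClient modules, runs from any DC in the forest, and $DcName is an assumed placeholder for the short name of the DC that failed the test. It also decodes the two userAccountControl flags that the MachineAccount test complains about, which the post only names.

```powershell
# Added example, not from the original post. Looks for the three causes named above:
# a duplicate computer account in any domain of the forest, missing DNS records for the DC,
# and duplicate SPNs. Needs the RSAT ActiveDirectory and DnsClient modules.
Import-Module ActiveDirectory
$DcName = 'DC01'   # assumed placeholder: NetBIOS name of the DC that failed the test

$forest = Get-ADForest

# 1. Computer account: the name must exist exactly once in the whole forest, flagged as a
#    server trust account (userAccountControl bit 0x2000) and trusted for delegation
#    (bit 0x80000). These are the two flags the MachineAccount test reports as missing.
Write-Host "== Computer accounts named $DcName across the forest =="
$accounts = foreach ($domain in $forest.Domains) {
    $dc = (Get-ADDomain -Identity $domain).PDCEmulator
    Get-ADComputer -Filter "Name -eq '$DcName'" -Server $dc -Properties userAccountControl |
        Select-Object @{n='Domain'; e={ $domain }},
                      DistinguishedName,
                      @{n='ServerTrustAccount';   e={ ($_.userAccountControl -band 0x2000)  -ne 0 }},
                      @{n='TrustedForDelegation'; e={ ($_.userAccountControl -band 0x80000) -ne 0 }}
}
$accounts | Format-Table -AutoSize
if (@($accounts).Count -gt 1) {
    Write-Warning "Duplicate computer objects: $DcName exists in more than one domain of the forest."
}

# 2. DNS: the DC's host (A) record, the DC locator SRV record that should point at it,
#    and whether the DNS servers configured on this machine answer on TCP 53.
$domainDns = (Get-ADDomain).DNSRoot
Write-Host "== DNS records for $DcName.$domainDns =="
Resolve-DnsName -Name "$DcName.$domainDns" -Type A -ErrorAction SilentlyContinue | Format-Table -AutoSize
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainDns" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.NameTarget -like "$DcName.*" } | Format-Table -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses -Unique |
    ForEach-Object { Test-NetConnection -ComputerName $_ -Port 53 | Select-Object ComputerName, TcpTestSucceeded }

# 3. SPNs: every object in every domain that carries this host's SPNs. Anything other than
#    the DC's own computer object is a duplicate registration.
Write-Host "== Objects holding HOST/$DcName SPNs =="
foreach ($domain in $forest.Domains) {
    $dc = (Get-ADDomain -Identity $domain).PDCEmulator
    Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$DcName*)" -Server $dc -Properties servicePrincipalName |
        Select-Object @{n='Domain'; e={ $domain }}, DistinguishedName, ObjectClass
}
# "setspn -X -F" performs the same duplicate-SPN search forest-wide in a single call.
```

A computer object that shows ServerTrustAccount or TrustedForDelegation as False is the direct cause of the two lines in the DCDIAG output; a second row in the first table is the duplicate-account case the post describes.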
Active Directory Replication failed with "Target principal name is incorrect"
If there is an issue with the computer account of the domain controller, you may receive a "target principal name is incorrect" or "access denied" error at replication time. To check the computer account, run the command below from the affected domain controller where you receive the error:
net view \\DC Name
or
net use \\DC Name
If you receive an "access denied" error, that confirms a computer account issue. To resolve it, you have to reset the computer account and reset the secure channels between these domain controllers and the PDC.
Run the command below to reset the computer account.
Before running this command, disable the Kerberos Key Distribution Center (KDC) service.
This command should be run from the domain controller whose password you are going to reset; server_name should be the PDC or a replication partner.
netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password
More info: http://support.microsoft.com/kb/288167
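The reset sequence above as an added PowerShell example (not from the original post or the Microsoft KB). It disables and stops the KDC, runs netdom resetpwd with a prompted password instead of one typed on the command line, and re-enables the KDC even if netdom fails. $Partner and $AdminUser are assumed placeholders; the klist purge and nltest /sc_verify lines are additional steps assumed here, not taken from the page.

```powershell
# Added example, not from the original post. Run on the DC whose computer account is being
# reset; $Partner must be the PDC or a healthy replication partner.
$Partner   = 'PDC01.corp.example'   # assumed placeholder
$AdminUser = 'CORP\Administrator'    # assumed placeholder (domain_name\administrator)

try {
    # Disable and stop the KDC first, as the post requires, so no Kerberos tickets are
    # issued with the old machine password while the reset is in progress.
    Set-Service -Name kdc -StartupType Disabled
    Stop-Service -Name kdc -Force

    # Assumed extra step: drop cached tickets so nothing keeps using the old password.
    & klist purge | Out-Null

    # /passwordd:* makes netdom prompt for the password rather than logging it in history.
    & netdom resetpwd /server:$Partner /userd:$AdminUser /passwordd:*
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Always bring the KDC back, whether or not the reset succeeded.
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc
}

# Assumed verification step: confirm the secure channel to the domain is healthy again.
& nltest /sc_verify:$((Get-ADDomain).DNSRoot)
```

After the secure channel verifies, rerun dcdiag /test:MachineAccount and retry replication with repadmin /syncall to confirm the "target principal name is incorrect" error is gone.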
I resolved the issue by deleting the duplicate Domain Controller computer object from the other Domain; you may find a different solution for the same issue. I hope this helps you fix it.