How to repair Kerberos and NTFRS replication issues between domain controllers
Posted by Jared Thomas on 11 November 2016 11:27 AM

These issues arise when a domain controller has been offline long enough to fall out of sync with the other domain controllers. They also commonly occur when a domain controller has had to be restored from a backup, particularly an image-level restore such as Veeam's, which brings the whole machine back block-for-block to an earlier point in time. Here are the symptoms:

  • Clients cannot connect to shared drives or printers; they get authentication errors or simply cannot see the shares.
  • Dcdiag fails its primary tests: the DC cannot communicate with the other domain controllers and/or with its own SYSVOL and NETLOGON shares.
  • Repadmin /showrepl shows errors.
  • Attempts to replicate from a working DC in AD Sites and Services (Default-First-Site-Name – Servers – server – NTDS Settings – Replicate configuration from the selected DC) fail.
  • Event Viewer shows warnings and errors from Security-Kerberos, NtFrs, ActiveDirectory_DomainService, NETLOGON and other AD-related sources.

The Kerberos errors are caused by the domain controller's machine account password falling out of sync with the rest of the domain, so its secure channel no longer authenticates; the replication and FRS errors are caused by SYSVOL and NETLOGON replication breaking between the domain controllers. The following steps, run on the broken domain controller unless noted, fixed everything:

  1. “netdom resetpwd /s:server /ud:administrator /pd:*” to reset the machine account password and repair the secure channel/Kerberos issues. Run it on the broken DC, with /s: pointing at a working DC and /ud: a domain administrator account. Microsoft's documentation for this command also has you stop the Kerberos Key Distribution Center service first and reboot afterwards.
  2. On a working domain controller, copy the SYSVOL and NETLOGON folders to a safe location in case things go wrong.
  3. “net stop ntfrs” to stop the FRS service on the broken DC.
  4. Set BurFlags to “d2” per this document to force a non-authoritative restore, so the broken DC re-pulls SYSVOL from a working DC instead of pushing its stale copy outward. The value lives under HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup. Do not use D4 (authoritative) here; that is only for the single DC whose copy of SYSVOL is known good.
  5. “net start ntfrs” to start the FRS service again. Watch the File Replication Service event log for event 13516, which reports that FRS has finished initializing SYSVOL and handed it to Netlogon for sharing.
  6. Test by creating a folder under \\SERVER\SYSVOL\domain\Policies and checking that it appears on the other domain controller, then delete it.
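The six steps above as one PowerShell script. This is an added example, not code from the original post: it is run in an elevated session on the broken DC and expects FRS (not DFSR) to be replicating SYSVOL. The DC names, domain name and backup path are placeholders to replace with your own. Because Microsoft's guidance for netdom resetpwd calls for a reboot after the reset, the script does step 1 on the first run and steps 2 to 6 when re-run with -AfterReboot.

```powershell
# Added example, not from the original article. Run elevated ON THE BROKEN DC.
# First run: step 1 (machine account reset), then reboot.
# Second run with -AfterReboot: steps 2-6 (SYSVOL backup, FRS D2 restore, test).
param([switch]$AfterReboot)

# Placeholder names; replace with your own environment.
$BrokenDc  = $env:COMPUTERNAME          # the DC that is out of sync (this host)
$HealthyDc = 'DC01'                     # a DC that is replicating correctly
$Domain    = 'corp.example.com'         # DNS name of the domain
$AdminUser = "$Domain\Administrator"    # domain admin account used by netdom
$BackupDir = 'C:\SysvolBackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss')

if (-not $AfterReboot) {
    # Step 1: reset the machine account password against a healthy DC.
    # Microsoft's netdom guidance stops the local KDC first so this DC does not
    # keep issuing tickets under the old key, then reboots.
    Stop-Service -Name Kdc -Force
    netdom resetpwd /Server:$HealthyDc /UserD:$AdminUser "/PasswordD:*"
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
    Set-Service -Name Kdc -StartupType Automatic
    Write-Host "Machine account reset. Reboot $BrokenDc, then re-run this script with -AfterReboot."
    return
}

# Step 2: snapshot SYSVOL content from the healthy DC. NETLOGON is just the
# 'scripts' folder inside this tree, so one copy covers both shares.
robocopy "\\$HealthyDc\SYSVOL\$Domain" $BackupDir /E /R:1 /W:1 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy backup failed (exit code $LASTEXITCODE)" }

# Step 3: stop FRS on this DC.
Stop-Service -Name NtFrs -Force

# Step 4: BurFlags = 0xD2 (non-authoritative restore). The key name contains a
# forward slash, which the PowerShell registry provider treats as a path
# separator, so the .NET registry API is used directly.
$keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if (-not $key) { throw 'FRS BurFlags key not found; SYSVOL may be on DFSR rather than FRS' }
$key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

# Step 5: start FRS and wait for event 13516 (SYSVOL initialized and handed
# to Netlogon for sharing) before trusting the share again.
$started = Get-Date
Start-Service -Name NtFrs
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 20
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $started } `
          -ErrorAction SilentlyContinue
} until ($ev -or (Get-Date) -gt $deadline)
if (-not $ev) { throw 'FRS did not report SYSVOL ready (event 13516) within 15 minutes' }

# Step 6: prove replication with a throwaway folder under Policies, then clean up.
$probe  = "ReplTest-$([guid]::NewGuid())"
$local  = "\\$BrokenDc\SYSVOL\$Domain\Policies\$probe"
$remote = "\\$HealthyDc\SYSVOL\$Domain\Policies\$probe"
New-Item -ItemType Directory -Path $local | Out-Null
$deadline = (Get-Date).AddMinutes(10)
while (-not (Test-Path $remote) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 15 }
$replicated = Test-Path $remote
Remove-Item -Path $local -Force -ErrorAction SilentlyContinue
if (-not $replicated) { throw "folder $probe did not replicate to $HealthyDc" }
Write-Host "SYSVOL replication from $BrokenDc to $HealthyDc verified; backup is in $BackupDir."
```

After the script reports success, re-run dcdiag and repadmin /showrepl on the repaired DC to confirm the symptoms listed above are gone. If event 13516 never arrives, check the FRS log for the 13508/13509 pair instead, which tells you whether FRS can reach its partner at all.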

Other related articles:

  • Target Principal Name incorrect
  • Force the replication manually
