I’m too tired to write up more background information on this; suffice it to say I spent quite literally hours searching for this, and I want to be able to find it again easily if the need arises. As often happens with these things, the answer is really simple once you know it.
The solution from the linked article was:
- Stop the KDC service on the destination domain controller. To do this, run the following command at a command prompt:
net stop KDC
- Start replication on the destination domain controller from the source domain controller by using AD Sites and Services or Repadmin.
- Using repadmin (the option takes a leading slash):
repadmin /replicate destinationDC sourceDC DN_of_Domain_NC
For example, if replication is failing on ContosoDC2.contoso.com, run the following command on ContosoDC1.contoso.com:
repadmin /replicate ContosoDC2.contoso.com ContosoDC1.contoso.com "DC=contoso,DC=com"
- Start the Kerberos KDC service on the destination domain controller. To do this, run the following command:
net start KDC
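The three steps above wrapped in one script, as an added example that is not part of the original post or the Microsoft article: it stops the KDC, forces the replication, and uses a finally block so the KDC is started again even if repadmin fails. It assumes it is run elevated on the destination DC (repadmin accepts remote DC names, so the replicate call works from there); the parameter names and the $LASTEXITCODE check are assumptions.

```powershell
# Added example: stop KDC, force replication from the source DC, restart KDC.
# Assumes it runs elevated on the destination DC; parameter names are assumptions.
param(
    [Parameter(Mandatory)][string]$DestinationDC,   # e.g. ContosoDC2.contoso.com
    [Parameter(Mandatory)][string]$SourceDC,        # e.g. ContosoDC1.contoso.com
    [Parameter(Mandatory)][string]$NamingContext    # e.g. "DC=contoso,DC=com"
)

$ErrorActionPreference = 'Stop'

try {
    # Step 1: stop the KDC so the destination DC obtains a fresh service
    # ticket instead of reusing one built with the stale password.
    Write-Host "Stopping KDC on $env:COMPUTERNAME ..."
    Stop-Service -Name KDC

    # Step 2: pull the domain naming context from the source DC.
    Write-Host "Replicating $NamingContext from $SourceDC to $DestinationDC ..."
    & repadmin /replicate $DestinationDC $SourceDC $NamingContext
    if ($LASTEXITCODE -ne 0) {
        throw "repadmin /replicate failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Step 3: always bring the KDC back, even when replication failed,
    # so the DC is not left unable to issue Kerberos tickets.
    Write-Host "Starting KDC on $env:COMPUTERNAME ..."
    Start-Service -Name KDC
}

# Check: show the replication status of the destination DC afterwards.
& repadmin /showrepl $DestinationDC
```

If the replicate step still reports error -2146893022 after the KDC restart, the stale ticket was issued by a different KDC and the same procedure needs to be run against the DC the destination is actually getting its tickets from.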
This article describes how to troubleshoot a problem in which Active Directory replication fails and generates error -2146893022: “The target principal name is incorrect.” This error occurs when the source domain controller cannot decrypt the service ticket that’s provided by the destination (target) domain controller. Top cause: The destination domain controller receives a service ticket from a Kerberos Key Distribution Center (KDC) that has an old version of the password for the source domain control