KERBEROS error 4 (Part II)

Published 3 September 9 9:48 PM | Vlada.Ilic

Scenario:

For an unknown reason, a Domain Controller in a branch office stopped replicating Active Directory data with the Domain Controllers in the main site.

 

DCDIAG showed this:

 

[DC1] DsBindWithSpnEx() failed with error -2146893022,

The target principal name is incorrect..

Warning: DC1 is the Schema Owner, but is not responding to DS RPC Bind.

[DC1] LDAP bind failed with error 8341,

A directory service error has occurred..

Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.

Warning: DC1 is the Domain Owner, but is not responding to DS RPC Bind.

Warning: DC1 is the Domain Owner, but is not responding to LDAP Bind.

 

DC1 is a Domain Controller in the main site with all FSMO roles.
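As an added example (not part of the original post), this Python script parses DCDIAG output like the lines above, converts the signed error number back to its unsigned HRESULT form, and lists the DCs whose bind failed with the wrong-principal error. The sample text is the post's DCDIAG output used as constructed input; the function names and the lookup table of symbolic error names are assumptions of the example.

```python
import re

# Constructed input: the DCDIAG lines quoted in the post, pasted as plain text.
SAMPLE = """\
[DC1] DsBindWithSpnEx() failed with error -2146893022,
The target principal name is incorrect..
Warning: DC1 is the Schema Owner, but is not responding to DS RPC Bind.
[DC1] LDAP bind failed with error 8341,
A directory service error has occurred..
Warning: DC1 is the Schema Owner, but is not responding to LDAP Bind.
Warning: DC1 is the Domain Owner, but is not responding to DS RPC Bind.
Warning: DC1 is the Domain Owner, but is not responding to LDAP Bind.
"""
FAIL = re.compile(r"^\[(?P<dc>[^\]]+)\]\s+(?P<op>.+?) failed with error (?P<code>-?\d+),?$")
WARN = re.compile(r"^Warning: (?P<dc>\S+) is the (?P<role>.+?) Owner, "
                  r"but is not responding to (?P<bind>.+?)\.$")
# Symbolic names (Windows SDK headers) for the two codes in the sample.
NAMES = {0x80090322: "SEC_E_WRONG_PRINCIPAL", 8341: "ERROR_DS_GENERIC_ERROR"}

def to_unsigned(code):
    """DCDIAG prints HRESULTs as signed 32-bit integers; map them back to unsigned."""
    return code & 0xFFFFFFFF if code < 0 else code

def parse_dcdiag(text):
    """Return {dc: {"failures": [...], "unreachable_roles": {role: {bind kinds}}}}."""
    report = {}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = FAIL.match(line)
        if m:
            code = to_unsigned(int(m["code"]))
            # The readable message sits on the next line, unless that line is another record.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            msg = "" if FAIL.match(nxt) or WARN.match(nxt) else nxt.rstrip(".")
            entry = report.setdefault(m["dc"], {"failures": [], "unreachable_roles": {}})
            entry["failures"].append({"op": m["op"], "code": code, "hex": f"0x{code:08X}",
                                      "name": NAMES.get(code, "UNKNOWN"), "message": msg})
            continue
        m = WARN.match(line)
        if m:
            entry = report.setdefault(m["dc"], {"failures": [], "unreachable_roles": {}})
            entry["unreachable_roles"].setdefault(m["role"], set()).add(m["bind"])
    return report

def wrong_principal_dcs(report):
    """DCs with a bind that failed with SEC_E_WRONG_PRINCIPAL (target principal name incorrect)."""
    return sorted(dc for dc, e in report.items()
                  if any(f["name"] == "SEC_E_WRONG_PRINCIPAL" for f in e["failures"]))

if __name__ == "__main__":
    print(wrong_principal_dcs(parse_dcdiag(SAMPLE)))
```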

 

Event Viewer kept logging an Error from source Kerberos with Event ID 4:

 

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/.... The target name used was..... This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server.

Commonly, this is due to identically named machine account in the target realm (...), and the client realm.

 

And at the end, my favorite sentence:

Please contact your system administrator.

 

Have they ever considered the very small possibility that the one who is reading this message in the System log of a Domain Controller might actually be "our System Administrator"... ;))

 

Screenshot from Event Viewer:

 

Reason:

Yet another classic problem, solved many times but never documented before... I have no idea why, it just happens from time to time.

Solution:

If you want to solve this problem quickly, run:

dcpromo /forceremoval on the branch office DC, restart the server, and run dcpromo again.

Almost all Google results on this subject point to NETDOM and resetting the computer account. That never worked for me.

 

Conclusion/Advice:

If you have branch offices connected by slow and unreliable links, with a Domain Controller in them, bookmark this page... this can happen to you too... ;)

Comments

# Anonymous said on October 31, 2009 9:21 PM:

That totally worked, was easy enough to do and understand, and you *completely* saved my ass!

THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
