Active Directory

How to fix SPN issue on Windows Server 2012R2 domain controller?

Hello.
Recently, on one of the domain controllers, the following error began to appear:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the kem-dc-01$ server. The target name used was MLVZ\KEM-DC-01$. This means that the target server was unable to decrypt the ticket provided by the client. This is possible when the target SPN is registered to an account other than the account used by the target service. Make sure the target SPN is only registered to the account used by the server. This error can also occur if the target service's password differs from the password set for it in the Kerberos Key Distribution Center. Make sure that the passwords in the service on the server and in the KDC match. If the server name is incomplete and the destination domain (MLVZ.LOCAL) is different from the client domain (MLVZ.LOCAL),

PS C:\Users\Administrator.MLVZ> setspn -q MLVZ/TUMEN-DC
Domain check DC=MLVZ,DC=LOCAL
No such SPN found.

Accordingly, the replica between the CD does not pass.
It seems that the accounts with which I set up the CD successfully access it via RDP.
Tried https://social.technet.microsoft.com/Forums/window... didn't help.
I don't really want to lower the controller and raise it again.