Target Account Name is Incorrect - Event ID: 1645

The Active Directory Services log on the local domain controller may show the following event if replication to a replication partner fails:

Event ID 1645
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is 62d85225-76bf-4b46-b929-25a1bb295f51._msdcs.enterprise.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/62d85225-76bf-4b46-b929-25a1bb295f51/domain.enterprise.com@domain.enterprise.com.

Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer’s identity to replicate to the KDC before this computer can be authenticated.

To recover from this error, do the following:

1. First get the IP address of the computer by pinging the name shown in the event:

ping 62d85225-76bf-4b46-b929-25a1bb295f51._msdcs.enterprise.com

Pinging HubDC.domain.enterprise.com [1.1.1.10] with 32 bytes of data:

Reply from 1.1.1.10: bytes=32 time=94ms TTL=124

2. Either remotely or through Terminal Services (if installed), launch ADSIEDIT.MSC directly against the domain NC of the two replication partners.

3. On both DCs, locate the local DC computer account and get the properties. In the list of properties, locate “servicePrincipalName”. There will be a list of multi-valued entries.

4. One of them will contain two GUIDs, for example: “E3514235-4B06-11D1-AB04-00C04FC2DCD2/62d85225-76bf-4b46-b929-25a1bb295f51/domain.enterprise.com”

5. Select this entry and press the remove button.

6. In the Edit control, select all the text, copy it to the clipboard and press the add button.

7. The Edit control should now be empty. Paste the clipboard contents, go to the end and append “@domain.enterprise.com” so it looks like this: “E3514235-4B06-11D1-AB04-00C04FC2DCD2/62d85225-76bf-4b46-b929-25a1bb295f51/domain.enterprise.com@domain.enterprise.com”

8. Copy the whole string to the clipboard and then press the add button and OK.

9. On the other DC, paste the string to the Edit control as well, press the Add button and OK.

10. Retry the replication.

In some cases, the following problems can occur:

The replication partner has a different pair of GUIDs (the second one is different). This can happen when the DC has been un-promoted and then re-promoted. The solution in that case is to add both SPNs on both DCs.

One of the lists is virtually empty. This is often due to multi-mastered SPN updates, i.e., where the SPNs for a given machine are updated by two different services (e.g., DCPROMO and IIS) on two different DCs within a replication latency. One set of SPNs will lose to the other, which leads to this replication error. The solution, in that case, is to copy all missing entries using the Remove-Copy-Add routine on the first DC and the Paste-Add routine on the second DC (similar to steps 5 to 9 above, but without modifying an entry).
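
A read-only check for the two problem cases above, as an added example that is not part of the original post: it reads the servicePrincipalName list of each DC's computer account from both replication partners and prints the entries that exist on only one copy. It assumes the ActiveDirectory PowerShell module is available; BranchDC is a hypothetical partner name, and HubDC is taken from the ping output above.

```powershell
# Added example (not from the original post). Read-only: nothing is modified.
Import-Module ActiveDirectory

# Assumed names of the two replication partners; replace with your own.
$dcs = 'HubDC.domain.enterprise.com', 'BranchDC.domain.enterprise.com'

# First GUID of the SPN quoted in Event ID 1645.
$replPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/'

foreach ($dcFqdn in $dcs) {
    $account = $dcFqdn.Split('.')[0]     # computer account name, e.g. HubDC
    $copies  = @{}

    # Read the same computer object from each partner's own copy of the
    # domain NC, so a lost multi-master update shows up as a difference.
    foreach ($server in $dcs) {
        $computer = Get-ADComputer -Identity $account -Server $server `
                                   -Properties servicePrincipalName
        $copies[$server] = @($computer.servicePrincipalName | Sort-Object)
    }

    Write-Output "== Computer account: $account =="
    foreach ($server in $dcs) {
        # Entries that start with the GUID from the event.
        $repl = @($copies[$server] | Where-Object { $_ -like "$replPrefix*" })
        Write-Output ("{0}: {1} SPN(s) total, {2} starting with the event GUID" -f `
                      $server, $copies[$server].Count, $repl.Count)
        $repl | ForEach-Object { Write-Output "    $_" }
    }

    # Entries held by only one copy are the candidates for the
    # Remove-Copy-Add / Paste-Add routine. -notcontains also works when one
    # list is empty, which is the "virtually empty" case.
    foreach ($server in $dcs) {
        $other = $dcs | Where-Object { $_ -ne $server }
        $copies[$server] |
            Where-Object { $copies[$other] -notcontains $_ } |
            ForEach-Object { Write-Output ("  only on {0}: {1}" -f $server, $_) }
    }
}
```

If the second GUID differs between the two copies, or one copy lists far fewer entries than the other, that matches the corresponding case described above.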
