Microsoft KB Archive/308111

= A missing service principal name may prevent domain controllers from replicating =

Article ID: 308111

Article Last Modified on 2/21/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q308111



SYMPTOMS
In some Dcpromo.exe update situations, the replication service principal name (SPN) may be lost. This causes replication not to work.

One method to identify this problem is to examine the Directory Service event log. Look for an entry similar to:

Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1645
Date: 6/12/2001
Time: 11:12:15 AM
User: Everyone
Computer: DC2
Description:
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com@mydomain.com.

Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.



CAUSE
The servicePrincipalName attribute is a multiple-valued, non-linked attribute. In some Dcpromo.exe update situations, the replication SPN may be lost because of a conflict with another write process on this attribute.

The domain controller that accepts the conflicting SPN value cannot replicate with the domain controller for which the SPN attribute is written. Because the domain controller cannot replicate, the domain controller never receives the correct updated SPN through replication.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

The English version of this fix should have the following file attributes or later:

   Date         Time   Version        Size     File name
   30-Nov-2001  14:40  5.0.2195.4685  123,664  Adsldp.dll
   30-Nov-2001  14:40  5.0.2195.4628  130,320  Adsldpc.dll
   30-Nov-2001  14:40  5.0.2195.4016   62,736  Adsmsext.dll
   30-Nov-2001  14:40  5.0.2195.4653  356,112  Advapi32.dll
   30-Nov-2001  14:40  5.0.2195.4571   82,704  Cmnquery.dll
   30-Nov-2001  14:40  5.0.2195.4141  133,904  Dnsapi.dll
   30-Nov-2001  14:40  5.0.2195.4379   91,408  Dnsrslvr.dll
   30-Nov-2001  14:40  5.0.2195.4534   41,744  Dsfolder.dll
   30-Nov-2001  14:40  5.0.2195.4534  156,944  Dsquery.dll
   30-Nov-2001  14:40  5.0.2195.4574  110,352  Dsuiext.dll
   30-Nov-2001  14:44  5.0.2195.4685  521,488  Instlsa5.dll
   30-Nov-2001  14:40  5.0.2195.4630  145,680  Kdcsvc.dll
   26-Nov-2001  16:33  5.0.2195.4680  199,440  Kerberos.dll
   04-Sep-2001  08:32  5.0.2195.4276   71,024  Ksecdd.sys
   26-Nov-2001  17:55  5.0.2195.4685  503,568  Lsasrv.dll
   26-Nov-2001  15:55  5.0.2195.4685   33,552  Lsass.exe
   26-Nov-2001  16:32  5.0.2195.4680  107,280  Msv1_0.dll
   30-Nov-2001  14:40  5.0.2195.4594  306,960  Netapi32.dll
   30-Nov-2001  14:40  5.0.2195.4686  359,184  Netlogon.dll
   30-Nov-2001  14:40  5.0.2195.4703  913,680  Ntdsa.dll
   30-Nov-2001  14:40  5.0.2195.4627  387,856  Samsrv.dll
   30-Nov-2001  14:40  5.0.2195.4583  128,784  Scecli.dll
   30-Nov-2001  14:40  5.0.2195.4600  299,792  Scesrv.dll
   30-Nov-2001  14:40  5.0.2195.4600   48,400  W32time.dll
   06-Nov-2001  11:43  5.0.2195.4600   56,592  W32tm.exe
   30-Nov-2001  14:40  5.0.2195.4684  125,712  Wldap32.dll



WORKAROUND
You can use the following workaround to restore replication.

NOTE: This method may cause other SPN values that are not automatically regenerated by the computer to be lost. In some situations, it may be better to install the hotfix that is mentioned in this article.

1. Identify the domain controller that is missing the replication SPN. A simple method for doing this is to ping the DNS name that is documented in event ID 1645. For example:

   C:\>ping -a 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com

   Pinging DC1.mydomain.com [xxx.xxx.xxx.189] with 32 bytes of data:

   Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
   Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
   Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
   Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128

   Ping statistics for xxx.xxx.xxx.189:
       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
   Approximate round trip times in milli-seconds:
       Minimum = 0ms, Maximum = 0ms, Average = 0ms

2. On the domain controller that logged event 1645, determine whether the replication SPN entry is missing for the remote domain controller:

   C:\>setspn DC1

   Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com:

   In this example, you see a missing SPN entry for DC1 when you run the command from DC2.

3. Use Setspn to add the missing SPN for DC1. Add the replication SPN in the following form:

   setspn -A E3514235-4B06-11D1-AB04-00C04FC2DCD2/GUID/DomainName DCName

   where GUID is the GUID that is used to identify this domain controller (the domain controller that is documented in event 1645 and that you used with the ping command), DomainName is the name of the domain, and DCName is the name of the domain controller that is missing the SPN.

   This is an example of the form to use:

   setspn -a E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com DC1

4. After the replication SPN is in place, the domain controller can replicate with its partner. Note that updating this SPN value causes this less-complete version of the SPN to be replicated throughout the domain. Eventually, the owning domain controller will identify this change and update the domain-controller-specific SPN values automatically. At some point, running Setspn again on the domain controller will list the repopulated SPN values. For example:

   setspn dc1

   Registered ServicePrincipalNames for CN=dc1,OU=Domain Controllers,DC=mydomain,DC=com:
   HOST/dc1
   HOST/dc1.mydomain.com
   HOST/dc1.mydomain.com/mydomain.com
   GC/dc1.mydomain.com/mydomain.com
   LDAP/3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com
   LDAP/dc1.mydomain.com/mydomain
   LDAP/dc1
   LDAP/dc1.mydomain.com
   LDAP/dc1.mydomain.com/mydomain.com
   HOST/dc1.mydomain.com/mydomain
   E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com



This method resolves the replication problem by allowing replication to continue with computers that have a missing replication SPN after performing some special validation. This allows the true SPN list to be replicated.
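The workaround above is three manual steps: read the target name and SPN out of event 1645, check the partner's registered SPNs for the replication entry, and build the setspn -A command. The following script is an added example, not part of the Microsoft article, that performs those checks offline against the event text and SPN list quoted in the article (both embedded as constructed sample input). The function names, the ReplicationTarget record and the assumption that the SPN in the event matches the GUID and domain it names are this example's own; it only prints the remediation command, it does not run setspn.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Service class of the replication SPN, as quoted in the article's event and setspn output.
REPL_SERVICE_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

GUID_RE = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# Constructed sample input: the description of the Event ID 1645 shown in the article.
SAMPLE_EVENT_1645 = (
    "The Directory Service received a failure while trying to perform an "
    "authenticated RPC call to another Domain Controller. The failure is that "
    "the desired Service Principal Name (SPN) is not registered on the target "
    "server. The server being contacted is "
    "3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. The SPN being "
    "used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
    "3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com@mydomain.com."
)

# Constructed sample input: DC1's servicePrincipalName values as setspn would list them,
# with the replication SPN deliberately absent (the condition the article describes).
SAMPLE_SPN_LIST_MISSING = [
    "HOST/dc1",
    "HOST/dc1.mydomain.com",
    "HOST/dc1.mydomain.com/mydomain.com",
    "GC/dc1.mydomain.com/mydomain.com",
    "LDAP/3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com",
    "LDAP/dc1.mydomain.com/mydomain.com",
]


@dataclass(frozen=True)
class ReplicationTarget:
    """What Event ID 1645 tells us about the partner that rejected the RPC call."""
    dc_guid: str      # GUID that identifies the target DC (the article's replication GUID)
    domain: str       # DNS domain name parsed from the _msdcs record
    target_fqdn: str  # GUID._msdcs.<domain>, the name to hand to "ping -a"
    event_spn: str    # SPN from the event, without the @realm suffix


def expected_replication_spn(dc_guid: str, domain: str) -> str:
    """Build the replication SPN in the form the article passes to setspn -A."""
    return f"{REPL_SERVICE_CLASS}/{dc_guid.lower()}/{domain.lower()}"


def parse_event_1645(description: str) -> ReplicationTarget:
    """Pull the target GUID, domain and SPN out of an Event ID 1645 description."""
    m_target = re.search(
        r"The server being contacted is (" + GUID_RE + r")\._msdcs\.(\S+?)\.(?:\s|$)",
        description,
    )
    m_spn = re.search(r"The SPN being used is (\S+)", description)
    if not m_target or not m_spn:
        raise ValueError("text does not look like an Event ID 1645 description")
    dc_guid, domain = m_target.group(1).lower(), m_target.group(2).lower()
    # The Kerberos name carries an @realm suffix; the servicePrincipalName value does not.
    event_spn = m_spn.group(1).rstrip(".").split("@", 1)[0]
    return ReplicationTarget(dc_guid, domain, f"{dc_guid}._msdcs.{domain}", event_spn)


def find_missing_replication_spn(registered: Iterable[str],
                                 target: ReplicationTarget) -> Optional[str]:
    """Return the replication SPN that must be added, or None if it is already registered.

    SPN matching in Active Directory is case-insensitive, so compare lower-cased values.
    """
    wanted = expected_replication_spn(target.dc_guid, target.domain)
    if wanted.lower() != target.event_spn.lower():
        # The event's SPN disagrees with the GUID/domain it names: do not add anything blindly.
        raise ValueError(f"event SPN {target.event_spn!r} differs from expected {wanted!r}")
    present = {spn.lower() for spn in registered}
    return None if wanted.lower() in present else wanted


def setspn_add_command(spn: str, dc_account: str) -> str:
    """Render the remediation command from step 3 of the workaround (not executed here)."""
    return f"setspn -A {spn} {dc_account}"


if __name__ == "__main__":
    target = parse_event_1645(SAMPLE_EVENT_1645)
    print(f"target DC name to resolve with ping -a: {target.target_fqdn}")
    missing = find_missing_replication_spn(SAMPLE_SPN_LIST_MISSING, target)
    if missing:
        print("replication SPN missing; remediation:", setspn_add_command(missing, "DC1"))
    else:
        print("replication SPN already registered")
```

In practice the SPN list would come from `setspn <DCName>` output or from the computer object's servicePrincipalName attribute; the consistency check between the event's SPN and the GUID/domain it names guards against registering an SPN for the wrong partner, which is the failure mode the article's "less-complete SPN" note is about.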


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.


MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server product

For additional information about how to install multiple hotfixes with only one reboot, click the following article number to view the article in the Microsoft Knowledge Base:

296861 How to install multiple Windows updates or hotfixes with only one reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Additional query words: kbDirServices

Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbdirservices kbhotfixserver KB308111
