Microsoft KB Archive/942304

= SPNs are not registered in an Active Directory site that includes only read-only domain controllers =

Article ID: 942304

Article Last Modified on 10/9/2007

-

APPLIES TO


 * Windows Vista Enterprise
 * Windows Vista Ultimate
 * Windows Vista Business
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional

-



SYMPTOMS
In an Active Directory site that includes only read-only domain controllers (RODCs), service principal names (SPNs) are not registered. Therefore, you may experience various problems on client computers that are running Windows Vista, Windows Server 2003, or Windows XP. For example, you cannot install Microsoft ISA Server. Or, mutual authentication fails.



CAUSE
These problems occur when account credentials are not cached on an RODC. If the account credentials are not cached, RODCs cannot write SPNs for client computer accounts on a writable domain controller.



WORKAROUND
To work around these problems, use one of the following methods:

 * In the Active Directory site, enable the Password Replication Policy to cache the credentials for all client computer accounts on the RODCs.

   For more information about the Password Replication Policy, visit the following Microsoft Web site:

   http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true

 * Use the Setspn command-line tool to manually register the SPN on the RODCs.

   The Setspn command-line tool is included in the Windows Server 2003 Support Tools package. To install the Windows Support Tools package, double-click the Suptools.msi file in the Support\Tools folder on the Windows Server 2003 installation CD. For more information about the Setspn tool, visit the following Microsoft Web site:

   http://technet2.microsoft.com/WindowsServer/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx?mfr=true

 * Register the SPN on the writable domain controller, and then force replication to the RODC.
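The third method, worked through as an added example that is not part of the KB article: the script binds to a named writable domain controller, adds any of the client's default HOST SPNs that are missing, forces replication to the RODC with repadmin, and then reads the computer object back from the RODC to confirm the SPNs arrived. All host names, the domain name and the computer name are placeholders.

```powershell
# Added example (not Microsoft's code). Registers a client computer's default
# HOST SPNs on a writable DC, pulls the change into the RODC, then verifies it.
param(
    [string]$ComputerName = 'CLIENT01',                # client computer account (placeholder)
    [string]$DnsDomain    = 'corp.example.com',        # DNS name of the domain (placeholder)
    [string]$WritableDC   = 'dc01.corp.example.com',   # writable DC in the hub site (placeholder)
    [string]$Rodc         = 'rodc01.corp.example.com'  # RODC in the branch site (placeholder)
)

$domainDn = 'DC=' + (($DnsDomain -split '\.') -join ',DC=')

# Find the computer object through the writable DC so the write below is not
# a referred LDAP write from an RODC (the situation the article describes).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$WritableDC/$domainDn"
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$result = $searcher.FindOne()
if (-not $result) { throw "Computer account $ComputerName not found on $WritableDC" }
$dn = $result.Properties['distinguishedname'][0]

# The two SPNs Netlogon registers for a domain member when it can write them.
$wanted = @("HOST/$ComputerName", "HOST/$ComputerName.$DnsDomain")

$computer = [ADSI]"LDAP://$WritableDC/$dn"
$existing = @($computer.servicePrincipalName)
$missing  = @($wanted | Where-Object { $existing -notcontains $_ })

if ($missing.Count -gt 0) {
    # ADS_PROPERTY_APPEND (3) adds values without discarding SPNs already present.
    $computer.PutEx(3, 'servicePrincipalName', [string[]]$missing)
    $computer.SetInfo()
    Write-Host "Registered on ${WritableDC}: $($missing -join ', ')"
} else {
    Write-Host "All expected SPNs already present on $WritableDC"
}

# Force replication into the RODC instead of waiting for the schedule.
# repadmin /replicate takes destination, then source, then the partition.
& repadmin.exe /replicate $Rodc $WritableDC $domainDn

# Read the object back from the RODC; a MISSING entry means replication is not done yet.
$onRodc = @(([ADSI]"LDAP://$Rodc/$dn").servicePrincipalName)
foreach ($spn in $wanted) {
    $state = if ($onRodc -contains $spn) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-45} {1}" -f $spn, $state)
}
```

Run it with an account that can modify the computer object; if the domain has more than one partition, replicate the partition that holds the object.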



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbtshoot kbprb kbpubtypekc kbexpertiseinter kbexpertisebeginner KB942304

-

© Microsoft Corporation. All rights reserved.