Microsoft KB Archive/938704

From BetaArchive Wiki
Knowledge Base


Event ID: 1411 is logged on a domain controller that is running Microsoft Windows Server 2003 or Microsoft Windows 2000

Article ID: 938704

Article Last Modified on 8/1/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SYMPTOMS

The following event is logged in the Directory Service event log on a domain controller that is running Microsoft Windows Server 2003 or Microsoft Windows 2000:

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1411
Date: Date
Time: Time
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ComputerName
Description:
Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.

Domain controller:
Server_GUID._msdcs.DnsForestName

The call was denied. Communication with this domain controller might be affected.

Additional Data

Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


CAUSE

This problem may occur if the source domain controller cannot find the domain controllers that it requires to replicate changes. These domain controllers are listed in the repsTo attribute of the directory partition object. This situation may occur for the following reasons:

  • A replication connection object to a domain controller in the same forest was not created. This situation may occur for one of the following reasons:
    • Active Directory was removed from the remote domain controller.
    • The remote domain controller is orphaned.
    • The remote domain controller is missing service principal names (SPNs) on its computer object.
  • The required NTDS Settings object does not appear for a server in Active Directory Sites and Services. Therefore, a replication connection was not automatically established between the local domain controller and a remote domain controller. The remote domain controller may be in the same domain or in another trusted domain.

When a domain controller sends change notifications to its replication partner domain controllers in the domain, the domain controller keeps a list of domain controllers in the repsTo attribute for the directory partition object. In Windows Server 2003, the Knowledge Consistency Checker (KCC) removes domain controllers from this list if they do not replicate for more than 24 hours. The removal process occurs at set intervals as one of the last steps in KCC processing.

RESOLUTION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, reduce the time that the Knowledge Consistency Checker waits to remove unavailable domain controllers from the list of outgoing change notifications. Then, create replication links for the domain controllers that are missing from the list.

To reduce the time that KCC waits, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type RepsTo Failure Time (sec) to name the new value, and then press ENTER.
  5. Right-click RepsTo Failure Time (sec), and then click Modify.
  6. In the Value data box, type 60, and then click OK.
  7. Exit Registry Editor.
  8. Click Start, click Run, type cmd, and then click OK.
  9. At the command prompt, type repadmin /kcc, and then press ENTER.

    This command removes the unavailable domain controller from the list of outgoing change notifications. This command also forces the KCC to recalculate the replication topology for the unavailable domain controller.

Next, open Active Directory Sites and Services on the root domain controller for the domain. Then, examine the following folder:

Active Directory Sites and Services\Sites\Site Name\Servers\Server Name\NTDS Settings


All the domain controllers that are involved in replication appear in this folder. Use the repadmin /add command to create a replication link for each domain controller that is not listed. To do this, follow these steps:

  1. On the root domain controller, add the Replicator Allow SPN Fallback registry entry. When mutual (two-way) authentication cannot be performed because an SPN cannot be resolved to a computer account, this registry entry lets Active Directory fall back to one-way authentication for replication. To add the registry entry, follow these steps.

    Note Perform steps a through f on the same root domain controller.
    a. Click Start, click Run, type regedit, and then click OK.
    b. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    c. On the Edit menu, point to New, and then click DWORD Value.
    d. Type Replicator Allow SPN Fallback to name the new entry, and then press ENTER.
    e. Double-click Replicator Allow SPN Fallback, type 1 in the Value data box, and then click OK.
    f. Restart the domain controller.
  2. At a command prompt, type the following:

    repadmin /options RootFQDN +DISABLE_NTDSCONN_XLATE

    In this command, replace RootFQDN with the fully qualified domain name of the root domain controller.

    Note The Repadmin.exe tool is included in Windows Support Tools for Windows Server 2003 and for Windows 2000. For more information about how to install Windows Support Tools, visit the following Microsoft Web site:

  3. At the command prompt, type the following:

    repadmin /add CN=Configuration,DC=DomainName,DC=DomainName RootFQDN SourceFQDN

  4. At the command prompt, type repadmin /showreps, and then press ENTER.

    A successful incoming connection appears for the configuration naming context.
  5. Repeat steps 3 and 4 for other source domain controllers that are not listed in the NTDS Settings folder on the root domain controller.
  6. At the command prompt, type the following:

    repadmin /options RootFQDN -DISABLE_NTDSCONN_XLATE

  7. Remove the Replicator Allow SPN Fallback registry entry. To do this, follow these steps:
    a. Click Start, click Run, type regedit, and then click OK.
    b. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    c. In the details pane, right-click Replicator Allow SPN Fallback, click Delete, and then click OK.
  8. Force replication between all domain controllers in the root domain. To do this, follow these steps:
    a. On a domain controller in the root domain, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    b. Expand Sites, expand Servers, expand the ServerName folder, and then click NTDS Settings.
    c. Other domain controllers to replicate are listed in the details pane. Right-click the first domain controller in the list, click All Tasks, and then click Check Replication Topology to start the Knowledge Consistency Checker (KCC).

      An incoming connection object from one or more of the source domain controllers appears. You may have to update the display by pressing F5.

      Note You must follow these steps on each domain controller in the root domain.
  9. Let replication occur throughout the forest. Then, run the repadmin /showreps command on the root domain controller and on the other domain controllers in the domain. This step makes sure that Active Directory replication is successful.
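Both procedures above add NTDS registry values and a DSA option that are meant to be temporary, and Replicator Allow SPN Fallback in particular weakens replication to one-way authentication while it is set. The following PowerShell audit is an added example, not part of the KB article: it reads the NTDS Parameters key on every domain controller in the current domain, checks repadmin /options for DISABLE_NTDSCONN_XLATE, and flags any domain controller where the workaround has not been fully reverted. It assumes the ActiveDirectory module, WinRM access to each domain controller, and repadmin on the PATH; the function names are the example's own.

```powershell
# Added example (not from the KB article): audit domain controllers for the
# temporary NTDS workaround settings this article has you add and then remove.
# Assumes the ActiveDirectory module, WinRM to each DC, and repadmin in PATH.

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
# Values the article adds temporarily; each should be gone when the fix is complete.
$temporaryValues = @('Replicator Allow SPN Fallback', 'RepsTo Failure Time (sec)')

function Get-NtdsWorkaroundState {
    param([Parameter(Mandatory)][string]$DomainController)

    # Read the NTDS Parameters key on the remote DC.
    $props = Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($key) Get-ItemProperty -Path $key
    } -ArgumentList $ntdsKey

    $state = [ordered]@{ DomainController = $DomainController }
    foreach ($name in $temporaryValues) {
        # $null means the value is absent, which is the desired end state.
        $state[$name] = $props.$name
    }

    # repadmin /options prints the DSA option flags currently set on the DC.
    $options = (repadmin /options $DomainController) -join ' '
    $state['DISABLE_NTDSCONN_XLATE'] = [bool]($options -match 'DISABLE_NTDSCONN_XLATE')
    [pscustomobject]$state
}

function Test-NtdsWorkaroundReverted {
    param([pscustomobject]$State)
    # Fallback=1 means mutual authentication is still being bypassed for replication.
    $spnFallbackOn = ($State.'Replicator Allow SPN Fallback' -eq 1)
    return (-not $spnFallbackOn) -and (-not $State.DISABLE_NTDSCONN_XLATE)
}

# Audit every DC in the current domain and report leftover workaround settings.
Import-Module ActiveDirectory
$results = Get-ADDomainController -Filter * | ForEach-Object {
    Get-NtdsWorkaroundState -DomainController $_.HostName
}
$results | Format-Table -AutoSize
$leftover = $results | Where-Object { -not (Test-NtdsWorkaroundReverted $_) }
if ($leftover) {
    Write-Warning ('Workaround settings still present on: ' +
        (($leftover | ForEach-Object DomainController) -join ', '))
}
```

A non-null RepsTo Failure Time (sec) is reported but not treated as a failure, since the article does not direct you to remove it; the SPN fallback value and the DISABLE_NTDSCONN_XLATE option are the two that must be cleared.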


MORE INFORMATION

For more information about the Active Directory replication model, visit the following Microsoft Web site:

For more information about the Repadmin.exe tool, visit the following Microsoft Web site:

For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:

896722 Domain controllers receive a security descriptor for an object that does not match the security descriptor from the Windows Server 2003-based domain controller where the object was created

832851 Inbound replication fails on domain controllers with event ID: 1699, error 8451, or jet error -1601

914034 A new event error message is logged if you do not back up a Windows Server 2003 Service Pack 1-based domain controller in a given time period

911799 Error message in a Windows Server 2003-based domain or in a Windows 2000 Server-based domain: "The remote procedure call failed and did not run"

925633 You cannot replicate files from a Windows Server 2003-based domain controller and events are logged in the File Replication Service log

305476 Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders

887430 Orphaned child domain controller information may not be replicated to other Windows 2000 Server-based domain controllers


Keywords: kbnetwork kbactivedirectoryrepl kbtshoot kbexpertiseinter kbprb KB938704