Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller…

Error

You receive the following error in the Directory Service event log:

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1645
Date: 8/05/2008
Time: 4:59:02 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Server1
Description:
Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination domain controller:
8cf4c0d9-d3c4-4a1f-b7a3-0510384407fb._msdcs.domain.net
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/8cf4c0d9-d3c4-4a1f-b7a3-0510384407fb/domain.net@domain.net

User Action
Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller’s computer account data to replicate to the KDC before this computer can be authenticated.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Explanation

When a domain controller creates a replication link with its replication partner, it looks in its own copy of Active Directory for the GUID of the NTDS Settings object of its replication partner. It then checks whether that GUID matches the replication SPN present in the ServicePrincipalName attribute of the partner's computer object. If they don’t match, the replication link cannot be established, and the domain controller logs Event ID 1645 in the Directory Service event log.

This can happen when a domain controller has been manually removed from Active Directory and then Active Directory is reinstalled on that domain controller. After Active Directory is reinstalled, the domain controller gets a new GUID for its NTDS Settings object and creates a new replication SPN accordingly, while the old NTDS Settings object (with the old GUID) may still exist in the directory.

Troubleshooting/Fix

  1. Identify the GUID of the replication partner. If several NTDS Settings objects are returned for the partner, this is the source of the error. One of the entries results from the initial installation of Active Directory on the replication partner. If Active Directory was removed from the domain controller without running the Active Directory Installation Wizard, and then Active Directory was reinstalled on the domain controller, a new NTDS Settings object was created (with a new GUID) and was replicated to this domain controller. In that case, determine which NTDS Settings object has the correct GUID and delete the incorrect NTDS Settings object. To identify the GUID of a domain controller, do the following:
    1. repadmin /showreps <ServerName>
    2. In the first section of the output, locate the objectGuid entry
  2. Verify that a DNS record for the bad NTDS Settings object has not been created on the root DNS server. Check the DNS records for <replication_partner_guid>._msdcs.<forest_root_domain_name>, and verify that only one DNS record for <replication_partner>.<regional_domain_name> is present, with the right GUID. If several records are present, delete the incorrect records:
    1. Verify the CNAME and A resource records. At a command prompt on the destination domain controller, or through a terminal services connection, type the following command and press ENTER: dcdiag /test:connectivity /s:<domain controller>
    2. If the CNAME and A resource records are missing, stop and start Net Logon on the source domain controller.
    3. Again, verify CNAME and A resource records.
  3. If the previous step revealed only one NTDS Settings object with the correct GUID, verify the SPN for the replication partner on the local domain controller. If the name does not exist or contains a GUID which does not match its replication partner, it must be created in the Active Directory of the local domain controller. If the name exists with a different GUID, it must be modified to match the correct GUID.
    1. At a command prompt on the local domain controller, type the following command and press ENTER: setspn -L <replication partner>. This displays the SPN names of the specified domain controller in the local Active Directory. In the output, search for the SPN name used for replication.
  4. To create or correct the SPN, run ADSI Edit or LDP on the local domain controller. Locate the SPN in the multivalued attribute ServicePrincipalName of the computer object of the replication partner (CN=<computer_name>,OU=Domain Controllers,DC=dom1,DC=company,DC=com) and change the replication SPN to the correct value.
  5. Verify that replication is functioning.
    1. To check if replication is working, at a command prompt, type the following command and press ENTER: dcdiag /test:replications
    2. To verify that the proper permissions are set for replication, at a command prompt, type the following command and press ENTER: dcdiag /test:netlogons
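The following PowerShell script is an added, read-only diagnostic that walks the checks above for one replication partner: duplicate NTDS Settings objects (step 1), the <guid>._msdcs.<forest_root> CNAME (step 2), and the replication SPN whose format the Explanation describes (step 3). It is not part of the original article. It assumes the RSAT ActiveDirectory and DnsClient modules are installed, that the caller can read the configuration partition and contact the partner, and that the partner name DC02 in the usage line is a placeholder; the function name and its output fields are my own. It changes nothing in the directory; corrections are still made with the manual steps above.

```powershell
# Added example, not from the original article. Read-only: it reports, never modifies.
Import-Module ActiveDirectory

# Well-known service class of every domain controller's replication SPN. The stored
# value is <class>/<NTDS Settings objectGUID>/<domain DNS name>; the event text shows it
# with the Kerberos realm appended (.../domain.net@domain.net), so match on class + GUID only.
$ReplSpnClass = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

function Test-ReplicationPartnerIdentity {
    param(
        # The destination domain controller named in Event ID 1645 (hypothetical in the usage call)
        [Parameter(Mandatory)] [string] $PartnerName
    )
    $findings  = New-Object System.Collections.Generic.List[string]
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $forestDns = (Get-ADForest).RootDomain

    # Step 1, local view: every NTDS Settings (nTDSDSA) object under a server object with this
    # name. More than one means a stale object from an earlier AD installation survived.
    $serverObjs = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$PartnerName))" -SearchBase $configNc
    $ntdsObjs = @(foreach ($srv in $serverObjs) {
        Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName
    })
    if ($ntdsObjs.Count -ne 1) {
        $findings.Add("Expected 1 NTDS Settings object for $PartnerName, found $($ntdsObjs.Count)")
    }

    # Step 1, partner's own view: rootDSE.dsServiceName on the partner is the DN of the NTDS
    # Settings object it is actually running with, so its objectGUID is the correct one
    # (the same value repadmin /showreps prints on that DC).
    $liveGuid = $null
    try {
        $liveDn   = (Get-ADRootDSE -Server $PartnerName).dsServiceName
        $liveGuid = (Get-ADObject -Identity $liveDn -Server $PartnerName).ObjectGUID
    } catch {
        $findings.Add("Could not query $PartnerName directly: $($_.Exception.Message)")
    }

    # Step 2: each GUID seen locally maps to <guid>._msdcs.<forest root>. The live GUID must
    # resolve; a CNAME for any other GUID is a leftover record to clean up.
    $dns = foreach ($obj in $ntdsObjs) {
        $fqdn = "$($obj.ObjectGUID)._msdcs.$forestDns"
        $rec  = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Guid   = $obj.ObjectGUID
            IsLive = [bool]($liveGuid -and $obj.ObjectGUID -eq $liveGuid)
            Cname  = $fqdn
            Target = ($rec | Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
        }
    }
    foreach ($d in $dns) {
        if ($d.IsLive -and -not $d.Target) { $findings.Add("Missing CNAME $($d.Cname) for the live GUID") }
        if (-not $d.IsLive -and $d.Target) { $findings.Add("Stale CNAME $($d.Cname) -> $($d.Target)") }
    }

    # Step 3: the replication SPN on the partner's computer account, as held in the local
    # directory, must embed the live GUID; 1645 is logged when the KDC cannot find that SPN.
    $spns     = (Get-ADComputer -Identity $PartnerName -Properties servicePrincipalName).servicePrincipalName
    $replSpns = @($spns | Where-Object { $_ -like "$ReplSpnClass/*" })
    $spnOk    = [bool]($liveGuid -and ($replSpns | Where-Object { $_ -like "$ReplSpnClass/$liveGuid/*" }))
    if (-not $spnOk) {
        $findings.Add("No replication SPN for GUID $liveGuid on $PartnerName; found: $($replSpns -join ', ')")
    }

    [pscustomobject]@{
        Partner          = $PartnerName
        LiveNtdsGuid     = $liveGuid
        LocalNtdsGuids   = @($ntdsObjs | ForEach-Object { $_.ObjectGUID })
        DnsRecords       = $dns
        ReplicationSpns  = $replSpns
        ReplicationSpnOk = $spnOk
        Findings         = $findings
    }
}

# Usage: run on the domain controller that logged Event ID 1645 (partner name is a placeholder).
Test-ReplicationPartnerIdentity -PartnerName 'DC02' | Format-List
```

An empty Findings list means all three checks passed from this domain controller's point of view. If the partner cannot be reached directly, LiveNtdsGuid stays empty and the SPN check is reported as failed; in that case take the DSA GUID from repadmin /showreps on the partner and compare it by hand against LocalNtdsGuids and ReplicationSpns.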
