A missing service principal name may prevent domain controllers from replicating (308111)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
This article was previously published under Q308111
SYMPTOMS
In some Dcpromo.exe update situations, the replication service principal name (SPN) may be lost. This causes replication not to work.
One method to identify this problem is to examine the Directory Service event log. Look for an entry similar to:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1645
Date: 6/12/2001
Time: 11:12:15 AM
User: Everyone
Computer: DC2
Description:
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com@mydomain.com.
Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.
CAUSE
The servicePrincipalName attribute is a multiple-valued, non-linked attribute. In some Dcpromo.exe update situations, the replication SPN may be lost because of a conflict with another write process on this attribute.
The domain controller that accepts the conflicting SPN value cannot replicate with the domain controller for which the SPN attribute is written. Because the domain controller cannot replicate, the domain controller never receives the correct updated SPN through replication.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name
--------------------------------------------------------
30-Nov-2001 14:40 5.0.2195.4685 123,664 Adsldp.dll
30-Nov-2001 14:40 5.0.2195.4628 130,320 Adsldpc.dll
30-Nov-2001 14:40 5.0.2195.4016 62,736 Adsmsext.dll
30-Nov-2001 14:40 5.0.2195.4653 356,112 Advapi32.dll
30-Nov-2001 14:40 5.0.2195.4571 82,704 Cmnquery.dll
30-Nov-2001 14:40 5.0.2195.4141 133,904 Dnsapi.dll
30-Nov-2001 14:40 5.0.2195.4379 91,408 Dnsrslvr.dll
30-Nov-2001 14:40 5.0.2195.4534 41,744 Dsfolder.dll
30-Nov-2001 14:40 5.0.2195.4534 156,944 Dsquery.dll
30-Nov-2001 14:40 5.0.2195.4574 110,352 Dsuiext.dll
30-Nov-2001 14:44 5.0.2195.4685 521,488 Instlsa5.dll
30-Nov-2001 14:40 5.0.2195.4630 145,680 Kdcsvc.dll
26-Nov-2001 16:33 5.0.2195.4680 199,440 Kerberos.dll
04-Sep-2001 08:32 5.0.2195.4276 71,024 Ksecdd.sys
26-Nov-2001 17:55 5.0.2195.4685 503,568 Lsasrv.dll
26-Nov-2001 15:55 5.0.2195.4685 33,552 Lsass.exe
26-Nov-2001 16:32 5.0.2195.4680 107,280 Msv1_0.dll
30-Nov-2001 14:40 5.0.2195.4594 306,960 Netapi32.dll
30-Nov-2001 14:40 5.0.2195.4686 359,184 Netlogon.dll
30-Nov-2001 14:40 5.0.2195.4703 913,680 Ntdsa.dll
30-Nov-2001 14:40 5.0.2195.4627 387,856 Samsrv.dll
30-Nov-2001 14:40 5.0.2195.4583 128,784 Scecli.dll
30-Nov-2001 14:40 5.0.2195.4600 299,792 Scesrv.dll
30-Nov-2001 14:40 5.0.2195.4600 48,400 W32time.dll
06-Nov-2001 11:43 5.0.2195.4600 56,592 W32tm.exe
30-Nov-2001 14:40 5.0.2195.4684 125,712 Wldap32.dll
WORKAROUND
You can use the following workaround to restore replication. NOTE: This method may cause other SPN values that are not automatically regenerated by the computer to be lost. In some situations, it may be better to install the hotfix that is mentioned in this article.
- Identify the domain controller that is missing the replication SPN. A simple method for doing this is to ping the GUID-based DNS name that is documented in event ID 1645; the -a switch resolves the address back to the host name of the domain controller. For example:
C:\>ping -a 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com
Pinging DC1.mydomain.com [xxx.xxx.xxx.189] with 32 bytes of data:
Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
Ping statistics for xxx.xxx.xxx.189:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
- On the domain controller that logged event 1645, determine whether the replication SPN entry is missing for the remote domain controller:
C:\>setspn DC1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com:
In this example, which you run from DC2, no SPN entries are listed for DC1; in particular, the E3514235-4B06-11D1-AB04-00C04FC2DCD2/... replication SPN from event 1645 is missing.
- Use Setspn to add the missing SPN for DC1. Add the replication SPN in the following form:
setspn -A E3514235-4B06-11D1-AB04-00C04FC2DCD2/GUID_of_the_NTDS_settings_object/DNS_name_of_the_domain Name_of_the_domain_controller
where GUID_of_the_NTDS_settings_object is the GUID that identifies this domain controller (the domain controller that is documented in event 1645 and that you used with the ping command), DNS_name_of_the_domain is the DNS name of the domain, and Name_of_the_domain_controller is the name of the domain controller that is missing the SPN.
This is an example of the form to use:
setspn -a E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com DC1
- After the replication SPN is in place, the domain controller can replicate with its partner. Note that adding this SPN value causes this less-complete SPN list to be replicated throughout the domain. Eventually, the owning domain controller identifies this change and updates its domain-controller-specific SPN values automatically. At some point, running Setspn again on the domain controller lists the repopulated SPN values. For example:
setspn dc1
Registered ServicePrincipalNames for CN=dc1,OU=Domain Controllers,DC=mydomain,DC=com:
HOST/dc1
HOST/dc1.mydomain.com
HOST/dc1.mydomain.com/mydomain.com
GC/dc1.mydomain.com/mydomain.com
LDAP/3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com
LDAP/dc1.mydomain.com/mydomain
LDAP/dc1
LDAP/dc1.mydomain.com
LDAP/dc1.mydomain.com/mydomain.com
HOST/dc1.mydomain.com/mydomain
E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com
This method resolves the replication problem by allowing replication to continue with computers that have a missing replication SPN after performing some special validation. This allows the true SPN list to be replicated.
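The following Python script is an added example and is not part of the Microsoft article. It performs the checks of the workaround offline: it parses the Description text of event 1645 to recover the target domain controller's GUID-based DNS name and the replication SPN it should carry, cross-checks that the GUID and domain in the SPN agree with that DNS name, compares the SPN against a list of registered SPNs such as setspn prints, and emits the setspn -A command to add it. The event text and the two SPN lists are constructed from the examples above, and the resolved host name DC1 is assumed as in the article; in a live repair you would obtain it from ping -a or from the NTDS Settings object.

```python
"""Derive the setspn repair command from a Directory Service event 1645 (added example)."""
import re
from typing import Iterable, NamedTuple

# Class identifier of the Active Directory replication SPN, as quoted in event 1645.
REPLICATION_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Constructed sample input: the Description field of event 1645, modelled on the one
# quoted in the article. Not a real capture.
SAMPLE_EVENT_1645 = (
    "The Directory Service received a failure while trying to perform an authenticated RPC "
    "call to another Domain Controller. The failure is that the desired Service Principal "
    "Name (SPN) is not registered on the target server. The server being contacted is "
    "3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. The SPN being used is "
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/"
    "mydomain.com@mydomain.com."
)

# Constructed samples: DC1's SPN list after it has been repopulated (healthy), and the
# same list with the replication SPN lost (broken), as setspn would print them.
HEALTHY_SPNS = [
    "HOST/dc1", "HOST/dc1.mydomain.com", "HOST/dc1.mydomain.com/mydomain.com",
    "GC/dc1.mydomain.com/mydomain.com",
    "LDAP/3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com",
    "LDAP/dc1.mydomain.com/mydomain", "LDAP/dc1", "LDAP/dc1.mydomain.com",
    "LDAP/dc1.mydomain.com/mydomain.com", "HOST/dc1.mydomain.com/mydomain",
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com",
]
BROKEN_SPNS = [s for s in HEALTHY_SPNS if not s.startswith(REPLICATION_SPN_CLASS + "/")]


class ReplicationTarget(NamedTuple):
    target_dns: str  # GUID-based CNAME under _msdcs, e.g. <guid>._msdcs.mydomain.com
    ntds_guid: str   # GUID of the target DC's NTDS Settings object
    domain: str      # DNS name of the domain
    spn: str         # replication SPN without the @realm suffix, as setspn -A takes it


# Both values end the sentence they appear in, so stop at the first '.' that is followed
# by whitespace or end of text rather than at a '.' inside the DNS name or SPN.
_SERVER_RE = re.compile(r"The server being contacted is (?P<dns>\S+?)\.(?:\s|$)")
_SPN_RE = re.compile(r"The SPN being used is (?P<spn>\S+?)\.(?:\s|$)")


def parse_event_1645(description: str) -> ReplicationTarget:
    """Extract the target DC and the replication SPN it should carry from event 1645 text."""
    server = _SERVER_RE.search(description)
    spn_match = _SPN_RE.search(description)
    if not server or not spn_match:
        raise ValueError("description does not look like event 1645")
    target_dns = server.group("dns")
    spn = spn_match.group("spn").split("@", 1)[0]  # drop the Kerberos realm suffix
    parts = spn.split("/")
    if len(parts) != 3 or parts[0].upper() != REPLICATION_SPN_CLASS:
        raise ValueError(f"not a replication SPN: {spn}")
    _spn_class, ntds_guid, domain = parts
    # Cross-check: the GUID and domain inside the SPN must match the GUID-based CNAME,
    # otherwise the event refers to a different DC than the SPN would be added for.
    expected_dns = f"{ntds_guid}._msdcs.{domain}"
    if target_dns.lower() != expected_dns.lower():
        raise ValueError(f"SPN {spn} does not match target {target_dns}")
    return ReplicationTarget(target_dns, ntds_guid, domain, spn)


def is_replication_spn_missing(registered_spns: Iterable[str], target: ReplicationTarget) -> bool:
    """True when the computer object's SPN list (e.g. setspn output) lacks the replication SPN.

    SPN matching is case-insensitive, so a value that differs only in case is not
    missing; setspn -A would refuse to add such a duplicate anyway.
    """
    wanted = target.spn.lower()
    return all(s.strip().lower() != wanted for s in registered_spns)


def setspn_add_command(target: ReplicationTarget, dc_name: str) -> str:
    """Build the exact setspn command from the WORKAROUND section for the named DC."""
    return f"setspn -A {target.spn} {dc_name}"


if __name__ == "__main__":
    tgt = parse_event_1645(SAMPLE_EVENT_1645)
    # dc_name is assumed to be DC1, the name that ping -a resolved in the article.
    if is_replication_spn_missing(BROKEN_SPNS, tgt):
        print(setspn_add_command(tgt, "DC1"))
```

Run the script against the real Description text of an event 1645 from your own Directory Service log and the output of setspn for the target DC; the GUID cross-check is there so that an event copied from the wrong DC does not produce a command that registers the SPN on the wrong computer object.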
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.
Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbDirServices kbfix kbWin2000PreSP3Fix kbWin2000sp3fix KB308111