You receive a "Directory Service failed to replicate the partition" error message when you try to promote a member server to a domain controller over a VPN connection (295582)


The information in this article applies to:

  • Microsoft Windows 2000 Server
This article was previously published under Q295582
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you try to use the Active Directory Installation Wizard to promote a member server to a domain controller through a virtual private network (VPN), you may receive an error message similar to the following during the replication of the Schema container:
The operation failed because: The directory service failed to replicate the partition CN=Schema,CN=Configuration,DC=domainname,DC=com from remote server servername.domainname.com.
Could not find the domain controller for this domain.
You may also receive the following error message:
The specified network name is no longer available.

CAUSE

This issue may be caused by fragmentation of User Datagram Protocol (UDP) Kerberos traffic.

WORKAROUND

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To work around this issue, force Kerberos to communicate over TCP instead of by UDP. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then press ENTER.
  2. Expand the following registry key:

    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa/Kerberos/Parameters

    If the Parameters key does not exist, create it now. To do this, follow these steps:
    1. Click Edit, point to New, and then click Key.
    2. Type Parameters, and then press ENTER.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. For the value name, type MaxPacketSize, and then press ENTER.
  5. Double-click MaxPacketSize, type 1 in the Value Data box, and then click OK.
  6. Quit Registry Editor, and then restart the computer.

STATUS

Microsoft has confirmed this to be a problem in Microsoft Windows 2000.

MORE INFORMATION

For additional information about this Kerboros registry entry, click the following article number to view the article in the Microsoft Knowledge Base:

244474 How to force Kerberos to use TCP instead of UDP

To confirm the mtu size, use ping with the -l and -f switches.
Modification Type:MinorLast Reviewed:10/13/2004
Keywords:kberrmsg kbprb KB295582 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.