Orphaned child domain controller information may not be replicated to other Windows 2000 Server-based domain controllers (887430)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

A Microsoft Windows 2000 Server-based child domain is orphaned from the rest of the forest. This child domain can still pull in changes from domain controllers in the parent (root) domain, but no domain controller in the root domain or in any other child domain has knowledge of the domain controllers in the affected child domain. When an administrator tries to view the domain controllers in the orphaned child domain, none are displayed. For example, no domain controllers are displayed under the following container in the configuration naming context:

CN=Servers,CN=Site_Name,CN=Sites,CN=Configuration,DC=Domain_Name,DC=com

CAUSE

This issue may occur because the child domain was orphaned from the parent domain.

RESOLUTION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this issue, you must create a replication link manually, and you must temporarily allow one-way authentication in place of the two-way authentication that replication normally requires. To do this, follow these steps:
  1. On a domain controller in the root domain, add the Replicator Allow SPN Fallback registry value. To do this, follow these steps.

    Note Perform steps 1 through 6 on this same domain controller.
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type Replicator Allow SPN Fallback, and then press ENTER.
    5. Double-click Replicator Allow SPN Fallback in the right-pane, type 1 in the Value data box, and then click OK.
    6. Restart the domain controller.
  2. At a command prompt, type the following:

    repadmin /options FQDN_of_the_root_domain_controller +DISABLE_NTDSCONN_XLATE

    Note The Repadmin.exe tool is located in the Windows 2000 Support Tools.

    For additional information about how to install the Windows 2000 Support Tools, click the following article number to view the article in the Microsoft Knowledge Base:

    301423 How to install the Windows 2000 support tools to a Windows 2000 Server-based computer

  3. At a command prompt, type the following:

    repadmin /add CN=Configuration,DC=Domain_Name,DC=Domain_Name FQDN_of_the_root_domain_controller FQDN_of_the_child_domain_controller

  4. At a command prompt, type repadmin /showreps. A successful incoming connection should be displayed for the configuration naming context from the child domain controller.
  5. At a command prompt, type the following:

    repadmin /options FQDN_of_the_root_domain_controller -DISABLE_NTDSCONN_XLATE

  6. Remove the Replicator Allow SPN Fallback registry entry. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    3. Right-click Replicator Allow SPN Fallback, click Delete, and then click OK.
  7. Force replication between all domain controllers in the root domain. To do this, follow these steps:
    1. On a domain controller in the root domain, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. Expand Sites, expand Servers, expand your Server_Name folder, and then click NTDS Settings.
    3. If there are other domain controllers in your environment to replicate with, they are listed in the right pane. Right-click the first domain controller in the list, click All Tasks, and then click Check Replication Topology to start the Knowledge Consistency Checker (KCC).

      An incoming connection object from one or more of the child domain controllers is displayed. You may have to update the display by pressing F5.

      Note You must perform this step for each domain controller in the root domain.
  8. Allow replication to occur throughout the forest. Then, run the repadmin /showreps command on the root domain controller and on the child domain controllers. This step makes sure that Active Directory directory service replication is successful.

    Note The "Replicator Allow SPN Fallback" registry entry lets Active Directory fall back to one-way authentication when two-way authentication cannot be performed because a Service Principal Name (SPN) cannot be resolved to a computer account. Because the entry relaxes the usual mutual authentication between replication partners, keep it set only for as long as the steps above require and remove it as soon as the replication link exists.
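The following batch script is an added example of the resolution above, written for this article and not part of the original Knowledge Base text or of the Windows 2000 Support Tools. It groups the steps into three phases that are run on the root domain controller in order (prepare, reboot, link, cleanup), so that the fallback registry entry is created and removed deliberately and the DISABLE_NTDSCONN_XLATE option is always restored even when a repadmin step fails. The server names, the domain name contoso.com, and the %TEMP% file name are placeholders that you replace with your own values; the check in the link phase assumes that repadmin /showreps lists the source partner by server name.

```batch
@echo off
setlocal
rem Added example (not from KB 887430). Run on the ROOT domain controller
rem as a Domain Admin. The values below are placeholders; replace them.
set ROOTDC=rootdc01.contoso.com
set CHILDDC=childdc01.child.contoso.com
set CHILDNAME=childdc01
set CONFIG_NC=CN=Configuration,DC=contoso,DC=com
set NTDS_KEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
set REGFILE=%TEMP%\spnfallback.reg

if "%1"=="prepare" goto prepare
if "%1"=="link" goto link
if "%1"=="cleanup" goto cleanup
echo Usage: %~nx0 prepare ^| link ^| cleanup
goto :eof

:prepare
rem Step 1: create "Replicator Allow SPN Fallback" = 1 (REG_DWORD) from a
rem REGEDIT4 file, then ask the operator to restart this domain controller.
>"%REGFILE%"  echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%NTDS_KEY%]
>>"%REGFILE%" echo "Replicator Allow SPN Fallback"=dword:00000001
regedit /s "%REGFILE%"
echo Registry value set. Restart this domain controller, then run: %~nx0 link
goto :eof

:link
rem Steps 2-5: turn off connection-object translation, add the inbound
rem Configuration-NC link from the child DC, verify it, then turn
rem translation back on. The option is restored even if a step fails.
repadmin /options %ROOTDC% +DISABLE_NTDSCONN_XLATE
if errorlevel 1 goto fail
repadmin /add "%CONFIG_NC%" %ROOTDC% %CHILDDC%
if errorlevel 1 set FAILED=1
rem Step 4: the child DC should now appear as an inbound partner.
repadmin /showreps %ROOTDC% | find /i "%CHILDNAME%" >nul
if errorlevel 1 set FAILED=1
rem Step 5: always restore the option before reporting the result.
repadmin /options %ROOTDC% -DISABLE_NTDSCONN_XLATE
if defined FAILED goto fail
echo Inbound link from %CHILDNAME% is present. Now run: %~nx0 cleanup
goto :eof

:cleanup
rem Step 6: delete the fallback value ("=-" removes a value in a .reg file)
rem so that replication returns to two-way authentication.
>"%REGFILE%"  echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%NTDS_KEY%]
>>"%REGFILE%" echo "Replicator Allow SPN Fallback"=-
regedit /s "%REGFILE%"
del "%REGFILE%"
echo Registry value removed. Run Check Replication Topology on each root DC
echo (step 7), then confirm with: repadmin /showreps
goto :eof

:fail
echo A repadmin step failed; review the output above before continuing.
exit /b 1
```

The redirection operators are placed at the start of each echo line on purpose: in cmd.exe a digit immediately before `>` is read as a file-handle number, so `echo ...00> file` would not write the intended text. The REGEDIT4 header is used because regedit on Windows 2000 accepts it for ANSI files such as the ones echo produces.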

REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

244368 How to optimize Active Directory replication in a large network

262561 Replication not working properly between domain controllers after deleting one from Sites and Services

232538 Unsuccessful replication without partner listed


Modification Type: Minor
Last Reviewed: 5/15/2006
Keywords: kbnetwork kbActiveDirectoryRepl kbtshoot kbprb KB887430 kbAudITPRO