SPNs are not registered in an Active Directory site that includes only read-only domain controllers

Article ID: 942304

SYMPTOMS

In an Active Directory site that includes only read-only domain controllers (RODCs), service principal names (SPNs) are not registered. Therefore, you may experience various problems on client computers that are running Windows Vista, Windows Server 2003, or Windows XP. For example, you cannot install Microsoft ISA Server. Or, mutual authentication fails.

CAUSE

These problems occur when account credentials are not cached on an RODC. If the account credentials are not cached, RODCs cannot write SPNs for client computer accounts on a writable domain controller.

WORKAROUND

To work around these problems, use one of the following methods:
  • In the Active Directory site, enable the Password Replication Policy to cache the credentials for all client computer accounts on the RODCs.

    For more information about the Password Replication Policy, visit the following Microsoft Web site:
    http://technet2.microsoft.com/windowsserver2008/en/library/ea8d253e-0646-490c-93d3-b78c5e1d9db71033.mspx?mfr=true
  • Use the Setspn command-line tool to manually register the SPN on the RODCs.

    The Setspn command-line tool is included in the Windows Server 2003 Support Tools package. To install the Windows Support Tools package, double-click the Suptools.msi file in the Support\Tools folder on the Windows Server 2003 installation CD. For more information about the Setspn tool, visit the following Microsoft Web site:
    http://technet2.microsoft.com/WindowsServer/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx?mfr=true
  • Register the SPN on the writable domain controller, and force the replication on the RODC.
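As an added example that is not part of the KB article, the following PowerShell script combines the second and third workarounds: it lists the computer account's HOST SPNs with setspn -L, registers any that are missing with setspn -A (after an LDAP check that no other account already owns them, since duplicate SPNs break Kerberos for both accounts), and then forces replication to the RODC with repadmin /replicate. The computer, domain and domain controller names are placeholders; setspn.exe and repadmin.exe are assumed to be on the path and the caller is assumed to have rights to write servicePrincipalName on the computer object.

```powershell
# Added example (not from the KB article): check a computer account's HOST SPNs,
# register any that are missing on a writable DC, then push them to the RODC.
param(
    [Parameter(Mandatory)] [string]$ComputerName,   # e.g. CLIENT01 (placeholder)
    [Parameter(Mandatory)] [string]$DnsDomain,      # e.g. corp.example.com (placeholder)
    [Parameter(Mandatory)] [string]$WritableDC,     # e.g. DC01.corp.example.com (placeholder)
    [Parameter(Mandatory)] [string]$Rodc            # e.g. RODC01.corp.example.com (placeholder)
)

$account = "$ComputerName`$"   # sAMAccountName of a computer object ends with '$'

# The SPNs a client normally registers for itself: short and fully qualified HOST entries.
$expected = @("HOST/$ComputerName", "HOST/$ComputerName.$DnsDomain")

# Read the currently registered SPNs. 'setspn -L' prints one SPN per indented line
# under a "Registered ServicePrincipalNames for CN=...:" header.
$registered = setspn -L $account 2>&1 |
    Where-Object { $_ -match '^\s+\S+/' } |
    ForEach-Object { $_.Trim() }

$missing = $expected | Where-Object { $registered -notcontains $_ }

if (-not $missing) {
    Write-Host "All expected HOST SPNs are already registered for $account."
    return
}

foreach ($spn in $missing) {
    # LDAP check against the current domain: refuse to add an SPN another object
    # already owns, because a duplicate SPN breaks Kerberos for both accounts.
    $owners = ([adsisearcher]"(servicePrincipalName=$spn)").FindAll()
    if ($owners.Count -gt 0) {
        Write-Warning "Skipping $spn - already registered on: $($owners | ForEach-Object { $_.Path })"
        continue
    }
    Write-Host "Registering $spn for $account"
    # setspn writes to a writable DC; the RODC only receives the change by replication.
    setspn -A $spn $account | Out-Null
}

# Pull the updated computer object from the writable DC to the RODC so clients in
# the RODC-only site see the new SPNs without waiting for the replication schedule.
$domainDN = 'DC=' + (($DnsDomain -split '\.') -join ',DC=')
repadmin /replicate $Rodc $WritableDC $domainDN
```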

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 942304 - Last Review: October 9, 2007 - Revision: 2.2
APPLIES TO
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Vista Business
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
Keywords: 
kbtshoot kbprb kbpubtypekc kbexpertiseinter kbexpertisebeginner KB942304
