In an Active Directory site that includes only read-only domain controllers (RODCs), service principal names (SPNs) are not registered. Therefore, you may experience various problems on client computers that are running Windows Vista, Windows Server 2003, or Windows XP. For example, you cannot install Microsoft ISA Server. Or, mutual authentication fails.
These problems occur when account credentials are not cached on an RODC. If the account credentials are not cached, RODCs cannot write SPNs for client computer accounts on a writable domain controller.
To work around these problems, use one of the following methods:
- In the Active Directory site, enable the Password Replication Policy to cache the credentials for all client computer accounts on the RODCs.
For more information about the Password Replication Policy, visit the following Microsoft Web site: - Use the Setspn command-line tool to manually register the SPN on the RODCs.
The Setspn command-line tool is included in the Windows Server 2003 Support Tools package. To install the Windows Support Tools package, double-click the Suptools.msi file in the Support\Tools folder on the Windows Server 2003 installation CD. For more information about the Setspn tool, visit the following Microsoft Web site: - Register the SPN on the writable domain controller, and force the replication on the RODC.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top
