Troubleshooting AD Replication error 8589: The DS cannot derive a service principal name (SPN)

Applies to: Windows Server 2019, all versionsWindows Server 2016 StandardWindows Server 2012 R2 Standard More

Symptoms


This article describes symptoms, cause and resolution steps for cases where AD operations fail with Win32 error 8589.


Error 8589: "The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute. 

Symbolic error: ERROR_DS_CANT_DERIVE_SPN_WITHOUT_SERVER_REF

You will see any of the following errors/warning when troubleshooting Active Directory replication.

  1. DCDIAG reports that the Active Directory Replications test has failed with error status (8589): The DS cannot derive a service principal name (SPN) ith which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

    Sample error text from DCDIAG is shown below:  

    Testing server: <site>\<DC name>

    Starting test: Replications

    * Replications Check

    [Replications Check,<DC name>] A recent replication attempt failed:

    From <source DC> to <destination DC>

    Naming Context: DC=<DN path>

    The replication generated an error (8589):


    The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

    The failure occurred at <date> <time>.

    The last success occurred at (never)| <date>.

  2. DCDiag.exe shows the following warning:   

    An Warning Event occurred. EventID: 0x80000785

    Time Generated: 07/21/2010 18:25:37

    Event String: The attempt to establish a replication link for the following writable directory partition failed.
    Directory partition:
    DC=ForestDnsZones,DC=contoso,DC=com
    Source domain controller:
    CN=NTDS Settings,CN=DCSRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contosoDC=com
    Source domain controller address:
    <source DC NTDS Settings Obejct GUID>._msdcs.contoso.com
    Intersite transport (if any):
    This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

    User Action
    Verify if the source domain controller is accessible or network connectivity is available.

    Additional Data
    Error value:
    8589

    The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

  3. REPADMIN.EXE reports that the last replication attempt has failed with status 8589

    REPADMIN commands that commonly cite the 8589 status include but are not limited to:
    • REPADMIN /SHOWREPL REPADMIN /SHOWREPS
    • REPADMIN /REPLSUM REPADMIN /SYNCALL

    Repadmin /showrepl returns the following error:

    Source: <Site Name>\<DC Name>

    ******* <n> CONSECUTIVE FAILURES since <Date & Time>

    Last error: 8589 (0x218d):

    The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

  4. Events in the Directory Services event log that cite the error status 8589

    Events, which commonly cite the 8589 status, include but are not limited to:
    Event Source and Event IDMessage String
    NTDS Replication / ActiveDirectory_DomainService 1411Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.
    NTDS Replication 2023The local domain controller was unable to replicate changes to the following remote domain controller for the following directory partition.
    NTDS KCC 1925The attempt to establish a replication link for the following writable directory partition failed.

Cause


The event most commonly occurs on a DC after a replication partner has been forcefully demoted and re-promoted prior to allowing end-to-end replication to complete. This can also happen when you rename a domain controller and the serverReference attribute is not updated.  The serverReference attribute in this instance is the Server object viewable in the Active Directory Sites and Services MMC (adsiedit.msc).  The server object is the parent object of the domain controller's NTDS Settings object.

Resolution


Verify the serverReference attribute is not missing or set to an incorrect value and update it to the correct value.

  1. Find the domain controller that is referenced in the event ID 1411. There are a few options we can use to find this. The simples is to use ping (option A). If ping fails, use PowerShell (option B). If PowerShell is not an option then you can use ldp.exe (option C). (Note: if your DCs are 2003 and you are not able to install PowerShell on it , you may use PowerShell from a Windows 7 domain joined client or a Windows 2008 or Windows 2008 R2 server)     


    Option A
    Use NSLookup or ping to find the DC listed in <source DC NTDS Settings Obejct GUID>._msdcs.contoso.com

    Example :

     Ping 3dab7f9b-92e7-4391-b8db-71df532c1493._msdcs.contoso.com

    Pinging DCSRV02.contoso.com [IP] with 32 bytes of data :

    Reply from [IP]: bytes=32 time<1ms TTL=128
    Reply from [IP]: bytes=32 time<1ms TTL=128
    Reply from [IP]: bytes=32 time<1ms TTL=128
    Reply from [IP]: bytes=32 time<1ms TTL=128

    Option B
    Use PowerShell to find the DC referenced. There are two PowerShell methods you can use. To do this open the “Active Directory Module for Windows PowerShell”

    Method 1:
    Run the following two PowerShell cmdlets. In the first cmdlet replace the partition name "CN=Configuration,DC=contoso,DC=com" with the DN of your Configuration partition. Replace the server name "DCSRV01.contoso.com" with the name of your domain controller. In the second cmdlet replace the GUID 3dab7f9b-92e7-4391-b8db-71df532c1493 with the GUID in your event ID 1411.

    $list = Get-ADObject -Filter 'ObjectClass -eq "ntdsdsa"' -SearchBase 'CN=Configuration,DC=contoso,Dc=com' -Server DCSRV01.contoso.com
    -includedeletedobjects -Properties *

    foreach ($dc in $list) {if ($dc.ObjectGUID -match "3dab7f9b-92e7-4391-b8db-71df532c1493") {Echo $dc.DistinguishedName}}


    Method 2:
    Another PowerShell option is to run the following and then search the output text file. Replace the DCSRV01.contoso.com  with a DC in your environment.

    Get-ADObject -Filter 'ObjectClass -eq "ntdsdsa"' -SearchBase 'CN=Configuration,DC=contoso,Dc=com' -Server DCSRV01.contoso.com -includedeletedobjects > C:\NTDSDSA.txt

    Then search NTDSA.txt for the GUID referenced in event ID 141

    Option C

    Use Ldp.exe

    1. Click Start, and then click Run
    2. Type LDP.exe and then press ENTER.
    3. On the Connections menu, click Bind and click OK.
    4. On the View menu, click Tree.
    5. In BaseDN, click the drop-down list arrow, click the distinguished name of your Configuration partition and click OK.
    6. In the Options menu, click Controls.
    7. In the Controls dialog box, expand the Load Predefined menu, click Return deleted objects and click OK.
       (Note that the 1.2.840.113556.1.4.417 control will show in the Active Controls list)
    8. On the Browse menu, click Search
    9. In the Base DN box, type :
    CN=Sites, CN=Configuration,DC=contoso,DC=com
       (Replace contoso and com with the appropriate domain name.)
    11.In the Filter box, type
    (objectClass=ntdsdsa)
    12.In the Scope box, select Subtree
    13.In the Attributes box type an * (asterisk)
    14.Click Run
    15.On the right side search for the GUID in objectGUID attribute to find the server it is referencing.



    Option D

    1. Obtain repadmin /showrepl output from the destination DC reporting the 8589 status. 
    2. Using the repadmin /showrepl output obtained from the previous step, identify the 8589 replication status within the output and document the date and time-stamp following the Last Attempt message. 
    3. Using the date and timestamp from the previous step, locate the corresponding event ID 1411 in the Directory Services event log on the destination DC.  Take note that the DSA object GUID listed in the repadmin /showrepl output is different from what is reported in the event ID 1411.(see example senario below)
    4. Then find the domain controller listed in the event ID 1411, by either checking the NTDS Settings Properties General Tab or by pinging the GUID in the event ID.
    5. Bind to the Source DC using ADSIEDIT or Active Directory Users and Computers and open up the Attribute Editor and copy the value in serverReference. Paste in the value of this attribute on the destination DCs copy of the object. (Step 2)


      
  2. Once you have located the server being referenced using one of the above methods, do the following:

    1) Click Start, and then click Run
    2) Type ADSIEDIT.msc and press ENTER
    3) Right click “ADSI Edit” and select “Connect to…
    4) In “Connection Point” under “Select a well known Naming Context:” select “Configuration” and click OK.
    3) On left pane, expand “Configuration
    4) Next expand “CN=Configuration,DC=contoso,DC=com
    5) Next expand “CN=Sites
    6) Under CN=Sites, expand the site in which the server is located.
      Example: Default-First-Site-Name
    7) Under that site expand CN=Servers.
      Example: If DCSRV02 is in the Default-First-Site-Name site in Contoso.com you should be in:
      CN=DCSRV02, CN=Servers, CN=Default-First-Site-Name, CN=Sites, CN=Configuration, DC=contoso, DC=com
    8) Right click on the domain controller (found using Option A, B or C) and select Properties.
    9) In the “Attribute Editor” tab scroll down to serverReference attribute.
    10) The serverReference should be similar to
      CN=DCSRV02,OU=Domain Controllers,DC=Contoso,DC=com
              If it’s missing or incorrect then change it to the correct value.
     11) Close ADSIEDIT.msc

More Information


Example Scenario

1. Obtain repadmin /showrepl output from the destination DC reporting the 8589 status. 
2. Using the repadmin /showrepl output obtained from the previous step, identify the 8589 replication status within the output and document the date and time-stamp following the Last Attempt message. 

Repadmin /showrepl output

Liverpool\LIVCONTOSODCDSA Options: IS_GC 
Site Options: (none)
DSA object GUID: 139af056-538d-4bea-a78d-9ba81d9a0403

DSA invocationID: e166f5b7-5adc-4670-b147-783ae1850263



==== INBOUND NEIGHBORS ======================================



DC=Contoso,DC=com



    Charlotte\CONTOSOROOTDC1 via RPC

        DSA object GUID: bd630d6d-f6c1-4958-971d-7e4671c3f93a

        Last attempt @ 2012-03-08 12:43:05 was successful.



CN=Configuration,DC=Contoso,DC=com



    Houston\5THWARDCORPDC via RPC

        DSA object GUID: 1eb475f2-1265-46af-a04c-be48aea706b0

        Last attempt @ 2012-03-08 12:31:21 failed, result 8589 (0x218d):



            The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.



        1700 consecutive failure(s).



        Last success @ (never).

Using the date and timestamp from the previous step, locate the corresponding event ID 1411 in the Directory Services event log on the destination DC.  Take note that the DSA object GUID listed in the repadmin /showrepl output is different from what is reported in the event ID 1411.

Directory Services Event Log

Log Name:      Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 3/8/2012 12:31:21 PM
Event ID: 1411
Task Category: DS RPC Client
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: LIVCONTOSODC.Contoso.com
Description:
Active Directory Domain Services failed to construct a mutual authentication service principal name (SPN) for the following directory service.

Directory service:
3dab7f9b-92e7-4391-b8db-71df532c1493._msdcs.Contoso.com

The call was denied. Communication with this directory service might be affected.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.
NTDS Settings Properties


Click Cancel and then view the properties for the server object (5thWardCorpDC in this example) select the Attribute Editor tab (Server 2008 and later) or use ADSIEDIT to edit the object on Server 2003

Notice that the serverReference attribute is not set in the following image


Domain Controller Attributes


Bind to the Source DC using ADSIEDIT or Active Directory Users and Computers and open up the Attribute Editor and copy the value in serverReference.  Paste in the value of this attribute on the destination DCs copy of the object.


Attribute Editor


After the serverReference attribute is set correctly for the domain controller is shows as follows :

Correct serverReference