In some Dcpromo.exe update situations, the replication service principal name (SPN) of a domain controller may be lost. Without that SPN, other domain controllers cannot authenticate their replication RPC calls to the affected server, so replication with it stops working.
One method to identify this problem is to examine the Directory Service event log. Look for an entry similar to:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1645
Date: 6/12/2001
Time: 11:12:15 AM
User: Everyone
Computer: DC2
Description: The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com.
Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.
The servicePrincipalName attribute is a multiple-valued, non-linked attribute. In some Dcpromo.exe update situations, the replication SPN may be lost because of a conflict between the write that registers it and another concurrent write to the same attribute.
The domain controller that accepted the conflicting value now holds a copy of the remote domain controller's computer account without the replication SPN, so it cannot authenticate to that domain controller and cannot replicate with it. Because it cannot replicate, it never receives the correct, updated SPN through replication, and the problem does not clear itself.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
The English version of this fix should have the following file attributes or later:
You can use the following workaround to restore replication.
NOTE: This method may cause other SPN values that are not automatically regenerated by the computer to be lost. In some situations, it may be better to install the hotfix that is mentioned in this article.
Identify the domain controller that is missing the replication SPN. A simple method is to run ping -a against the GUID-based DNS name (the CNAME under _msdcs) recorded in event ID 1645; the reverse lookup in the output gives the host name of the domain controller that owns that NTDS Settings GUID. For example:
C:\>ping -a 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com

Pinging DC1.mydomain.com [xxx.xxx.xxx.189] with 32 bytes of data:

Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128

Ping statistics for xxx.xxx.xxx.189:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
On the domain controller that logged event 1645, determine if the replication SPN entry is missing for the remote domain controller:
C:\>setspn DC1
Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com:
In this example, the list that Setspn prints for DC1 when you run the command from DC2 contains no entry that begins with E3514235-4B06-11D1-AB04-00C04FC2DCD2/, that is, the replication SPN for DC1 is missing from the copy of the directory that DC2 holds.
Use Setspn to add the missing SPN for DC1. Run it from the domain controller that logged event 1645 (the one that showed the missing entry in the previous step) and add the replication SPN in the following form:
setspn -A E3514235-4B06-11D1-AB04-00C04FC2DCD2/GUID_of_the_NTDS_settings_object/DNS_name_of_the_domain Name_of_the_domain_controller
where GUID_of_the_NTDS_settings_object is the GUID that identifies the target domain controller (the GUID recorded in event 1645 and used in the ping command above), DNS_name_of_the_domain is the DNS name of the domain, and Name_of_the_domain_controller is the name of the domain controller that is missing the SPN.
This is an example of the form to use:
setspn -a E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com DC1
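The steps above, from reading event 1645 to building the setspn command, as an added example that is not part of the original article or a Microsoft tool. It parses a pasted event 1645 description, maps the GUID-based _msdcs name to a domain controller (the offline equivalent of the ping -a step), and checks every domain controller's servicePrincipalName values for the replication SPN, printing the setspn -A command for each one that is missing it. The event text and the SPN snapshot are constructed sample data (DC2's NTDS Settings GUID is made up); on a real domain the snapshot would come from setspn -L or an LDAP query against each computer account.

```python
"""Check replication SPNs against the NTDS Settings GUID named in event 1645.

Added example for this article, not Microsoft code. It runs offline on a
pasted event description and a constructed snapshot of servicePrincipalName
values; on a real domain the snapshot would come from `setspn -L <DC>` or an
LDAP query of each domain controller's computer account.
"""
import re

# Well-known service class of the Active Directory replication SPN.
DRS_SERVICE_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
# "... The server being contacted is <guid>._msdcs.<domain>. The SPN being used is <spn>."
TARGET_RE = re.compile(
    r"server being contacted is (" + GUID + r")\._msdcs\."
    r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)\.?(?=\s|$)"
)
SPN_RE = re.compile(r"The SPN being used is (\S+?)\.?(?=\s|$)")


def expected_replication_spn(ntds_settings_guid, domain_dns_name):
    """Build the replication SPN a DC must carry, in the form used by the article."""
    return f"{DRS_SERVICE_CLASS}/{ntds_settings_guid}/{domain_dns_name}"


def parse_event_1645(description):
    """Pull the target DSA GUID, the domain and the attempted SPN out of event 1645 text."""
    target = TARGET_RE.search(description)
    spn = SPN_RE.search(description)
    if not target or not spn:
        raise ValueError("description does not look like NTDS Replication event 1645")
    return {
        "dsa_guid": target.group(1).lower(),
        "domain": target.group(2).lower(),
        "spn": spn.group(1),
    }


def target_dc_for_event(event, dcs):
    """Map the GUID-based _msdcs name to a DC name: the offline equivalent of `ping -a`."""
    for name, info in dcs.items():
        if info["ntds_settings_guid"].lower() == event["dsa_guid"]:
            return name
    return None


def find_missing_replication_spns(dcs, domain_dns_name):
    """Return {dc_name: setspn command} for every DC whose replication SPN is absent.

    SPNs are compared case-insensitively because Active Directory treats them that way.
    """
    fixes = {}
    for name, info in dcs.items():
        want = expected_replication_spn(info["ntds_settings_guid"], domain_dns_name)
        registered = {s.lower() for s in info["spns"]}
        if want.lower() not in registered:
            fixes[name] = f"setspn -A {want} {name}"
    return fixes


# Constructed sample data mirroring the article: DC1 has lost its replication SPN;
# DC2 (with a made-up NTDS Settings GUID) still carries its own.
SAMPLE_EVENT = (
    "The Directory Service received a failure while trying to perform an authenticated "
    "RPC call to another Domain Controller. The failure is that the desired Service "
    "Principal Name (SPN) is not registered on the target server. The server being "
    "contacted is 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. The SPN "
    "being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
    "3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com."
)
SAMPLE_DCS = {
    "DC1": {
        "ntds_settings_guid": "3cb25b0f-3809-48fb-8571-59f4a2253846",
        "spns": ["HOST/DC1", "HOST/DC1.mydomain.com", "LDAP/DC1.mydomain.com"],
    },
    "DC2": {
        "ntds_settings_guid": "9a7d3c21-5e6f-4b80-9c1d-2e3f4a5b6c7d",  # constructed
        "spns": [
            "HOST/DC2",
            "HOST/DC2.mydomain.com",
            "E3514235-4B06-11D1-AB04-00C04FC2DCD2/9a7d3c21-5e6f-4b80-9c1d-2e3f4a5b6c7d/mydomain.com",
        ],
    },
}

if __name__ == "__main__":
    event = parse_event_1645(SAMPLE_EVENT)
    print("event 1645 targets", target_dc_for_event(event, SAMPLE_DCS), "with SPN", event["spn"])
    for dc, cmd in find_missing_replication_spns(SAMPLE_DCS, event["domain"]).items():
        print(f"{dc}: replication SPN missing, run: {cmd}")
```

The check also confirms that the SPN named in the event is exactly the one the article's formula produces for the target GUID and domain; if the two differ, the event points at a name or domain problem rather than a lost SPN, which is the other case the event text asks you to rule out.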
After the replication SPN is in place, the domain controller can replicate with its partner. Note that adding this single value causes this less-complete SPN list (only the replication SPN, without the other values the domain controller normally registers for itself) to be replicated throughout the domain. Eventually, the owning domain controller identifies this change and re-registers its domain-controller-specific SPN values automatically. At some point, running Setspn again on the domain controller will list the repopulated SPN values. For example:
The fix in the service pack resolves the problem differently: it lets a domain controller continue replicating with a partner whose replication SPN is missing, after performing additional validation of that partner, so that the true SPN list can be replicated and restored.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server product
For additional information about how to install multiple hotfixes with only one reboot, click the following article number to view the article in the Microsoft Knowledge Base:
296861 How to install multiple Windows updates or hotfixes with only one reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes