A missing service principal name may prevent domain controllers from replicating

In some Dcpromo.exe update situations, the replication service principal name (SPN) may be lost. This causes replication not to work.

One method to identify this problem is to examine the Directory Service event log. Look for an entry similar to:
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1645
Date: 6/12/2001
Time: 11:12:15 AM
User: Everyone
Computer: DC2
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com@mydomain.com.

Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.

The servicePrincipalName attribute is a multiple-valued, non-linked attribute. In some Dcpromo.exe update situations, the replication SPN may be lost because of a conflict with another write process on this attribute.

The domain controller that accepts the conflicting SPN value cannot replicate with the domain controller for which the SPN attribute is written. Because the domain controller cannot replicate, the domain controller never receives the correct updated SPN through replication.

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack

The English version of this fix should have the following file attributes or later:
   Date         Time   Version        Size     File name
   --------------------------------------------------------
   30-Nov-2001  14:40  5.0.2195.4685  123,664  Adsldp.dll
   30-Nov-2001  14:40  5.0.2195.4628  130,320  Adsldpc.dll
   30-Nov-2001  14:40  5.0.2195.4016   62,736  Adsmsext.dll
   30-Nov-2001  14:40  5.0.2195.4653  356,112  Advapi32.dll
   30-Nov-2001  14:40  5.0.2195.4571   82,704  Cmnquery.dll
   30-Nov-2001  14:40  5.0.2195.4141  133,904  Dnsapi.dll
   30-Nov-2001  14:40  5.0.2195.4379   91,408  Dnsrslvr.dll
   30-Nov-2001  14:40  5.0.2195.4534   41,744  Dsfolder.dll
   30-Nov-2001  14:40  5.0.2195.4534  156,944  Dsquery.dll
   30-Nov-2001  14:40  5.0.2195.4574  110,352  Dsuiext.dll
   30-Nov-2001  14:44  5.0.2195.4685  521,488  Instlsa5.dll
   30-Nov-2001  14:40  5.0.2195.4630  145,680  Kdcsvc.dll
   26-Nov-2001  16:33  5.0.2195.4680  199,440  Kerberos.dll
   04-Sep-2001  08:32  5.0.2195.4276   71,024  Ksecdd.sys
   26-Nov-2001  17:55  5.0.2195.4685  503,568  Lsasrv.dll
   26-Nov-2001  15:55  5.0.2195.4685   33,552  Lsass.exe
   26-Nov-2001  16:32  5.0.2195.4680  107,280  Msv1_0.dll
   30-Nov-2001  14:40  5.0.2195.4594  306,960  Netapi32.dll
   30-Nov-2001  14:40  5.0.2195.4686  359,184  Netlogon.dll
   30-Nov-2001  14:40  5.0.2195.4703  913,680  Ntdsa.dll
   30-Nov-2001  14:40  5.0.2195.4627  387,856  Samsrv.dll
   30-Nov-2001  14:40  5.0.2195.4583  128,784  Scecli.dll
   30-Nov-2001  14:40  5.0.2195.4600  299,792  Scesrv.dll
   30-Nov-2001  14:40  5.0.2195.4600   48,400  W32time.dll
   06-Nov-2001  11:43  5.0.2195.4600   56,592  W32tm.exe
   30-Nov-2001  14:40  5.0.2195.4684  125,712  Wldap32.dll

You can use the following workaround to restore replication.

NOTE: This method may cause other SPN values that are not automatically regenerated by the computer to be lost. In some situations, it may be better to install the hotfix that is mentioned in this article.
  1. Identify the domain controller that is missing the replication SPN. A simple method for doing this is to ping the DNS name that is documented in event ID 1645. For example:
    C:\>ping -a 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com

    Pinging DC1.mydomain.com [xxx.xxx.xxx.189] with 32 bytes of data:

    Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
    Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
    Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128
    Reply from xxx.xxx.xxx.189: bytes=32 time<10ms TTL=128

    Ping statistics for xxx.xxx.xxx.189:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
  2. On the domain controller that logged event 1645, determine if the replication SPN entry is missing for the remote domain controller:
    C:\>setspn DC1
    Registered ServicePrincipalNames for CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com:
    In this example, you see a missing SPN entry for DC1 when you run the command from DC2.

  3. Use Setspn to add the missing SPN for DC1. Add the replication SPN in the following form:
    setspn -A E3514235-4B06-11D1-AB04-00C04FC2DCD2/GUID_of_the_NTDS_settings_object/DNS_name_of_the_domain Name_of_the_domain_controller
    where GUID_of_the_NTDS_settings_object is the GUID that identifies this domain controller (the domain controller that is documented in event 1645 and that you used with the ping command), DNS_name_of_the_domain is the DNS name of the domain, and Name_of_the_domain_controller is the name of the domain controller that is missing the SPN.

    This is an example of the form to use:
    setspn -a E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com DC1
  4. After the replication SPN is in place, the domain controller can replicate with its partner. Note that updating this SPN value causes this less-complete version of the SPN to be replicated throughout the domain. Eventually, the owning domain controller will identify this change and update the domain-controller-specific SPN values automatically. At some point, running Setspn again on the domain controller will list the repopulated SPN values. For example:
    setspn dc1

    Registered ServicePrincipalNames for CN=dc1,OU=Domain
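The following Python script is an added example and is not part of this article or of the Setspn tool. It performs steps 2 and 3 of the workaround as an offline check: it parses the message text of event 1645 to recover the target server's GUID-based DNS name and the SPN that was tried, rebuilds the replication SPN from that name as a cross-check, compares it against the SPN list printed by "setspn <name>", and prints the exact "setspn -A" command when the entry is missing. The event text and both setspn outputs are constructed samples modelled on the article's own example; the host name DC1 is assumed to be what "ping -a" resolved in step 1, since DNS cannot be consulted offline.

```python
import re

# Constructed sample of the message body of Directory Service event 1645,
# modelled on the entry quoted in the article (its names and GUIDs are reused).
SAMPLE_EVENT_1645 = (
    "The Directory Service received a failure while trying to perform an "
    "authenticated RPC call to another Domain Controller. The failure is that "
    "the desired Service Principal Name (SPN) is not registered on the target "
    "server. The server being contacted is "
    "3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com. "
    "The SPN being used is "
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/"
    "mydomain.com@mydomain.com."
)

# Constructed sample of what "setspn DC1" printed on DC2 in step 2: only the
# header line, i.e. this replica holds no SPNs at all for DC1.
SAMPLE_SETSPN_EMPTY = (
    "Registered ServicePrincipalNames for "
    "CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com:\n"
)

# Constructed sample of healthy output (SPN lines are indented under the header).
SAMPLE_SETSPN_OK = SAMPLE_SETSPN_EMPTY + (
    "    E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/mydomain.com\n"
    "    HOST/DC1.mydomain.com\n"
    "    HOST/DC1\n"
)

# Class GUID that prefixes every replication SPN (quoted in the article).
REPLICATION_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"


def parse_event_1645(message):
    """Pull the GUID-based DNS name of the target DC and the SPN that was tried
    out of the event text. Returns a dict with keys 'server' and 'spn'."""
    server = re.search(r"The server being contacted is (\S+?)\.?(?:\s|$)", message)
    spn = re.search(r"The SPN being used is (\S+?)\.?(?:\s|$)", message)
    if not server or not spn:
        raise ValueError("not an event 1645 message")
    return {"server": server.group(1), "spn": spn.group(1)}


def strip_realm(spn):
    """The event quotes the SPN with a trailing @REALM; setspn lists and
    registers it without that suffix, so the bare form is what gets compared."""
    return spn.split("@", 1)[0]


def expected_replication_spn(server_dns_name):
    """Rebuild the replication SPN from the <NTDS-settings-GUID>._msdcs.<domain>
    name so that the SPN quoted in the event can be cross-checked against it."""
    ntds_guid, domain = server_dns_name.split("._msdcs.", 1)
    return "%s/%s/%s" % (REPLICATION_SPN_CLASS, ntds_guid, domain)


def parse_setspn_output(text):
    """Return (account DN, [SPNs]) from the output of 'setspn <name>'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or " for " not in lines[0]:
        raise ValueError("unexpected setspn output")
    dn = lines[0].split(" for ", 1)[1].rstrip(":")
    return dn, lines[1:]


def missing_replication_spn(event_message, setspn_output, dc_name):
    """Return the setspn -A command that restores the replication SPN on
    dc_name, or None if the SPN is already registered. dc_name is the host
    that the GUID name resolved to in step 1 (assumed here, not looked up)."""
    event = parse_event_1645(event_message)
    wanted = strip_realm(event["spn"])
    if wanted.lower() != expected_replication_spn(event["server"]).lower():
        raise ValueError("SPN in event does not match the target server's GUID name")
    _, registered = parse_setspn_output(setspn_output)
    if any(s.lower() == wanted.lower() for s in registered):
        return None
    return "setspn -A %s %s" % (wanted, dc_name)


if __name__ == "__main__":
    print(missing_replication_spn(SAMPLE_EVENT_1645, SAMPLE_SETSPN_EMPTY, "DC1"))
    print(missing_replication_spn(SAMPLE_EVENT_1645, SAMPLE_SETSPN_OK, "DC1"))
```

Run against the empty listing the script prints the same "setspn -A ..." line that step 3 shows; against the healthy listing it prints None. The comparison is case-insensitive and drops the "@mydomain.com" realm suffix, because the event log and Setspn quote the same SPN in those two different forms.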

This method resolves the replication problem by allowing replication to continue with computers that have a missing replication SPN after performing some special validation. This allows the true SPN list to be replicated.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.
More information
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server product
For additional information about how to install multiple hotfixes with only one reboot, click the following article number to view the article in the Microsoft Knowledge Base:
296861 How to install multiple Windows updates or hotfixes with only one reboot
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes


Article ID: 308111 - Last Review: 06/19/2014 13:49:00 - Revision: 4.0