SPNs are not registered in an Active Directory site that includes only read-only domain controllers

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
In an Active Directory site that includes only read-only domain controllers (RODCs), service principal names (SPNs) are not registered. Therefore, you may experience various problems on client computers that are running Windows Vista, Windows Server 2003, or Windows XP. For example, you cannot install Microsoft ISA Server, or mutual authentication fails.
CAUSE
These problems occur when account credentials are not cached on an RODC. If the account credentials are not cached, RODCs cannot write SPNs for client computer accounts on a writable domain controller.
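To check whether a given client matches this cause, the following added example (not part of the original article) reads the SPNs on the computer account and tests whether that account's credentials are cached on the RODC. It assumes an administrative workstation with the ActiveDirectory PowerShell module; the function name Test-RodcSpnState and the names RODC01 and CLIENT01 are placeholders.

```powershell
# Added example, not from the original article.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-RodcSpnState {
    param(
        [Parameter(Mandatory = $true)] [string] $RodcName,      # placeholder: the site's RODC
        [Parameter(Mandatory = $true)] [string] $ComputerName   # placeholder: affected client
    )

    # Read the SPNs currently stored on the computer account.
    $computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    $spns = @($computer.servicePrincipalName)

    # A domain-joined computer normally registers HOST/<name> SPNs for itself.
    $hostSpns = @($spns | Where-Object { $_ -like 'HOST/*' })

    # List the accounts whose credentials are currently cached on the RODC
    # and look for this computer account among them.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $RodcName -RevealedAccounts
    $isCached = [bool]($revealed |
        Where-Object { $_.DistinguishedName -eq $computer.DistinguishedName })

    [pscustomobject]@{
        Computer          = $computer.Name
        Rodc              = $RodcName
        HostSpnCount      = $hostSpns.Count
        AllSpns           = $spns
        CredentialsCached = $isCached
        # True when the account has no HOST SPNs and is not cached on the RODC,
        # which is the condition the CAUSE section describes.
        MatchesKbCause    = ($hostSpns.Count -eq 0 -and -not $isCached)
    }
}

# Example call with placeholder names:
# Test-RodcSpnState -RodcName 'RODC01' -ComputerName 'CLIENT01'
```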
WORKAROUND
To work around these problems, use one of the following methods:
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Properties

Article ID: 942304 - Last Review: 01/16/2015 09:49:19 - Revision: 2.2

Windows Vista Enterprise, Windows Vista Ultimate, Windows Vista Business, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Web Edition, Microsoft Windows XP Home Edition, Microsoft Windows XP Professional
