I was recently working on adding some 2008 R2 DCs to a 2003-only AD environment as part of a wider plan to upgrade them all in the next 12 months or so. As soon as I added the first DC I noticed something was up, replication wasn’t working. The Event log on the new 2008 R2 DC was filled with Event ID 1645:
Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN. Destination directory server: vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz._msdcs.domain.com SPN: firstname.lastname@example.org User Action Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.
And Event ID 1925:
The attempt to establish a replication link for the following writable directory partition failed. Directory partition: DC=DOMAIN,DC=com Source directory service: CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=MORDOR,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com Source directory service address: vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz._msdcs.domain.com Intersite transport (if any): This directory service will be unable to replicate with the source directory service until this problem is corrected. User Action Verify if the source directory service is accessible or network connectivity is available. Additional Data Error value: 1396 Logon Failure: The target account name is incorrect.
I’m not ashamed to admit it, this had me stumped, until I spotted the following entry in the event log:
The Security System could not establish a secured connection with the server LDAP/DCNAME.DOMAIN.com/DOMAIN.com@DOMAIN.COM. No authentication protocol was available.
Sure enough, checking with repadmin showed that the version attribute on the krbTgT account was about 100,000. Applying the KB939820 to the 2003 DCs and installing SP1 on the 2008 R2 DCs resolved the issue.