Replication errors after adding a 2008 R2 DC

I was recently working on adding some 2008 R2 DCs to a 2003-only AD environment as part of a wider plan to upgrade them all in the next 12 months or so. As soon as I added the first DC I noticed something was up: replication wasn't working. The event log on the new 2008 R2 DC was filled with Event ID 1645:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

Destination directory server:

vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz._msdcs.domain.com

SPN:

aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz/domain.com@domain.com

User Action

Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.


And Event ID 1925:

The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:

DC=DOMAIN,DC=com

Source directory service:

CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=MORDOR,CN=Sites,CN=Configuration,DC=DOMAIN,DC=com

Source directory service address:

vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz._msdcs.domain.com

Intersite transport (if any):


This directory service will be unable to replicate with the source directory service until this problem is corrected.


User Action

Verify if the source directory service is accessible or network connectivity is available.


Additional Data

Error value:

1396 Logon Failure: The target account name is incorrect.

I'm not ashamed to admit that this had me stumped, until I spotted the following entry in the event log:

The Security System could not establish a secured connection with the server LDAP/DCNAME.DOMAIN.com/DOMAIN.com@DOMAIN.COM. No authentication protocol was available.

That led me to Microsoft KB939820, which seemed somewhat related. Some more research turned up a post from 2007 on the TechNet Active Directory blog discussing another issue.

Sure enough, checking with repadmin showed that the version attribute on the krbtgt account was about 100,000. Applying the KB939820 hotfix to the 2003 DCs and installing SP1 on the 2008 R2 DCs resolved the issue.
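The check described above, as an added example and not code from the original post: it reads the krbtgt account's constructed msDS-KeyVersionNumber (the value the KDC uses as the kvno) and then runs repadmin /showobjmeta against every DC in the domain to pull the replication-metadata version of unicodePwd, so that the inflated value, and any DC that has not yet replicated the current one, stands out side by side. Assumptions: unicodePwd is the attribute the post's "version attribute" refers to, the ActiveDirectory RSAT module and repadmin.exe are available where the script runs, and the -WarnAbove threshold (default 65535) is an arbitrary choice for this example; the post only reports that roughly 100,000 was the problem value.

```powershell
# Added example, not from the original post or from Microsoft.
# Reports the krbtgt key version as each DC sees it, the way repadmin was used
# in the post to spot the ~100,000 value.
# Assumptions: RSAT ActiveDirectory module present, repadmin.exe in PATH, and the
# caller can read replication metadata. $WarnAbove is an arbitrary threshold for
# this example, not a value taken from the post or from KB939820.
param(
    [int]$WarnAbove = 65535
)

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$krbtgtDn = "CN=krbtgt,CN=Users,$($domain.DistinguishedName)"

# msDS-KeyVersionNumber is constructed by the DC from the account's metadata and
# is what appears as the kvno in tickets.
$kvno = (Get-ADUser -Identity krbtgt -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
"krbtgt msDS-KeyVersionNumber (read via $($domain.PDCEmulator)): $kvno"

# Replication metadata: the 'Ver' column for unicodePwd is the per-attribute
# version stamp repadmin shows. Query every DC so a lagging replica is visible.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $meta = & repadmin.exe /showobjmeta $dc.HostName $krbtgtDn 2>&1

    # The attribute name is the last column of each metadata line.
    $pwdLine = $meta | Where-Object { $_ -match '\sunicodePwd\s*$' } | Select-Object -First 1
    if (-not $pwdLine) {
        Write-Warning "$($dc.HostName): no unicodePwd metadata ($($meta | Select-Object -Last 1))"
        continue
    }

    # Columns: Loc.USN, Originating DSA, Org.USN, Org.Date, Org.Time, Ver, Attribute.
    # Site\DC names may contain spaces, so index from the end rather than the start.
    $fields  = ($pwdLine -split '\s+') | Where-Object { $_ }
    $version = [int]$fields[-2]
    $flag    = if ($version -gt $WarnAbove) { ' <-- unusually high (assumed threshold)' } else { '' }

    "{0,-30} unicodePwd version {1}{2}" -f $dc.HostName, $version, $flag
}
```

Run it from a domain-joined admin session with RSAT installed; the msDS-KeyVersionNumber line and the per-DC unicodePwd versions should agree once replication is healthy, and the per-DC view is what tells a stale replica apart from a genuinely inflated version.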

Published by

Dave Hope

Dave is a Principal Software Analyst for a UK based retirement developer, in his spare time he enjoys digital photography and rock climbing.
