Event ID: 1411 Source: NTDSReplication

Description
The Directory Service failed to construct a mutual authentication Service Principal Name (SPN) for server SERVERNAME. The call is denied. The error was:

A Service Principal Name (SPN) could not be constructed because the provided hostname is not in the necessary format.

The record data is the status code. Data: 0000: 6a 21 00 00
Comments
 
See the "Event ID: 1411 after demoting domain controllers" article at EV100159.
This problem may occur if the source domain controller cannot find the domain controllers that it requires to replicate changes. These domain controllers are listed in the repsTo attribute of the directory partition object. See ME938704 for details on solving this problem.
In one case, this occurred on a domain that was created by restoring an image of a domain controller and then promoting two other domain controllers with DCPROMO. It was found that AD replication was not working. It is believed that the original image may have contained Active Directory objects that were older than the tombstone lifetime interval or some other corruption. This was fixed by using DCPROMO to demote/promote one domain controller at a time, and seizing the FSMO roles.
See the link to "EventID 1411 from source Active Directory" for details on this problem.
Promoted the first DC in a new domain and it couldn't connect to the global catalog. Event IDs were 1411 and 1655. Netdiag also failed the LDAP test citing SPN not registered on a DC. Couldn't find specific info on the IDs, but did notice my new DC's suffix didn't match the domain name. See JSI FAQ (www.jsiinc.com) number 2701; apparently I had forgotten to check the "Change primary DNS suffix when domain membership changes" box before running dcpromo. Demoted the DC. Checked the box. Promoted it back to DC. Problem gone.


I got this with a DC for a branch office that was set up 2/3 months before installation. The time between servers differed by an hour by the time it was taken out of the box. Trying to set off a manual replication gives msgbox "the target principal name is incorrect". Following ME288167 sorted problem.
Use "repadmin /add CN=Configuration,DC=mydomain,DC=com targetdc.mydomain.com sourcedc.mydomain.com" as per ME232538
Haven't found a Q article on this but here is the basic problem. You will receive this error when you try to promote a machine and it is pointing to a DC that is not replicating correctly. If you go to the command prompt and type "set" you can see what your logon server is. This is the server that logged you onto the domain. This server probably is the one that is not replicating. Here is how it would happen in most scenarios:
You build a new W2K box, you join it to the domain, at which point it contacts a DC, the object for the new computer account is created on that DC. If this DC is having replication problems then the object will not replicate out to other DCs that hold the FSMO roles. So when you try to promote the new server to a DC, it checks with the RID master and it has no idea of that object. Henceforth it errors out.
Resolution:
Make sure that the server in "set" as logon server can communicate with all other DCs, especially the FSMO role holders. Once the object replicates throughout the forest you should be able to promote it.
