Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1645 Source: ActiveDirectory

Level
Description
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is <server>. The SPN being used is <SPN>. Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted- it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.
Comments
 
As per Microsoft: "Wait for the SPNs to be updated

This problem is most likely caused by a recent status change in a domain controller, such as a recent promotion. Another possibility is that a domain controller has a transient link error. Both of these situations should resolve themselves automatically in approximately 15 minutes. If the event appears after another 15 minutes, check the Service Principal Names (SPNs) on the domain controller that is reporting the event. Perform the following procedure on the domain controllers that are hosting the partition that cannot be replicated. To ensure that the SPNs are updated:

1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
2. Run the command setspn -l hostname, where hostname is the actual host name of the domain controller. This command displays the SPNs that the domain controller has registered.
3. Ensure that the domain name in each SPN listing is correct.
4. If the SPNs are not correct, run the command repadmin /syncall domainname, where domainname is the name of the domain of the domain controller.
5. Wait 15 minutes, and then run the setspn -l hostname command again and review the registered SPNs.

If the SPNs not corrected automatically after the domain has fully replicated, correct the SPNs manually". See "TechNet Event ID 1645 - Replication Changes" for more information.
As per Microsoft: "Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN". See MSW2KDB for information on this event.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...