Source: NTDS Replication
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.MyDomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2firstname.lastname@example.org.
Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.
Concepts to understand:
What is the role of the KDC?
What is NTDS and what are the roles of its components?
What is a directory service?
See ME810089, ME939820 and the link to "EventID 1645 from source Active Directory" for information about this event.
In one case, this Event ID appeared when an attempt to transfer a FSMO role (the PDC role) by running NTDSUTIL on another domain controller failed. This was fixed by using DCPROMO to demote/promote the domain controller.
See ME830379 and ME838400 for two hotfixes applicable to Microsoft Windows 2000.
As per Microsoft: "The servicePrincipalName attribute is a multiple-valued, non-linked attribute. In some Dcpromo.exe update situations, the replication SPN may be lost because of a conflict with another write process on this attribute". See ME308111 and ME305591 for more details.
If this error is being reported for Active Directory replication between two domain controllers of different domains that have a parent/child or tree-root trust relationship, this error may be due to an absent critical object that represents the trust relationship between the two domains. This object is known as a "trustedDomain" object (TDO) and is found in the System container in the Active Directory Users and Computers tool. This type of object directly relates to the trust relationships displayed in the Active Directory Domains and Trusts administrative tool. If this object is not present in Active Directory, cross-domain authentication cannot succeed, contributing to the errors described above.
You may receive this error if you have multiple Service Principal Name (SPN) records for an individual domain controller in DNS under xyz.com/_msdcs. For instance:
I have domain controllers A, B, and C in domain XYZ.COM. In my scenario, I added and removed domain controller C three times. In DNS I ended up with three different SPN records under xyz.com/_msdcs for Domain Controller C. This then confused DC A when it tried to replicate to DC C.
SOLUTION: Delete all the records for DC C. Restart NETLOGON service on DC C so it will reregister DNS records.
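The two failure modes described in the comments above (a domain controller whose computer account has lost its replication SPN, and stale GUID CNAME records under _msdcs left behind by a DC that was removed and re-added) can both be checked from a domain-joined administrative session before anything is deleted. The script below is an added example, not code from EventID.Net or Microsoft. It assumes the RSAT ActiveDirectory and DnsServer modules are installed, that _msdcs is its own forest-root DNS zone (the default since Windows Server 2003), and that the replication SPN has the form <prefix>/<NTDS Settings object GUID>/..., where the prefix is the E3514235-... value quoted in the event text; the function names and the -DnsServer parameter are the example's own.

```powershell
# Added example (not from the EventID.Net page): read-only checks for the two
# conditions the comments describe. Requires RSAT: ActiveDirectory and DnsServer.
Import-Module ActiveDirectory
Import-Module DnsServer

# Replication SPN prefix quoted in the event description.
$ReplicationSpnPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

# Check 1: every DC's computer account should carry a replication SPN whose GUID
# segment is the GUID of that DC's NTDS Settings object (assumed SPN layout).
function Test-DcReplicationSpn {
    param(
        # Defaults to the current domain; pass -Domain for another domain in the forest.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # servicePrincipalName is not returned by default, hence -Properties.
        $account  = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $Domain -Properties servicePrincipalName
        $ntdsGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $Domain).ObjectGUID.Guid
        $replSpns = @($account.servicePrincipalName | Where-Object { $_ -like "$ReplicationSpnPrefix/*" })

        $status = if ($replSpns.Count -eq 0) {
            'MISSING'                       # the condition ME308111/ME305591 describe
        } elseif ($replSpns -like "$ReplicationSpnPrefix/$ntdsGuid/*") {
            'OK'
        } else {
            'GUID MISMATCH'                 # SPN present but names a different NTDS GUID
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            NtdsSettingsGuid = $ntdsGuid
            ReplicationSpn   = ($replSpns -join '; ')
            Status           = $status
        }
    }
}

# Check 2: each <NTDS-Settings-GUID>._msdcs.<forest> CNAME should belong to a
# live DC and point at that DC's host name; anything else is a leftover.
function Find-StaleMsdcsCname {
    param(
        [Parameter(Mandatory)][string]$DnsServer,         # DNS server to query
        [string]$Forest = (Get-ADForest).RootDomain,
        [string]$Zone   = "_msdcs.$Forest"
    )
    # Map NTDS Settings GUID -> DC host name across every domain in the forest.
    $live = @{}
    foreach ($d in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
            $guid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $d).ObjectGUID.Guid
            $live[$guid.ToLower()] = $dc.HostName.ToLower()
        }
    }
    $guidPattern = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
    foreach ($rr in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType CName) {
        $name = $rr.HostName.ToLower()
        if ($name -notmatch $guidPattern) { continue }          # only the per-DC GUID aliases
        $target = $rr.RecordData.HostNameAlias.TrimEnd('.').ToLower()
        $status = if (-not $live.ContainsKey($name)) {
            'STALE (no DC has this NTDS GUID)'
        } elseif ($live[$name] -ne $target) {
            'TARGET MISMATCH'
        } else {
            'OK'
        }
        [pscustomobject]@{ Record = "$name.$Zone"; Target = $target; Status = $status }
    }
}

# Usage: list anything that is not OK, then decide manually what to clean up.
Test-DcReplicationSpn | Where-Object Status -ne 'OK' | Format-Table -AutoSize
Find-StaleMsdcsCname -DnsServer 'dc1.MyDomain.com' | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Both functions only read from Active Directory and DNS, so they can be run on a production forest; removing a CNAME reported as STALE and restarting Netlogon on the affected DC, as the comment suggests, remains a deliberate manual step.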
Links: EventID 1645 from source Active Directory