Event ID: 1645 Source: NTDSReplication

Description
The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.MyDomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/afb720fd-38c7-4505-aa9f-b658ca124773/mydomain.com@mydomain.com.

Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated.
Comments
See ME810089, ME939820 and the link to "EventID 1645 from source Active Directory" for information about this event.
In one case, this Event ID appeared when an attempt to transfer a FSMO role (the PDC role) by running NTDSUTIL on another domain controller failed. This was fixed by using DCPROMO to demote/promote the domain controller.
See ME830379 and ME838400 for two hotfixes applicable to Microsoft Windows 2000.

As per Microsoft: "The servicePrincipalName attribute is a multiple-valued, non-linked attribute. In some Dcpromo.exe update situations, the replication SPN may be lost because of a conflict with another write process on this attribute". See ME308111 and ME305591 for more details.
If this error is being reported for Active Directory replication between two domain controllers of different domains which have a parent/child or tree root trust relationship, this error may be due to an absent critical object that represents the trust relationship between the two domains. This object is known as a "trustedDomain" object (TDO) and is found in the System container in the Active Directory Users and Computers tool. This type of object directly relates to the trust relationships displayed in the Active Directory Domains and Trusts administrative tool. If this object is not present in the Active Directory, cross-domain authentication will not be able to succeed, contributing to the errors described above.
You may receive this error if you have multiple Service Principal Name (SPN) records for an individual domain controller in DNS under xyz.com/_msdcs. For instance:
I have domain controllers A, B, and C in domain XYZ.COM. In my scenario, I added and removed domain controller C three times. In DNS I ended up with three different SPN records under xyz.com/_msdcs for Domain Controller C. This then confused DC A when it tried to replicate to DC C.
SOLUTION: Delete all the records for DC C. Restart the NETLOGON service on DC C so that it re-registers its DNS records.
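The checks the event text and the comments above describe (the GUID-based CNAME in _msdcs, stale records for the same host left by repeated promotions, and the replication SPN on the computer account as seen from each DC) can be scripted. This is an added example, not eventid.net's or Microsoft's code; it assumes the RSAT ActiveDirectory, DnsClient and DnsServer modules, a DNS server that hosts the forest _msdcs zone, and an account with read access to AD and DNS.

```powershell
# Added example: verify what NTDS Replication event 1645 asks you to check
# for one replication partner. Not from eventid.net or Microsoft.
# Assumes RSAT ActiveDirectory, DnsClient and DnsServer modules are installed.
param(
    [Parameter(Mandatory)][string]$TargetDc,          # hostname of the DC named in the event
    [string]$Domain    = (Get-ADDomain).DNSRoot,      # domain of the target DC
    [string]$DnsServer = $TargetDc                    # assumption: this DNS server hosts _msdcs
)
$ReplSpnPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'   # GUID seen in the SPN in the event text
$ForestRoot    = (Get-ADForest).RootDomain                 # DSA GUID CNAMEs live in the forest _msdcs zone

$dc       = Get-ADDomainController -Identity $TargetDc -Server $Domain
$ntdsGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $Domain).ObjectGUID.Guid
$cname    = "$ntdsGuid._msdcs.$ForestRoot"
$spn      = "$ReplSpnPrefix/$ntdsGuid/$Domain"

# 1. The GUID CNAME the source DC resolves must point at the target's host name.
$rr = Resolve-DnsName -Name $cname -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue
if (-not $rr) { Write-Warning "No CNAME for $cname (target not yet registered in DNS?)" }
elseif ($rr.NameHost -ne $dc.HostName) { Write-Warning "$cname -> $($rr.NameHost), expected $($dc.HostName)" }

# 2. Stale GUID records from earlier promotions of the same host (the duplicate-record case above).
$stale = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName "_msdcs.$ForestRoot" -RRType CName |
    Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.') -eq $dc.HostName -and $_.HostName -ne $ntdsGuid }
foreach ($s in $stale) { Write-Warning "Stale record $($s.HostName)._msdcs.$ForestRoot also points at $($dc.HostName)" }

# 3. The replication SPN must be on the target's computer account as seen by every DC:
#    a KDC that has not yet received it by replication will fail the call with event 1645.
foreach ($kdc in Get-ADDomainController -Filter * -Server $Domain) {
    $acct  = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName -Server $kdc.HostName
    $state = if ($acct.servicePrincipalName -contains $spn) { 'present' } else { 'MISSING' }
    '{0,-30} {1}' -f $kdc.HostName, $state
}
```

A DC reported as MISSING that was promoted recently usually needs only replication time; one that stays MISSING after replication has converged points at the lost-SPN situation described in ME308111 and ME305591.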
