Event ID 1645 Source NTDS Replication
| Event ID | 1645 |
| Source | NTDS Replication |
| Type | Error |
| Description | The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server. The server being contacted is afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.MyDomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/afb720fd-38c7-4505-aa9f-b658ca124773/mydomain.com@mydomain.com. Please verify that the names of the target server and domain are correct. Please also verify that the SPN is registered on the computer account object for the target server on the KDC servicing the request. If the target server has been recently promoted, it will be necessary for knowledge of this computer's identity to replicate to the KDC before this computer can be authenticated. |
| Concepts to understand | What is the role of the KDC? What is NTDS and what are the roles of its components? What is a directory service? |
| Comments |
Mihai Andrei
See M810089, M939820 and the link to "EventID 1645 from source Active Directory" for information about this event.

Peter Hayden
In one case, this Event ID appeared when an attempt to transfer a FSMO role (the PDC role) by running NTDSUTIL on another domain controller failed. This was fixed by using DCPROMO to demote/promote the domain controller.

Ionut Marin
See M830379 and M838400 for two hotfixes applicable to Microsoft Windows 2000. As per Microsoft: "The servicePrincipalName attribute is a multiple-valued, non-linked attribute. In some Dcpromo.exe update situations, the replication SPN may be lost because of a conflict with another write process on this attribute". See M308111 and M305591 for more details.

Adrian Grigorof
If this error is being reported for Active Directory replication between two domain controllers of different domains which have a parent/child or tree root trust relationship, this error may be due to an absent critical object that represents the trust relationship between the two domains. This object is known as a "trustedDomain" object (TDO) and is found in the System container in the Active Directory Users and Computers tool. This type of object directly relates to the trust relationships displayed in the Active Directory Domains and Trusts administrative tool. If this object is not present in the Active Directory, cross-domain authentication will not be able to succeed, contributing to the errors described above.

Craig Strait
You may receive this error if you have multiple Service Principal Name (SPN) records for an individual domain controller in DNS under xyz.com/_msdcs. For instance: I have domain controllers A, B, and C in domain XYZ.COM. In my scenario, I added and removed domain controller C three times. In DNS I ended up with three different SPN records under xyz.com/_msdcs for Domain Controller C. This then confused DC A when it tried to replicate to DC C. SOLUTION: Delete all the records for DC C. Restart NETLOGON service on DC C so it will reregister DNS records. |
| Links | M257844, M305591, M308111, M810089, M830379, M838400, M939820, EventID 1645 from source Active Directory |
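The check the event description asks for (is the SPN registered on the target server's computer account?), as an added PowerShell example that is not part of the original page or of any contributor's comment. It assumes the `Resolve-DnsName` cmdlet and the ActiveDirectory module (RSAT) are available; the default `$Message` is the sample text from the Description above, and the `-Server` parameter and the verdict strings are this example's own.

```powershell
# Added example. Needs Resolve-DnsName (DnsClient) and the ActiveDirectory module (RSAT).
param(
    # Default is the sample text from this page's Description; pass your own event text.
    [string]$Message = 'The server being contacted is afb720fd-38c7-4505-aa9f-b658ca124773._msdcs.MyDomain.com. The SPN being used is E3514235-4B06-11D1-AB04-00C04FC2DCD2/afb720fd-38c7-4505-aa9f-b658ca124773/mydomain.com@mydomain.com. Please verify',
    # Optional (assumption of this example): the DC to query, in the target server's domain.
    [string]$Server
)

$guid = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$srv  = [regex]::Match($Message, "contacted is (?<alias>(?<dsa>$guid)\._msdcs\.[\w.-]+?)\.(?=\s|\z)")
$req  = [regex]::Match($Message, "SPN being used is (?<spn>$guid/(?<dsa>$guid)/[\w.-]+)@")
if (-not ($srv.Success -and $req.Success)) { throw 'Text does not look like an event 1645 description.' }

$alias = $srv.Groups['alias'].Value
$spn   = $req.Groups['spn'].Value      # form stored in servicePrincipalName (no @realm suffix)
if ($srv.Groups['dsa'].Value -ne $req.Groups['dsa'].Value) {
    Write-Warning 'GUID in the server name differs from the GUID in the SPN.'
}

# 1. Which host does the GUID-based _msdcs alias point to?
$target = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' } |
    Select-Object -First 1 -ExpandProperty NameHost

# 2. Which accounts carry this SPN in servicePrincipalName?
$ad = @{ LDAPFilter = "(servicePrincipalName=$spn)"; Properties = 'dNSHostName' }
if ($Server) { $ad.Server = $Server }
$holders = @(Get-ADObject @ad)

$verdict = if ($holders.Count -eq 0) {
    'SPN not registered on any account found by this query'
} elseif ($holders.Count -gt 1) {
    'SPN registered on more than one account'
} elseif (-not $target) {
    'SPN registered once, but the _msdcs alias did not resolve to a CNAME'
} elseif ($holders[0].dNSHostName -ne $target.TrimEnd('.')) {
    'SPN is registered on a different host than the alias target'
} else {
    'SPN registered once, on the alias target'
}

[pscustomobject]@{
    Alias = $alias; CnameTarget = $target; Spn = $spn
    SpnHolders = $holders.DistinguishedName -join '; '; Verdict = $verdict
}
```

Run it on, or with `-Server` pointed at, the domain controller that logged the event, since the description requires the SPN to be present on the KDC servicing the request and a recently promoted server may not have replicated there yet.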
