The issue is well described in the text of the event; this is indeed an SPN issue:
Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
13c89be0-ba93-4648-9255-07c2bacfac0a._msdcs.MyDomain.Com
SPN:
E3514235-4B06-11D1-AB04-00C04EC2DCD2/13c89be0-ba93-4648-9255-07c2bacfac0a/MyServer.MyDomain.Com@MyDomain.Com
User Action
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.
Here is what you can do to fix it:
- First, you need to identify the server that is missing from the SPN records. You can do this by simply pinging the GUID in the message, using the above example:
Ping 13c89be0-ba93-4648-9255-07c2bacfac0a._msdcs.MyDomain.Com
- This should provide you with the IP address that you can use to identify the server. Let's pretend you find ServerOne.Mydomain.Com
- Then, go to the server that is recording the error and register its SPN, again using our example (setspn -A needs the account to register the SPN on, which is the computer account of the server you identified in the previous step):
setspn -A E3514235-4B06-11D1-AB04-00C04EC2DCD2/13c89be0-ba93-4648-9255-07c2bacfac0a/MyServer.MyDomain.Com@MyDomain.Com ServerOne
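The same procedure as a scripted check, added here as an example and not part of the original post: it resolves the GUID name from the event, looks up the destination DC's computer account, and registers the SPN only if it is actually missing. It assumes the ActiveDirectory and DnsClient PowerShell modules are available and uses the post's example names.

```powershell
# Added example (not from the original post). Input values are the two strings
# quoted from the event; replace them with the ones from your own event.
Import-Module ActiveDirectory

$Destination = '13c89be0-ba93-4648-9255-07c2bacfac0a._msdcs.MyDomain.Com'
$EventSpn    = 'E3514235-4B06-11D1-AB04-00C04EC2DCD2/13c89be0-ba93-4648-9255-07c2bacfac0a/MyServer.MyDomain.Com@MyDomain.Com'

# Assumption: the event appends "@REALM" for display only; the value stored in
# servicePrincipalName carries no realm suffix, so strip it before comparing.
$Spn = $EventSpn -replace '@.*$', ''

# Step 1: the GUID name in _msdcs is a CNAME to the DC's host record
# (this is what the ping in the post resolves).
$cname = Resolve-DnsName -Name $Destination -Type CNAME -ErrorAction Stop |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "Could not resolve $Destination" }
$dcHost = $cname.NameHost
Write-Host "Destination directory server resolves to $dcHost"

# Step 2: find the computer account of that DC by its DNS host name.
$dc = Get-ADComputer -Filter "DNSHostName -eq '$dcHost'" -Properties servicePrincipalName
if (-not $dc) { throw "No computer object with DNSHostName $dcHost" }

# Step 3: register the SPN only when absent. If it is already there, the event
# is more likely the replication-latency case named in the User Action text.
if ($dc.servicePrincipalName -contains $Spn) {
    Write-Host "SPN already registered on $($dc.Name); check replication to the KDC instead."
} else {
    Write-Host "Registering $Spn on $($dc.Name)"
    Set-ADComputer -Identity $dc -ServicePrincipalNames @{ Add = $Spn }
}

# Confirm the result with setspn, which also reports duplicate registrations.
setspn -Q $Spn
```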
This should fix you up. Now, as to why the DCPROMO process missed the SPN creation, I have no idea; in 15 years I have only seen this once. Perhaps a new bug in Server 2012 R2?
Cheers