Monday, December 22, 2014

Event ID 1645 (source ActiveDirectory_DomainService) in the Directory Service log prevents replication after promoting a new domain controller

OK, confess, who looks in the Directory Service log regularly? Well, of course, if you have a monitoring tool like SCOM then you will see these alerts anyway.

The issue is well described in the text of the event; this is indeed an SPN issue:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN. 

Destination directory server:

User Action 
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.

Here is what you can do to fix it:

  • First, identify the domain controller whose SPN is missing. The GUID in the message is the NTDS Settings object GUID of the destination DC, and every DC registers a CNAME record for that GUID under _msdcs, so you can simply ping it (using the above example):
ping 13c89be0-ba93-4648-9255-07c2bacfac0a._msdcs.MyDomain.Com
  • This resolves the CNAME and gives you the host name and IP address of the server. Let's pretend it resolves to ServerOne.MyDomain.Com
  • Before adding anything, check whether the SPN is already present on the new DC itself and simply has not replicated to the KDC yet (the event text warns about exactly this for a freshly promoted DC). Run setspn -L ServerOne$ on the new DC and on the DC recording the error; if only the new DC has it, force replication (repadmin /syncall) rather than adding a duplicate.
  • If the SPN is genuinely missing, go to the server that is recording the error and register the SPN on the destination DC's computer account. Copy the SPN exactly as it appears in the event text (the realm suffix after the @ is not part of the stored value), and give setspn the account it belongs to, which the original command omitted (again using our example):

setspn -S E3514235-4B06-11D1-AB04-00C04EC2DCD2/13c89be0-ba93-4648-9255-07c2bacfac0a/MyDomain.Com ServerOne$

  • Confirm with setspn -L ServerOne$ that the SPN is now listed, then repadmin /showrepl to verify that the replication link no longer reports an error.

This should fix you up (-S, unlike -A, refuses to add the SPN if it already exists on another account, which is the safer choice for a replication SPN). Now, as to why the DCPROMO process missed the SPN creation - I have no idea, in 15 years I have only seen this once. Perhaps a new bug in Server 2012 R2?
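The whole procedure above can be scripted so the check-before-add step is not skipped. The following is an added example, not code from the original post. It assumes the ActiveDirectory module (RSAT) and the DnsClient module are available, that it runs on the DC that logs Event 1645, and that the replication SPN in the event has the usual form E3514235-4B06-11D1-AB04-00C04EC2DCD2/<NTDS Settings GUID>/<domain>@<domain>. The fallback event text is a constructed sample so the script can be read without a live event.

```powershell
# Added example (not from the original post): triage and fix Event ID 1645.
# Assumes ActiveDirectory + DnsClient modules, run on the DC that logged the event.

# 1. Take the SPN from the newest 1645 event; fall back to a constructed sample
#    that mirrors the quoted event text if there is no such event in the log.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1645 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
$msg = if ($evt) { $evt.Message } else {
    # constructed sample text
    'Service principal name: E3514235-4B06-11D1-AB04-00C04EC2DCD2/13c89be0-ba93-4648-9255-07c2bacfac0a/MyDomain.Com@MyDomain.Com'
}
if ($msg -notmatch 'E3514235-4B06-11D1-AB04-00C04EC2DCD2/(?<guid>[0-9a-fA-F-]{36})/(?<dom>[^@\s]+)@') {
    throw 'No replication SPN found in the event text'
}
$dsaGuid = $Matches.guid
$domain  = $Matches.dom
# The stored SPN has no @realm suffix; that is appended by Kerberos at request time.
$spn = "E3514235-4B06-11D1-AB04-00C04EC2DCD2/$dsaGuid/$domain"

# 2. Map the NTDS Settings GUID to a host: <guid>._msdcs.<domain> is a CNAME to the DC.
$cname  = Resolve-DnsName -Name "$dsaGuid._msdcs.$domain" -Type CNAME -ErrorAction Stop
$dcFqdn = ($cname | Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
if (-not $dcFqdn) { throw "No CNAME for $dsaGuid._msdcs.$domain" }
$dcAccount = $dcFqdn.Split('.')[0] + '$'     # computer account of the destination DC

# 3. Compare what this DC (the KDC that failed the lookup) and the new DC itself hold.
$local  = Get-ADComputer -Identity $dcAccount -Properties servicePrincipalName
$remote = Get-ADComputer -Identity $dcAccount -Properties servicePrincipalName `
            -Server $dcFqdn -ErrorAction SilentlyContinue
$hasLocal  = $local.servicePrincipalName -contains $spn
$hasRemote = $remote -and ($remote.servicePrincipalName -contains $spn)

if ($hasLocal) {
    "SPN $spn already present on this DC; the 1645 is stale or has another cause."
}
elseif ($hasRemote) {
    # Freshly promoted DC: the SPN exists but has not replicated here yet.
    "SPN exists on $dcFqdn but not here yet; forcing replication instead of adding a duplicate."
    repadmin /syncall /AdeP
}
else {
    # Genuinely missing: register it on the destination DC's computer account.
    Set-ADComputer -Identity $dcAccount -ServicePrincipalNames @{ Add = $spn }
    "Registered $spn on $dcAccount; verify with: setspn -L $dcAccount and repadmin /showrepl"
}
```

Set-ADComputer without -Server writes to the DC the module binds to, which on a domain controller is normally itself, so the change lands on the KDC that was failing the lookup; the script deliberately queries the new DC directly first so a duplicate SPN is never created for a DC that is merely behind on replication.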

