Solved

NTDS Replication Error

Posted on 2007-03-25
5
1,304 Views
Last Modified: 2011-08-18
Long story short, one of my two DC's crashed. I used metadata cleanup on the other DC to manually remove the crashed DC. After rebuilding the machine, I DCpromoed it back into the domain, and everything appears to be functioning correctly, except for the following that it popping up on one of the DCs (The one that didn't crash)

Event Type:      Error
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      1411
Date:            3/24/2007
Time:            10:17:45 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      WSCPDC
Description:
Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.
 
Domain controller:
50266e59-dfa6-4d1f-882b-6e65c5482bee._msdcs.domain.com
 
The call was denied. Communication with this domain controller might be affected.
 
Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

If I look at the GUID that the error is reporting, I'm pretty sure that this GUID is the old identifier for the DC that crashed. If I look in the _msdcd folder in DNS, there is no reference to this GUID anywhere. This is why despite the error, the directory seems to be working fine.

How can I clean this up?
0
Comment
Question by:jschweg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 11

Expert Comment

by:Zenith63
ID: 18788096
You could use ADSIEdit to have a look at the lower level of the Active Directory database and do a search from there for the SID.  If the reference is in AD you'll find it.  However as you obviously guessed it looks more like the kind of error you'd see if the reference to the old SID was in DNS somewhere.  Did you go through the entire DNS tree looking for the record?
0
 
LVL 4

Author Comment

by:jschweg
ID: 18788100
I thought that I went though all the DNS records, but it was pretty late at that point. I will re-check them.
0
 
LVL 11

Accepted Solution

by:
AnthonyP9618 earned 500 total points
ID: 18788245
Did you remove the connection information to the old DC from AD Sites and Services?  My guess is that it's trying to replicate and still shows the old connection information with which to replicate.

If you promoted the new DC with the same name, go ahead and delete that DC anyway.  Windows (moreover, the KCC) will rebuild those connections based upon what it needs.  In this case, I would probably force the KCC to kick off manually (Do this from your working DC):

repadmin /kcc <DCservernameyoujustremoved>
repadmin /showreps

I would run the /showreps command until you see the KCC rebuild the links.  Once that's complete, go back into AD Sites and Services and manually replicate your connections.  Any errors?
0
 
LVL 4

Author Comment

by:jschweg
ID: 18788616
To answer your questions...

During my removal process, I ran the metadata cleanup, removed all the DNS records, and removed the DC from Sites and Services. I DID rejoin the crashed DC back with the same name after rebuilding it.

Both DC's appear to be happy, if I run repadmin /showreps now, everything is successful on both. I'm only getting the error on of the DC's (the one that didn't crash), and so far it only pops up if I reboot the DC.

0
 
LVL 4

Author Comment

by:jschweg
ID: 18851058
Sorry for the huge delay, time got away with me. Thanks for the help.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question