Solved

NTDS Replication Error

Posted on 2007-03-25
5
1,297 Views
Last Modified: 2011-08-18
Long story short, one of my two DCs crashed. I used metadata cleanup on the other DC to manually remove the crashed DC. After rebuilding the machine, I DCpromoed it back into the domain, and everything appears to be functioning correctly, except for the following that is popping up on one of the DCs (the one that didn't crash):

Event Type:      Error
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      1411
Date:            3/24/2007
Time:            10:17:45 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      WSCPDC
Description:
Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.
 
Domain controller:
50266e59-dfa6-4d1f-882b-6e65c5482bee._msdcs.domain.com
 
The call was denied. Communication with this domain controller might be affected.
 
Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

If I look at the GUID that the error is reporting, I'm pretty sure that this GUID is the old identifier for the DC that crashed. If I look in the _msdcs folder in DNS, there is no reference to this GUID anywhere. This is why, despite the error, the directory seems to be working fine.

How can I clean this up?
Question by:jschweg
5 Comments
 
LVL 11

Expert Comment

by:Zenith63
ID: 18788096
You could use ADSIEdit to have a look at the lower level of the Active Directory database and do a search from there for the SID.  If the reference is in AD you'll find it.  However as you obviously guessed it looks more like the kind of error you'd see if the reference to the old SID was in DNS somewhere.  Did you go through the entire DNS tree looking for the record?
0
 
LVL 4

Author Comment

by:jschweg
ID: 18788100
I thought that I went through all the DNS records, but it was pretty late at that point. I will re-check them.
0
 
LVL 11

Accepted Solution

by:AnthonyP9618 earned 500 total points
ID: 18788245
Did you remove the connection information to the old DC from AD Sites and Services?  My guess is that it's trying to replicate and still shows the old connection information with which to replicate.

If you promoted the new DC with the same name, go ahead and delete that DC anyway.  Windows (moreover, the KCC) will rebuild those connections based upon what it needs.  In this case, I would probably force the KCC to kick off manually (Do this from your working DC):

repadmin /kcc <DCservernameyoujustremoved>
repadmin /showreps

I would run the /showreps command until you see the KCC rebuild the links.  Once that's complete, go back into AD Sites and Services and manually replicate your connections.  Any errors?
0
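The two checks suggested above (Zenith63's low-level look at the directory for the lingering identifier, and the stale connection/server object in AD Sites and Services that AnthonyP9618 points at) can be scripted, as an added example that is not from any of the posters. Error 8589 is raised when the server object in the Configuration partition has no serverReference attribute, so the script lists every server object under CN=Sites, flags the ones missing that attribute or lacking an NTDS Settings child, and matches the NTDS Settings GUID against the one quoted in the event. It assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADForest, Get-ADObject) and Resolve-DnsName, both of which exist on Windows Server 2012 and later; the GUID is the one from the event text in the question.

```powershell
# Added example, not code from the thread. Finds server objects in the Configuration
# partition that would trigger NTDS Replication event 1411 / error 8589 (no serverReference)
# and correlates them with the GUID named in the event. Assumes the RSAT ActiveDirectory
# module and an account that can read the Configuration naming context.

$eventGuid = [guid]'50266e59-dfa6-4d1f-882b-6e65c5482bee'   # GUID quoted in the event text

$rootDse   = Get-ADRootDSE
$sitesDN   = "CN=Sites,$($rootDse.configurationNamingContext)"
$forestDns = (Get-ADForest).RootDomain   # the _msdcs zone lives under the forest root domain

$servers = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=server)' `
                        -Properties serverReference

$report = foreach ($srv in $servers) {
    # The NTDS Settings child (class nTDSDSA) carries the DSA GUID that shows up in DNS
    # as <guid>._msdcs.<forest>. A server object left behind by a crashed DC often has
    # no such child and no serverReference, which is exactly what 8589 complains about.
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue

    $dsaGuid = $null
    if ($ntds) { $dsaGuid = $ntds.ObjectGUID }

    # DN layout is CN=<server>,CN=Servers,CN=<site>,CN=Sites,... so element 2 is the site.
    $site = (($srv.DistinguishedName -split ',')[2]) -replace '^CN=', ''

    [pscustomobject]@{
        Server           = $srv.Name
        Site             = $site
        HasServerRef     = [bool]$srv.serverReference
        HasNtdsSettings  = [bool]$ntds
        DsaGuid          = $dsaGuid
        MatchesEventGuid = ($null -ne $dsaGuid -and $dsaGuid -eq $eventGuid)
    }
}

'All server objects under CN=Sites:'
$report | Format-Table -AutoSize

# Candidates for the lingering reference: no serverReference, or the GUID from the event.
# Confirm each one is not a live DC before deleting it in AD Sites and Services.
'Suspect objects:'
$report | Where-Object { -not $_.HasServerRef -or $_.MatchesEventGuid } | Format-Table -AutoSize

# Cross-check DNS for the CNAME the replication client is trying to build an SPN from.
# No answer here is consistent with the DNS records already having been removed.
$cname = "$($eventGuid.ToString())._msdcs.$forestDns"
"DNS lookup for $cname :"
Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue
```

After removing a stale object, the repadmin /kcc and repadmin /showreps steps from the accepted answer apply unchanged: the KCC recomputes the connection objects and /showreps confirms that replication to the remaining partners still succeeds.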
 
LVL 4

Author Comment

by:jschweg
ID: 18788616
To answer your questions...

During my removal process, I ran the metadata cleanup, removed all the DNS records, and removed the DC from Sites and Services. I DID rejoin the crashed DC back with the same name after rebuilding it.

Both DCs appear to be happy; if I run repadmin /showreps now, everything is successful on both. I'm only getting the error on one of the DCs (the one that didn't crash), and so far it only pops up if I reboot the DC.

0
 
LVL 4

Author Comment

by:jschweg
ID: 18851058
Sorry for the huge delay, time got away with me. Thanks for the help.
0
