Solved

NTDS Replication Error

Posted on 2007-03-25
Last Modified: 2011-08-18
Long story short, one of my two DCs crashed. I used metadata cleanup on the other DC to manually remove the crashed DC. After rebuilding the machine, I DCpromoed it back into the domain, and everything appears to be functioning correctly, except for the following that is popping up on one of the DCs (the one that didn't crash):

Event Type:      Error
Event Source:      NTDS Replication
Event Category:      DS RPC Client
Event ID:      1411
Date:            3/24/2007
Time:            10:17:45 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      WSCPDC
Description:
Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.
 
Domain controller:
50266e59-dfa6-4d1f-882b-6e65c5482bee._msdcs.domain.com
 
The call was denied. Communication with this domain controller might be affected.
 
Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

If I look at the GUID that the error is reporting, I'm pretty sure that this GUID is the old identifier for the DC that crashed. If I look in the _msdcs folder in DNS, there is no reference to this GUID anywhere. This is why, despite the error, the directory seems to be working fine.

How can I clean this up?
Question by:jschweg
5 Comments

Expert Comment

by:Zenith63
ID: 18788096
You could use ADSIEdit to have a look at the lower level of the Active Directory database and do a search from there for the SID.  If the reference is in AD you'll find it.  However, as you obviously guessed, it looks more like the kind of error you'd see if the reference to the old SID was in DNS somewhere.  Did you go through the entire DNS tree looking for the record?

Author Comment

by:jschweg
ID: 18788100
I thought that I went through all the DNS records, but it was pretty late at that point. I will re-check them.

Accepted Solution

by:
AnthonyP9618 earned 500 total points
ID: 18788245
Did you remove the connection information to the old DC from AD Sites and Services?  My guess is that it's trying to replicate and still shows the old connection information with which to replicate.

If you promoted the new DC with the same name, go ahead and delete that DC anyway.  Windows (moreover, the KCC) will rebuild those connections based upon what it needs.  In this case, I would probably force the KCC to kick off manually (Do this from your working DC):

repadmin /kcc <DCservernameyoujustremoved>
repadmin /showreps

I would run the /showreps command until you see the KCC rebuild the links.  Once that's complete, go back into AD Sites and Services and manually replicate your connections.  Any errors?
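One way to check for the leftovers this answer talks about, as an added example that is not code from the thread: it lists every server object under CN=Sites without a serverReference (the exact condition behind error 8589), tells you whether the DSA GUID quoted in the event still exists in AD, and flags replication connections whose fromServer points at a DSA that no longer exists. It assumes the ActiveDirectory PowerShell module (RSAT) and is run on the healthy DC as a domain admin; the GUID is the one from the question's event text and should be replaced with your own.

```powershell
# Added example, not from the thread. Finds the Configuration-partition objects behind
# NTDS Replication Event 1411 / error 8589. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# DSA GUID quoted in the event in the question; substitute the GUID from your own event.
$reportedDsaGuid = [guid]'50266e59-dfa6-4d1f-882b-6e65c5482bee'

$configNc = (Get-ADRootDSE).configurationNamingContext
$sitesDn  = "CN=Sites,$configNc"

# All server objects and all NTDS Settings (nTDSDSA) objects under CN=Sites.
# A healthy DC's server object has serverReference pointing at its computer account.
$servers = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=server)' `
                        -Properties serverReference, dNSHostName
$dsas    = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)'
$dsaDns  = $dsas | ForEach-Object { $_.DistinguishedName }

Write-Host "== Server objects =="
foreach ($srv in $servers) {
    $flag = if ($srv.serverReference) { 'ok' }
            else { 'NO serverReference <- stale object, delete it in AD Sites and Services' }
    Write-Host ("{0,-30} {1}" -f $srv.Name, $flag)
}

# The CNAME <DSA GUID>._msdcs.<domain> is the objectGUID of the NTDS Settings object.
Write-Host "`n== DSA GUID from the event =="
$match = $dsas | Where-Object { $_.ObjectGUID -eq $reportedDsaGuid }
if ($match) { Write-Host "Still present in AD: $($match.DistinguishedName)" }
else        { Write-Host "Not under CN=Sites; if it still resolves in _msdcs it is DNS residue" }

# Connection objects whose fromServer DN no longer matches any existing nTDSDSA object
# are what the KCC has to rebuild (repadmin /kcc, then repadmin /showreps).
Write-Host "`n== Replication connections (nTDSConnection) =="
$conns = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSConnection)' `
                      -Properties fromServer
foreach ($c in $conns) {
    $dangling = -not ($dsaDns -contains $c.fromServer)
    $flag = if ($dangling) { 'DANGLING fromServer <- remove, then force the KCC' } else { 'ok' }
    Write-Host ("{0}`n   from: {1}`n   {2}" -f $c.DistinguishedName, $c.fromServer, $flag)
}
```

Run it before and after the manual cleanup and the repadmin /kcc step so you can confirm the dangling entries are gone rather than waiting for the next reboot to see whether Event 1411 recurs.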

Author Comment

by:jschweg
ID: 18788616
To answer your questions...

During my removal process, I ran the metadata cleanup, removed all the DNS records, and removed the DC from Sites and Services. I DID rejoin the crashed DC back with the same name after rebuilding it.

Both DCs appear to be happy; if I run repadmin /showreps now, everything is successful on both. I'm only getting the error on one of the DCs (the one that didn't crash), and so far it only pops up if I reboot the DC.


Author Comment

by:jschweg
ID: 18851058
Sorry for the huge delay, time got away with me. Thanks for the help.