Event ID 1411

After setting up an 08 server and Active Directory in an 03 environment, I started getting SPN errors:


Active Directory Domain Services failed to construct a mutual authentication service principal name (SPN) for the following directory service.
 
Directory service:
7c7b44cb-fc89-4492-9983-ebe9fda9f157._msdcs.achl.int
 
The call was denied. Communication with this directory service might be affected.
 
Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.




I followed this:


http://technet.microsoft.com/en-us/library/cc733207.aspx


and got this:

C:\Program Files\Support Tools>repadmin /showreps
Las-Vegas\S-DC-01
DC Options: IS_GC
Site Options: (none)
DC object GUID: 02ce0f24-cc18-41fa-8114-cb2f39ef341f
DC invocationID: 02ce0f24-cc18-41fa-8114-cb2f39ef341f

==== INBOUND NEIGHBORS ======================================

DC=achl,DC=int
    Las-Vegas\S-DC-04 via RPC
        DC object GUID: b53a97fb-049d-4d1a-bbfe-acc7bdd5c2be
        Last attempt @ 2008-10-12 09:16:20 was successful.
    Las-Vegas\S-DC-03 via RPC
        DC object GUID: 424ca5cf-be1e-409b-8f22-ed33f158f990
        Last attempt @ 2008-10-12 09:18:04 was successful.

CN=Configuration,DC=achl,DC=int
    Las-Vegas\S-DC-03 via RPC
        DC object GUID: 424ca5cf-be1e-409b-8f22-ed33f158f990
        Last attempt @ 2008-10-12 08:45:18 was successful.
    Las-Vegas\S-DC-04 via RPC
        DC object GUID: b53a97fb-049d-4d1a-bbfe-acc7bdd5c2be
        Last attempt @ 2008-10-12 09:05:54 was successful.

CN=Schema,CN=Configuration,DC=achl,DC=int
    Las-Vegas\S-DC-03 via RPC
        DC object GUID: 424ca5cf-be1e-409b-8f22-ed33f158f990
        Last attempt @ 2008-10-12 08:45:18 was successful.
    Las-Vegas\S-DC-04 via RPC
        DC object GUID: b53a97fb-049d-4d1a-bbfe-acc7bdd5c2be
        Last attempt @ 2008-10-12 08:45:18 was successful.

DC=DomainDnsZones,DC=achl,DC=int
    Las-Vegas\S-DC-04 via RPC
        DC object GUID: b53a97fb-049d-4d1a-bbfe-acc7bdd5c2be
        Last attempt @ 2008-10-12 09:13:49 was successful.
    Las-Vegas\S-DC-03 via RPC
        DC object GUID: 424ca5cf-be1e-409b-8f22-ed33f158f990
        Last attempt @ 2008-10-12 09:14:02 was successful.

DC=ForestDnsZones,DC=achl,DC=int
    Las-Vegas\S-DC-04 via RPC
        DC object GUID: b53a97fb-049d-4d1a-bbfe-acc7bdd5c2be
        Last attempt @ 2008-10-12 08:49:02 was successful.
    Las-Vegas\S-DC-03 via RPC
        DC object GUID: 424ca5cf-be1e-409b-8f22-ed33f158f990
        Last attempt @ 2008-10-12 08:49:08 was successful.

C:\Program Files\Support Tools>dcdiag /fix

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Las-Vegas\S-DC-01
      Starting test: Connectivity
         ......................... S-DC-01 passed test Connectivity

Doing primary tests

   Testing server: Las-Vegas\S-DC-01
      Starting test: Replications
         ......................... S-DC-01 passed test Replications
      Starting test: NCSecDesc
         ......................... S-DC-01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... S-DC-01 passed test NetLogons
      Starting test: Advertising
         ......................... S-DC-01 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... S-DC-01 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... S-DC-01 passed test RidManager
      Starting test: MachineAccount
         * The current DC is not in the domain controller's OU
         ......................... S-DC-01 failed test MachineAccount
      Starting test: Services
         ......................... S-DC-01 passed test Services
      Starting test: ObjectsReplicated
         ......................... S-DC-01 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... S-DC-01 passed test frssysvol
      Starting test: frsevent
         ......................... S-DC-01 passed test frsevent
      Starting test: kccevent
         ......................... S-DC-01 passed test kccevent
      Starting test: systemlog
         ......................... S-DC-01 passed test systemlog
      Starting test: VerifyReferences
         ......................... S-DC-01 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : achl
      Starting test: CrossRefValidation
         ......................... achl passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... achl passed test CheckSDRefDom

   Running enterprise tests on : achl.int
      Starting test: Intersite
         ......................... achl.int passed test Intersite
      Starting test: FsmoCheck
         ......................... achl.int passed test FsmoCheck

C:\Program Files\Support Tools>dcdiag /test:outboundsecurechannels /testdomain:a
chl.int

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Las-Vegas\S-DC-01
      Starting test: Connectivity
         ......................... S-DC-01 passed test Connectivity

Doing primary tests

   Testing server: Las-Vegas\S-DC-01
      Starting test: OutboundSecureChannels
         Could not Check secure channel from S-DC-01 to achl.int: The specified
domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specifi
ed.
         Could not Query Trusted Domain :The system cannot find the file specifi
ed.
         Could not Query Trusted Domain :The system cannot find the file specifi
ed.
         ......................... S-DC-01 failed test OutboundSecureChannels

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : achl

   Running enterprise tests on : achl.int


Am I doing something wrong?


Asked by: funkyp56
 
arnold commented:
Check the Domain Controllers OU to make sure the server S-DC-01 is there rather than in the computer.
I.e. active directory computer and users administrative tool. Make sure that the server S-DC-01 is in the domain controllers rather than in the computer group.
Based on the line:
Starting test: MachineAccount
         * The current DC is not in the domain controller's OU
         ......................... S-DC-01 failed test MachineAccount
0
 
funkyp56 (author) commented:
An old IT guy for the company made a different OU for domain controllers (for use with scripts and GP; not sure if they were ever used that way). I have been moving the DCs there. I will move them to the original location and see if I get errors.
0
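
A triage helper for the dcdiag output quoted in this thread, as an added example that is not part of the original posts: it lists every failed test with its detail lines and rejoins text that the 80-column console wrapped. The name `failed_tests` and the sample, built from lines in the question, are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the dcdiag output in the question.
SAMPLE = """\
      Starting test: Connectivity
         ......................... S-DC-01 passed test Connectivity
      Starting test: MachineAccount
         * The current DC is not in the domain controller's OU
         ......................... S-DC-01 failed test MachineAccount
      Starting test: OutboundSecureChannels
         Could not Check secure channel from S-DC-01 to achl.int: The specified
domain either does not exist or could not be contacted.
         Could not Query Trusted Domain :The system cannot find the file specifi
ed.
         ......................... S-DC-01 failed test OutboundSecureChannels
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
"""

START = re.compile(r"^\s+Starting test: (\S+)")
RESULT = re.compile(r"^\s+\.{5,} (\S+) (passed|failed) test (\S+)")

def failed_tests(text, width=80):
    """Return [(target, test, [detail lines])] for every failed dcdiag test."""
    failures, details, in_test, prev_len = [], [], False, 0
    for line in text.splitlines():
        m = RESULT.match(line)
        if START.match(line):
            details, in_test = [], True
        elif m:
            if m.group(2) == "failed":
                failures.append((m.group(1), m.group(3), details))
            in_test = False
        elif in_test and line.strip():
            if line[0].isspace() or not details:
                details.append(line.strip().lstrip("* "))
            else:
                # Unindented text inside a test is console wrap. A previous line
                # that filled all `width` columns was split mid-word: no space.
                sep = "" if prev_len >= width else " "
                details[-1] += sep + line.strip()
            prev_len = len(line)
    return failures

if __name__ == "__main__":
    for target, test, details in failed_tests(SAMPLE):
        print(f"{target}: {test} FAILED -> {' | '.join(details)}")
```
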