Directory Service Event Log Errors 1925 & 1645 On Win 2003 x32 Server

Hello All -

Another member of my team set up a new DC for a domain that we support which is located off site on a different subnet than the other ones.  From what I hear, it worked fine for a couple of days, but today, users could not authenticate or retrieve profiles from it.  I'm receiving the two errors below every few minutes (attached screen shot #3):


NTDS Replication - Category = DS RPC Client (attached screenshot #1)
Error 1645
Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination domain controller:
User Action
Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller’s computer account data to replicate to the KDC before this computer can be authenticated.


NTDS Replication - Category = Knowledge Consistency (attached screenshot #2)
Error 1925
The attempt to establish a replication link for the following writable directory partition failed.
Directory partition:
Source domain controller:
CN=NTDS Settings,CN=OPS-DC,CN=Servers,CN=RemoteSite1,CN=Sites,CN=Configuration,DC=DOMAINABC,DC=LOCAL
Source domain controller address:
Intersite transport (if any):
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.  


Also, I don't know if it's related, but am getting this error in the DNS Server event log:

Source = DNS - Category = None
Event ID 4515
The zone PSBOC.LOCAL was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.PSBOC.LOCAL. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this


I've done a bit of research and so far have tried to:
- Flushed, then registered DNS, then restarted NETLOGON.
- Restarted
- Verified that system time is correct
- Created an Intersite Transport from one of the existing servers to the remote site one.  I really don't know much about this so may have done it wrong.

Please help! - Thanks!


Check the following things:
- Have you checked that healthy DCs are accessible from this DC? Turn off the firewall if it is on.
- Open the DNS console on its replication partner and check its NameServer record on the "Name Servers" tab.
- Run dcdiag /test:DNS and report the result.
- Open a command prompt and run "net share". Does it show the NETLOGON and SYSVOL shares?

Have you created the entry RPC Replication Timeout (mins) in the registry of the new DC to extend its DC replication timeout?
BzowK (Author) commented:
Thanks for your reply -

To answer your questions...

- Windows firewall is and has been Off.  The service (ICS) isn't even running.

- The DCDIAG for DNS (the string you specified) results are in screenshot #1 below.

- The results for NET SHARE are in screenshot #2 below.

- Don't know if this makes a difference, but when looking at Sites & Services, I found that under the Site we are having trouble with, there are two DCs listed - OPS-DC and OPSDC.  OPS-DC doesn't exist - can't ping it and isn't in AD.  I assume it was put there by mistake.  I tried to delete it, but Windows won't let me.  (Screenshot #3)

- I connected to its partner (I think) and opened DNS.  I don't see a "Name Servers" tab.  However, I was able to ping the troublesome server from that server successfully.

- I haven't done anything in the registry - especially with RPC

- I've also attached a full dcdiag from the troublesome server (DCDIAG.txt)  

Thanks again!
About your Sites and Services record of OPS-DC: it is a record holding the metadata of an old DC which has either been disconnected or promoted incorrectly. You can delete it by using the metadata cleanup process.
Here it is:
NTDSUTIL: metadata cleanup
metadata cleanup: connections
connections: connect to server localhost (or the name of the server from where you are removing the DC's metadata)
connections: q
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain # (by number 0,1,2 - the number on the left)
select operation target: list sites
select operation target: select site # (by number 0,1,2 - the number on the left)
select operation target: list servers in site
select operation target: select server # (by number 0,1,2 - the number on the left)
select operation target: q
metadata cleanup: remove selected server
At this point confirm the selected server in the popup window and press "Yes".
Then open Sites and Services, open the desired site and remove the DC object.

This is the DC metadata cleanup from the forest (Sites and Services).

Then you have to delete its "nameserver" records from DNS. Open the console, select the DNS zone, right-click it and select Properties, go to the "Name Servers" tab, find the deleted server's entry there and remove it. Now you can re-promote the same DC with the same name and same IP.
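As an added example (not from this thread, and not an Experts Exchange or Microsoft script), the following PowerShell lists the two kinds of leftover references the cleanup above removes: server/NTDS Settings objects under CN=Sites whose serverReference points at a computer object that no longer exists, and NS records in the zone that still name the stale DC. It assumes an admin workstation with the ActiveDirectory and DnsServer RSAT modules (Windows Server 2008 R2 / 2012 or later); the DC name and zone name are parameters you supply.

```powershell
# Report stale DC references in AD Sites and in DNS before/after ntdsutil metadata cleanup.
# Added example; assumes RSAT ActiveDirectory + DnsServer modules and a domain admin context.
param(
    [Parameter(Mandatory)] [string] $StaleDcName,          # e.g. "OPS-DC" (the name from the thread)
    [Parameter(Mandatory)] [string] $ZoneName,             # AD DNS zone, e.g. "domainabc.local" (placeholder)
    [string] $DnsServer = $env:COMPUTERNAME                 # DNS server to query (assumption: local host)
)
Import-Module ActiveDirectory
Import-Module DnsServer

$configNc = (Get-ADRootDSE).configurationNamingContext
$sitesDn  = "CN=Sites,$configNc"

# 1. Server objects in any site whose CN matches the stale DC name.
$serverObjs = Get-ADObject -SearchBase $sitesDn `
    -LDAPFilter "(&(objectClass=server)(cn=$StaleDcName))" -Properties serverReference

foreach ($s in $serverObjs) {
    # serverReference should point at a live computer object; if it does not, this is orphaned metadata.
    $computerExists = $false
    if ($s.serverReference) {
        try { Get-ADObject -Identity $s.serverReference -ErrorAction Stop | Out-Null; $computerExists = $true }
        catch { $computerExists = $false }
    }
    [pscustomobject]@{ Kind = 'SitesServer'; Name = $s.DistinguishedName; ComputerExists = $computerExists }

    # An nTDSDSA (NTDS Settings) child means the KCC still treats it as a replication partner,
    # which is what produces the 1925 "replication link" errors against a DC that is gone.
    Get-ADObject -SearchBase $s.DistinguishedName -SearchScope OneLevel -LDAPFilter "(objectClass=nTDSDSA)" |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'NTDSSettings'; Name = $_.DistinguishedName; ComputerExists = $computerExists }
        }
}

# 2. NS records in the zone that still name the stale DC (the "Name Servers" tab entries to remove).
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType NS |
    Where-Object { $_.RecordData.NameServer -like "$StaleDcName.*" } |
    ForEach-Object {
        [pscustomobject]@{ Kind = 'DnsNS'; Name = $_.RecordData.NameServer; ComputerExists = $null }
    }
```

Run it once before the cleanup to see what will be removed and once afterwards to confirm nothing is left; an empty result after cleanup is what you want before re-promoting.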


Check on the new DC that someone has not created a DNS zone as a primary zone (not AD integrated) that is the same as your AD DNS zone. If there is one, delete it and restart DNS.  If it is AD integrated, do not delete it.
BzowK (Author) commented:
Thanks Guys!

I went through all the steps to delete the metadata.  I can't believe that I've never seen that in all of my experience.

eridzone:  I followed your instructions to the letter which were perfect, but I do have a question.

Before, I mentioned that my manager who created the server did something wrong or decided to change the name - anyways - as you know by now, the hostname of the troublesome server is "OPSDC."  In everything including DNS and AD Sites & Services, there is an "OPSDC" & an "OPS-DC." "OPS-DC" does not exist as I cannot ping it or even find a record for it as a computer in AD.

When I followed your metadata instructions, I removed all of the "OPS-DC" references, but left the "OPSDC" (correct name) ones.  After re-reading your post, should I go ahead and remove BOTH "OPS-DC" and "OPSDC," to basically start all over and then repromote as you mentioned at the end?

Either way, please suggest the best way to re-promote given the scenario.

Thanks again for your help -
BzowK (Author) commented:
After deleting the OPS-DC, I still had trouble so I went ahead and deleted the OPSDC too with plans to re-promote.  Followed your instructions as well as the similar ones from:

I restarted OPSDC and ran "dcpromo."  After clicking the first "Next", the next prompt I get is asking me to Remove Active Directory. (Screenshot #1)

I didn't go any further.

Did I miss a step while doing all of this?  Thanks!
How many DCs do you have?

If you want to do it from scratch then it's fine, you are on the right track. Just don't tick the checkbox "This server is the last domain controller in the domain", or to play safe try to run dcpromo /forceremoval and after that repeat the same metadata cleanup exercise as you did for the previous DC.

After that, wait until all your DCs have updated this change, then try to promote using the same name, or if you are in a hurry just rename the machine and promote it using a new name.

Before promotion of a new DC always check the machine doesn't have any viruses or corrupted system files; if possible do it by re-installation of the OS, patches and updated antivirus.
Don't tick the box and just continue on.