Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read the full disclaimer for more details.

Event ID: 1411 is logged on a domain controller that is running Microsoft Windows Server 2003 or Microsoft Windows 2000

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows registry

Symptoms

The following event is logged in the Directory Service event log on a domain controller that is running Microsoft Windows Server 2003 or Microsoft Windows 2000:

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1411
Date: Date
Time: Time
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ComputerName
Description:
Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.

Domain controller:
Server_GUID._msdcs.DnsForestName

The call was denied. Communication with this domain controller might be affected.

Additional Data

Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Cause

This problem may occur if the source domain controller cannot find the domain controllers that it requires to replicate changes. These domain controllers are listed in the repsTo attribute of the directory partition object. This situation may occur for the following reasons:
  • A replication connection object to a domain controller in the same forest was not created. This situation may occur for one of the following reasons:
    • Active Directory was removed from the remote domain controller.
    • The remote domain controller is orphaned.
    • The remote domain controller is missing service principal names (SPNs) on its computer object.
  • The required NTDS Settings object does not appear for a server in Active Directory Sites and Services. Therefore, a replication connection was not automatically established between the local domain controller and a remote domain controller. The remote domain controller may be in the same domain or in another trusted domain.
When a domain controller sends change notifications to its replication partner domain controllers in the domain, the domain controller keeps a list of domain controllers in the repsTo attribute for the directory partition object. In Windows Server 2003, the Knowledge Consistency Checker (KCC) removes domain controllers from this list if they do not replicate for more than 24 hours. The removal process occurs at set intervals as one of the last steps in KCC processing.

Resolution

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, reduce the time that the Knowledge Consistency Checker waits to remove unavailable domain controllers from the list of outgoing change notifications. Then, create replication links for the domain controllers that are missing from the list.

To reduce the time that KCC waits, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type RepsTo Failure Time (sec) to name the new value, and then press ENTER.
  5. Right-click RepsTo Failure Time (sec), and then click Modify.
  6. In the Value data box, type 60, and then click OK.
  7. Exit Registry Editor.
  8. Click Start, click Run, type cmd, and then click OK.
  9. At the command prompt, type repadmin /kcc, and then press ENTER.

    This command removes the unavailable domain controller from the list of outgoing change notifications. This command also forces the KCC to recalculate the replication topology for the unavailable domain controller.
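The same steps, as an added example that is not part of the KB article: a cmd.exe batch script that uses reg.exe instead of Registry Editor and then runs repadmin /kcc. It assumes it is run from an elevated command prompt on the affected domain controller with Windows Support Tools installed, and it exports the NTDS Parameters key first because the article asks for a registry backup before any change. The backup file name is the script's own choice.

```batch
@echo off
REM Added example, not from the KB article: apply the "reduce the KCC wait" steps
REM with reg.exe and repadmin.exe. Assumes an elevated prompt on the domain
REM controller and Windows Support Tools (repadmin.exe) on the PATH.
setlocal
set "NTDS_KEY=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
set "BACKUP=%TEMP%\ntds-parameters-backup.reg"

REM Back up the key before touching it, as the article requires.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%NTDS_KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Registry backup failed; aborting without changes.
    exit /b 1
)
echo Backup written to %BACKUP%

REM Record the value currently in effect, if any, so it can be restored later.
REM The query returns an error when the value does not exist yet; that is expected.
reg query "%NTDS_KEY%" /v "RepsTo Failure Time (sec)" 2>nul

REM Steps 3 to 6: create the DWORD value and set it to 60 seconds.
reg add "%NTDS_KEY%" /v "RepsTo Failure Time (sec)" /t REG_DWORD /d 60 /f
if errorlevel 1 (
    echo Failed to write "RepsTo Failure Time (sec)".
    exit /b 1
)

REM Step 9: run the KCC so unavailable domain controllers are removed from the
REM repsTo list and the replication topology is recalculated.
repadmin /kcc
if errorlevel 1 (
    echo repadmin /kcc reported an error; check the Directory Service event log.
    exit /b 1
)

REM Show the value that is now in effect.
reg query "%NTDS_KEY%" /v "RepsTo Failure Time (sec)"
endlocal
```

The article does not say to restore the original timeout, so the script only records it; the exported .reg file is the way back if the change has to be undone.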
Next, open Active Directory Sites and Services on the root domain controller for the domain. Then, examine the following folder:
Active Directory Sites and Services\Sites\Site Name\Servers\Server Name\NTDS Settings
All the domain controllers that are involved in replication appear in this folder. Use the repadmin /add command to create a replication link for each domain controller that is not listed. To do this, follow these steps:
  1. On the root domain controller, add the Replicator Allow SPN Fallback registry entry. When two-way authentication cannot be performed because an SPN cannot be resolved to a computer account, this registry entry lets Active Directory use one-way authentication. To add the registry entry, follow these steps.

    Note Perform steps 1 through 6 on the same root domain controller.
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type Replicator Allow SPN Fallback to name the new entry, and then press ENTER.
    5. Double-click Replicator Allow SPN Fallback, type 1 in the Value data box, and then click OK.
    6. Restart the domain controller.
  2. At a command prompt, type the following:
    repadmin /options RootFQDN +DISABLE_NTDSCONN_XLATE
    In this command, replace RootFQDN with the fully qualified domain name of the root domain controller.

    Note The Repadmin.exe tool is included in Windows Support Tools for Windows Server 2003 and for Windows 2000. For more information about how to install Windows Support Tools, visit the following Microsoft Web site:
  3. At the command prompt, type the following:
    repadmin /add CN=Configuration,DC=DomainName,DC=DomainName RootFQDN SourceFQDN
    In this command, replace DC=DomainName,DC=DomainName with the distinguished name components of the forest root domain, RootFQDN with the fully qualified domain name of the root domain controller, and SourceFQDN with the fully qualified domain name of the source domain controller that is not listed.
  4. At the command prompt, type repadmin /showreps, and then press ENTER.

    A successful incoming connection appears for the configuration naming context.
  5. Repeat steps 3 and 4 for other source domain controllers that are not listed in the NTDS Settings folder on the root domain controller.
  6. At the command prompt, type the following:
    repadmin /options RootFQDN -DISABLE_NTDSCONN_XLATE
  7. Remove the Replicator Allow SPN Fallback registry entry. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    3. In the details pane, right-click Replicator Allow SPN Fallback, click Delete, and then click OK.
  8. Force replication between all domain controllers in the root domain. To do this, follow these steps:
    1. On a domain controller in the root domain, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. Expand Sites, expand Servers, expand the ServerName folder, and then click NTDS Settings.
    3. Other domain controllers to replicate are listed in the details pane. Right-click the first domain controller in the list, click All Tasks, and then click Check Replication Topology to start the Knowledge Consistency Checker (KCC).

      An incoming connection object from one or more of the source domain controllers appears. You may have to update the display by pressing F5.

      Note You must follow these steps on each domain controller in the root domain.
  9. Let replication occur throughout the forest. Then, run the repadmin /showreps command on the root domain controller and on the other domain controllers in the domain. This step makes sure that Active Directory replication is successful.
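Steps 1 through 7 of this procedure, as an added example that is not part of the KB article: a cmd.exe batch script with two phases, because step 1 ends with a restart of the domain controller. The prepare phase adds the Replicator Allow SPN Fallback entry; the link phase runs the repadmin commands for every source domain controller you pass, then removes the fallback entry again so that mutual authentication is enforced as before. It assumes an elevated prompt on the root domain controller and Windows Support Tools on the PATH; the script name, argument layout and the example host names are placeholders chosen for this example. Steps 8 and 9 (Check Replication Topology in Active Directory Sites and Services, then repadmin /showreps everywhere) remain as described above.

```batch
@echo off
REM Added example, not from the KB article: script the "repadmin /add" procedure
REM with reg.exe and repadmin.exe. Assumes an elevated prompt on the root domain
REM controller and Windows Support Tools (repadmin.exe) on the PATH.
REM
REM   linkdc.cmd prepare
REM   linkdc.cmd link <RootFQDN> <ConfigDN> <SourceFQDN> [<SourceFQDN> ...]
REM
REM Placeholder values (not from the article):
REM   linkdc.cmd link dc1.corp.example.com "CN=Configuration,DC=corp,DC=example,DC=com" dc2.corp.example.com
setlocal
set "NTDS_KEY=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
set "FALLBACK=Replicator Allow SPN Fallback"

if /i "%~1"=="prepare" goto :prepare
if /i "%~1"=="link" goto :link
echo Usage: %~nx0 prepare ^| link ^<RootFQDN^> ^<ConfigDN^> ^<SourceFQDN^> [...]
exit /b 1

:prepare
REM Step 1: let replication fall back to one-way authentication while the missing
REM SPNs prevent mutual authentication. This relaxes a security check, so the link
REM phase removes the entry again once the links exist.
reg add "%NTDS_KEY%" /v "%FALLBACK%" /t REG_DWORD /d 1 /f || exit /b 1
echo Registry entry added. Restart this domain controller, then run "%~nx0 link ...".
exit /b 0

:link
if "%~4"=="" (
    echo link needs RootFQDN, ConfigDN and at least one SourceFQDN.
    exit /b 1
)
set "ROOT=%~2"
set "CONFIG_DN=%~3"

REM Refuse to continue if the prepare phase (and the restart) was skipped.
reg query "%NTDS_KEY%" /v "%FALLBACK%" >nul 2>&1 || (
    echo "%FALLBACK%" is not set; run "%~nx0 prepare" and restart first.
    exit /b 1
)

REM Step 2: stop the KCC from translating connection objects while links are added by hand.
repadmin /options %ROOT% +DISABLE_NTDSCONN_XLATE

REM Steps 3 to 5: create an inbound link for the configuration naming context from
REM every listed source domain controller, then show the resulting connections.
shift & shift & shift
:next
if "%~1"=="" goto :done
repadmin /add "%CONFIG_DN%" %ROOT% %~1
shift
goto :next
:done
repadmin /showreps

REM Steps 6 and 7: re-enable the translation and remove the fallback entry so that
REM mutual authentication is required again.
repadmin /options %ROOT% -DISABLE_NTDSCONN_XLATE
reg delete "%NTDS_KEY%" /v "%FALLBACK%" /f
endlocal
```

The ConfigDN argument must be quoted because cmd.exe treats the commas in a distinguished name as argument separators; the script quotes it again when it calls repadmin /add. Check the repadmin /showreps output for a successful incoming connection for the configuration naming context before moving on to step 8.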

More information

For more information about the Active Directory replication model, visit the following Microsoft Web site:
For more information about the Repadmin.exe tool, visit the following Microsoft Web site:
For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:
896722 Domain controllers receive a security descriptor for an object that does not match the security descriptor from the Windows Server 2003-based domain controller where the object was created
832851 Inbound replication fails on domain controllers with event ID: 1699, error 8451, or jet error -1601
914034 A new event error message is logged if you do not back up a Windows Server 2003 Service Pack 1-based domain controller in a given time period
911799 Error message in a Windows Server 2003-based domain or in a Windows 2000 Server-based domain: "The remote procedure call failed and did not run"
925633 You cannot replicate files from a Windows Server 2003-based domain controller and events are logged in the File Replication Service log
305476 Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders
887430 Orphaned child domain controller information may not be replicated to other Windows 2000 Server-based domain controllers

Keywords: kbnetwork, kbactivedirectoryrepl, kbtshoot, kbexpertiseinter, kbprb, KB938704

Article Info
Article ID : 938704
Revision : 4
Created on : 8/1/2007
Published on : 8/1/2007
Exists online : False
Views : 327