Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Event ID: 1411 is logged on a domain controller that is running Microsoft Windows Server 2003 or Microsoft Windows 2000


View products that this article applies to.

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows registry

↑ Back to the top


Symptoms

The following event is logged in the Directory Service event log on a domain controller that is running Microsoft Windows Server 2003 or Microsoft Windows 2000:

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1411
Date: Date
Time: Time
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ComputerName
Description:
Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.

Domain controller:
Server_GUID._msdcs.DnsForestName

The call was denied. Communication with this domain controller might be affected.

Additional Data

Error value:
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

↑ Back to the top


Cause

This problem may occur if the source domain controller cannot find the domain controllers that it requires to replicate changes. These domain controllers are listed in the repsTo attribute of the directory partition object. This situation may occur for the following reasons:
  • A replication connection object to a domain controller in the same forest was not created. This situation may occur for one of the following reasons:
    • Active Directory was removed from the remote domain controller.
    • The remote domain controller is orphaned.
    • The remote domain controller is missing service principal names (SPNs) on its computer object.
  • The required NTDS Settings object does not appear for a server in Active Directory Sites and Services. Therefore, a replication connection was not automatically established between the local domain controller and a remote domain controller. The remote domain controller may be in the same domain or in another trusted domain.
When a domain controller sends change notifications to its replication partner domain controllers in the domain, the domain controller keeps a list of domain controllers in the repsTo attribute for the directory partition object. In Windows Server 2003, the Knowledge Consistency Checker (KCC) removes domain controllers from this list if they do not replicate for more than 24 hours. The removal process occurs at set intervals as one of the last steps in KCC processing.

↑ Back to the top


Resolution

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, reduce the time that the Knowledge Consistency Checker waits to remove unavailable domain controllers from the list of outgoing change notifications. Then, create replication links for the domain controllers that are missing from the list.

To reduce the time that KCC waits, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type RepsTo Failure Time (sec) to name the new value, and then press ENTER.
  5. Right-click RepsTo Failure Time (sec), and then click Modify.
  6. In the Value data box, type 60, and then click OK.
  7. Exit Registry Editor.
  8. Click Start, click Run, type cmd, and then click OK.
  9. At the command prompt, type repadmin /kcc, and then press ENTER.

    This command removes the unavailable domain controller from the list of outgoing change notifications. This command also forces the KCC to recalculate the replication topology for the unavailable domain controller.
Next, open Active Directory Sites and Services on the root domain controller for the domain. Then, examine the following folder:
Active Directory Sites and Services\Sites\Site Name\Servers\Server Name\NTDS Settings
All the domain controllers that are involved in replication appear in this folder. Use the repadmin /add command to create a replication link for each domain controller that is not listed. To do this, follow these steps:
  1. On the root domain controller, add the Replicator Allow SPN Fallback registry entry. When two-way authentication cannot be performed because an SPN cannot be resolved to a computer account, this registry entry lets Active Directory use one-way authentication. To add the registry entry, follow these steps.

    Note Perform steps a through f on the same root domain controller.
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type Replicator Allow SPN Fallback to name the new entry, and then press ENTER.
    5. Double-click Replicator Allow SPN Fallback, type 1 in the Value data box, and then click OK.
    6. Restart the domain controller.
  2. At a command prompt, type the following:
    repadmin /options RootFQDN +DISABLE_NTDSCONN_XLATE
    In this command, replace RootFQDN with the fully qualified domain name of the root domain controller.

    Note The Repadmin.exe tool is included in Windows Support Tools for Windows Server 2003 and for Windows 2000. For more information about how to install Windows Support Tools, visit the following Microsoft Web site:
  3. At the command prompt, type the following:
    repadmin /add CN=Configuration,DC=DomainName,DC=DomainName RootFQDN SourceFQDN
  4. At the command prompt, type repadmin /showreps, and then press ENTER.

    A successful incoming connection appears for the configuration naming context.
  5. Repeat steps 3 and 4 for other source domain controllers that are not listed in the NTDS Settings folder on the root domain controller.
  6. At the command prompt, type the following:
    repadmin /options RootFQDN -DISABLE_NTDSCONN_XLATE
  7. Remove the Replicator Allow SPN Fallback registry entry. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    3. In the details pane, right-click Replicator Allow SPN Fallback, click Delete, and then click OK.
  8. Force replication between all domain controllers in the root domain. To do this, follow these steps:
    1. On a domain controller in the root domain, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
    2. Expand Sites, expand Servers, expand the ServerName folder, and then click NTDS Settings.
    3. Other domain controllers to replicate are listed in the details pane. Right-click the first domain controller in the list, click All Tasks, and then click Check Replication Topology to start the Knowledge Consistency Checker (KCC).

      An incoming connection object from one or more of the source domain controllers appears. You may have to update the display by pressing F5.

      Note You must follow these steps on each domain controller in the root domain.
  9. Let replication occur throughout the forest. Then, run the repadmin /showreps command on the root domain controller and on the other domain controllers in the domain. This step makes sure that Active Directory replication is successful.

↑ Back to the top


More information

For more information about the Active Directory replication model, visit the following Microsoft Web site:For more information about the Repadmin.exe tool, visit the following Microsoft Web site: For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:
896722� Domain controllers receive a security descriptor for an object that does not match the security descriptor from the Windows Server 2003-based domain controller where the object was created
832851� Inbound replication fails on domain controllers with event ID: 1699, error 8451, or jet error -1601
914034� A new event error message is logged if you do not back up a Windows Server 2003 Service Pack 1-based domain controller in a given time period
911799� Error message in a Windows Server 2003-based domain or in a Windows 2000 Server-based domain: "The remote procedure call failed and did not run"
925633� You cannot replicate files from a Windows Server 2003-based domain controller and events are logged in the File Replication Service log
305476� Initial synchronization requirements for Windows 2000 Server and Windows Server 2003 operations master role holders
887430� Orphaned child domain controller information may not be replicated to other Windows 2000 Server-based domain controllers

↑ Back to the top


Keywords: kbnetwork, kbactivedirectoryrepl, kbtshoot, kbexpertiseinter, kbprb, KB938704

↑ Back to the top

Article Info
Article ID : 938704
Revision : 4
Created on : 8/1/2007
Published on : 8/1/2007
Exists online : False
Views : 352