AD Replication issue - NTDS Replication - error 1645
Hello All,
I would need some assistance with the following problem. Two of my domain controllers
are logging error NTDS Replication 1645. (Active Directory did not perform an authenticated
remote procedure call (RPC) to another domain controller because the desired
service principal name (SPN) for the destination domain controller is not
registered on the Key Distribution Center (KDC) domain controller that resolves
the SPN.)
The configuration is as follows. I have one domain forest, one parent and four
child domains on multiple sites.
The problem began when I added a parent-domain RODC to a remote site (an actual AD site) that hosts
the child domain with two RWDCs (Server 2003) for the child domain. (I added the RODC
because it is the only domain controller that will remain in the future.
The child domain will be migrated to the parent domain and its domain controllers will be
demoted.)
All replication and authentication seems to work fine. RepAdmin /SyncAll on all
involved DCs completes without errors. RepAdmin /ShowRepl completes on
all without errors. DcDiag completes on the RODC without errors. DcDiag on the RWDCs
for the child domain completes successfully for every test except kccevent.
I would be grateful for any suggestions on how to solve this problem (remove errors).
My guess is that the RWDCs are not allowed to sync/replicate from the RODC and
are constantly trying to sync from the RODC because they are in the same AD site.
Thanks.
BR, Luka
February 29th, 2012 4:20am
NTDS Replication Error
Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1645
Date: 11/29/2010
Time: 10:04:26 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Server Name
Description:
Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
-The event is caused when W2K8 RODCs ask (full) W2K3 DCs to provide change notification.
-This event may indicate that full DCs and RODCs are in the same AD site.
-Do not add the e351 AD replication SPN for the RODC as implied by the message text for the 1645 event. RODCs do not register the replication SPN.
-If the existence of the full DC in the same AD site as the RODC is temporary, ignore this event. Otherwise, place full DCs and RODCs in different AD sites.
TechNet:
http://technet.microsoft.com/de-de/library/cc742416(WS.10).aspx (event id 1645)
Also, have you read this?
http://ng.networkfoo.org/server-infrastructure/microsoft/windows/active-directory-did-not-perform-authenticated-remote-proced
Hi,
Marc
February 29th, 2012 8:37am
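A PowerShell check for the conditions described in the answer above, added here as an example and not part of either post: it groups the forest's domain controllers by site, flags sites that mix an RODC with writable DCs (and the Server 2003 global catalog case from the TechNet note in particular), verifies that the RODC computer account carries no replication SPN (so nobody is tempted to add one), and pulls recent 1645 events from the writable DCs in those sites. It assumes the ActiveDirectory RSAT module and a domain-admin session on a domain-joined host; the E3514235-... prefix is the Active Directory replication SPN class that the "e351" in the TechNet text refers to.

```powershell
# Added example for this thread (not code from the original posts).
# Assumes: ActiveDirectory RSAT module, domain-admin rights, domain-joined host.
Import-Module ActiveDirectory

# Replication SPN class that the 1645 event text points at ("e351..." in the TechNet note).
$ReplSpnPrefix = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/'

# 1. Every DC in the forest, with the attributes we need to reason about 1645
$forest = Get-ADForest
$dcs = foreach ($dom in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $dom |
        Select-Object HostName, Domain, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem
}

# 2. Sites containing both an RODC and a writable DC: the layout TechNet says triggers 1645
$mixedSites = $dcs | Group-Object Site | Where-Object {
    ($_.Group | Where-Object { $_.IsReadOnly }) -and
    ($_.Group | Where-Object { -not $_.IsReadOnly })
}

foreach ($site in $mixedSites) {
    Write-Host "Site '$($site.Name)' holds both RODC(s) and writable DC(s):"
    $site.Group | Format-Table HostName, Domain, IsReadOnly, IsGlobalCatalog, OperatingSystem -AutoSize

    # The specific combination the TechNet warning names: a Server 2003 GC sharing the site with an RODC
    $site.Group |
        Where-Object { -not $_.IsReadOnly -and $_.IsGlobalCatalog -and $_.OperatingSystem -like '*2003*' } |
        ForEach-Object {
            Write-Warning "$($_.HostName) is a Server 2003 global catalog in a site with an RODC; event 1645 is expected here until one of them moves."
        }
}

# 3. Confirm the RODC does NOT carry the replication SPN. The event text implies adding it;
#    TechNet says not to, because RODCs never register it.
foreach ($rodc in ($dcs | Where-Object { $_.IsReadOnly })) {
    $acct = Get-ADComputer -Identity ($rodc.HostName.Split('.')[0]) -Server $rodc.Domain -Properties servicePrincipalName
    $replSpns = @($acct.servicePrincipalName | Where-Object { $_ -like "$ReplSpnPrefix*" })
    if ($replSpns.Count -gt 0) {
        Write-Warning "$($rodc.HostName) unexpectedly has replication SPN(s): $($replSpns -join ', ')"
    } else {
        Write-Host "$($rodc.HostName): no $ReplSpnPrefix* SPN registered, as expected for an RODC."
    }
}

# 4. Recent 1645 events on the writable DCs in the mixed sites.
#    Get-EventLog (classic event log over RPC) is used rather than Get-WinEvent so that
#    Server 2003 DCs, which lack the newer Windows Event Log service, can be queried too.
$writableInMixedSites = $mixedSites | ForEach-Object { $_.Group } | Where-Object { -not $_.IsReadOnly }
foreach ($dc in $writableInMixedSites) {
    try {
        $events = Get-EventLog -LogName 'Directory Service' -ComputerName $dc.HostName -Newest 500 -ErrorAction Stop |
            Where-Object { $_.EventID -eq 1645 } |
            Select-Object -First 5
        if ($events) {
            Write-Host "$($dc.HostName): most recent NTDS Replication 1645 events:"
            $events | Select-Object TimeGenerated, MachineName, Message | Format-List
        } else {
            Write-Host "$($dc.HostName): no 1645 events in the last 500 Directory Service entries."
        }
    } catch {
        Write-Host "$($dc.HostName): could not read the Directory Service log ($($_.Exception.Message))"
    }
}
```

Run it once from any member server with RSAT; a site that prints in step 2 with no SPN warning in step 3 matches exactly the situation in the original post, and the only real fixes are the ones TechNet gives (move the RODC or the full DCs to a separate site, or wait until the full DCs are demoted), not an SPN change.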
OK. Thanks. My thoughts exactly. I just needed some sort of confirmation.
-The event is caused when W2K8 RODCs ask (full) W2K3 DCs to provide change notification.
-This event may indicate that full DCs and RODCs are in the same AD site.
-Do not add the e351 AD replication SPN for the RODC as implied by the message text for the 1645 event. RODCs do not register the replication SPN.
-If the existence of the full DC in the same AD site as the RODC is temporary, ignore this event. Otherwise, place full DCs and RODCs in different AD sites.
-It is caused by W2K8 RODCs request.
-They are in the same AD site.
-Found this post and procedures but didn't want to follow it (it didn't seem right)
-It is a temporary state. I have decided to ignore this event until the full DCs are demoted. I thought of that too and it is a good idea, but it involves a lot of client configuration (diverting clients to a separate subnet)
Thanks for this post. I was looking for it but missed it somehow.
TechNet:
http://technet.microsoft.com/de-de/library/cc742416(WS.10).aspx (event id 1645)
Just a warning to other post readers.
This event is logged on a domain controller that runs Windows Server 2003 if the domain controller is a global catalog server and an RODC is in the same site. This configuration is not recommended but could be a temporary situation during an upgrade of a site.
February 29th, 2012 9:45am