AD Replication issue - NTDS Replication - error 1645
Hello All, I would need some assistance with my following problem. Two of my domain controllers are registering error NTDS REPLICATION 1645. (Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.)

The configuration is as follows. I have one domain forest, one parent and four child domains on multiple sites. The problem began when I added a parent domain RODC to a remote site (actual AD site) that hosts a child domain with two RWDCs (Server 2003) for the child domain. (I have added the RODC because this is the only domain controller that will remain in the future. The child domain will be migrated to the parent domain and its domain controllers will be demoted.)

All replications and authentications seem to work fine. RepAdmin /SyncAll on all involved DCs is completed without errors. RepAdmin /ShowRepl is completed on all without errors. DcDiag is completed on the RODC without errors. DcDiag on the RWDCs for the child domain is completed successfully for all but kccevent.

I would be grateful for any suggestions on how to solve this problem (remove errors). My guess for this problem is that RWDCs are not allowed to sync/replicate from the RODC and are constantly trying to sync from the RODC because they are in the same AD SITE.

Thanks.
BR, Luka
February 29th, 2012 4:20am

NTDS Replication Error
Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1645
Date: 11/29/2010
Time: 10:04:26 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Server Name
Description: Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

- The event is caused when W2K8 RODCs ask (full) W2K3 DCs to provide change notification.
- This event may indicate that full DCs and RODCs are in the same AD site.
- Do not add the e351 AD replication SPN for the RODC as implied by the message text for the 1645 event. RODCs do not register the replication SPN.
- If the existence of the full DC in the same AD site as the RODC is temporary, ignore this event. Otherwise, place full DCs and RODCs in different AD sites.

technet: http://technet.microsoft.com/de-de/library/cc742416(WS.10).aspx (event id 1645)

Then, have you read this: http://ng.networkfoo.org/server-infrastructure/microsoft/windows/active-directory-did-not-perform-authenticated-remote-proced ?

Hi, Marc
February 29th, 2012 8:37am

OK. Thanks. My thoughts exactly. I just needed some sort of confirmation.

- The event is caused when W2K8 RODCs ask (full) W2K3 DCs to provide change notification.
- This event may indicate that full DCs and RODCs are in the same AD site.
- Do not add the e351 AD replication SPN for the RODC as implied by the message text for the 1645 event. RODCs do not register the replication SPN.
- If the existence of the full DC in the same AD site as the RODC is temporary, ignore this event. Otherwise, place full DCs and RODCs in different AD sites.

- It is caused by the W2K8 RODC's request.
- They are in the same AD site.
- Found this post and procedures but didn't want to follow it (didn't seem right).
- It is a temporary status. I have decided to ignore this event until the full DCs are demoted.

Thought of that also and it is a good idea, but it is followed by a lot of client configuration (diverting clients to a separate subnet).

Thanks for this post. I was looking for it but missed it somehow.
technet: http://technet.microsoft.com/de-de/library/cc742416(WS.10).aspx (event id 1645)

Just a warning to other post readers. This event is logged on a domain controller that runs Windows Server 2003 if the domain controller is a global catalog server and an RODC is in the same site. This configuration is not recommended but could be a temporary situation during an upgrade of a site.
February 29th, 2012 9:45am
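The condition both posts describe (a writable Server 2003 DC, typically a global catalog, sharing an AD site with an RODC) can be checked across the forest with a short script. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and permission to read the Directory Service log on the writable DCs.

```powershell
# Added example (not from the thread): find AD sites that contain both an RODC
# and a writable DC, then count recent NTDS Replication 1645 events on the
# writable DCs in those sites. Assumes the RSAT ActiveDirectory module is
# installed and the caller can read the remote Directory Service event log.
Import-Module ActiveDirectory

# Enumerate every DC in the forest, child domains included
$forest = Get-ADForest
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

# Sites holding at least one RODC and at least one writable DC
$mixedSites = $dcs | Group-Object Site | Where-Object {
    ($_.Group | Where-Object { $_.IsReadOnly }) -and
    ($_.Group | Where-Object { -not $_.IsReadOnly })
}

if (-not $mixedSites) {
    Write-Host 'No site contains both an RODC and a writable DC.'
}

foreach ($site in $mixedSites) {
    Write-Host "Site $($site.Name) mixes RODC and writable DCs:"
    $site.Group | Sort-Object IsReadOnly |
        Select-Object HostName, Domain, IsReadOnly, IsGlobalCatalog, OperatingSystem |
        Format-Table -AutoSize

    # The writable DCs are the ones that log 1645; count hits from the last 24h.
    # Get-EventLog is used rather than Get-WinEvent so Server 2003 DCs can be read.
    $writable = $site.Group | Where-Object { -not $_.IsReadOnly }
    foreach ($dc in $writable) {
        try {
            $hits = Get-EventLog -ComputerName $dc.HostName -LogName 'Directory Service' `
                -Source 'NTDS Replication' -After (Get-Date).AddDays(-1) -ErrorAction Stop |
                Where-Object { $_.EventID -eq 1645 }
            Write-Host "  $($dc.HostName): $(@($hits).Count) x event 1645 in the last 24h"
        } catch {
            Write-Warning "  $($dc.HostName): could not read Directory Service log ($_)"
        }
    }
}
```

A site listed here with a non-zero count is the expected (and, per the thread, ignorable) state while the full DCs await demotion; the fix if it is not temporary is to separate the RODC and the full DCs into different sites, not to register an SPN.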
