DCDiag Error KDC-SPN

[Tom]

I have the following error when running dcdiag on one of my Domain Controller
(server B2).

Kerberos error. The KDC could not find the SPN for the server (server A1).

The source domain controller (server A1) is on different domain but on the
same forest.

Ping both way and nslookup is working. Netdiag also shows no error.

I got event id:1645, category: DS RPC Client which i think it related.
Active directory did not perform an authenticated remote procedure call (RPC)
to another domain controller because the desired service principal name (SPN)
fro the destination domain controller is not registered on the Key
Distribution center (KDC) domain controller that resolves the SPN.

I believe my replication is not working well.
What can I do to troubleshoot this?

Regards,
Tom

[admp.team@gmail.com]

Hi,

Please look into this KB

http://support.microsoft.com/kb/q257844/

Adam,
ADManager Plus Team.

On Feb 27, 10:17 am, Tom <T...@discussions.microsoft.com> wrote:
> I have the following error when running dcdiag on one of my Domain Controller
> (server B2).
>
> Kerberos error. The KDC could not find the SPN for the server (server A1).
>
> The source domain controller (server A1) is on different domain but on the
> same forest.
>
> Ping both way and nslookup is working. Netdiag also shows no error.
>
> I got event id:1645, category: DS RPC Client which i think it related.
> Active directory did not perform an authenticated remote procedure call (RPC)
> to another domain controller because the desired service principal name (SPN)
> fro the destination domain controller is not registered on the Key
> Distribution center (KDC) domain controller that resolves the SPN.
>
> I believe my replication is not working well.
> What can I do to troubleshoot this?
>
> Regards,
> Tom

[Tom]

Hi,

I am using windows 2003 sp1 as domain controller, is it still apply?

"admp.team@gmail.com" wrote:

> Hi,
>
> Please look into this KB
>
> http://support.microsoft.com/kb/q257844/
>
> Adam,
> ADManager Plus Team.
>
> On Feb 27, 10:17 am, Tom <T...@discussions.microsoft.com> wrote:
> > I have the following error when running dcdiag on one of my Domain Controller
> > (server B2).
> >
> > Kerberos error. The KDC could not find the SPN for the server (server A1).
> >
> > The source domain controller (server A1) is on different domain but on the
> > same forest.
> >
> > Ping both way and nslookup is working. Netdiag also shows no error.
> >
> > I got event id:1645, category: DS RPC Client which i think it related.
> > Active directory did not perform an authenticated remote procedure call (RPC)
> > to another domain controller because the desired service principal name (SPN)
> > fro the destination domain controller is not registered on the Key
> > Distribution center (KDC) domain controller that resolves the SPN.
> >
> > I believe my replication is not working well.
> > What can I do to troubleshoot this?
> >
> > Regards,
> > Tom
>
>
>

[admp.team@gmail.com]

Did you migrate it from 2K or Do you have any 2K DCs in your
environment.

Adam,
ADManager Plus Team.

On Feb 27, 1:27 pm, Tom <T...@discussions.microsoft.com> wrote:
> Hi,
>
> I am using windows 2003 sp1 as domain controller, is it still apply?
>
> "admp.t...@gmail.com" wrote:
> > Hi,
>
> > Please look into this KB
>
> >http://support.microsoft.com/kb/q257844/
>
> > Adam,
> > ADManager Plus Team.
>
> > On Feb 27, 10:17 am, Tom <T...@discussions.microsoft.com> wrote:
> > > I have the following error when running dcdiag on one of my Domain Controller
> > > (server B2).
>
> > > Kerberos error. The KDC could not find the SPN for the server (server A1).
>
> > > The source domain controller (server A1) is on different domain but on the
> > > same forest.
>
> > > Ping both way and nslookup is working. Netdiag also shows no error.
>
> > > I got event id:1645, category: DS RPC Client which i think it related.
> > > Active directory did not perform an authenticated remote procedure call (RPC)
> > > to another domain controller because the desired service principal name (SPN)
> > > fro the destination domain controller is not registered on the Key
> > > Distribution center (KDC) domain controller that resolves the SPN.
>
> > > I believe my replication is not working well.
> > > What can I do to troubleshoot this?
>
> > > Regards,
> > > Tom

[Paul Williams [MVP]]

What SPN is missing? The error should be more specific than that. If the
SPN is missing, you can usually recreate using SETSPN or script or ADSIEDIT
or whatever.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

[Tom]

The problematic DC is a new 2003 DC, all DC seems to be 2003.

"admp.team@gmail.com" wrote:

> Did you migrate it from 2K or Do you have any 2K DCs in your
> environment.
>
> Adam,
> ADManager Plus Team.
>
> On Feb 27, 1:27 pm, Tom <T...@discussions.microsoft.com> wrote:
> > Hi,
> >
> > I am using windows 2003 sp1 as domain controller, is it still apply?
> >
> > "admp.t...@gmail.com" wrote:
> > > Hi,
> >
> > > Please look into this KB
> >
> > >http://support.microsoft.com/kb/q257844/
> >
> > > Adam,
> > > ADManager Plus Team.
> >
> > > On Feb 27, 10:17 am, Tom <T...@discussions.microsoft.com> wrote:
> > > > I have the following error when running dcdiag on one of my Domain Controller
> > > > (server B2).
> >
> > > > Kerberos error. The KDC could not find the SPN for the server (server A1).
> >
> > > > The source domain controller (server A1) is on different domain but on the
> > > > same forest.
> >
> > > > Ping both way and nslookup is working. Netdiag also shows no error.
> >
> > > > I got event id:1645, category: DS RPC Client which i think it related.
> > > > Active directory did not perform an authenticated remote procedure call (RPC)
> > > > to another domain controller because the desired service principal name (SPN)
> > > > fro the destination domain controller is not registered on the Key
> > > > Distribution center (KDC) domain controller that resolves the SPN.
> >
> > > > I believe my replication is not working well.
> > > > What can I do to troubleshoot this?
> >
> > > > Regards,
> > > > Tom
>
>
>

[Tom]

The DCdiag error said that the SPN for serverA1 that was missing.

Could you tell me how to do it?
When i run setspn -l domain\serverA1 it shows a list figures and numbers

Looks normal as if i run setspn -l serverB2

Regards,
Tommy

"Paul Williams [MVP]" wrote:

> What SPN is missing? The error should be more specific than that. If the
> SPN is missing, you can usually recreate using SETSPN or script or ADSIEDIT
> or whatever.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>

[Paul Williams [MVP]]

Have a look at this for more info.:
--
http://technet2.microsoft.com/Window....mspx?mfr=true


Compare one DC against another DC to see what you need.

Come back if you need more help. I don't have SETSPN (or any of the tools I
like and need on Vista so will need to fire up some VMs).

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

[Tom]

The error happens to synchronization between DC in different domain. Both
domain are actually child domain (first Level)

From server B2 when i run setspn domain\serverA1 it shows registered
serviceprincipalNames for cn=serverA1,Ou=domain
controller,dc=domain,dc=main,dc=com:
..........................................................etc
..........................................................etc

The same result i got when running setspn serverA1 from serverA1 itself.

It shows around 17 line.

The last successful replications is over 2 months ago, could it be related?

Regards,
Tom

"Paul Williams [MVP]" wrote:

> Have a look at this for more info.:
> --
> http://technet2.microsoft.com/Window....mspx?mfr=true
>
>
> Compare one DC against another DC to see what you need.
>
> Come back if you need more help. I don't have SETSPN (or any of the tools I
> like and need on Vista so will need to fire up some VMs).
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>