Event ID 1645 — Replication Changes
Applies To: Windows Server 2008
The replication process in Active Directory Domain Services (AD DS) ensures that domain controllers are able to maintain a consistent and updated Active Directory database. Because the Active Directory database holds essential information about user, group, and computer accounts, as well as other resources and services and the network configuration, keeping this information consistent on all the domain controllers is important. Failure of the Active Directory replication process can result in the following problems:
- Failure of applications that rely on consistent Active Directory information to function properly
- Logon rejections
- Password change failures
- Network service failures
- Incorrect or outdated information retrieval
For more information, see How Active Directory Replication Topology Works (https://go.microsoft.com/fwlink/?LinkID=93526).
Event Details
Product: | Windows Operating System |
ID: | 1645 |
Source: | Microsoft-Windows-ActiveDirectory_DomainService |
Version: | 6.0 |
Symbolic Name: | DIRLOG_DRA_SPN_WRONG_TARGET_NAME |
Message: | AD_TERM did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN. Destination directory server: %1 SPN: %2 User Action Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated. . |
Resolve
Wait for the SPNs to be updated
This problem is most likely caused by a recent status change in a domain controller, such as a recent promotion. Another possibility is that a domain controller has a transient link error. Both of these situations should resolve themselves automatically in approximately 15 minutes. If the event appears after another 15 minutes, check the Service Principal Names (SPNs) on the domain controller that is reporting the event.
Perform the following procedure on the domain controllers that are hosting the partition that cannot be replicated.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To ensure that the SPNs are updated:
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Run the command setspn -l hostname, where hostname is the actual host name of the domain controller. This command displays the SPNs that the domain controller has registered.
- Ensure that the domain name in each SPN listing is correct.
- If the SPNs are not correct, run the command repadmin /syncall domainname, where domainname is the name of the domain of the domain controller.
- Wait 15 minutes, and then run the setspn -l hostname command again and review the registered SPNs.
If the SPNs not corrected automatically after the domain has fully replicated, correct the SPNs manually. For instructions for correcting the SPNs manually, see Setspn Overview (https://go.microsoft.com/fwlink/?LinkId=104232).
Verify
Perform the following tasks using the domain controller from which you want to verify that Active Directory replication is functioning properly.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To verify that Active Directory replication is functioning properly:
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Run the command repadmin /showrepl. This command displays the status reports on all replication links for the domain controller. Active Directory replication is functioning properly on this domain controller if all status messages report that the last replication attempt was successful.
If there are any indications of failure or error in the status report following the last replication attempt, Active Directory replication on the domain controller is not functioning properly. If the repadmin command reports that replication was delayed for a normal reason, wait and try repadmin again in a few minutes.