Join Log in
Score:0
POr avatar Server

New DC - AD Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired (SPN) f

fo flag
POr

I recently added a Windows Serevr 2019 DC to my domain which already has three DCs across two sites. The three existing DCs are Server 2012 R2 and the Domain and Forest levels are 2008 R2. The new DC is a a different site to the primary DC

When I run dcdiag /v on the primary DC I see the following error in the output

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
5BF411A7-E02F-419D-9B7E-FF82B1054046._msdcs.my_domain.local
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/5BF411A7-E02F-419D-9B7E-FF82B1054046/my_domain.local@my_domain.local
User Action
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server's account data to replicate to the KDC before this directory server can be authenticated.

When I run repadmin /sowrelp on the primary DC I get the following in relation to the new DC

Source: site2\new_dc
******* 1 CONSECUTIVE FAILURES since 2023-08-31 15:45:49
Last error: 1396 (0x574):
           The target account name is incorrect.
Naming Context: CN=Configuration,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=DomainDnsZones,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ForestDnsZones,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.

I tried to add the SPN by running the following command on the primary DC

   C:\Windows\system32>setspn -a E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local new_dc

And it returned the following

Checking domain DC=my_domain,DC=local
Registering ServicePrincipalNames for CN=new_dc,OU=Domain Controllers,DC=my_domain,DC=local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local
Updated object

However when I run repadmin /showrepl and dcdiag /v again on the primary DC I got the same errors as before.

When I ran setspn -l new_dc on the primary DC I got the following

C:\Windows\system32>setspn -l new_dc
Registered ServicePrincipalNames for CN=new_dc,OU=Domain Controllers,DC=my_domain,DC=local:
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/new_dc.my_domain.local
        WSMAN/new_dc
        WSMAN/new_dc.my_domain.local
        TERMSRV/new_dc
        TERMSRV/new_dc.my_domain.local
        RestrictedKrbHost/new_dc
        HOST/new_dc
        RestrictedKrbHost/new_dc.my_domain.local
        HOST/new_dc.my_domain.local

When I run the same command on the primary DC and refence the other DC (Server 2012 R2) in the same site as my new DC I get far more information, for example

C:\Windows\system32>setspn -l other_dc
Registered ServicePrincipalNames for CN=other_dc,OU=Domain Controllers,DC=my_domain,DC=local:
      NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/other_dc.my_domain.local
       exchangeAB/other_dc.my_domain.local
      GC/other_dc.my_domain.local/my_domain.local
      HOST/other_dc.my_domain.local/my_domain
      HOST/other_dc/my_domain
      RPC/0933d3c4-faa2-41ee-bca2-618d2295b503._msdcs.my_domain.local
      DNS/other_dc.my_domain.local
      exchangeAB/other_dc
      HOST/other_dc.my_domain.local/my_domain.local
      ldap/0933d3c4-faa2-41ee-bca2-618d2295b503._msdcs.my_domain.local
      ldap/other_dc/my_domain
      ldap/other_dc.my_domain.local/my_domain.local
      ldap/other_dc.my_domain.local/ForestDnsZones.my_domain.local
      ldap/other_dc.my_domain.local/DomainDnsZones.my_domain.local
      ldap/other_dc.my_domain.local
       ldap/other_dc
      ldap/other_dc.my_domain.local/my_domain
      E3514235-4B06-11D1-AB04-00C04FC2DCD2/0933d3c4-faa2-41ee-bca2-618d2295b503/my_domain.local
      Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/other_dc.my_domain.local
      WSMAN/other_dc.my_domain.local
      WSMAN/other_dc
      TERMSRV/other_dc
      TERMSRV/other_dc.my_domain.local
      RestrictedKrbHost/other_dc
       HOST/other_dc
      RestrictedKrbHost/other_dc.my_domain.local
      HOST/other_dc.my_domain.local

Also why is there far more details in the setspn -l for the other DC and not my new DC ? Why are all the ldap reference missing in the setspn -l output for the new DC ?

And why am I getting the replication and dcdiag errors

Thanks in advance POR

35
0 + 4
rpc
spn
cn flag
Greg Askew
It sounds like the promotion failed? What date was it promoted, and what date did the replication errors begin?
0
Reply
POr avatar
fo flag
POr
Promoted on 2023-08-29. I'm not sure when the errors began, for the first few days I was only looking at readmin /replsummary and that was all error free. If it was a failed promotion what would the solution be ?.
0
Reply
cn flag
Greg Askew
If you don't know if a promotion was successful it failed. Delete it in dssite.msc and wipe/promote another. You should also check the obvious. Full network connectivity/all ports to all the other DC's. Run `nltest /dsgetdc: domain.com /server:dcname` against each DC from the new member server.
0
Reply
POr avatar
fo flag
POr
Ok, I'll demote the new DC via dssite.msc and metadata cleanup if necessary. I'll delete the VM also and build a new one and promote that and see what happens.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.