Event ID 1411 — SPN Generation
Applies To: Windows Server 2008 R2
The client and the server verify their respective identities before replication occurs. This verification process is known as mutual authentication. The client verifies (that is, authenticates) the server's service by composing a Service Principal Name (SPN) using known data or data that is retrieved from sources other than the service itself.
When a domain controller sends change notifications to its replication-partner domain controllers in the domain, the domain controller keeps a list of domain controllers in the repsTo attribute for the directory partition object. The Knowledge Consistency Checker (KCC) typically removes domain controllers from this list if they do not replicate for more than 24 hours. The removal process occurs at set intervals as one of the last steps in KCC processing.
Event Details
| Field | Value |
|---|---|
| Product | Windows Operating System |
| ID | 1411 |
| Source | Microsoft-Windows-ActiveDirectory_DomainService |
| Version | 6.0 |
| Symbolic Name | DIRLOG_BUILD_SPN_FAILURE |
| Message | Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller. Domain controller: %1 The call was denied. Communication with this domain controller might be affected. Additional Data Error value: %3 %2 |
Resolve
Ensure that replication partners are accessible
Perform the following tasks using the domain controller that reported the issue.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To ensure that replication partners are accessible:
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Run the command repadmin /showreps. This command displays the current replication partners of the domain controller.
- On each domain controller that is identified as a replication partner, run the command dcdiag /fix. This command registers the appropriate service principal names (SPNs) for that domain controller.
- On each domain controller that is identified as a replication partner, run **dcdiag /test:OutboundSecureChannels /testdomain:domain**, where domain is the actual domain name of the domain controller that is reporting the error message. This command tests all secure channels for the domain controller.
- On the domain controller that is reporting this error, run repadmin /syncall domain, where domain is the actual domain name of the domain controller that is reporting the error message.
If the event message continues to appear in Event Viewer, see article 938704 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=104549) for additional troubleshooting steps.
Verify
Perform the following procedure using the domain controller from which you want to verify that Active Directory replication is functioning properly.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To verify that the appropriate Service Principal Names (SPNs) are generated:
- Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Run the command **dcdiag /test:outboundsecurechannels /s:computername /testdomain:domainname**. Substitute the actual names of the computer and the domain for computername and domainname, respectively. The command runs a series of tests. If all tests indicate success, the appropriate SPNs are registered.
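The following PowerShell script is an added example, not part of this Microsoft page, that automates the Resolve and Verify steps above: it reads the partner list from repadmin /showreps, runs the OutboundSecureChannels test against each partner, and reports which partners fail. It assumes an elevated prompt on the domain controller that logged the event, the standard repadmin /showreps output layout, and a parameter named $Domain (a name chosen for this example).

```powershell
# Added example: check every replication partner's secure channel.
# Assumes: elevated prompt on the reporting DC; repadmin.exe and dcdiag.exe on PATH.
param(
    # Domain of the DC reporting Event ID 1411 (parameter name is an assumption)
    [string]$Domain = $env:USERDNSDOMAIN
)

# repadmin /showreps lists each partner as an indented "<site>\<DC> via RPC" line
$showreps = repadmin /showreps 2>&1 | Out-String
$partners = [regex]::Matches($showreps, '(?m)^\s+[^\\\s]+\\(\S+) via RPC') |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique

if (-not $partners) {
    Write-Warning 'repadmin /showreps listed no replication partners; check connectivity first.'
    return
}

$results = foreach ($dc in $partners) {
    # dcdiag reports "... passed test OutboundSecureChannels" or "... failed test ..."
    $out = dcdiag /test:OutboundSecureChannels /s:$dc /testdomain:$Domain 2>&1 | Out-String
    $status = if ($out -match 'passed test OutboundSecureChannels') { 'passed' }
              elseif ($out -match 'failed test OutboundSecureChannels') { 'failed' }
              else { 'unknown' }
    [pscustomobject]@{ Partner = $dc; OutboundSecureChannels = $status }
}

$results | Format-Table -AutoSize

# Only partners that failed need the page's remediation (dcdiag /fix on that DC,
# then repadmin /syncall on the reporting DC)
$failed = $results | Where-Object OutboundSecureChannels -eq 'failed'
if ($failed) {
    Write-Warning ("Run 'dcdiag /fix' on: " + ($failed.Partner -join ', '))
}
```

Partners reported as unknown usually mean dcdiag could not reach the server at all, which is a connectivity problem to resolve before re-running the SPN checks.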