AD Replication problem

Microsoft Windows
Hi, any idea about the following error? I demoted an old server and turned it off, then promoted a new server with the same name/IP as the original in SITE1. The error message is popping up on a DC in SITE2. The GUID (below) belongs to the server which is turned off. Intersite replication in SITE1 seems to work OK. Any help appreciated.

Rgds
Bab

Event Type: Error
Event Source: NTDS Replication
Event Category: DS RPC Client
Event ID: 1411
Date: 10/10/2006
Time: 10:16:10 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MASTER
Description:
Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller.
Domain controller: be787d0a-ee7e-5f5e-4585-3e247cb4ccaa._msdcs.b.local
The call was denied. Communication with this domain controller might be affected.
Additional Data
Error value: 8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.
For more information, see Help and Support Center at

Answer Wiki


Yes I have a few ideas …

You cannot take a server offline and bring a new server online using the same name. The SID and GUID will not match in AD. You can do the following.

1. Demote the new server
2. Remove the new server from the domain.
3. Take the new server offline.
4. Reset the machine account in AD.
5. Bring the new server online.
6. Join the new server to the domain using the reset account.
7. DCPromo the machine again.

Follow these steps and it should work. If not, repeat steps 1-3, then delete the machine account. Use ADSI Edit to manually remove any metadata left from the old account. Wait for replication and then continue with steps 5-7.

Let us know how it turns out.


Discuss This Question: 2 Replies

  • BB11MAI
    Marcola, thanks for your reply, but the procedure I followed is almost as you outlined. Here is the procedure I followed:
    1. Made the new server ready (installed W2k3, named NEWDC, joined the domain) during business hours.
    2. Last night (outside business hours) ran DCPromo and demoted the old server (which was named DC2).
    3. Turned it off.
    4. Deleted the computer object (DC2) from AD and allowed 30 min for replication.
    5. Renamed NEWDC to DC2 and restarted.
    6. Reconfigured the IP settings DC2 had and restarted.
    7. Verified the DNS registration.
    8. Ran DCPromo and promoted the new server.
    9. Verified the DNS registration of NewGUID._msdcs.b.local.
    10. Verified the server replication, inter- and intra-site. (Checked the USN and up-to-dateness vector.) Looked OK (still OK!).
    There is NO error reported on the new server (DC2). However, on three other DCs (two intersite and one intrasite) the error referred to is being reported. My question is how I can get rid of this error being reported. How and where do I do the cleanup? Would be grateful if you/someone could put me in the correct direction. Babu
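The cleanup that Marcola's answer leaves to ADSI Edit, and that the follow-up above asks where to do, as an added PowerShell example (not code from the thread or from Microsoft): it queries the DC that logs event 1411 for server objects that lack a serverReference (the literal condition behind error 8589) and for the NTDS Settings object carrying the GUID from the event, checks that the GUID does not belong to the running DC2, and then deletes the stale server object with its children, which is what deleting it in ADSI Edit does. The ActiveDirectory RSAT module is assumed; the names MASTER and DC2, the forest b.local and the GUID are taken from the post and should be replaced with your own.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# the forest b.local and the names from the post (MASTER logs the event, DC2 is
# the re-promoted server), and that it runs against MASTER, because error 8589
# refers to that DC's own copy of the configuration partition.
Import-Module ActiveDirectory

$reportingDC = 'MASTER'
$liveDC      = 'DC2'
$staleGuid   = [guid]'be787d0a-ee7e-5f5e-4585-3e247cb4ccaa'   # GUID from the 1411 event

$configNC = (Get-ADRootDSE -Server $reportingDC).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# 1. Every server object in the configuration partition that has no
#    serverReference. Error 8589 is raised when the replication partner maps to
#    one of these, so this list is the set of candidates for cleanup.
$noRef = Get-ADObject -Server $reportingDC -SearchBase $sitesDN `
             -LDAPFilter '(&(objectClass=server)(!(serverReference=*)))' `
             -Properties serverReference, dNSHostName
"Server objects without serverReference on ${reportingDC}:"
$noRef | Format-Table DistinguishedName, dNSHostName -AutoSize

# 2. The NTDS Settings object whose objectGUID is the one in the event. That GUID
#    is the name the <GUID>._msdcs.b.local CNAME record carries, so it identifies
#    the DC instance, not the computer name (the old and new DC2 differ here).
$stale = Get-ADObject -Server $reportingDC -SearchBase $sitesDN `
             -LDAPFilter '(objectClass=nTDSDSA)' -Properties objectGUID |
         Where-Object { $_.objectGUID -eq $staleGuid }
if (-not $stale) {
    "No NTDS Settings object with GUID $staleGuid on $reportingDC; nothing to clean up here."
    return
}
# The server object is the parent of the NTDS Settings object.
$staleServerDN = $stale.DistinguishedName -replace '^CN=NTDS Settings,', ''

# 3. Safety check: the GUID must not be the one used by the DC that is running.
$liveNtdsDN = (Get-ADDomainController -Identity $liveDC -Server $reportingDC).NTDSSettingsObjectDN
$liveGuid   = (Get-ADObject -Server $reportingDC -Identity $liveNtdsDN -Properties objectGUID).objectGUID
if ($liveGuid -eq $staleGuid) {
    throw "GUID $staleGuid belongs to the live DC $liveDC; do not delete it."
}
"Stale server object: $staleServerDN (live $liveDC uses GUID $liveGuid)"

# 4. Delete the stale server object and everything under it (NTDS Settings,
#    connection objects). -WhatIf only reports; remove it once the output above
#    names the object you expect.
Remove-ADObject -Server $reportingDC -Identity $staleServerDN -Recursive -Confirm:$false -WhatIf

# 5. Afterwards, let the deletion replicate and confirm the partner list is clean:
#    repadmin /showrepl MASTER
```

Run it once, against one DC, and let the deletion replicate rather than deleting the object separately on every DC that logged the event; the GUID check in step 3 is the part that keeps a copy-paste run from removing the live DC2's own server object when the two share a name.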
  • Spadasoe
    try the following link:;en-us;232538
