"Service Principal Name" Errors

  • Thread starter Thread starter Ryan
  • Start date Start date
R

Ryan

Can anyone tell me what this error means and what can I do
to fix it?
I'm trying to upgrade a W2K member server to ADC only. But
I just get this error.
 
In
Ryan said:
Can anyone tell me what this error means and what can I do
to fix it?
I'm trying to upgrade a W2K member server to ADC only. But
I just get this error.
Click to expand...

What's the actual error? I am going to guess Event ID 1411?
If so, see this:
http://www.eventid.net/display.asp?eventid=1411&source=

FYI an SPN is based on the FQDN (DNS name) of the machine. If your DNS
client settings or DNS does not have the proper SRVs registered for the
domain, SPN errors and other errors are guaranteed to occur. Here's more
info on it below:

Service Principal Names:
http://msdn.microsoft.com/library/d...etdir/ad/how_a_service_registers_its_spns.asp

How Clients Compose a Service's SPN:
http://msdn.microsoft.com/library/d...how_clients_compose_a_serviceampaposs_spn.asp

How a Service Registers its SPNs:
http://msdn.microsoft.com/library/d...etdir/ad/how_a_service_registers_its_spns.asp

How a Client Authenticates an SCP-based Windows Sockets Service:
http://msdn.microsoft.com/library/d...ates_an_scp-based_windows_sockets_service.asp

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello Ace,

Thank you for your post.

I recommend to upgrade your Windows 2000 install and domain controllers to
Service Pack 4. Majority of Windows SPN issues dealing with registration
are corrected and prevented in Service Pack 4.

More Information:
==============
The most common problem with SPNs occur with replication. During the
Dcpromo process the machine will do a initial AD replication with a partner
DC. Each Domain Controller within Windows 2000 as a NTDS CNAME Record with
in DNS (example 3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com)
When a domain controller is promoted it will query DNS for this record to
locate a replication partner. Once the partner is found the machine will
use Kerberos authentication to connect to the service by locating a service
principal name (SPN) on the partner domain controller machine account. (In
this case the service is AD Replication so the SPN will look like
E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/my
(e-mail address removed))

308111 A Missing Service Principal Name May Prevent Domain Controllers from
http://support.microsoft.com/?id=308111

296993 "Logon Failure: The Target Account Name Is Incorrect" Error When
http://support.microsoft.com/?id=296993

Best Regards,

Ben Ybarra, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
In
Ben Ybarra said:
Hello Ace,

Thank you for your post.

I recommend to upgrade your Windows 2000 install and domain
controllers to Service Pack 4. Majority of Windows SPN issues dealing
with registration are corrected and prevented in Service Pack 4.

More Information:
==============
The most common problem with SPNs occur with replication. During the
Dcpromo process the machine will do a initial AD replication with a
partner DC. Each Domain Controller within Windows 2000 as a NTDS
CNAME Record with in DNS (example
3cb25b0f-3809-48fb-8571-59f4a2253846._msdcs.mydomain.com) When a
domain controller is promoted it will query DNS for this record to
locate a replication partner. Once the partner is found the machine
will use Kerberos authentication to connect to the service by
locating a service principal name (SPN) on the partner domain
controller machine account. (In this case the service is AD
Replication so the SPN will look like
E3514235-4B06-11D1-AB04-00C04FC2DCD2/3cb25b0f-3809-48fb-8571-59f4a2253846/my
(e-mail address removed))

308111 A Missing Service Principal Name May Prevent Domain
Controllers from http://support.microsoft.com/?id=308111

296993 "Logon Failure: The Target Account Name Is Incorrect" Error
When http://support.microsoft.com/?id=296993

Best Regards,

Ben Ybarra, Microsoft

Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.
Click to expand...

Hi Ben,

Thanks for responding. I hope the problems that Ryan is having is as simple
as needing the latest service pack. If it's not, can you recommend or
comment on the probably causes of his SPN problem?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top