| Event Id | 1411 |
| Source | NTDS Replication |
| Description | The Directory Service failed to construct a mutual authentication Service Principal Name (SPN) for server SERVERNAME. The call is denied. The error was: A Service Principal Name (SPN) could not be constructed because the provided hostname is not in the necessary format. The record data is the status code. Data: 0000: 6a 21 00 00 |
| Event Information | This information from some newsgroups may help you: ------------------------------------------------------------------------------ While the DNS server has only a single label name, all zones created will have default records (SOA and NS) created using only this single label name for the servers hostname. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name. To correct this problem: 1. open ControlPanel 2. open System applet 3. select NetworkIdentification tab 4. click the "Properties" button and enter a domain name or workgroup name; this name will be used as your DNS domain name 5. reboot to initialize with new domain name. After reboot, the DNS server will attempt to fix up default records, substituting new DNS name of this server, for old single label name. However, you should review to make sure zones SOA and NS records now properly use correct domain name of this server. Havent found a Q article on this but here is the basic problem. You will receive this error when you try to promote a machine and it is pointing to a DC that is not replicating correctly. If you go to the command prompt and type "set" you can see what your logon server is. This is the server that logged you onto the domain. This server probably is the one that is not replicating. Here is how it would happen in most scenarios: You build a new W2K box, you join it to the domain, at which point it contacts a DC, the object for the new computer account is created on that DC. If this DC is having replication problems then the object will not replicate out to other DCs that hold the FSMO roles. So when you try to promote the new server to a DC, it checks with the RID master and it has no idea of that object. Henceforth it errors out. Resolution: Make sure that the server in "set" as logon server can communicate with all other DCs especially the FSMO role holders, o |
| Reference Links |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.