AD not replicating with Child Domain
We have a multi-domain structure with Windows 2000 and
2003 servers. The problem is that we accidentally deleted
the DSA object in Sites and Services for one domain
controller in the child domain called xy.tld.local.
I continuously receive errors in the event log under the
Replication category with an Event ID of 1411. The error
message is "The Directory Service failed to construct a
mutual authentication Service Principal Name for server
GUID The call denied The error was DSA
object not found."
Because there is no DSA object we cannot add a
replication link manually from the TLD.local domain to
the xy.TLD.local domain with repadmin.
My question is: Is there a possibility to add the deleted
DSA object back into the Configuration context of the AD?
I already tried to install an additional DC for the child
domain. This domain controller is visible only in the
child domain; when I view the Sites and Services
configuration from any other domain I cannot see it.
I already tried to search the MS KB, JSIQ
and Google Groups, but with no success.

Thank you very much for your help!


No, I haven't tried this.
It's because we don't have one. The backup was from the night
before the new child domain was installed. When the child
domain was installed, the DSA object for the domain
controller of the subdomain replicated to the site
configuration information in the TLD. After that the
object was deleted (all of this happened within 2 hours).
Is there no possibility (ADSI Edit, ldp.exe, ldifde, ...)
to create or import this object? It would be a heavy bug
in the AD if you can easily delete a DSA object but have
no chance to reimport it ...
I hope there is an answer to the problem; rebuilding the
child domain is almost impossible because of the many
dependencies (Exchange 2000, 250 users in the subdomain,
and many decentralized locations).
Thanks in advance for your help!

a-davew [MSFT]

If you have an additional DC in the domain, you can DCPromo the "missing"
server down from being a DC (forcefully if necessary), perform metadata
cleanup and then re-promote the machine to be a DC again. The KB articles
for forceful demotion and metadata cleanup are here:

298450 Deletion of Critical Objects in Active Directory in Windows 2000 and

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of

216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain

David Waldron
Microsoft Enterprise Support
EPS Directory Services Team
(e-mail address removed)


I found the solution:
This registry key should be available since SP3 for
Windows 2000. Before that you would have had to install an NT4
BDC (only if you are in mixed mode!), take the two AD DCs
offline, promote the BDC to a PDC, start dcpromo to
remove AD from the offline DCs (you need to have DNS
installed locally on one of the DCs), do an upgrade to
Win2000 on the NT4 PDC, take the two old DCs online
(they should now be member servers), and start dcpromo to make
DCs of them again.

1. On a DC in the root domain add the registry value
"Replicator Allow SPN Fallback" (without quotes) under the
registry key HKLM\System\CurrentControlSet\Services\NTDS\Parameters
as a REG_DWORD with a data value of 1.

2. From a command prompt on the root DC run:
repadmin /options <fqdn of root DC>

3. From a command prompt still on the root DC run:
repadmin /add CN=Configuration,DC=<domain name>,DC=<domain name> <fqdn of root DC> <fqdn of child DC>

4. On the root DC run repadmin /showreps and you should
now see a successful inbound connection for the
Configuration NC from the child DC.

5. Still on the root DC run:
repadmin /options <fqdn of root DC>

6. In the registry remove the "Replicator Allow SPN
Fallback" registry value.

7. Open AD Sites and Services on the root DC and force
replication between all DCs in the root domain.

8. Then go to the NTDS Settings for all DCs in the root
domain, right-click on it, go to "All Tasks" and
perform a "Check Replication Topology" to kick off the

9. After refreshing, one or more of the DCs in the root
domain should now have an inbound connection object from
one or more of the DCs in the child domain.

10. Allow replication to occur throughout the forest and
then run repadmin /showreps from root and child DCs to
verify proper AD replication configuration.
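The procedure above, scripted in PowerShell as an added example that is not part of the original thread and not Microsoft's own tooling. It covers steps 1, 3, 4 and 6: it sets the "Replicator Allow SPN Fallback" value, creates the inbound Configuration NC link with repadmin /add (destination DSA first, source DSA second, as in the post), checks repadmin /showreps for a successful last attempt from the child DC, and removes the registry value in a finally block so the relaxed SPN check is never left behind if a step fails. Steps 2 and 5 (repadmin /options) are truncated in the thread and are not reproduced here; run them as the KB describes. The host names root-dc01.tld.local and child-dc01.xy.tld.local, the naming context DC=tld,DC=local, and the assumed layout of the /showreps output (an unindented NC header followed by indented "via RPC" neighbour lines and a "Last attempt ... was successful" line) are all assumptions, not values from the thread.

```powershell
# Added example (not from the original thread). Run elevated on a DC in the
# forest root. All names below are hypothetical placeholders.

$RootDc   = 'root-dc01.tld.local'        # assumption: a DC in the forest root
$ChildDc  = 'child-dc01.xy.tld.local'    # assumption: child DC whose DSA object was deleted
$ConfigNc = 'CN=Configuration,DC=tld,DC=local'

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Fallback   = 'Replicator Allow SPN Fallback'

function Get-ConfigNcInboundStatus {
    # Returns $true when the inbound neighbour for $Nc sourced from $Source
    # reports a successful last attempt in `repadmin /showreps` output.
    # Assumed layout: NC header is unindented; neighbour lines are indented
    # "<site>\<NetBIOS name> via RPC"; status line contains "Last attempt".
    param([string[]]$ShowRepsOutput, [string]$Nc, [string]$Source)
    $sourceHost = $Source.Split('.')[0]        # /showreps lists the NetBIOS name
    $inNc = $false; $inSource = $false
    foreach ($line in $ShowRepsOutput) {
        if ($line -match '^\S') {              # unindented: new NC header or section
            $inNc = ($line.Trim() -eq $Nc); $inSource = $false; continue
        }
        if ($inNc -and $line -match 'via RPC') {
            # -match is case-insensitive; escape the host so regex metachars are literal
            $inSource = ($line -match [regex]::Escape($sourceHost))
            continue
        }
        if ($inNc -and $inSource -and $line -match 'Last attempt .* was successful') {
            return $true
        }
    }
    return $false
}

try {
    # Step 1: enable the fallback (REG_DWORD = 1). As the value's name says, this
    # lets the replicator proceed without the GUID-based mutual-authentication
    # SPN, so keep the window it is enabled as short as possible.
    New-ItemProperty -Path $NtdsParams -Name $Fallback -PropertyType DWord -Value 1 -Force | Out-Null

    # Step 3: repadmin /add <naming context> <destination DSA> <source DSA>
    $addOut = & repadmin.exe /add $ConfigNc $RootDc $ChildDc 2>&1
    if ($LASTEXITCODE -ne 0) { throw "repadmin /add failed: $($addOut -join "`n")" }

    # Step 4: confirm the root DC now has a successful inbound link for the
    # Configuration NC from the child DC.
    $reps = & repadmin.exe /showreps $RootDc 2>&1
    if (Get-ConfigNcInboundStatus -ShowRepsOutput $reps -Nc $ConfigNc -Source $ChildDc) {
        Write-Host "Inbound Configuration NC replication from $ChildDc succeeded."
    } else {
        Write-Warning "No successful inbound Configuration NC link from $ChildDc yet. repadmin output:`n$($reps -join "`n")"
    }
}
finally {
    # Step 6: always remove the fallback, even if a step above threw.
    Remove-ItemProperty -Path $NtdsParams -Name $Fallback -ErrorAction SilentlyContinue
}
```

After the script finishes, continue with steps 7 to 10 from the post (force replication in Sites and Services, Check Replication Topology, and a final repadmin /showreps on root and child DCs). If the warning branch fires, leave the registry value removed and inspect the repadmin output rather than re-enabling the fallback blindly; the try/finally is there precisely so that an error partway through does not leave DCs replicating with the weakened SPN check.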
