SPN Generation

Applies To: Windows Server 2008 R2

The client and the server verify their respective identities before replication occurs. This verification process is known as mutual authentication. The client verifies (that is, authenticates) the server's service by composing a Service Principal Name (SPN) using known data or data that is retrieved from sources other than the service itself.

When a domain controller sends change notifications to its replication-partner domain controllers in the domain, the domain controller keeps a list of domain controllers in the repsTo attribute for the directory partition object. The Knowledge Consistency Checker (KCC) typically removes domain controllers from this list if they do not replicate for more than 24 hours. The removal process occurs at set intervals as one of the last steps in KCC processing.


Event ID Source Message



Active Directory failed to construct a mutual authentication service principal name (SPN) for the following domain controller. Domain controller:%1 The call was denied. Communication with this domain controller might be affected. Additional Data Error value:%3 %2

Partition Replication

Active Directory