Server 2019 Domain Controller Replication – Unlucky Timing

Take a domain running several versions of Windows domain controllers across multiple AD sites, all replicating just fine, add a Server 2019 DC to the mix, and what do you get? Say it with me now: "DCs mostly replicating just fine, but the KCC re-evaluated its connections and one DC is now spamming events 1645 and 1925 every 15 minutes!"

To be fair, this is not really a 2019-specific issue. It is most likely a timing issue: the KCC updated the connection objects in the configuration partition before the new DC's computer object (and its service principal names) had replicated in the domain partition, so one replication partner is left on an island because its copy of the directory is unaware of the new DC's Directory Replication Service SPN (event 1645 is exactly that complaint: the KDC used for the RPC call has no such SPN registered). However, that Microsoft article left out an important detail: which DC should you run setspn -A on? The source or the destination DC?

Welp, let's pinpoint the problem by finding which domain controller is missing the Directory Replication Service principal name of its partner DC. The script below asks every DC for its own view of every other DC (note the -Server $dc on each lookup), so a blank DRSguid tells you which DC's copy of the domain partition is the stale one:

#requires -modules activedirectory
# Well-known prefix of the Directory Replication Service SPN registered by every DC
$DRSguid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

$allDCs = Get-ADDomainController -Filter * | sort name

# One row per (SourceServer, DC). Every calculated column is evaluated against
# $dc's own copy of the directory (-Server $dc), so the matrix shows what each
# DC believes about each of its peers rather than a single DC's view.
$columns = @()
$columns += @{n='SourceServer';e={$dc}}
$columns += 'Name','OperatingSystem'
# objectGUID of the peer's NTDS Settings object (its DSA GUID), as seen by $dc
$columns += @{n='DSAguid';e={(get-adobject $_.NTDSSettingsObjectDN -prop objectguid -server $dc).objectguid}}
# the peer's DRS SPN on its computer account, as seen by $dc; blank if $dc does not have it yet
$columns += @{n='DRSguid';e={(get-adcomputer $_.name -prop serviceprincipalname -server $dc).serviceprincipalname | ? {$_ -match "^$($DRSguid.replace('-','\-'))"}}}

$report = @()
$allDCs | % {
  $dc=$_.name
  write-host "[$((get-date).tostring('s'))] $dc" -f Green
  $report += $allDCs | select $columns
  # print this DC's view as soon as it is collected, so a slow DC does not hide earlier results
  $report | ? {$_.SourceServer -eq $dc} | ft -a -wr
}
# full matrix: every DC's view of every other DC
$report | ft -a -wr

Look for a blank DRSguid value in the table output and correlate it back to the SourceServer column: that is the DC whose copy of the domain partition lacks the partner's DRS SPN, and that is the DC to fix. Connect to that domain controller, confirm with repadmin /showrepl that it is the one returning KCC errors, and then run the following there, using the DSAguid value of the partner DC whose DRSguid came up blank (the SPN is written against the local DC, which is the whole point of running it there):

setspn -A E3514235-4B06-11D1-AB04-00C04FC2DCD2/<DSAguid of the partner DC missing its DRSguid>/yourdomain.com partnerDCnetbiosname
setspn -L partnerDCnetbiosname

After 20 minutes (the KCC runs every 15 minutes by default), run repadmin /showrepl from the DC that was unable to reach its partner and you should see that everything is back in order.
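As an added example, not part of the original post, the following PowerShell automates the last step so you do not have to hand-assemble the SPN. Given the SourceServer that showed a blank DRSguid and the partner DC whose SPN it is missing, it rebuilds the expected DRS SPN from the partner's NTDS Settings objectGUID and DNS domain name, checks it against the affected DC's own copy of the domain partition, prints the equivalent setspn -A command, and (only with -Fix) adds that single value there with Set-ADComputer. The parameter names and the -Fix switch are my own choices; everything else uses the ActiveDirectory module cmdlets as documented.

```powershell
#requires -modules activedirectory
# Added example (not the original post's code). Repairs the missing DRS SPN on
# the DC whose copy of the domain partition lacks it. Parameter names are mine.
#   .\Repair-DrsSpn.ps1 -AffectedDC DC03 -PartnerDC DC07        # report only
#   .\Repair-DrsSpn.ps1 -AffectedDC DC03 -PartnerDC DC07 -Fix   # add the SPN
param(
  [Parameter(Mandatory)][string]$AffectedDC,   # DC that came up with a blank DRSguid (SourceServer column)
  [Parameter(Mandatory)][string]$PartnerDC,    # replication partner whose DRS SPN is missing from $AffectedDC
  [switch]$Fix                                 # without this the script only reports
)

# Well-known DRS SPN prefix; the full SPN is <prefix>/<DSA GUID>/<DNS domain name>
$DRSguid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

# Every lookup targets the affected DC (-Server $AffectedDC): its stale view is the one that matters.
$partner  = Get-ADDomainController -Identity $PartnerDC -Server $AffectedDC
$ntds     = Get-ADObject -Identity $partner.NTDSSettingsObjectDN -Properties objectGUID -Server $AffectedDC
$expected = '{0}/{1}/{2}' -f $DRSguid, $ntds.objectGUID, $partner.Domain
$computer = Get-ADComputer -Identity $partner.ComputerObjectDN -Properties servicePrincipalName -Server $AffectedDC

# -contains is case-insensitive, which matches how AD compares SPNs
if (@($computer.servicePrincipalName) -contains $expected) {
  "$AffectedDC already knows the DRS SPN of $($partner.Name): $expected"
  return
}

"$AffectedDC is missing the DRS SPN of $($partner.Name): $expected"
"Equivalent command to run on ${AffectedDC}:"
"  setspn -A $expected $($partner.Name)"

if ($Fix) {
  # Add only this one value; @{Add=...} leaves the account's other SPNs untouched.
  Set-ADComputer -Identity $computer -ServicePrincipalNames @{Add = $expected} -Server $AffectedDC

  # Read back from the same DC to confirm the write landed where the KDC will look for it
  "DRS SPNs now on $($partner.Name) as seen by ${AffectedDC}:"
  (Get-ADComputer -Identity $computer -Properties servicePrincipalName -Server $AffectedDC).servicePrincipalName |
    Where-Object { $_ -like "$DRSguid/*" }
}
```

Run it from an account that can write to the partner's computer object; the report-only mode is safe to run from anywhere because it only reads. The DNS domain name is taken from the partner object's Domain property rather than typed in, which avoids the easy mistake of using the NetBIOS name in the SPN. Instead of waiting out the KCC interval afterwards, repadmin /kcc <AffectedDC> forces a KCC run on that DC and repadmin /showrepl <AffectedDC> shows whether the link has recovered.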