New DC - AD Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN)


Recently, I added a Windows Server 2019 DC to my domain, which already has three DCs in two sites. The three existing DCs are Server 2012 R2, and the Domain and Forest levels are 2008 R2. The new DC is in a different site from the primary DC.

When I run dcdiag /v on the primary DC, I see the following error in the output

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
Destination directory server:
5BF411A7-E02F-419D-9B7E-FF82B1054046._msdcs.my_domain.local
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/5BF411A7-E02F-419D-9B7E-FF82B1054046/my_domain.local@my_domain.local
User Action
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server's account data to replicate to the KDC before this directory server can be authenticated.

When I run repadmin /showrepl on the primary DC, I get the following regarding the new DC

Source: site2\new_dc
******* 1 CONSECUTIVE FAILURES since 2023-08-31 15:45:49
Last error: 1396 (0x574):
           The target account name is incorrect.
Naming Context: CN=Configuration,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=DomainDnsZones,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ForestDnsZones,DC=my_domain,DC=local

Source: site2\new_dc
******* WARNING: KCC could not add this REPLICA LINK due to error.

I tried to add the SPN by running the following command on the primary DC

   C:\Windows\system32>setspn -a E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local new_dc

And it returned the following

Checking domain DC=my_domain,DC=local
Registering ServicePrincipalNames for CN=new_dc,OU=Domain Controllers,DC=my_domain,DC=local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local
Updated object 

However, when I run repadmin /showrepl and dcdiag /v again on the primary DC, I get the same errors as before.

When I ran setspn -l new_dc on the primary DC, I got the following

C:\Windows\system32>setspn -l new_dc
Registered ServicePrincipalNames for CN=new_dc,OU=Domain Controllers,DC=my_domain,DC=local:
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/new_dc.my_domain.local
        WSMAN/new_dc
        WSMAN/new_dc.my_domain.local
        TERMSRV/new_dc
        TERMSRV/new_dc.my_domain.local
        RestrictedKrbHost/new_dc
        HOST/new_dc
        RestrictedKrbHost/new_dc.my_domain.local
        HOST/new_dc.my_domain.local

When I run the same command on the primary domain controller and reference the other domain controller (Server 2012 R2) in the same site as my new domain controller, I get a lot more information, for example

C:\Windows\system32>setspn -l other_dc
Registered ServicePrincipalNames for CN=other_dc,OU=Domain Controllers,DC=my_domain,DC=local:
      NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/other_dc.my_domain.local
       exchangeAB/other_dc.my_domain.local
      GC/other_dc.my_domain.local/my_domain.local
      HOST/other_dc.my_domain.local/my_domain
      HOST/other_dc/my_domain
      RPC/0933d3c4-faa2-41ee-bca2-618d2295b503._msdcs.my_domain.local
      DNS/other_dc.my_domain.local
      exchangeAB/other_dc
      HOST/other_dc.my_domain.local/my_domain.local
      ldap/0933d3c4-faa2-41ee-bca2-618d2295b503._msdcs.my_domain.local
      ldap/other_dc/my_domain
      ldap/other_dc.my_domain.local/my_domain.local
      ldap/other_dc.my_domain.local/ForestDnsZones.my_domain.local
      ldap/other_dc.my_domain.local/DomainDnsZones.my_domain.local
      ldap/other_dc.my_domain.local
       ldap/other_dc
      ldap/other_dc.my_domain.local/my_domain
      E3514235-4B06-11D1-AB04-00C04FC2DCD2/0933d3c4-faa2-41ee-bca2-618d2295b503/my_domain.local
      Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/other_dc.my_domain.local
      WSMAN/other_dc.my_domain.local
      WSMAN/other_dc
      TERMSRV/other_dc
      TERMSRV/other_dc.my_domain.local
      RestrictedKrbHost/other_dc
       HOST/other_dc
      RestrictedKrbHost/other_dc.my_domain.local
      HOST/other_dc.my_domain.local

Also, why is there so much more detail in setspn -l for the other DC and not for my new DC? Why are all the ldap references missing from the setspn -l output of the new DC?

And why am I getting replication and dcdiag errors?

Thanks in advance
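
Added example, not part of the original post: PowerShell that compares the two `setspn -l` listings quoted above and checks whether the SPN named in the dcdiag message appears among the new DC's registered names. The listings are abbreviated copies of the post's output; the function names are hypothetical, and the code assumes the registered form carries no `@realm` suffix, as in the other_dc listing.

```powershell
# Constructed input: a few lines copied from the setspn -l listings in the post.
$newDcListing = @'
Registered ServicePrincipalNames for CN=new_dc,OU=Domain Controllers,DC=my_domain,DC=local:
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bf411a7-e02f-419d-9b7e-ff82b1054046/new_dc.my_domain.local@my_domain.local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/new_dc.my_domain.local
        HOST/new_dc.my_domain.local
'@
$otherDcListing = @'
Registered ServicePrincipalNames for CN=other_dc,OU=Domain Controllers,DC=my_domain,DC=local:
      GC/other_dc.my_domain.local/my_domain.local
      ldap/other_dc.my_domain.local/my_domain.local
      E3514235-4B06-11D1-AB04-00C04FC2DCD2/0933d3c4-faa2-41ee-bca2-618d2295b503/my_domain.local
      HOST/other_dc.my_domain.local
'@
# SPN exactly as printed in the dcdiag message (SPN@realm).
$wantedFromDcdiag = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/5BF411A7-E02F-419D-9B7E-FF82B1054046/my_domain.local@my_domain.local'

function Get-SpnFromListing([string]$Text) {
    # Keep only indented class/instance lines; the unindented header line is skipped.
    $Text -split "`r?`n" |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
}
function Get-SpnClass([string]$Spn) {
    $class = ($Spn -split '/')[0]
    # Collapse per-service GUID suffixes (Dfsr-<guid>, NtFrs-<guid>) to the bare class.
    $class -replace '-[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$', ''
}

$new   = @(Get-SpnFromListing $newDcListing)
$other = @(Get-SpnFromListing $otherDcListing)

# 1. Service classes the reference DC registers that the new DC's account lacks.
$newClasses   = $new   | ForEach-Object { Get-SpnClass $_ } | Sort-Object -Unique
$otherClasses = $other | ForEach-Object { Get-SpnClass $_ } | Sort-Object -Unique
$missing = @($otherClasses | Where-Object { $newClasses -notcontains $_ })
"Classes missing on new_dc: $($missing -join ', ')"

# 2. Is the SPN dcdiag asks for present? Assumption: drop the @realm suffix first.
#    -contains compares case-insensitively, so the GUID's letter case does not matter.
$wanted = ($wantedFromDcdiag -split '@')[0]
"dcdiag SPN registered: $($new -contains $wanted)"
$new | Where-Object { $_ -like 'E3514235-*' } | ForEach-Object { "  registered instead: $_" }
```

To run it against live data, replace the here-strings with the text returned by `setspn -l new_dc` and `setspn -l other_dc`.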
