Windows Server 2003 ADAM to Windows Server 2008 AD LDS replication fails when using NTLM (negotiate)
AD LDS can use “Negotiate” as the replication security level within a configuration set
(http://technet.microsoft.com/en-us/library/cc770465(WS.10).aspx). With this setting, NTLM rather
than Kerberos may end up being used on domain-joined AD LDS servers if there is a problem with
Kerberos (e.g. a service principal name issue), and it will also be used for ADAM or AD LDS
instances that are only members of a workgroup.
There is a known issue with mixed configuration sets, that is, configuration sets containing
both Windows Server 2003 ADAM instances and Windows Server 2008 AD LDS instances: when the
replication security level is Negotiate, replication may fail to complete while the instances
attempt to form the configuration set.
The signature of the problem is seen when using repadmin to try to force a replication
of a naming context hosted on the (originating) Windows Server 2003 ADAM instance. For example,
for a naming context "dc=mycompany,dc=com",
repadmin /syncall w2k3server.mycompany.com:389 "dc=mycompany,dc=com"
results in the following errors:
To : W2K8Server.mycompany.com:389
Error issuing replication: -2146893008 (0x80090330):
The specified data could not be decrypted.
If the servers are domain-joined, then diagnosing why Kerberos is not being used for
replication security is the right approach and will circumvent this issue. In pure
workgroup configurations there is currently no workaround for this problem.
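The repadmin check above, wrapped so that the decrypt-failure signature is recognised and classified by whether the host is domain-joined or in a workgroup (added example, not from the original post). The server name, port and naming context are placeholders; repadmin.exe is assumed to be on the PATH.

```powershell
# Added example: run the forced replication described above and classify the result.
# The server, port and naming context below are placeholders to replace with your own.
param(
    [string]$SourceServer  = 'w2k3server.mycompany.com',   # originating ADAM instance (placeholder)
    [int]$Port             = 389,
    [string]$NamingContext = 'dc=mycompany,dc=com'         # naming context to replicate (placeholder)
)

# Force replication of the naming context from the originating instance; keep all output.
$output = & repadmin.exe /syncall "$($SourceServer):$Port" $NamingContext 2>&1 | Out-String

# 0x80090330 / -2146893008 is SEC_E_DECRYPT_FAILURE ("The specified data could not be
# decrypted"), the signature of the NTLM (Negotiate) replication problem described above.
if ($output -match '0x80090330' -or $output -match '-2146893008') {
    # Get-WmiObject is used rather than Get-CimInstance so this runs on PowerShell 2.0-era hosts.
    $domainJoined = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
    if ($domainJoined) {
        Write-Warning ('Decrypt failure on a domain-joined host: find out why Kerberos is not ' +
                       'being used for replication security (e.g. service principal names).')
    } else {
        Write-Warning ('Decrypt failure on a workgroup host: matches the known mixed ADAM/AD LDS ' +
                       'configuration-set issue under the Negotiate security level; apply the ' +
                       'Microsoft fix to every instance in the configuration set, not just some.')
    }
} else {
    Write-Output 'No decrypt-failure signature (0x80090330) found in repadmin output.'
}

# Echo the raw repadmin output so the full replication status is still visible.
$output
```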
Update 12 August 2010:
Microsoft have now released a fix for this problem:
As ever, test this in a non-production environment, and note that in existing configuration sets of ADAM instances on Windows Server 2003, replication will fail between instances that are mixed (where some have the patch applied and some do not).