Re: Duplicate SPN - but unsure how to fix!



Hi Austin,

Thanks again for your reply. Corrected the command and it ran fine (as you
said! :-) but there was no output..! Re-ran the VBS and it is still showing it,
so not sure why ldifde isn't showing anything.

As you say, it appears that the SPNs are set correctly, and performance of
the systems is fine. However, ideally I do want to remove this error from the
event logs.

How do I go about forcing the servers in question to use the FQDN instead of
the NetBIOS name when requesting a ticket from the KDC?

Thanks again,


Steve.


"Austin Osuide" wrote:

Hi Steve,
You got the error probably because you copied and pasted my text? :-)
There needs to be a space between the -d and "".
To address your issue though, I don't think you should have a problem if the
FQDN of the SQL servers is used.
Make sure the DNS search suffixes are set up correctly on workstations in the
parent and child domains.
As you can see, the SPNs are registered correctly and the errors or event
id: 11 are generated when the NetBIOS name is used to request the service
ticket. If the FQDN is used, these errors will not occur.

Regards,

Austin

"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D396AEA4-806F-44BD-A9AA-8CC6041D1464@xxxxxxxxxxxxxxxx
Hi Austin,

I was unable to run the command - getting a servicePrincipleName parameter
error / bad argument returned.

I can see that both servers share HOST/SQL01, which I'm guessing is where
the problem is. However, I honestly have no idea how to change the SPN or
exactly what to change it to. (The FQDN?)

Here is the output from the associated VB script from the same KB:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

CN=SQL01,CN=Computers,DC=child,DC=domain,DC=net
Class: computer
Computer DNS: SQL01.child.domain.net
-- MSSQLSvc/SQL01.child.domain.net:1118
-- MSSQLSvc/SQL01.child.domain.net:1152
-- MSSQLSvc/SQL01.child.domain.net:1140
-- MSSQLSvc/SQL01.child.domain.net:1089
-- HOST/SQL01
-- HOST/SQL01.child.domain.net

CN=SQL01,OU=Development,OU=Servers,DC=domain,DC=net
Class: computer
Computer DNS: sql01.domain.net
-- MSSQLSvc/sql01.domain.net:1435
-- MSSQLSvc/sql01.domain.net:1433
-- MSSQLSvc/sql01.domain.net:1434
-- MSSQLSvc/sql01.domain.net:1385
-- MSSQLSvc/sql01.domain.net:1453
-- MSSQLSvc/sql01.domain.net:1449
-- SMTPSVC/sql01.domain.net
-- HOST/sql01.domain.net
-- SMTPSVC/SQL01
-- HOST/SQL01



"Austin Osuide" wrote:

Hi Steve,
Not sure why you are in this situation in the first place. An SPN is
usually registered for the servername and the FQDN of the server.
Both your SQL01 servers should have SPNs registered in their FQDNs.
Can you please run the following and post the results?

ldifde -f SQL_SPN.txt -t 3268 -d"" -l servicePrincipalName -r
"(servicePrincipalName=*sql01*)" -p subtree

Regards,

Austin


"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:50994C1D-B0E8-4019-8726-FC84C8A305F5@xxxxxxxxxxxxxxxx
Hi all,

Getting KDC error 11 on our DC (GC and FSMO roles on it too):

There are multiple accounts with name RPCSS/sql01 of type
DS_SERVICE_PRINCIPAL_NAME.

Looked up the relevant KB article KB321044. Used the VBS to get the
results.

The result is that I have SQL01.Domain.Net, and SQL01.Child.Domain.Net.
However, the DN of these are obviously different as they are in different
domains. (Child-Parent)

So my query is how do I resolve this issue? To my knowledge I thought you
could have 2 machines called the same in a forest as long as they are in
different domains. Is this not the case?

If I should be able to have both machines called SQL01 but in different
domains, can someone possibly help me out as to how to resolve this issue?

Cheers,


Steve.

