Re: Duplicate SPN - but unsure how to fix!




You get that error because two different servers with the same sAMAccountName (in different AD domains, but within the same AD forest) are registering the same SPN (because of the same sAMAccountName).

Solution: rename one of the servers. In an AD forest, all sAMAccountNames should be unique to prevent issues like these.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
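As an added example (not part of Jorge's reply, Steve's posts, or the KB321044 script), the following Python script reads the output format of the script Steve posted below (a DN line, "Class:" and "Computer DNS:" lines, then one "-- <SPN>" line per SPN) and lists every SPN that is registered on more than one account. It flags short-name SPNs such as HOST/SQL01, which are exactly the ones that collide when two domains in one forest each hold a computer with the same sAMAccountName. The sample input is a constructed, trimmed copy of Steve's output. AD compares servicePrincipalName case-insensitively, so the script normalises case before comparing; HOST is the generic service class that the KDC maps other classes (RPCSS among them) onto, which is why a duplicate HOST/SQL01 is reported as "multiple accounts with name RPCSS/sql01".

```python
"""Find servicePrincipalName values registered on more than one account.

Input is the text printed by the KB321044-style script quoted in the thread:
a DN line, 'Class:' and 'Computer DNS:' lines, then one '-- <SPN>' line per SPN.
"""
import re
from collections import defaultdict

# Constructed sample input: the two SQL01 accounts from the thread output, trimmed.
SAMPLE_OUTPUT = """\
CN=SQL01,CN=Computers,DC=child,DC=domain,DC=net
Class: computer
Computer DNS: SQL01.child.domain.net
-- MSSQLSvc/SQL01.child.domain.net:1118
-- HOST/SQL01
-- HOST/SQL01.child.domain.net

CN=SQL01,OU=Development,OU=Servers,DC=domain,DC=net
Class: computer
Computer DNS: sql01.domain.net
-- MSSQLSvc/sql01.domain.net:1433
-- SMTPSVC/sql01.domain.net
-- HOST/sql01.domain.net
-- SMTPSVC/SQL01
-- HOST/SQL01
"""

# A line that starts a new account block is a distinguished name.
DN_RE = re.compile(r"^(CN|OU|DC)=", re.IGNORECASE)


def parse_spn_report(text):
    """Return {account_dn: [spn, ...]} parsed from the script output."""
    accounts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current account block
            continue
        if line.startswith("-- "):
            if current is not None:
                accounts[current].append(line[3:].strip())
        elif DN_RE.match(line):
            current = line
            accounts.setdefault(current, [])
        # 'Class:' and 'Computer DNS:' lines carry no SPNs and are skipped
    return accounts


def find_duplicate_spns(accounts):
    """Return {spn_lowercase: sorted DNs} for every SPN held by more than one account.

    servicePrincipalName is compared case-insensitively in AD, so HOST/SQL01 and
    HOST/sql01 are the same SPN and must be folded together before counting.
    """
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def is_short_name_spn(spn):
    """True when the host part has no dot (NetBIOS-style, e.g. HOST/SQL01).

    These are the SPNs that collide when two domains in one forest each have a
    computer account with the same sAMAccountName; FQDN-based SPNs stay distinct.
    """
    host = spn.split("/", 1)[1] if "/" in spn else spn
    host = host.split(":", 1)[0]    # drop an optional :port suffix
    return "." not in host


def report(text):
    """Human-readable summary of duplicate SPNs found in the script output."""
    dups = find_duplicate_spns(parse_spn_report(text))
    lines = []
    for spn, dns in sorted(dups.items()):
        kind = "short-name" if is_short_name_spn(spn) else "FQDN"
        lines.append(f"{spn} ({kind}) registered on {len(dns)} accounts:")
        lines.extend(f"    {dn}" for dn in dns)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT) or "no duplicate SPNs found")
```

Run against the full output of the script (saved to a file and passed to `report`), the only duplicate it finds in Steve's case is HOST/SQL01, held by both SQL01 computer objects; every FQDN-based SPN is unique, which matches Jorge's diagnosis that the shared short name, not the SQL registrations, is the problem.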
"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:D396AEA4-806F-44BD-A9AA-8CC6041D1464@xxxxxxxxxxxxxxxx
Hi Austin,

I was unable to run the command - getting a servicePrincipleName parameter
error / bad argument returned.

I can see that both servers share HOST/SQL01, which I'm guessing is where the
problem is. However, I honestly have no idea how to change the SPN or exactly
what to change it to. (The FQDN?)

Here is the output from the associated VB script from the same KB:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

CN=SQL01,CN=Computers,DC=child,DC=domain,DC=net
Class: computer
Computer DNS: SQL01.child.domain.net
-- MSSQLSvc/SQL01.child.domain.net:1118
-- MSSQLSvc/SQL01.child.domain.net:1152
-- MSSQLSvc/SQL01.child.domain.net:1140
-- MSSQLSvc/SQL01.child.domain.net:1089
-- HOST/SQL01
-- HOST/SQL01.child.domain.net

CN=SQL01,OU=Development,OU=Servers,DC=domain,DC=net
Class: computer
Computer DNS: sql01.domain.net
-- MSSQLSvc/sql01.domain.net:1435
-- MSSQLSvc/sql01.domain.net:1433
-- MSSQLSvc/sql01.domain.net:1434
-- MSSQLSvc/sql01.domain.net:1385
-- MSSQLSvc/sql01.domain.net:1453
-- MSSQLSvc/sql01.domain.net:1449
-- SMTPSVC/sql01.domain.net
-- HOST/sql01.domain.net
-- SMTPSVC/SQL01
-- HOST/SQL01



"Austin Osuide" wrote:

Hi Steve,
Not sure why you are in this situation in the first place. An SPN is usually
registered for the server name and the FQDN of the server.
Both your SQL01 servers should have SPNs registered in their FQDNs.
Can you please run the following and post the results?

ldifde -f SQL_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=*sql01*)" -p subtree

Regards,

Austin


"Steve" <Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:50994C1D-B0E8-4019-8726-FC84C8A305F5@xxxxxxxxxxxxxxxx
> Hi all,
>
> Getting KDC error 11 on our DC (GC and FSMO roles on it too):
>
> There are multiple accounts with name RPCSS/sql01 of type
> DS_SERVICE_PRINCIPAL_NAME.
>
> Looked up the relevant KB article KB321044. Used the VBS to get the
> results.
>
> The result is that I have SQL01.Domain.Net, and SQL01.Child.Domain.Net.
> However the DN of these are obviously different as they are in different
> domains. (Child-Parent)
>
> So my query is how do I resolve this issue? To my knowledge I thought you
> could have 2 machines called the same in a forest as long as they are in
> different domains. Is this not the case?
>
> If I should be able to have both machines called SQL01 but in different
> domains, can someone possibly help me out as to how to resolve this issue?
>
> Cheers,
>
>
> Steve.




