Which account should I delete after finding duplicate SPN of MSSQLSvc/LPZ-Tickets.LowryParkZoo.com:1433

Based on others I used the following command to export 2 entries:

ldifde -d dc=lowryparkzoo,dc=com -r "(serviceprincipalname=mssqlsvc/lpz-tickets*)" -l dn,serviceprincipalname -f CG.txt

Here are the results:

dn: CN=Administrator,CN=Users,DC=LowryParkZoo,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/lpz-backup1.LowryParkZoo.com:1137
servicePrincipalName: MSSQLSvc/lpz-accounting.LowryParkZoo.com:1433
servicePrincipalName: MSSQLSvc/lpz-backup.LowryParkZoo.com:1511
servicePrincipalName: MSSQLSvc/lpz-tickets.LowryParkZoo.com:1433

dn: CN=LPZ-TICKETS,CN=Computers,DC=LowryParkZoo,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/lpz-tickets.LowryParkZoo.com:1433
servicePrincipalName: DNS/lpz-tickets.LowryParkZoo.com
servicePrincipalName: HOST/lpz-tickets.LowryParkZoo.com/LowryParkZoo.com
servicePrincipalName: HOST/lpz-tickets.LowryParkZoo.com/LOWRYPARKZOO
servicePrincipalName: HOST/LPZ-TICKETS
servicePrincipalName: HOST/lpz-tickets.LowryParkZoo.com

I looked at the  MSSQLSERVER service in LPZ-Tickets and it uses the Local System Account to Log On.

I noted that the CN=Administrator and CN=LPZ-Tickets both have the same MSSQLSvc serviceprincipalname.  

In MS article http://support.microsoft.com/kb/321044 it has as the resolution:
To resolve this problem, locate the computer accounts that have the duplicate SPNs. When you have located the computers that have the duplicate SPNs, you can either delete the computer account from the domain, disjoin and rejoin the computer to the domain, or you can use ADSIEdit to correct the SPN on the computer that has the incorrect SPN.

So I need to figure out which one to remove and how to use adsiedit to remove or fix the incorrect entry, so the SQL service stays running and the Event Error 11 in Source KDC is eliminated.

Thanks in advance.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tfcmartyAuthor Commented:
I have ADSI edit working and can highlight servicePrincipalName = MSSQLSvc in both the Administrator account and LPZ-Tickets, I'm still struggling as to which one to remove.
Henrik JohanssonSystems engineerCommented:
You nead to remove the SPN that isn't used. As you've found that SQL is running as Local System and is by that reason using SPN on computer account, you shall remove the SPN from Administrator account.

To increase security, you should create a dedicated service account instead of running SQL as LocalSystem or Administrator (both gives to much permissions).

Instead of using ADSIedit, you can use setspn-command to delete the SPNs.

C:\>setspn -D MSSQLSvc/lpz-tickets.LowryParkZoo.com:1433 Administrator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tfcmartyAuthor Commented:
Thanks for both recommendations.  That helped me to understand what I was doing.
tfcmartyAuthor Commented:
Thanks again.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.