Which account should I delete after finding duplicate SPN of MSSQLSvc/LPZ-Tickets.LowryParkZoo.com:1433

Based on others I used the following command to export 2 entries:

ldifde -d dc=lowryparkzoo,dc=com -r "(serviceprincipalname=mssqlsvc/lpz-tickets*)" -l dn,serviceprincipalname -f CG.txt

Here are the results:

dn: CN=Administrator,CN=Users,DC=LowryParkZoo,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/lpz-backup1.LowryParkZoo.com:1137
servicePrincipalName: MSSQLSvc/lpz-accounting.LowryParkZoo.com:1433
servicePrincipalName: MSSQLSvc/lpz-backup.LowryParkZoo.com:1511
servicePrincipalName: MSSQLSvc/lpz-tickets.LowryParkZoo.com:1433

dn: CN=LPZ-TICKETS,CN=Computers,DC=LowryParkZoo,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/lpz-tickets.LowryParkZoo.com:1433
servicePrincipalName: DNS/lpz-tickets.LowryParkZoo.com
servicePrincipalName: HOST/lpz-tickets.LowryParkZoo.com/LowryParkZoo.com
servicePrincipalName: HOST/lpz-tickets.LowryParkZoo.com/LOWRYPARKZOO
servicePrincipalName: HOST/LPZ-TICKETS
servicePrincipalName: HOST/lpz-tickets.LowryParkZoo.com

I looked at the  MSSQLSERVER service in LPZ-Tickets and it uses the Local System Account to Log On.

I noted that the CN=Administrator and CN=LPZ-Tickets both have the same MSSQLSvc serviceprincipalname.  

In MS article http://support.microsoft.com/kb/321044 it has as the resolution:
To resolve this problem, locate the computer accounts that have the duplicate SPNs. When you have located the computers that have the duplicate SPNs, you can either delete the computer account from the domain, disjoin and rejoin the computer to the domain, or you can use ADSIEdit to correct the SPN on the computer that has the incorrect SPN.

So I need to figure out which one to remove and how to use adsiedit to remove or fix the incorrect entry, so the SQL service stays running and the Event Error 11 in Source KDC is eliminated.

Thanks in advance.

Who is Participating?
Henrik JohanssonConnect With a Mentor Systems engineerCommented:
You nead to remove the SPN that isn't used. As you've found that SQL is running as Local System and is by that reason using SPN on computer account, you shall remove the SPN from Administrator account.

To increase security, you should create a dedicated service account instead of running SQL as LocalSystem or Administrator (both gives to much permissions).

Instead of using ADSIedit, you can use setspn-command to delete the SPNs.

C:\>setspn -D MSSQLSvc/lpz-tickets.LowryParkZoo.com:1433 Administrator
tfcmartyAuthor Commented:
I have ADSI edit working and can highlight servicePrincipalName = MSSQLSvc in both the Administrator account and LPZ-Tickets, I'm still struggling as to which one to remove.
tfcmartyAuthor Commented:
Thanks for both recommendations.  That helped me to understand what I was doing.
tfcmartyAuthor Commented:
Thanks again.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.