Duplicate Service Principal Name (SPN) on an SBS 2003 server: how do you remove the duplicate (the right) entry?

Posted on 2009-04-15
Medium Priority
Last Modified: 2012-08-14
Hi guys / ...girls

I have a duplicate SPN entry in Active Directory that is interfering with Backup Exec, maybe?
The reason I say that is because within Backup Exec, under the "Alerts" tab, it complains about the duplicate SPN names, and within Event Viewer on Windows SBS it logs the following event:

Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      11
Date:            2009/04/15
Time:            11:56:12 AM
User:            N/A
Computer:      SERVER
There are multiple accounts with name MSSQLSvc/server.domainname.com:1433 of type DS_SERVICE_PRINCIPAL_NAME.

Now, I have two questions:
1) Would Backup Exec stop working / stop backing up because of a duplicate SPN, seeing that it shows the exact same error message in the Backup Exec alerts? (Because it ain't working, Backup Exec that is, but what's new.)
2) How do I get rid of the duplicate SPNs, and if you do find the duplicate SPN, which one is the right one to remove?

What I have done:
- I have researched the problem, and some white papers say it is as simple as duplicate computer names on the network, and that you have to take them off the domain and rejoin them under a different name, but what happens if it is your domain controller that is mentioned in the error / the duplicate name mentioned in the error message?
- I have cleared all DNS caches, scavenged stale records, cleared WINS, redid DHCP and cleared all ARP caches.
- I downloaded the Windows 2003 Support Tools and installed them, ran LDP, connected to the Active Directory database, and queried the duplicate SPN name; I really don't see duplicate SPN names.
- I tried the Microsoft solution of just restarting the server; that did not work.
- Found a script to query duplicate SPN names, opened the output in WordPad, searched for the exact SPN and it found the following exact name entry twice:

servicePrincipalName: MSSQLSvc/server.domainname.com:1433

So, if you find a way to remove it, which one do you remove?

Thanks for all the reading; any help would be greatly appreciated.
Question by:wimpie_asg
Expert Comment

by:Rahul Misra
ID: 24146981
This is purely cosmetic and should not cause any issues with the backups or BEWS performance.
You will need to use the ADSIEDIT MMC to edit Active Directory and remove the duplicate SPN.

Assisted Solution

by:Rahul Misra
Rahul Misra earned 1000 total points
ID: 24147024
You can also use the SETSPN command with -D (setspn -D) to remove the duplicate service principal name.
... We see duplicate Service Principal Name issues quite frequently. Usually this is when the administrator has used SetSPN on different accounts in an effort to get Kerberos authentication to work. One great example of this is MS SQL. If you install MS SQL as an administrator of the domain, it will add the MSSQLSVC SPN to the SQL Server's computer account; later an administrator changes the SQL service startup account from Local System to a domain account, and Kerberos authentication starts to fail. Usually we will find that the MSSQLSVC SPN is configured on both the computer account and the domain user account that is used to run the service.

Since you should remove only the duplicate servicePrincipalName value, you must do that manually by using ADSIEdit.msc.

To do this, follow these steps:
1) Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.
   Note: The ADSI Edit tool is included with the Windows Server 2003 Support Tools (register the DLL: regsvr32 adsiedit.dll).
2) Connect to a domain controller if ADSI Edit is not already connected to one.
3) Expand Domain [domainControllerName.example.com], expand DC=milrose-ny,DC=com, and then expand CN=System Accounts.
   Note: If the account for which you want to modify the SPN is located in a different container, modify this path as appropriate.
4) Right-click CN=Administrator, and then click Properties.
5) On the Attribute Editor tab, select both of the following check boxes:
   - Show mandatory attributes
   - Show optional attributes
6) In the Attributes list, click servicePrincipalName, and then click Edit.
7) In the Multi-valued String Editor dialog box, click MSSQLSvc/mrcsql2k.milrose-ny.com:1433, and then click Remove.
8) Click OK x times, and then exit the ADSI Edit tool.
However, there is also a tool called AdMod.exe that can do that:
http://www.joeware.net/freetools/tools/admod/index.htm
AdMod.exe -b CN=Administrator,OU=System Accounts,DC=milrose-ny,DC=com "ServicePrincipalName:-:MSSQLSvc/mrcsql2k.milrose-ny.com"


Author Comment

ID: 24148265
I am sorry to do this, yet thank you for the prompt reply!

This is the output when I run ldifde -f SQL_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=*MSSQLSvc*)" -p subtree :

dn: CN=Administrator,CN=Users,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/server.mydomain.com:2773
servicePrincipalName: {14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/SERVER

dn: CN=SERVER,OU=Domain Controllers,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/server.mydomain.com:1433
servicePrincipalName: {14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/SERVER
servicePrincipalName: MSSQLSvc/server.mydomain.com
servicePrincipalName: exchangeMDB/server.mydomain.com
servicePrincipalName: exchangeMDB/SERVER
servicePrincipalName: exchangeRFR/server.mydomain.com
servicePrincipalName: exchangeRFR/SERVER
servicePrincipalName: exchangeAB/SERVER
servicePrincipalName: exchangeAB/server.mydomain.com
servicePrincipalName: SMTPSVC/SERVER
servicePrincipalName: SMTPSVC/server.mydomain.com
servicePrincipalName: ldap/server.mydomain.com/ForestDnsZones.mydomain.com
servicePrincipalName: ldap/server.mydomain.com/DomainDnsZones.mydomain.com
servicePrincipalName: GC/server.mydomain.com/mydomain.com
servicePrincipalName: HOST/server.mydomain.com/mydomain
servicePrincipalName: HOST/SERVER
servicePrincipalName: HOST/server.mydomain.com
servicePrincipalName: HOST/server.mydomain.com/mydomain.com
servicePrincipalName: ldap/server.mydomain.com/mydomain
servicePrincipalName: ldap/SERVER
servicePrincipalName: ldap/server.mydomain.com
servicePrincipalName: ldap/server.mydomain.com/mydomain.com
servicePrincipalName: DNS/server.mydomain.com

dn: CN=SQL,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/server.mydomain.co.za:1433

dn: CN=STORESCLERK01,CN=Computers,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/STORESCLERK01.mydomain.com
servicePrincipalName: HOST/STORESCLERK01
servicePrincipalName: HOST/STORESCLERK01.mydomain.com

dn: CN=SERVICEMAN01,CN=Computers,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/SERVICEMAN01.mydomain.com:1433
servicePrincipalName: HOST/SERVICEMAN01
servicePrincipalName: HOST/SERVICEMAN01.mydomain.com

dn: CN=ENGINEER,CN=Computers,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/Engineer.mydomain.com:1485
servicePrincipalName: HOST/ENGINEER
servicePrincipalName: HOST/Engineer.mydomain.com

I have just changed my real domain to "mydomain.com"; otherwise this whole document is as is. The duplicate SPN name in question is:

servicePrincipalName: MSSQLSvc/SERVICEMAN01.mydomain.com:1433

And I see it is listed twice; please confirm whether I am correct in saying that this is the actual duplicate SPN name.

Again, thanks for the quick reply...

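Added example (the editor's, not code from anyone in this thread): a script that does mechanically what the ldifde export in the comment above and the setspn -D / ADSI Edit advice in the answer above call for. It parses the export (unfolding the leading-space continuation lines and decoding the "::" base64 values that ldifde emits), flags every SPN held by more than one object, comparing case-insensitively as the KDC's lookup does, and prints one candidate setspn -D line per owner so that exactly one can be chosen: the one for the account that does not actually run the service. The LDIF below is a constructed sample modelled on the posted export, not the poster's real data; deriving the setspn account name from the first RDN is an assumption that must be checked against the object before anything is removed.

```python
"""Find servicePrincipalName values registered on more than one object in an
ldifde export such as:

  ldifde -f SQL_SPN.txt -t 3268 -d "" -l servicePrincipalName -r
         "(servicePrincipalName=*MSSQLSvc*)" -p subtree

KDC event 11 fires when a requested SPN resolves to more than one account,
so the comparison here is case-insensitive, matching the KDC's lookup.
"""
import base64
from collections import defaultdict

# Constructed sample modelled on the export in the thread (not real data):
# the SQL SPN sits on the DC's computer account and on the domain user that
# runs the SQL service, in different letter case; one value is base64-encoded
# the way ldifde writes values with '::'.
SAMPLE_LDIF = """\
dn: CN=SERVER,OU=Domain Controllers,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/server.mydomain.co.za:1433
servicePrincipalName: MSSQLSvc/server.mydomain.co.za
servicePrincipalName: HOST/SERVER
servicePrincipalName: HOST/server.mydomain.co.za

dn: CN=SQL,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: mssqlsvc/SERVER.mydomain.co.za:1433

dn: CN=SERVICEMAN01,CN=Computers,DC=mydomain,DC=co,DC=za
changetype: add
servicePrincipalName: MSSQLSvc/SERVICEMAN01.mydomain.co.za:1433
servicePrincipalName:: SE9TVC9TRVJWSUNFTUFOMDE=
"""


def _decode(rest):
    """Value after 'attr:'; a second ':' marks a base64-encoded value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def parse_ldif(text):
    """Return [(dn, [spn, ...]), ...]; unfolds the continuation lines
    (leading space) that ldifde emits for long values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, dn, spns = [], None, []
    for line in lines + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                records.append((dn, spns))
            dn, spns = None, []
        elif line.lower().startswith("dn:"):
            dn = _decode(line[3:])
        elif line.lower().startswith("serviceprincipalname:"):
            spns.append(_decode(line[len("servicePrincipalName:"):]))
    return records


def find_duplicate_spns(text):
    """Map lower-cased SPN -> [(dn, spn as written)] for every SPN held by
    more than one distinct object."""
    owners = defaultdict(list)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].append((dn, spn))
    return {k: v for k, v in owners.items() if len({d for d, _ in v}) > 1}


def account_name(dn):
    """First RDN value: usually the computer name or sAMAccountName that
    setspn expects (assumption; confirm against the object first)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def candidate_removals(duplicates):
    """One 'setspn -D' per owner of each duplicate. Run exactly one per SPN:
    the one for the account that does NOT run the service."""
    return [f'setspn -D "{spn}" {account_name(dn)}'
            for entries in duplicates.values()
            for dn, spn in entries]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    dups = find_duplicate_spns(text)
    for key, entries in dups.items():
        print(f"duplicate: {key}")
        for dn, spn in entries:
            print(f"    {spn}  on  {dn}")
    print("\n".join(candidate_removals(dups)))
```

Run it against a real export with the file name as the first argument (if ldifde was run with -u the file is Unicode and must be opened with that encoding). On the sample it reports the one SPN present on both CN=SERVER and CN=SQL and prints two setspn -D lines; only the line for the account that is not running SQL Server should be executed, and the KDC event should stop after the next ticket request.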

Author Comment

ID: 24148317
My apologies, the SPN in question is:


and not


And I see it is listed twice; is it supposed to be like that, or is that the real duplicate SPN in question, related to the following Event ID:

Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      11
Date:            2009/04/15
Time:            04:07:31 PM
User:            N/A
Computer:      SERVER
There are multiple accounts with name MSSQLSvc/server.mydomain.com:1433 of type DS_SERVICE_PRINCIPAL_NAME.

For more information, see Help and Support Center at http://

Accepted Solution

wimpie_asg earned 0 total points
ID: 24193129

It seems like it was Backup Exec that caused the duplicate SPN name. I have uninstalled Backup Exec and restarted the server, and the duplicate SPN was removed.

Thanks for your help, really appreciated!
