Multiple SPN Error (Event ID 11) on Domain Controller

Hi folks!

We are running several Windows Server 2003 R2 x64 SP2 servers. On our domain controller, I am periodically seeing event ID 11 in the system log, stating the following:

Event Type:	Error
Event Source:	KDC
Event Category:	None
Event ID:	11
Date:		2/18/2011
Time:		10:01:14 AM
User:		N/A
Computer:       [SERVER]
Description:
There are multiple accounts with name MSSQLSvc/[SERVER].[DOMAIN]:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The server that is listed in the error is our MS SQL database server and also the application server for an application used throughout our organization. I have researched this error online, and have tried using the suggested methods to search for duplicate SPNs matching the server name. When I follow the instructions at this location...

http://blogs.dirteam.com/blogs/carlos/archive/2006/04/21/812.aspx

...I get the following output as a result:


dn: CN=[SERVER],CN=Computers,DC=[DOMAIN],DC=[DOMAIN],DC=[DOMAIN]
changetype: add
servicePrincipalName: MSSQLSvc/[SERVER].[DOMAIN]:1433
servicePrincipalName: WSMAN/[SERVER].[DOMAIN]
servicePrincipalName: HOST/[SERVER].[DOMAIN]
servicePrincipalName: WSMAN/[SERVER]
servicePrincipalName: HOST/[SERVER]

However, I do not understand SPNs well enough to really interpret that output and know whether it is normal or not.

Can anyone provide me some more information on this error and suggestions for dealing with it?

Thanks,
Ithizar
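
Added example, not part of the original thread: the event text speaks of multiple accounts holding one name, so a duplicate only shows up when the servicePrincipalName values of different accounts are compared, which an export of a single entry cannot show. The sketch below parses LDIF text (handling folded lines and base64 values) and reports SPNs held by more than one account; the domain, host name and the service account svc-sql are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample export (not from the thread): a hypothetical service
# account svc-sql carries the same MSSQLSvc SPN as the SQL host's computer account.
SAMPLE_LDIF = """\
dn: CN=SQL01,CN=Computers,DC=example,DC=local
changetype: add
servicePrincipalName: MSSQLSvc/sql01.example.local:1433
servicePrincipalName: HOST/sql01.example.local

dn: CN=svc-sql,CN=Users,DC=example,DC=local
changetype: add
servicePrincipalName: mssqlsvc/SQL01.exam
 ple.local:1433
servicePrincipalName:: SFRUUC9pbnRyYW5ldC5leGFtcGxlLmxvY2Fs
"""

def parse_spns(ldif_text):
    """Yield (dn, spn) pairs from LDIF text."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # RFC 2849: folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn = None
    for line in lines:
        if not line.strip():
            dn = None                       # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "serviceprincipalname" and dn:
            yield dn, value

def find_duplicate_spns(ldif_text):
    """Return {lowercased SPN: sorted DNs} for SPNs on more than one account."""
    owners = defaultdict(set)
    for dn, spn in parse_spns(ldif_text):
        owners[spn.lower()].add(dn)         # SPNs are matched case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", "; ".join(dns))
```

The input has to be an export that covers every account carrying an SPN, for example one taken with the LDAP filter (servicePrincipalName=*), not the entry of the SQL server alone.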
 
Darius Ghassem Commented:
The link below will tell you exactly what you need to do to get rid of the duplicate SPNs.

http://msmvps.com/blogs/vandooren/archive/2008/03/11/getting-rid-of-the-duplicate-spn-in-active-directory.aspx
 
Anthony Perkins Commented:
The following will list the duplicates:
SetSPN -X

You can then delete them by using the -D parameter.
 
Ithizar (Author) Commented:
I have tried what you have suggested, and am unable to identify the duplicate SPN. Maybe I'm just not understanding it. But what I posted above is the output of these attempts. Do you see a duplicate there?
 
Amit (IT Architect) Commented:
Below is the solution for your issue
http://support.microsoft.com/kb/321044
 
Ithizar (Author) Commented:
As I have already said, I have used the tools to attempt to identify the duplicate SPN. And I have posted the output I am getting above. I am not seeing any duplicates in that output. That's what I don't understand. Do you see duplicates in what I posted?
 
Anthony Perkins Commented:
>>I have used the tools to attempt to identify the duplicate SPN.<<
So you are saying that you tried the following and there were no results?
SetSPN -X
 
Ithizar (Author) Commented:
The -X switch does not appear to be a valid switch. When I use it, it simply displays a help screen listing the valid switches, of which that is not one.
 
Anthony Perkins Commented:
Sure it is. Perhaps you are using an older version. This is what I get when I type setspn /?:
Usage: setspn [switches data] computername
  Where "computername" can be the name or domain\name

  Modifiers:
   -F = perform the duplicate checking on forestwide level
   -P = do not show progress (useful for redirecting output to file)
  Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R computername
   -A = add arbitrary SPN
    Usage:   setspn -A SPN computername
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN computername
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN computername
   -L = list registered SPNs
    Usage:   setspn [-L] computername
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN
   -X = search for duplicate SPNs
    Usage:   setspn -X


Examples:
setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -A http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1" if no such SPN exists in the forest
 
Anthony Perkins Commented:
Yep, that is what it is. See here:
New features in SETSPN.EXE on Windows Server 2008
http://blogs.msdn.com/b/saurabh_singh/archive/2009/01/09/new-features-in-setspn-exe-on-windows-server-2008.aspx
 
Ithizar (Author) Commented:
Well, we have a Server 2008 machine in the mix, but our domain controllers are both 2003. I can run SetSPN from the 2008 box, but will that work correctly with the 2003 DCs?
 
Anthony Perkins Commented:
It is just a utility. Use it wherever it works for you.
 
Ithizar (Author) Commented:
Continuing to work on this; will report back...
 
Ithizar (Author) Commented:
I've requested that this question be deleted for the following reason:

Never found a solution. Going to repost as a fresh question.
 
Ithizar (Author) Commented:
Got a solution. Cancelling delete request to close question and award points.
 
Ithizar (Author) Commented:
Thanks everyone!