SPLAT-Tech asked on

KDC / Duplicate SPN - Ghost?

I am having an issue on one of my DCs. I keep getting an event log entry stating I have a duplicate SPN. The DC stops processing logins as a result.

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is RPCSS/mis45 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for RPCSS/mis45 in Active Directory.

I am not however, able to find the duplicate SPN stated in the log entry.

C:\>setspn -X
Checking domain DC=splat,DC=com
Processing entry 11
found 0 group of duplicate SPNs.

C:\>setspn -l mis45
Registered ServicePrincipalNames for CN=MIS45,CN=Computers,DC=splat,DC=com:
        TERMSRV/mis45.splat.com
        RestrictedKrbHost/MIS45
        HOST/MIS45
        RestrictedKrbHost/MIS45.splat.com
        HOST/MIS45.splat.com
C:\>


I also ran the query at the forest level and got 71 groups of duplicate entries on different systems. Some that don't exist anymore and some that still do, including the mentioned culprit. The duplicates are, however, on child domains. (I will deal with those later.)

Why can't I find the duplicate SPN?
Could the duplicate SPN mentioned be in one of the child domains?
Why is only this DC getting the log entry?
Tags: Microsoft Legacy OS, Microsoft Server OS, Windows Server 2008

Last comment: SPLAT-Tech, 8/22/2022 - Mon
motnahp00

Did you clone any of your DCs?
SPLAT-Tech

ASKER
No cloning. They were all set up clean.
compdigit44

Was this server rebuilt using the same host name? If so, was it properly removed from the domain?

What were the last changes you made in your environment before this error started?
SPLAT-Tech

ASKER
The server is a new DC. Nothing has been done to that server. The only changes that have happened on the domain is that we have been demoting satellite DCs.

I have demoted 50+ DCs over the past 6 months. All of the sites that used to have DCs are now looking to the affected DC for authentication.
motnahp00

Do you have your Active Directory and Sites configured correctly with site names and subnets?
SPLAT-Tech

ASKER
Absolutely. Has been checked and verified several times.
compdigit44

Were there any FSMO roles on the server?

Have you tried to use NTDSUTIL to see if there are any remains of the old server still present in AD?
ASKER CERTIFIED SOLUTION
motnahp00

SPLAT-Tech

ASKER
Tried and failed before posting the issue. Tried it again just for kicks. Still happening.
SPLAT-Tech

ASKER
CompDigit... there are no FSMO roles on this server. All servers have been removed properly.
compdigit44

When you ran the repadmin /syncall you stated it failed. If this is the case, this would explain why parts of your old servers are still showing up in AD. Now we have to figure out why replication is broken.
SOLUTION
SPLAT-Tech

ASKER
Compdigit... I meant failed as in "failed to fix the issue".

Problem is fixed.
I ran SETSPN -F -X and got 82 hits of duplicate SPN groups. I zapped each one of them until they were all gone.
Then I ran another sync with REPADMIN /SYNCALL DCNAME DC=DOMAIN,DC=LOCAL /D /E

Have not had the issue since.  The interesting thing is that none of the duplicate SPNs were from the DCs that were removed. They were all from existing corporate office systems.

Thanks for the suggestions and the help.
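The two checks the thread turns on are (a) whether an SPN is duplicated anywhere in the forest rather than only in the domain you run setspn from (setspn -X without -F searches only the current domain, which is why the first run reported zero groups while the forest-level run found 71), and (b) where exactly the name from the KDC event lives. Below is an added PowerShell example that does both against the Global Catalog; it is not code from the original thread and not a Microsoft tool. It assumes the RSAT ActiveDirectory module, an account that can read the GC, and uses RPCSS/mis45 from the event text as the SPN to locate. One caveat worth knowing when reading its output: setspn -X compares literal SPN strings, whereas the KDC resolves RPCSS/mis45 through the HOST service-class mapping to HOST/MIS45 as well, so an RPCSS/mis45 registered explicitly on some other account collides with the computer's HOST SPN even though the literal strings differ; the last query in the script is there to surface that case.

```powershell
# Added example, not from the original thread. Forest-wide duplicate SPN report
# plus a targeted lookup of the SPN named in KDC event 11.
# Assumptions: RSAT ActiveDirectory module installed, account can read the GC,
# and 'RPCSS/mis45' is the SPN quoted in the event log (taken from the question).

Import-Module ActiveDirectory

# Pick any Global Catalog in the forest; port 3268 makes the query forest-wide.
$gcHost = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$gc     = "${gcHost}:3268"

# servicePrincipalName is in the GC partial attribute set, so one GC query
# sees every domain in the forest, child domains included.
$objects = Get-ADObject -Server $gc -SearchBase '' `
    -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName

# Flatten to (SPN, DN) pairs. SPN matching is case-insensitive, so normalise
# first; otherwise HOST/MIS45 and host/mis45 would not group together.
$pairs = foreach ($o in $objects) {
    foreach ($spn in $o.servicePrincipalName) {
        [pscustomobject]@{ SPN = $spn.ToLowerInvariant(); DN = $o.DistinguishedName }
    }
}

$dupes = $pairs | Group-Object SPN | Where-Object { $_.Count -gt 1 }

"Found $($dupes.Count) duplicate SPN group(s) across the forest (GC: $gcHost)"
foreach ($g in $dupes) {
    ""
    $g.Name
    $g.Group | ForEach-Object { "    $($_.DN)" }
}

# Targeted lookup: every object anywhere in the forest carrying the SPN from
# the event, literally or via the HOST alias that the KDC also accepts.
$target = 'RPCSS/mis45'
$hostAlias = 'HOST/' + ($target -split '/', 2)[1]
""
"Objects that can answer for ${target}:"
Get-ADObject -Server $gc -SearchBase '' `
    -LDAPFilter "(|(servicePrincipalName=$target)(servicePrincipalName=$hostAlias))" `
    -Properties servicePrincipalName |
    ForEach-Object {
        "    $($_.DistinguishedName)"
        $_.servicePrincipalName | Where-Object { $_ -match '^(RPCSS|HOST)/' } |
            ForEach-Object { "        $_" }
    }
```

Run it from the affected DC or any domain-joined admin workstation. If the targeted section lists more than one object (for example the MIS45 computer account via HOST/MIS45 and a second account holding an explicit RPCSS/mis45, possibly in a child domain), that second object is the entry the event is pointing at even when setspn -X in the local domain reports no duplicates; remove the SPN from the account that should not own it with setspn -D, then force replication as the asker did with repadmin /syncall.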
SPLAT-Tech

ASKER
Great questions and suggestions.