The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is RPCSS/mis45 (of type DS_SERVICE_PRINCIPAL_NAME)
I am not, however, able to find the duplicate SPN stated in the log entry.
Checking domain DC=splat,DC=com
Processing entry 11
found 0 group of duplicate SPNs.
C:\>setspn -l mis45
Registered ServicePrincipalNames for CN=MIS45,CN=Computers,DC=s
I also ran the query at the forest level and got 71 groups of duplicate entries on different systems. Some that don't exist anymore and some that still do, including the mentioned culprit. The duplicates are, however, on child domains. (I will deal with those later.)
Why can't I find the duplicate SPN?
Could the duplicate SPN mentioned be in one of the child domains?
Why is only this DC getting the log entry?
What were the last changes you made in your environment before this error started?
I have demoted 50+ DCs over the past 6 months. All of the sites that used to have DCs are now looking to the affected DC for authentication.
Have you tried to use NTDSUTIL to see if there are any remains of the old server still present in AD?
Problem is fixed.
I ran SETSPN -F -X and got 82 hits of duplicate SPN groups. I zapped each one of them until they were all gone.
Then I ran another sync with REPADMIN /SYNCALL DCNAME DC=DOMAIN,DC=LOCAL /D /E
Have not had the issue since. The interesting thing is that none of the duplicate SPNs were from the DCs that were removed. They were all from existing corporate office systems.
Thanks for the suggestions and the help.
May I kindly ask you, how did you zap them?
I have found several like this:
HOST/atads001.aa.xxx.yyy is registered on these accounts:
and I am unable to remove the one with 0ACNF trying with this command:
setspn -D HOST/atads001.aa.xxx.yyy ATADS001\0ACNF:a757649c-f8bc-429d-88ce-8e02f97276a7
Any hints how to remove it?
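
An added example, not part of the thread and not any poster's code: a PowerShell parser for `setspn -F -X` output that shows, for each duplicate group, which domains the holders sit in and which holders are replication conflict (`\0ACNF:`) objects. The sample output and every name in it are constructed, and the line layout is assumed from the lines quoted in the thread.

```powershell
# Constructed sample of `setspn -F -X` output (placeholder names, not from the thread).
$sample = @'
Checking forest DC=example,DC=test
HOST/srv01.example.test is registered on these accounts:
    CN=SRV01,CN=Computers,DC=example,DC=test
    CN=SRV01\0ACNF:00000000-0000-0000-0000-000000000000,CN=Computers,DC=child,DC=example,DC=test

RPCSS/ws02 is registered on these accounts:
    CN=WS02,CN=Computers,DC=example,DC=test
    CN=WS02-OLD,CN=Computers,DC=example,DC=test
found 2 group of duplicate SPNs.
'@

function Get-DnDomain([string]$Dn) {
    # Join the DC= components of a DN into a DNS-style domain name.
    $dc = $Dn -split '(?<!\\),' | Where-Object { $_ -match '^DC=' }
    ($dc -replace '^DC=', '') -join '.'
}

function ConvertFrom-SetSpnDuplicate {
    param([Parameter(Mandatory)][string]$Text)
    $groups = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^(?<spn>\S+) is registered on these accounts:\s*$') {
            $current = [pscustomobject]@{
                SPN      = $Matches.spn
                Accounts = [System.Collections.Generic.List[string]]::new()
            }
            $groups.Add($current)
        }
        elseif ($current -and $line -match '^\s+(?<dn>\S.*)$') {
            $current.Accounts.Add($Matches.dn.TrimEnd())   # indented line = account DN
        }
        elseif ($line -notmatch '\S') { $current = $null } # blank line closes the group
    }
    foreach ($g in $groups) {
        [pscustomobject]@{
            SPN       = $g.SPN
            Domains   = @($g.Accounts | ForEach-Object { Get-DnDomain $_ } | Sort-Object -Unique)
            Conflicts = @($g.Accounts | Where-Object { $_ -match '\\0ACNF:' })
            Accounts  = $g.Accounts
        }
    }
}

# Against a live forest: ConvertFrom-SetSpnDuplicate -Text (setspn -F -X | Out-String)
ConvertFrom-SetSpnDuplicate -Text $sample | Format-List
```

A group whose `Domains` lists more than one domain is invisible to a domain-scoped `setspn -X`, which matches the 0 versus 71 results reported earlier in the thread.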