Solved

Active Directory Error / Duplicate Entry / There are multiple accounts with name MSSQLSvc/xxxxxx

Posted on 2014-04-02
Last Modified: 2014-04-06
Hello, all my DCs are reporting the error below:

There are multiple accounts with name MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The DCLVMEVSQL is a new Windows 2008 R2 server which is hosting a SQL 2005 SP4 DB.

This is the log from when I use the setspn cmd on the dclvmevsql server.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.HQ>setspn -X
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Processing entry 1
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/cfgadmin.HQ.DavisCofferLyons.Co.Uk is reg
istered on these accounts:
        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

found 3 groups of duplicate SPNs.


C:\Users\administrator.HQ>setspn -L dclvmevsql
Registered ServicePrincipalNames for CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCo
fferLyons,DC=Co,DC=Uk:
        MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433
        TERMSRV/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        TERMSRV/DCLVMEVSQL
        WSMAN/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        WSMAN/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL
        HOST/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        HOST/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk

Please let me know how I can resolve this issue and, if possible, give me any possible causes for why it happened.

Thank you for your time and help!
0
Question by:jamescarson69
6 Comments
 
LVL 38

Expert Comment

by:Jim P.
ID: 39973900
I can't give you a definitive answer.

The SPN is the Server Principal Name. I think its intent in 2005 was to set itself up during the SQL Server 2005 install in the AD but was never really used by anything back then. That is a common error to see the SPN not registered in the install log.

I usually see accounts like that on the local server and not in the full up AD. So was your install a standard one from a disk/image or was it part of an application install?

If it was an application install then I can see how some company was trying to get that in the AD for lookup purposes. I think you can probably just ignore it and go on.

I'm sorry I can't give you a better answer.
0
 

Author Comment

by:jamescarson69
ID: 39974314
Hello Jim,

Thank you for the quick reply and your time!

SQL was not a part of another installation.

But at least telling me that I can probably ignore it makes things better already!
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39974466
You can delete the duplicated SPNs.

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing setspn -d http/server3.contoso.com server3, and then pressing ENTER.

http://technet.microsoft.com/en-us/library/cc731241.aspx

SPNs can be created manually or through applications registering their own SPNs during installation. During the creation phases, there is no validation or verification if an SPN exists. So multiple re-installations of an application can cause duplicates to be created.

The same applies to manual SPN creation. If one was manually created and the task was restarted for whatever reason then duplicates can be created as well.

Duplicate SPNs only become an issue when an application tries to use the SPN to find resources. You could leave them as is if you want...since they point to the same resource, but I would rather clean it up.
0

 

Author Comment

by:jamescarson69
ID: 39977657
Hello Leon,

Thank you for all the information.

I came across the above article below but because I'm not familiar with the above logs I was sure what I should delete.

Is it possible to let me know from the above logs that I have posted?

Many thanks for your time and help.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 39977731
These are the errors that you should be focussing on:
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

According to this information, there is an SPN registered for both the Computer[DCLVMEVSQL] and for the User[Administrator], which I'm guessing is your domain admin account.

The SPN on the domain admin account must be deleted:
setspn -D MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 daviscofferlyons\administrator


You can verify my findings by running:
SETSPN -L daviscofferlyons\administrator

It should show you the SPN.

I did a little further research and need to point out the following articles that could explain why you're seeing this SPN as it relates to the way that SQL Server service is starting.

Check out these links and the details about user accounts and SPN registration:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/68e53520-8336-493b-b048-ffb44675d1a7/cant-connect-to-linked-server
http://msdn.microsoft.com/en-us/library/ms191153.aspx
0
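The check the accepted answer performs by eye, as an added example that is not part of the original thread: it parses `setspn -X` output (the sample is an excerpt of the log posted in the question), rejoins lines the 80-column console wrapped, and lists for each duplicated SPN the accounts other than the computer account named in the SPN. The function names are illustrative, and which registration is actually correct depends on the account the service runs under.

```python
import re
# Excerpt of the `setspn -X` output posted in the question (80-column console).
SAMPLE = """\
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
"""
HEADER = re.compile(r"^(\S+/\S+) is registered on these accounts:$")

def unwrap(text, width=80):
    # A line exactly `width` long was cut by the console: glue the next one on.
    out, carry = [], ""
    for raw in text.splitlines():
        if len(raw) == width:
            carry += raw
        else:
            out.append(carry + raw)
            carry = ""
    return out + ([carry] if carry else [])

def parse_duplicates(text):
    # Map each duplicated SPN to the DNs of the accounts it is registered on.
    groups, current = {}, None
    for line in unwrap(text):
        m = HEADER.match(line)
        if m:
            current = m.group(1)
        elif current and line[:1].isspace() and line.strip():
            groups.setdefault(current, []).append(line.strip())
    return groups

def extra_holders(groups):
    # Holders other than the computer account whose CN matches the SPN's host.
    report = {}
    for spn, dns in groups.items():
        host = spn.split("/", 1)[1].split(":")[0].split(".")[0].lower()
        report[spn] = [d for d in dns if d.split(",")[0].lower() != "cn=" + host]
    return report
if __name__ == "__main__":
    for spn, others in extra_holders(parse_duplicates(SAMPLE)).items():
        print(spn, "->", others)
```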
 

Author Closing Comment

by:jamescarson69
ID: 39981849
Leon, much appreciate all your help and time.

Issue seems to be resolved and most important now I understand why.

Thank you again!
0
