Solved

Active Directory Error / Duplicate Entry / There are multiple accounts with name MSSQLSvc/xxxxxx

Posted on 2014-04-02
Last Modified: 2014-04-06
Hello all, my DCs are reporting the below error:

There are multiple accounts with name MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The DCLVMEVSQL is a new Windows 2008 R2 server which is hosting a SQL 2005 SP4 DB.

This is the log from when I use the setspn cmd on the dclvmevsql server.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.HQ>setspn -X
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Processing entry 1
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/cfgadmin.HQ.DavisCofferLyons.Co.Uk is reg
istered on these accounts:
        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

found 3 groups of duplicate SPNs.


C:\Users\administrator.HQ>setspn -L dclvmevsql
Registered ServicePrincipalNames for CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCo
fferLyons,DC=Co,DC=Uk:
        MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433
        TERMSRV/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        TERMSRV/DCLVMEVSQL
        WSMAN/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        WSMAN/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL
        HOST/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        HOST/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk

Please let me know on how I can resolve this issue but also if possible give me any possible causes on why it happened.

Thank you for your time and help!
0
Question by:jamescarson69
6 Comments
 
LVL 38

Expert Comment

by:Jim P.
ID: 39973900
I can't give you a definitive answer.

The SPN is the Server Principal Name. I think its intent in 2005 was to set itself up during the SQL Server 2005 install in the AD but was never really used by anything back then. That is a common error to see the SPN not registered in the install log.

I usually see accounts like that on the local server and not in the full up AD. So was your install a standard one from a disk/image or was it part of an application install?

If it was an application install then I can see how some company was trying to get that in the AD for lookup purposes. I think you can probably just ignore it and go on.

I'm sorry I can't give you a better answer.
0
 

Author Comment

by:jamescarson69
ID: 39974314
Hello Jim,

Thank you for the quick reply and your time!

SQL was not a part of another installation.

But at least telling me that I can probably ignore it makes things better already!
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39974466
You can delete the duplicated SPNs.

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing setspn -d http/server3.contoso.com server3, and then pressing ENTER.

http://technet.microsoft.com/en-us/library/cc731241.aspx

SPNs can be created manually or through applications registering their own SPNs during installation. During the creation phases, there is no validation or verification if an SPN exists. So multiple re-installations of an application can cause duplicates to be created.

The same applies to manual SPN creation. If one was manually created and the task was restarted for whatever reason then duplicates can be created as well.

Duplicate SPNs only become an issue when an application tries to use the SPN to find resources. You could leave them as is if you want, since they point to the same resource, but I would rather clean it up.
0

 

Author Comment

by:jamescarson69
ID: 39977657
Hello Leon,

Thank you for all the information.

I came across the above article below but because I'm not familiar with the above logs I was sure what I should delete.

Is it possible to let me know from the above logs that I have posted?

Many thanks for your time and help.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 39977731
These are the errors that you should be focussing on:
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

According to this information, there is an SPN registered for both the Computer [DCLVMEVSQL] and for the User [Administrator], which I'm guessing is your domain admin account.

The SPN on the domain admin account must be deleted:
setspn -D MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 daviscofferlyons\administrator



You can verify my findings by running:
SETSPN -L daviscofferlyons\administrator

It should show you the SPN.

I did a little further research and need to point out the following articles that could explain why you're seeing this SPN, as it relates to the way that the SQL Server service is starting.

Check out these links and the details about user accounts and SPN registration:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/68e53520-8336-493b-b048-ffb44675d1a7/cant-connect-to-linked-server
http://msdn.microsoft.com/en-us/library/ms191153.aspx
0
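
Added example, not part of the original thread: a Python parser for the `setspn -X` output posted in the question. It rejoins the console-wrapped header lines, groups the account DNs under each duplicated SPN, and separates the account whose CN matches the SPN's host from the others. The names `parse_duplicates`, `review` and `cn` are hypothetical, and using the CN as the account name in the suggested `setspn -D` line is an assumption; which account should hold the SPN still depends on the account the service runs under.

```python
import re

# Abridged setspn -X output from the question, 80-column console wraps included.
SAMPLE = """\
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Processing entry 1
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
"""

NOISE = re.compile(r"^(Checking domain|Processing entry|found \d+ group)")
HEADER = re.compile(r"^(\S+) is registered on these accounts:$")

def cn(dn):
    return dn.split(",", 1)[0][3:]         # "CN=Administrator,CN=Users,..." -> "Administrator"

def parse_duplicates(text):
    """Return {spn: [account DNs]} from setspn -X output."""
    groups, buf, current = {}, "", None
    for line in text.splitlines():
        if not line.strip() or NOISE.match(line):
            continue
        if line[0].isspace():              # indented line: an account DN
            if current:
                groups[current].append(line.strip())
            continue
        buf += line                        # header, possibly split by the console
        m = HEADER.match(buf)
        if m:
            current, buf = m.group(1), ""
            groups[current] = []
    return groups

def review(groups):
    """Per SPN: accounts whose CN matches the SPN host, and removals to review."""
    report = {}
    for spn, dns in groups.items():
        host = re.split(r"[.:]", spn.split("/", 1)[1])[0].lower()
        keep = [d for d in dns if cn(d).lower() == host]
        # Heuristic only: a service running under a domain account keeps its SPN there.
        report[spn] = {"host_match": keep,
                       "review": [f"setspn -D {spn} {cn(d)}" for d in dns if d not in keep]}
    return report
```

Calling `review(parse_duplicates(SAMPLE))` lists the Administrator registration of the MSSQLSvc SPN as the one to review, which is the entry the accepted answer removes.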
 

Author Closing Comment

by:jamescarson69
ID: 39981849
Leon much appreciate all your help and time.

Issue seems to be resolved and most important now I understand why.

Thank you again!
0
