Solved

Active Directory Error / Duplicate Entry / There are multiple accounts with name MSSQLSvc/xxxxxx

Posted on 2014-04-02
Last Modified: 2014-04-06
Hello all, my DCs are reporting the below error:

There are multiple accounts with name MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The DCLVMEVSQL is a new Windows 2008 R2 server which is hosting a SQL 2005 SP4 DB.

This is the log from when I use the setspn cmd on the dclvmevsql server.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.HQ>setspn -X
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Processing entry 1
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/cfgadmin.HQ.DavisCofferLyons.Co.Uk is reg
istered on these accounts:
        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

found 3 groups of duplicate SPNs.


C:\Users\administrator.HQ>setspn -L dclvmevsql
Registered ServicePrincipalNames for CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCo
fferLyons,DC=Co,DC=Uk:
        MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433
        TERMSRV/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        TERMSRV/DCLVMEVSQL
        WSMAN/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        WSMAN/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL
        HOST/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        HOST/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk

Please let me know how I can resolve this issue, but also, if possible, give me any possible causes of why it happened.

Thank you for your time and help!
0
Question by:jamescarson69
6 Comments
 
LVL 38

Expert Comment

by:Jim P.
ID: 39973900
I can't give you a definitive answer.

The SPN is the Server Principal Name. I think its intent in 2005 was to set itself up during the SQL Server 2005 install in the AD but was never really used by anything back then. That is a common error to see the SPN not registered in the install log.

I usually see accounts like that on the local server and not in the full up AD. So was your install a standard one from a disk/image or was it part of an application install?

If it was an application install then I can see how some company was trying to get that in the AD for lookup purposes. I think you can probably just ignore it and go on.

I'm sorry I can't give you a better answer.
0
 

Author Comment

by:jamescarson69
ID: 39974314
Hello Jim,

Thank you for the quick reply and your time!

SQL was not a part of another installation.

But at least telling me that I can probably ignore it makes things better already!
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39974466
You can delete the duplicated SPNs.

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing setspn -d http/server3.contoso.com server3, and then pressing ENTER.

http://technet.microsoft.com/en-us/library/cc731241.aspx

SPNs can be created manually or through applications registering their own SPNs during installation. During the creation phases, there is no validation or verification if an SPN exists. So multiple re-installations of an application can cause duplicates to be created.

The same applies to manual SPN creation. If one was manually created and the task was restarted for whatever reason then duplicates can be created as well.

Duplicate SPNs only become an issue when an application tries to use the SPN to find resources. You could leave them as is if you want, since they point to the same resource, but I would rather clean it up.
0
 

Author Comment

by:jamescarson69
ID: 39977657
Hello Leon,

Thank you for all the information.

I came across the above article, but because I'm not familiar with the above logs I wasn't sure what I should delete.

Is it possible to let me know from the above logs that I have posted?

Many thanks for your time and help.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 39977731
These are the errors that you should be focussing on:
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

According to this information, there is an SPN registered for both the Computer[DCLVMEVSQL] and for the User[Administrator], which I'm guessing is your domain admin account.

The SPN on the domain admin account must be deleted:
setspn -D MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 daviscofferlyons\administrator

You can verify my findings by running:
SETSPN -L daviscofferlyons\administrator

It should show you the SPN.

I did a little further research and need to point out the following articles that could explain why you're seeing this SPN as it relates to the way that the SQL Server service is starting.

Check out these links and the details about user accounts and SPN registration:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/68e53520-8336-493b-b048-ffb44675d1a7/cant-connect-to-linked-server
http://msdn.microsoft.com/en-us/library/ms191153.aspx
0
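
The triage the accepted answer does by eye, as an added example that is not part of the original thread: it parses `setspn -X` output, rejoins lines the console wrapped at 80 columns, and lists for each duplicated SPN the holders that sit under CN=Users. The function names are hypothetical, and both the 80-column width and the reading of CN=Users as "user account" are assumptions taken from the log posted in the question.

```python
import re
WIDTH = 80  # assumption: default console width, matching the wrapping in the post
# Excerpt of the `setspn -X` output posted in the question, wrapping preserved.
SAMPLE = """\
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
"""
HEADER = re.compile(r"^(\S+) is registered on these accounts:$")

def unwrap(text, width=WIDTH):
    """Rejoin lines that the console split at exactly `width` columns."""
    out, carry = [], ""
    for line in text.splitlines():
        carry += line
        if len(line) != width:  # a full-width line continues on the next one
            out.append(carry)
            carry = ""
    return out + ([carry] if carry else [])

def duplicate_spns(text):
    """Map each duplicated SPN to the account DNs it is registered on."""
    groups, current = {}, None
    for line in unwrap(text):
        match = HEADER.match(line)
        if match:
            current = groups.setdefault(match.group(1), [])
        elif line[:1].isspace() and line.strip() and current is not None:
            current.append(line.strip())
        elif line.strip():
            current = None  # unrelated output ends the current group
    return groups

def user_held(groups, container="CN=Users"):
    """SPN -> holders under `container` (heuristic for user accounts)."""
    return {spn: [dn for dn in dns if f",{container}," in dn]
            for spn, dns in groups.items()}

if __name__ == "__main__":
    print(user_held(duplicate_spns(SAMPLE)))
```

The holders it lists are candidates for review, not automatic deletion: the SPN belongs on whichever account the service actually runs as. An SPN on a privileged user account such as a domain administrator deserves priority, since any domain user can request a service ticket encrypted with that account's key.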
 

Author Closing Comment

by:jamescarson69
ID: 39981849
Leon, much appreciate all your help and time.

Issue seems to be resolved and most important now I understand why.

Thank you again!
0
