Solved

Active Directory Error / Duplicate Entry / There are multiple accounts with name MSSQLSvc/xxxxxx

Posted on 2014-04-02
Last Modified: 2014-04-06
Hello, all my DCs are reporting the below error:

There are multiple accounts with name MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The DCLVMEVSQL is a new Windows 2008 R2 server which is hosting a SQL 2005 SP4 DB.

This is the log from when I use the setspn cmd on the dclvmevsql server.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.HQ>setspn -X
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Processing entry 1
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/cfgadmin.HQ.DavisCofferLyons.Co.Uk is reg
istered on these accounts:
        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

found 3 groups of duplicate SPNs.


C:\Users\administrator.HQ>setspn -L dclvmevsql
Registered ServicePrincipalNames for CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCo
fferLyons,DC=Co,DC=Uk:
        MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433
        TERMSRV/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        TERMSRV/DCLVMEVSQL
        WSMAN/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        WSMAN/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL
        HOST/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        HOST/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk

Please let me know how I can resolve this issue and, if possible, give me any possible causes for why it happened.

Thank you for your time and help!
Question by:jamescarson69
 
LVL 38

Expert Comment

by:Jim P.
ID: 39973900
I can't give you a definitive answer.

The SPN is the Server Principal Name. I think its intent in 2005 was to set itself up during the SQL Server 2005 install in the AD but was never really used by anything back then. That is a common error to see the SPN not registered in the install log.

I usually see accounts like that on the local server and not in the full up AD. So was your install a standard one from a disk/image or was it part of an application install?

If it was an application install then I can see how some company was trying to get that in the AD for lookup purposes. I think you can probably just ignore it and go on.

I'm sorry I can't give you a better answer.

Author Comment

by:jamescarson69
ID: 39974314
Hello Jim,

Thank you for the quick reply and your time!

SQL was not a part of another installation.

But at least telling me that I can probably ignore it makes things better already!
LVL 26

Expert Comment

by:Leon Fester
ID: 39974466
You can delete the duplicated SPNs.

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing setspn -d http/server3.contoso.com server3, and then pressing ENTER.

http://technet.microsoft.com/en-us/library/cc731241.aspx

SPNs can be created manually or through applications registering their own SPNs during installation. During the creation phases, there is no validation or verification if an SPN exists. So multiple re-installations of an application can cause duplicates to be created.

The same applies to manual SPN creation. If one was manually created and the task was restarted for whatever reason then duplicates can be created as well.

Duplicate SPNs only become an issue when an application tries to use the SPN to find resources. You could leave them as is if you want...since they point to the same resource, but I would rather clean it up.

Author Comment

by:jamescarson69
ID: 39977657
Hello Leon,

Thank you for all the information.

I came across the above article below but because I'm not familiar with the above logs I was sure what I should delete.

Is it possible to let me know from the above logs that I have posted?

Many thanks for your time and help.
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 39977731
These are the errors that you should be focusing on:
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

According to this information, there is an SPN registered for both the Computer[DCLVMEVSQL] and for the User[Administrator], which I'm guessing is your domain admin account.

The SPN on the domain admin account must be deleted:
setspn -D MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 daviscofferlyons\administrator


You can verify my findings by running:
SETSPN -L daviscofferlyons\administrator

It should show you the SPN.

I did a little further research and need to point out the following articles that could explain why you're seeing this SPN as it relates to the way that SQL Server service is starting.

Check out these links and the details about user accounts and SPN registration:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/68e53520-8336-493b-b048-ffb44675d1a7/cant-connect-to-linked-server
http://msdn.microsoft.com/en-us/library/ms191153.aspx
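
Added example, not part of the original answer: a Python sketch that parses the pasted `setspn -X` output, rejoins the lines the 80-column console split, and separates the holder whose CN matches the SPN's host name from the other holders that need review. The function names are hypothetical and the CN-equals-host rule is an assumption; where SQL Server runs under a domain service account, that account is the legitimate holder instead.

```python
import re

WIDTH = 80  # assumed console width at which the pasted output was wrapped
HEADER = re.compile(r"^(\S+) is registered on these accounts:$")

# `setspn -X` output from the question, abridged to two duplicate groups.
SAMPLE = """\
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
"""

def unwrap(text, width=WIDTH):
    """Rejoin lines that the console split at exactly `width` characters."""
    out, buf = [], ""
    for line in text.splitlines():
        buf += line
        if len(line) != width:  # a full-width line continues on the next one
            out.append(buf)
            buf = ""
    return out + ([buf] if buf else [])

def duplicate_spns(text):
    """Map each duplicated SPN to the DNs of the accounts holding it."""
    groups, current = {}, None
    for line in map(str.strip, unwrap(text)):
        m = HEADER.match(line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.upper().startswith("CN=") and current is not None:
            current.append(line)
    return groups

def triage(text):
    """Per SPN: holders whose CN equals the SPN's host name, and the others."""
    report = {}
    for spn, dns in duplicate_spns(text).items():
        host = spn.split("/")[1].split(":")[0].split(".")[0].lower()
        named = [d for d in dns if d.split(",")[0][3:].lower() == host]
        report[spn] = {"host_account": named,
                       "review": [d for d in dns if d not in named]}
    return report
```

For the MSSQLSvc group, `triage(SAMPLE)` puts the DCLVMEVSQL computer account under `host_account` and the Administrator user account under `review`, which is the entry the accepted answer removes with `setspn -D`.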

Author Closing Comment

by:jamescarson69
ID: 39981849
Leon, I much appreciate all your help and time.

Issue seems to be resolved and most important now I understand why.

Thank you again!