Active Directory Error / Duplicate Entry / There are multiple accounts with name MSSQLSvc/xxxxxx

Posted on 2014-04-02
Last Modified: 2014-04-06
Hello all, my DCs are reporting the below error:

There are multiple accounts with name MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The DCLVMEVSQL is a new Windows 2008 R2 server which is hosting a SQL 2005 SP4 DB.

This is the log from when I use the setspn cmd on the dclvmevsql server.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\administrator.HQ>setspn -X
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Processing entry 1
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/cfgadmin.HQ.DavisCofferLyons.Co.Uk is reg
istered on these accounts:
        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/CFGADMIN is registered on these accounts:

        CN=bebackup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=backup,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=CFGADMIN,OU=Servers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

found 3 groups of duplicate SPNs.


C:\Users\administrator.HQ>setspn -L dclvmevsql
Registered ServicePrincipalNames for CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCo
fferLyons,DC=Co,DC=Uk:
        MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433
        TERMSRV/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        TERMSRV/DCLVMEVSQL
        WSMAN/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        WSMAN/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL
        HOST/DCLVMEVSQL
        RestrictedKrbHost/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk
        HOST/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk

Please let me know on how I can resolve this issue but also if possible give me any possible causes on why it happened.

Thank you for your time and help!
Question by:jamescarson69
6 Comments
 
LVL 38

Expert Comment

by:Jim P.
ID: 39973900
I can't give you a definitive answer.

The SPN is the Server Principal Name. I think its intent in 2005 was to set itself up during the SQL Server 2005 install in the AD but was never really used by anything back then. That is a common error to see the SPN not registered in the install log.

I usually see accounts like that on the local server and not in the full up AD. So was your install a standard one from a disk/image or was it part of an application install?

If it was an application install then I can see how some company was trying to get that in the AD for lookup purposes. I think you can probably just ignore it and go on.

I'm sorry I can't give you a better answer.
 

Author Comment

by:jamescarson69
ID: 39974314
Hello Jim,

Thank you for the quick reply and your time!

SQL was not a part of another installation.

But at least telling me that I can probably ignore it makes things better already!
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39974466
You can delete the duplicated SPN's

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing setspn -d http/server3.contoso.com server3, and then pressing ENTER.

http://technet.microsoft.com/en-us/library/cc731241.aspx

SPN's can be created manually or through applications registering their own SPN's during installation. During the creation phases, there is no validation or verification if an SPN exists. So multiple re-installations of an application can cause duplicates to be created.

The same applies to manual SPN creation. If one was manually created and the task was restarted for whatever reason then duplicates can be created as well.

Duplicate SPN's only become an issue when an application tries to use the SPN to find resources. You could leave them as is if you want...since they point to the same resource, but I would rather clean it up.
 

Author Comment

by:jamescarson69
ID: 39977657
Hello Leon,

Thank you for all the information.

I came across the above article below but because I'm not familiar with the above logs I was sure what I should delete.

Is it possible to let me know from the above logs that I have posted?

Many thanks for your time and help.
 
LVL 26

Accepted Solution

by:
Leon Fester earned 2000 total points
ID: 39977731
This is the error that you should be focussing on:
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

According to this information, there is an SPN registered for both the Computer[DCLVMEVSQL] and for the User[Administrator], which I'm guessing is your domain admin account.

The SPN on the domain admin account must be deleted:
setspn -D MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 daviscofferlyons\administrator

You can verify my findings by running:
SETSPN -L daviscofferlyons\administrator

It should show you the SPN.

I did a little further research and need to point out the following articles that could explain why you're seeing this SPN as it relates to the way that SQL Server service is starting.

Check out these links and the details about user accounts and SPN registration:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/68e53520-8336-493b-b048-ffb44675d1a7/cant-connect-to-linked-server
http://msdn.microsoft.com/en-us/library/ms191153.aspx
0
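The accepted answer's reading of the `setspn -X` output, written out as an added example that is not part of the original thread: it parses the duplicate groups (including the header line the 80-column console split in two) and separates the computer account named after the SPN host from the other holders. The function names and the second sample group are constructed for illustration, and the keep/review split assumes the service runs under a built-in account, so the computer object is the expected holder.

```python
import re

# Sample input. Group 1 is copied from the `setspn -X` log in the question,
# console line-wrap included; group 2 is constructed for this example.
SAMPLE = """\
Checking domain DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
Processing entry 1
MSSQLSvc/DCLVMEVSQL.HQ.DavisCofferLyons.Co.Uk:1433 is registered on these accoun
ts:
        CN=DCLVMEVSQL,CN=Computers,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk
        CN=Administrator,CN=Users,DC=HQ,DC=DavisCofferLyons,DC=Co,DC=Uk

MSSQLSvc/SQL02.example.test:1433 is registered on these accounts:
        CN=svc-sql,CN=Users,DC=example,DC=test
        CN=Administrator,CN=Users,DC=example,DC=test

found 2 groups of duplicate SPNs.
"""

HEADER = re.compile(r"^(\S+) is registered on these accounts:$")

def parse_duplicates(text):
    """Return {spn: [holder DNs]} from `setspn -X` output."""
    groups, current, prev = {}, None, ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():          # indented DN under the current header
            groups.get(current, []).append(line.strip())
            continue
        # A header may be split in two by the 80-column console.
        m = HEADER.match(line) or HEADER.match(prev + line)
        current, prev = (m.group(1), "") if m else (None, line)
        if m:
            groups.setdefault(current, [])
    return groups

def plan_cleanup(groups):
    """Map each SPN to (dn_to_keep, [dns_to_review]), keeping the computer
    object named after the SPN host. None means no holder matched (for
    example a dedicated service account): decide those by hand."""
    plan = {}
    for spn, holders in groups.items():
        host = spn.split("/", 1)[1].split(":")[0].split(".")[0].lower()
        keep = [dn for dn in holders if dn.lower().startswith(f"cn={host},")]
        others = [dn for dn in holders if dn not in keep]
        plan[spn] = (keep[0], others) if len(keep) == 1 else None
    return plan

print(plan_cleanup(parse_duplicates(SAMPLE)))
```

Each DN in the review list still needs a check of which account the service actually logs on as before running `setspn -D` against it.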
 

Author Closing Comment

by:jamescarson69
ID: 39981849
Leon much appreciate all your help and time.

Issue seems to be resolved and most important now I understand why.

Thank you again!