I currently get errors in the system log on my Windows 2008 R2 domain controller daily, such as:

Event ID: 11
Source Name: KDC
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/IKSDB01.iks.bz:1139 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/IKSDB01.iks.bz:1139 in Active Directory.

I googled this and found an article that makes the fix seem fairly straightforward: http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx
Here is my output when I run: setspn -X

Checking domain DC=iks,DC=bz
Processing entry 2
MSSQLSvc/iksdb01.iks.bz:3064 is registered on these accounts:
    CN=IKSDB01,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

MSSQLSvc/iksdb01.iks.bz:3964 is registered on these accounts:
    CN=IKSDB01,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

MSSQLSvc/iksdb01.iks.bz:1139 is registered on these accounts:
    CN=IKSDB01,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

MSSQLSvc/iksdb01.iks.bz:4929 is registered on these accounts:
    CN=IKSDB01,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

MSSQLSvc/2000sql01.iks.bz:1407 is registered on these accounts:
    CN=2000SQL01,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

MSSQLSvc/SHAREPOINT.iks.bz:1433 is registered on these accounts:
    CN=SHAREPOINT,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

found 6 groups of duplicate SPNs.
The article then gives instructions using setspn -D <SPN> <computer_name> to delete these.

Some questions:
#1. Given the output of my duplicate SPNs, what would be the command that I type to erase one of these?
#2. How do I know which duplicate to erase?
#3. If in doing this, I screw something up, is there a way to undo?

Thanks, Jamie
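
An added example, not part of the original post or of the linked Microsoft article: a Python script that parses setspn -X output into its duplicate groups and builds, for every holder, the setspn -D command that would remove the SPN together with the setspn -A command that would register it again. The sample text is constructed from the output above, taking the account name from the first CN of the DN is an assumption (it can differ from the sAMAccountName), and nothing is executed.

```python
import re

# Constructed sample in the line layout setspn -X prints (two of the six groups).
SAMPLE = """\
Checking domain DC=iks,DC=bz
Processing entry 2
MSSQLSvc/iksdb01.iks.bz:1139 is registered on these accounts:
    CN=IKSDB01,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

MSSQLSvc/SHAREPOINT.iks.bz:1433 is registered on these accounts:
    CN=SHAREPOINT,CN=Computers,DC=iks,DC=bz
    CN=Administrator,CN=Users,DC=iks,DC=bz

found 2 groups of duplicate SPNs.
"""

HEADER = re.compile(r"^(\S+) is registered on these accounts:$")
FIRST_CN = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)

def parse_duplicates(text):
    """Return {spn: [holder DN, ...]} for every duplicate group in the output."""
    groups, holders = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            holders = groups.setdefault(header.group(1), [])
        elif holders is not None and FIRST_CN.match(line):
            holders.append(line)
        elif line:                      # any other non-blank line ends the group
            holders = None
    return groups

def account_name(dn):
    """Assumption: the first CN of the DN is the name setspn accepts."""
    name = FIRST_CN.match(dn).group(1).replace("\\", "")
    return f'"{name}"' if " " in name else name

def removal_plan(groups):
    """One (delete, restore) command pair per holder; nothing is executed."""
    return {spn: [(f"setspn -D {spn} {account_name(dn)}",
                   f"setspn -A {spn} {account_name(dn)}") for dn in dns]
            for spn, dns in groups.items()}

if __name__ == "__main__":
    for spn, pairs in removal_plan(parse_duplicates(SAMPLE)).items():
        print(spn)
        for delete, restore in pairs:
            print(f"  remove: {delete}\n  undo:   {restore}")
```

The script lists both holders of each SPN without choosing between them; which registration to keep depends on the account the SQL Server service actually runs as, which the output above does not show.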