From: John Rosenlof on 10 Feb 2005 13:25

Hi,

I'm having a really hard time figuring this out and I was hoping somebody here might be able to shed some light on this.

We keep getting KDC errors of type 11 in the system event log. They say that there are multiple accounts with the name... and then it lists different names in each message, but they are all based on the same computer and they are all of type 10.
Ex:
HOST/ATLANTA, HOST/ATLANTA.DOMAIN.COM, HOST/atlanta.DOMAIN.COM, HOST/Atlanta, cifs/ATLANTA.DOMAIN.COM, cifs/ATLANTA, HTTP/atlanta.DOMAIN.COM, HTTP/ATLANTA

I've read the KB article on how to find duplicate SPN's. LDP didn't help, but the ldifde utility did. I printed out a file with our domain as a base (dc=domain,dc=dom) and found multiple spn's under Atlanta's computer account. I used ADSIEdit and found these spn's under the properties page of cn=atlanta, cn=computers,dc=domain,dc=com. Here are the spn's from Atlanta:
HOST/ATLANTA
HOST/atlanta.DOMAIN.COM
MSSQLSvc/atlanta.DOMAIN.COM:4819
SMTPSVC/ATLANTA
SMTPSVC/atlanta.DOMAIN.COM

This server isn't running our SQL servers, but it is our CRM server. I'm trying to figure out
1) how it came to have those duplicate spn's
2) what the impact would be of deleting some (especially on CRM)
3) which ones to delete
4) what cifs and HTTP have to do with those duplicate spn's if they're not even listed in the spn list from atlanta.

Any ideas or help? Thanks a lot in advance.

-John

From: Chriss3 [MVP] on 10 Feb 2005 15:50

Hello John.

I had exactly the same behavior when I used CRM on a domain controller, which is not recommended. The problem I had was that the administrator account had got one of the same SPs as the server, so look into the service principal names for the administrator account and see if you have a duplication there with your server atlanta's service principal names. I don't think it matters here, but are you running the SQL Server under the local system account? If you are using a domain account as service account, you can use
setspn -A MSSQLSvc/foo.bar.com domain\account

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

From: John Rosenlof on 10 Feb 2005 16:12

Hi,

Thanks! That appears to be what it was. When I would use LDP to run the search for the spn's it would keep returning the administrator account and atlanta. I just thought that the instructions were wrong, but I guess not! I would have never figured that out, thanks. Can I delete those from the administrator account without messing up CRM?

Also, could you explain a little more fully about the stuff you said about running SQL Server under the local system account? I'm not the database expert, but I can figure it out. I just need a few more details. I really appreciate all of your help. Thanks a lot.

-John

From: Chriss3 [MVP] on 14 Feb 2005 00:47

Hello John,

Yes, you can remove the duplicated SPN from the administrator account. I'm the ms ds expert and not the sql server expert either, so it may be a good idea to post the sql question into the sql server newsgroups.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips