Hello everybody.
As I was searching through the Event Viewer of my domain controllers, I noticed some errors with event ID 2974, which indicated a duplicate SPN in my forest. I have a forest with multiple child domains. This is the event. I know it is related to duplicate SPNs, but the problem is, I do not understand the event itself... Take a look:
------------------------------------------------------------------------------------------------------------------------------
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=MSSQLSvc/SCCM-SRV.Contoso.com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
Value=MSSQLSvc/SCCM-SRV.Contoso.com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com Winerror: 8647
------------------------------------------------------------------------------------------------------------------------------
So here are my questions:
- It says "MSSQLSvc/SCCM-SRV.Contoso.com" is not unique? I do not understand why it says that. My "DE" user is running different services on different servers, so why does it say it is not unique?
- Why are there 19 lines of "CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com"? Does it mean there are 19 duplicates?
OK, so if you, like me, believe that the "DE" user is problematic: I went into the SPNs of that "DE" account. I have exported the 'serviceprincipalnames' attribute; look below:
------------------------------------------------------------------------------------------------------------------------------
MSSQLSvc/SCOM-SRV.Contoso.com:SCOM
MSSQLSvc/SCOM-SRV.Contoso.com:49581
MSSQLSvc/SCOM-SRV.Contoso.com:49759
MSSQLSvc/SCOM-SRV.Contoso.com:SCOMDW
MSSQLSvc/SCOM-SRV.Contoso.com:SCOMACS
MSSQLSvc/SCOM-SRV.Contoso.com:49989
MSSQLSvc/DPM-SRV.Contoso.com
MSSQLSvc/DPM-SRV.Contoso.com:1433
MSSQLSvc/BackUp-EXEC.Contoso.com:1433
MSSQLSvc/BackUp-EXEC.Contoso.com
MSSQLSvc/SCCM-SRV.Contoso.com:1433
MSSQLSvc/SCCM-SRV.Contoso.com
MSSQLSvc/DPM-3.Contoso.com:1433
MSSQLSvc/DPM-3.Contoso.com
MSSQLSvc/DPM-1.Contoso.com:1433
MSSQLSvc/DPM-1.Contoso.com
MSSQLSvc/SharePoint.Contoso.com
MSSQLSvc/SharePoint.Contoso.com:1433
MSSQLSvc/BackUp-EXEC.Contoso.com:49840
MSSQLSvc/BackUp-EXEC.Contoso.com:BACKUPEXEC
MSSQLSvc/SCCM-2.Contoso.com
MSSQLSvc/SCCM-2.Contoso.com:1433
MSSQLSvc/BackupExec2015.Contoso.com:BACKUPEXEC
MSSQLSvc/BackupExec2015.Contoso.com:49598
MSSQLSvc/SCCM-3.Contoso.com:1433
MSSQLSvc/SCCM-3.Contoso.com
MSSQLSvc/SCOM-SRV.Contoso.com:49843
MSSQLSvc/SCOM-SRV.Contoso.com:49725
MSSQLSvc/SCOM-SRV.Contoso.com:49362
MSSQLSvc/Spotlight.Contoso.com:1433
MSSQLSvc/Spotlight.Contoso.com
MSSQLSvc/PRTG.Contoso.com:56445
MSSQLSvc/PRTG.Contoso.com:SPOTLIGHT
MSSQLSvc/SCOM-SRV.Contoso.com:53550
MSSQLSvc/DPM-SRV.Contoso.com:52166
MSSQLSvc/DPM-SRV.Contoso.com:SCDPM
MSSQLSvc/SCOM-SRV.Contoso.com:53652
MSSQLSvc/SCOM-SRV.Contoso.com:53102
MSSQLSvc/SCOM-2.Contoso.com:57092
MSSQLSvc/SCOM-2.Contoso.com:SCOM
MSSQLSvc/PRTG.Contoso.com:1433
MSSQLSvc/PRTG.Contoso.com
------------------------------------------------------------------------------------------------------------------------------
That's it. Just to mention, there is no problem in our environment, but I am not that kinda guy who simply ignores events. Even if it causes no problem, help me to understand this. That is why I am sticking to this event...
Thanks.