SPN gets removed a few seconds after being registered

    Question

  • Hi,

    I have a weird situation where an SPN disappears a few seconds after getting registered.

    Here is the situation... I'm decommissioning old 2003 DCs and they are being replaced by 2012 DCs. We don't know if any application could have "hard coded" the DC name (the old Windows 2003), so just to be sure, after I decommission the old one, I rename it and then I create a CNAME with the old DC name that redirects to the new 2012 DC.

    Also, I want to be sure that Kerberos authentication will still work, so I create the required SPNs on the new DC (the Windows 2012).

    I have done this for several domains without any issues, but for this particular domain, when I try to do this, the SPN I created is visible: if I query using setspn -l [DC_Name], I can see that it is listed. But after 30 seconds to a minute, multiple SPNs like HOST/ are gone.

    It's really strange, and there is no duplicate SPN. I also exported all servicePrincipalName attributes from AD, and there is no other duplicate.

    Any ideas ?


    This posting is provided AS IS without warranty of any kind

    Monday, January 23, 2017 3:29 AM

All replies

  • Hi,

    Sorry for the delayed reply.

    I suggest you try to register the SPN manually.

    Here is an article below for your reference.

    Register a Service Principal Name for Kerberos Connections

    https://msdn.microsoft.com/en-us/library/ms191153.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 27, 2017 4:15 AM
    Moderator
  • Check how and by whom the change back is being made; that might help you isolate the issue.

    http://www.windowstricks.in/2015/05/active-directory-user-attributes-auditing-using-object-meta.html


    Regards,
    Ganesamoorthy.S
    www.windowstricks.in


    Friday, January 27, 2017 5:54 PM
  • Hi,

    You don't need to create a new alias and add a new SPN based on the old name of the domain controller.

    The client is able to find the correct name of the new domain controller if it needs to connect to a domain service.

    The following SPNs must exist on the computer account of the domain controller:

    HOST/DomainControllerHostname
    HOST/DomainControllerHostname/domainname
    HOST/DomainControllerHostname.domainname.lan
    HOST/DomainControllerHostname.domainname.lan/domainname
    HOST/DomainControllerHostname.domainname.lan/domainname.lan

    If you add another SPN with HOST as the service class, it will be deleted automatically.


    Please don't forget to mark the correct answer, to help others who have the same issue.
    Thameur BOURBITA MCSE | MCSA
    My Blog: http://bourbitathameur.blogspot.fr/

    Friday, January 27, 2017 6:35 PM
  • Thanks for your hints.

    Actually, the SPNs of the new DC are registered correctly, but if I try to add the SPN of the old DC (using setspn or manually), the SPN is created, replicated to the other DCs and then, after 30 seconds or so, the SPN is deleted.

    Very weird. But the CNAME is working correctly, because if I try to access a file share on the new DC using the old name, I receive a TGS with the new DC name.


    Friday, January 27, 2017 11:46 PM
  • Another reason why I want to add the SPN of the old DC is that several applications may have hard-coded the DC name in their code.

    I will check with repadmin /showobjmeta "dn" whether I can get more info on the SPN deletion.

    Thanks!


    Saturday, January 28, 2017 2:10 PM
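The two checks suggested in this thread, verifying that the HOST SPNs listed by Thameur are present on the DC's computer account, and pulling the replication metadata for servicePrincipalName (what repadmin /showobjmeta shows) to see which DC originated the change, can be scripted together. The following is an added example, not code posted by anyone in the thread. It assumes the RSAT ActiveDirectory module, rights to modify the DC's computer object, and the placeholder names NEWDC2012, OLDDC2003 and corp.example for the new DC, the retired DC and the domain; it adds the old-name SPNs, polls until they vanish, and then prints the attribute's version and originating server before and after.

```powershell
# Added example (not from the thread). Watch SPNs added to a DC computer
# account and, when they disappear, show the replication metadata for
# servicePrincipalName so the originating DC of the rewrite is visible.
# Assumptions: RSAT ActiveDirectory module; placeholder names below.
Import-Module ActiveDirectory

$NewDc     = 'NEWDC2012'      # new Windows 2012 DC (placeholder)
$OldDcName = 'OLDDC2003'      # retired 2003 DC name now used as a CNAME (placeholder)
$DnsDomain = 'corp.example'   # DNS domain name (placeholder)
$Netbios   = (Get-ADDomain -Identity $DnsDomain).NetBIOSName

# Query the DC itself so we see its own copy of the attribute, not a replica.
$dcObject = Get-ADComputer -Identity $NewDc -Server $NewDc -Properties servicePrincipalName

# The HOST SPNs a DC account must carry (the set listed earlier in the thread).
$required = @(
    "HOST/$NewDc",
    "HOST/$NewDc/$Netbios",
    "HOST/$NewDc.$DnsDomain",
    "HOST/$NewDc.$DnsDomain/$Netbios",
    "HOST/$NewDc.$DnsDomain/$DnsDomain"
)
$missing = $required | Where-Object { $dcObject.servicePrincipalName -notcontains $_ }
if ($missing) { Write-Warning "Required HOST SPNs missing: $($missing -join ', ')" }

# The extra SPNs for the retired name (the ones reported as disappearing).
$extra = @("HOST/$OldDcName", "HOST/$OldDcName.$DnsDomain")

# Attribute-level metadata: version counter, time and originating DC of the last write.
function Get-SpnMetadata {
    param([string]$Dn, [string]$Server)
    Get-ADReplicationAttributeMetadata -Object $Dn -Server $Server -Properties servicePrincipalName |
        Select-Object Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}
$before = Get-SpnMetadata -Dn $dcObject.DistinguishedName -Server $NewDc

# Add the old-name SPNs on the DC's own copy of the object.
Set-ADComputer -Identity $dcObject -Server $NewDc -ServicePrincipalNames @{ Add = $extra }

# Poll for up to 3 minutes; the thread reports removal after roughly 30-60 seconds.
$deadline = (Get-Date).AddMinutes(3)
do {
    Start-Sleep -Seconds 10
    $current = (Get-ADComputer -Identity $dcObject -Server $NewDc -Properties servicePrincipalName).servicePrincipalName
    $gone    = $extra | Where-Object { $current -notcontains $_ }
    '{0:HH:mm:ss}  still present: {1}' -f (Get-Date), (($extra | Where-Object { $current -contains $_ }) -join ', ')
} until ($gone -or (Get-Date) -gt $deadline)

if ($gone) {
    "SPNs removed: $($gone -join ', ')"
    $after = Get-SpnMetadata -Dn $dcObject.DistinguishedName -Server $NewDc
    # A version bump whose originating server is the DC itself points at a local
    # rewrite of the attribute; a different originating server points at replication.
    "Before: version $($before.Version) at $($before.LastOriginatingChangeTime) from $($before.LastOriginatingChangeDirectoryServerIdentity)"
    "After:  version $($after.Version) at $($after.LastOriginatingChangeTime) from $($after.LastOriginatingChangeDirectoryServerIdentity)"
} else {
    'SPNs still present after the timeout.'
}
```

Run it from an elevated PowerShell session on a management host with the AD module installed. Because servicePrincipalName is a multi-valued but non-linked attribute, the whole value set carries one version counter, so any write that drops the extra SPNs shows up as a version increment attributed to the server that made it; compare that server identity with the DC you targeted to tell a local rewrite from a replicated one.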
  • Dear,

    I hope this will help you resolve the applications that use a hard-coded DC name/IP address in their code.

    https://blogs.technet.microsoft.com/pie/2014/07/13/how-to-detect-applications-using-hardcoded-dc-name-or-ip

    Thanks

    Syed Abdul Kadar M.


    Saturday, January 28, 2017 5:18 PM
  • Thanks!

    I'll take a look at this article.

    Saturday, January 28, 2017 5:39 PM

  • Actually, the SPNs of the new DC are registered correctly, but if I try to add the SPN of the old DC (using setspn or manually), the SPN is created, replicated to the other DCs and then, after 30 seconds or so, the SPN is deleted.

    This behavior happens only on computer accounts of domain controllers.

    Very weird. But the CNAME is working correctly, because if I try to access a file share on the new DC using the old name, I receive a TGS with the new DC name.

    It's normal, because the client will ask for an SPN based only on the hostname. If the client tries to access a share using an alias, it will check which hostname the alias is pointing to and ask the domain controller for the SPN based on that hostname for Kerberos authentication.


    Please don't forget to mark the correct answer, to help others who have the same issue.
    Thameur BOURBITA MCSE | MCSA
    My Blog: http://bourbitathameur.blogspot.fr/

    Saturday, January 28, 2017 6:48 PM