Duplicate SPN for Domain Controller account


  • I worked with a consultant this morning to get federated services added to my domain controller and in the process we manually used the setspn.exe -a command to add the Federated services account.  Little did I know this would ultimately duplicate the SPN entries for my domain controller and stop me from being able to log in to it.  I can still access the shares and the event viewer which got me a little further.

    I found this:  and it is exactly the problem I am facing.  Now that I have identified the duplicate account what is the safest way to remove it and does it need to be completed from another domain controller?

    Please help!

    I used the ldp.exe procedure to find this, but why would this duplicate not show up using the setspn.exe -X command?  For that reason I wonder which is the preferred method to remove it.  I'm thinking that setspn.exe -d will not work, but I'm not sure and don't want to chance it.  

    Will my DC need to be restarted to get it working again or should the synchronization work as soon as the incorrect SPN is gone?

    • Edited by dvanbru Friday, October 18, 2013 5:05 PM
    Friday, October 18, 2013 4:34 PM


  • Never mind.  I found the answer after more searching.

    For all interested I used ADSIEdit to remove the duplicate.  It was quite simple.  Go to the offending account, right click it, properties, scroll to "servicePrincipalName", click edit and remove the incorrect entry.

    It was completed on my secondary domain controller that was working fine and almost immediately after I removed the duplicate I was able to log in to the primary domain controller again.


    Friday, October 18, 2013 5:47 PM
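The check-then-remove procedure from the two posts above (find which objects hold the same SPN, then strip the wrong entry from one account while working from a healthy DC), as an added PowerShell example that is not part of the original thread and not Microsoft's own tooling. It assumes the ActiveDirectory module (RSAT) is installed; the server name, account DN and SPN string in the usage lines are placeholders to be replaced with the values found in ldp.exe or ADSIEdit.

```powershell
# Added example: enumerate every SPN in the domain, report SPNs held by more
# than one object, and remove one specific duplicate entry from one account.
# Assumes the ActiveDirectory module (RSAT). 'DC02', the account DN and the
# SPN below are placeholders, not values from the original thread.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # Point this at a DC that is still healthy, as the poster did.
        [Parameter(Mandatory)][string]$Server,
        [string]$SearchBase = (Get-ADDomain -Server $Server).DistinguishedName
    )
    # One LDAP query for every object that carries at least one SPN.
    $objects = Get-ADObject -Server $Server -SearchBase $SearchBase `
        -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName

    # Map each SPN (compared case-insensitively) to the DNs that hold it.
    $index = @{}
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $obj.DistinguishedName
        }
    }
    # Only SPNs held by more than one object break Kerberos for that service.
    $index.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ SPN = $_.Key; Holders = $_.Value } }
}

function Remove-DuplicateSpn {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$AccountDN,
        [Parameter(Mandatory)][string]$Spn,
        [switch]$WhatIf
    )
    # Refuse to touch the object unless the SPN is actually present on it,
    # so a typo in the DN or SPN cannot silently remove the wrong thing.
    $current = (Get-ADObject -Server $Server -Identity $AccountDN `
        -Properties servicePrincipalName).servicePrincipalName
    if ($current -notcontains $Spn) {
        throw "SPN '$Spn' not found on $AccountDN; nothing removed."
    }
    # -Remove edits only the one multi-valued entry, like the ADSIEdit step.
    Set-ADObject -Server $Server -Identity $AccountDN `
        -Remove @{ servicePrincipalName = $Spn } -WhatIf:$WhatIf
}

# Usage (placeholders): list duplicates, dry-run the removal, then rerun
# without -WhatIf once the DN and SPN have been confirmed.
Find-DuplicateSpn -Server 'DC02' | Format-List
Remove-DuplicateSpn -Server 'DC02' `
    -AccountDN 'CN=svc-placeholder,OU=Service Accounts,DC=example,DC=local' `
    -Spn 'HOST/dc01.example.local' -WhatIf
```

Running the removal against a working DC and letting replication carry the change to the affected DC matches what the poster observed; the -WhatIf dry run is there so the DN and SPN can be checked before any attribute is changed.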
