SCOM 2016 - MP SQL 2014 problems via spn checks (Missing SPNs)

Question
Hello
We have MS SCOM 2016 with all updates and CUs installed (on-premises) and 2 domains in one forest (the same forest):
- domain1.lan (our office lan network)
- domain2.lan (public cloud with private lan and IPSEC to office)
- 2 DC in office and 1 DC public cloud
- All domains on same forest
- 3 different MS CLUSTERs
In domain domain1.lan (office) we have MS SQL cluster 1. SCOM monitors all SPNs and everything is OK.
In domain domain2.lan (public cloud) we have MS SQL cluster 2 and MS SQL cluster 3. SCOM gives alerts:
- Cluster 3: MissingSpnList MSSQLSvc/dtln-auc-sql.domain2.lan MSQLSvc/dtln-auc-sql.domain2.lan:1433
- Cluster 4: MissingSpnList MSSQLSvc/dtln-doc-sql.domain2.lan MSQLSvc/dtln-doc-sql.domain2.lan:1433
The account for monitoring, domain1\OMAction, has "read all attributes" and "read permissions" for the domain domain2.lan.
The service accounts for the MS SQL DB Engine are domain2\dtln-DOC-SQLDBEngine (Cluster2) and domain2\dtln-AUC-SQLDBEngine (Cluster3). These accounts have the permissions:
- Read servicePrincipalName
- Write servicePrincipalName
But ... the SCOM monitor is not working correctly :(
setspn -Q MSSQLSvc/DTLN-DOC-SQL
Checking domain DC=domain2,DC=lan
CN=dtln-DOC-SQLDBEngine,OU=SQL_SERVERS,OU=Doc,DC=domain2,DC=lan
MSSQLSvc/DTLN-DOC-SQL:MSSQLSERVER
MSSQLSvc/DTLN-DOC-SQL.domain2.lan:MSSQLSERVER
MSSQLSvc/DTLN-DOC-SQL.domain2.lan:1433
MSSQLSvc/DTLN-DOC-SQL.domain2.lan
HTTP/dtln-doc-sql.domain2:1433
HTTP/dtln-doc-sql.domain2.lan
HTTP/dtln-doc-sql
HTTP/dtln-doc-sql:1433
MSSQLSvc/DTLN-DOC-SQL:1433
MSSQLSvc/DTLN-DOC-SQL
Existing SPN found!
setspn -Q MSSQLSvc/DTLN-AUC-SQL
Checking domain DC=domain2,DC=lan
CN=dtln-AUC-SQLDBEngine,OU=SQL_SERVERS,OU=AUC,DC=domain2,DC=lan
MSSQLSvc/DTLN-AUC-SQL:MSSQLSERVER
MSSQLSvc/DTLN-AUC-SQL.domain2.lan:1433
MSSQLSvc/DTLN-AUC-SQL.domain2.lan
MSSQLSvc/DTLN-AUC-SQL.domain2.lan:MSSQLSERVER
HTTP/dtln-auc-sql
HTTP/dtln-auc-sql:1433
HTTP/dtln-auc-sql.domain2.lan
HTTP/dtln-auc-sql.domain2.lan:1433
MSSQLSvc/dtln-auc-sql
MSSQLSvc/dtln-auc-sql:1433
Existing SPN found!
I don't understand what the problem is :(
- Edited by p.harlamov Friday, May 12, 2017 8:04 PM
Friday, May 12, 2017 8:03 PM
All replies
Hi Sir,
I'm not familiar with SQL clusters.
But I have seen a similar issue; it was caused by the SQL Server service running account.
Please check if "SQL Server" is running under a domain user account.
If yes, please move the SPN from the computer object to that domain user account's SPN property.
Best Regards,
Elton
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Monday, May 15, 2017 8:57 AM
Yep
The SQL accounts have the needed SPNs:
- DTLN-AUC-SQLDBENGINE in domain domain2.lan
- DTLN-DOC-SQLDBENGINE in domain domain2.lan
- Edited by p.harlamov Thursday, May 18, 2017 2:53 PM
Thursday, May 18, 2017 2:52 PM
In the override for the monitor I tried some manipulations with "Scope of search", changing the value from LDAP to GC.
Parameter Description:
Use LDAP search when the scope of a search is the domain or an organizational unit.
When the scope of a search is the forest, the query can be resolved within any partition by using a Global Catalog (GC) search.
List of values:
LDAP
GC
But this did not give any result :/
I have no more ideas ...
Tuesday, May 23, 2017 4:24 PM
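The thread's last two posts turn on whether the SPN lookup is scoped to one domain (LDAP) or to the whole forest (GC). The script below is an added example, not code from the thread or from the SCOM SQL management pack: it performs the same presence check for the two SPN forms the alert names, against either scope, so you can see independently of SCOM whether the SPNs resolve from the monitoring account's side. The host name, domain and port are taken from the thread; the lookup method (an ADSI DirectorySearcher) and the `LDAP://` / `GC://` binding forms are my own choice and assumptions to adapt to your environment.

```powershell
# Added example, not code from the thread or from the SCOM SQL MP.
# Checks whether the SPNs SCOM reported as missing exist in AD, using either
# an LDAP search rooted in the SQL account's domain or a Global Catalog (GC)
# search, the same two "Scope of search" values the monitor override offers.
# Host, domain and port come from the thread; the ADSI binding forms below
# are assumptions and may need adjusting for a given forest.
param(
    [string]$SqlHost   = 'dtln-doc-sql',   # cluster network name from the thread
    [string]$DnsDomain = 'domain2.lan',    # domain that holds the SQL service account
    [int]$Port         = 1433,
    [ValidateSet('LDAP', 'GC')]
    [string]$Scope     = 'LDAP'
)

# The two SPN forms named in the SCOM alert: FQDN without and with the port.
$fqdn     = "$($SqlHost).$($DnsDomain)"
$expected = @(
    "MSSQLSvc/$fqdn",
    "MSSQLSvc/$($fqdn):$Port"
)

# LDAP: search only the naming context of the given domain.
# GC:   search the forest-wide partial replica; servicePrincipalName is
#       replicated to the GC, so the SPN values themselves are visible there.
# (Assumption: binding GC:// to the domain DNS name reaches a GC server.)
$root = if ($Scope -eq 'GC') { [ADSI]"GC://$DnsDomain" } else { [ADSI]"LDAP://$DnsDomain" }

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = 'Subtree'
# Search by SPN value rather than by account name, so a registration that
# landed on the wrong object (e.g. the computer account) still shows up.
$searcher.Filter = "(servicePrincipalName=MSSQLSvc/$fqdn*)"
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

# Hashtable keys are case-insensitive in PowerShell, which matches the
# case-insensitive matching rule AD applies to servicePrincipalName.
$found = @{}
foreach ($entry in $searcher.FindAll()) {
    $dn = $entry.Properties['distinguishedName'][0]
    foreach ($spn in $entry.Properties['servicePrincipalName']) {
        $found[$spn] = $dn
    }
}

$missing = 0
foreach ($spn in $expected) {
    if ($found.ContainsKey($spn)) {
        "OK       {0,-45} on {1}" -f $spn, $found[$spn]
    } else {
        "MISSING  {0,-45} (scope: $Scope)" -f $spn
        $missing++
    }
}

# Non-zero exit code = at least one expected SPN not found with this scope.
exit $missing
```

Run it twice, once with `-Scope LDAP` and once with `-Scope GC`, from a session that holds the monitoring account's credentials (domain1\OMAction in the thread), since that is the identity whose view of domain2.lan the monitor depends on. If the SPNs are listed by `setspn -Q` on a DC of domain2.lan but one of the two scopes reports them missing from the monitoring side, the difference points at search scope or read permissions rather than at the SPN registration itself.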