SCOM 2016 - MP SQL 2014 problems via spn checks (Missing SPNs)

  • Question

  • Hello 

    We have MS SCOM 2016 with all updates and CUs installed (on-premises) and 2 domains in one forest (same)

    • domain1.lan (our office lan network)
    • domain2.lan (public cloud with private lan and IPSEC to office)
    • 2 DC in office and 1 DC public cloud
    • All domains on same forest 
    • 3  different MS CLUSTERs

    In domain domain1.lan (office) we have MS SQL cluster 1. SCOM monitors all SPNs and everything is OK.

    In domain domain2.lan (public cloud) we have MS SQL cluster 2 and MS SQL cluster 3. SCOM gives alerts:

    • Cluster 3: MissingSpnList       MSSQLSvc/dtln-auc-sql.domain2.lan MSQLSvc/dtln-auc-sql.domain2.lan:1433
    • Cluster 4: MissingSpnList       MSSQLSvc/dtln-doc-sql.domain2.lan MSQLSvc/dtln-doc-sql.domain2.lan:1433

    Account for monitoring - domain1\OMAction has "read all attributes" and "read permissions" for domain domain2.lan

    Service account for MS SQL DB Engine - domain2\dtln-DOC-SQLDBEngine (Cluster2) and domain2\dtln-AUC-SQLDBEngine (Cluster3). These accounts have the permissions:

    • Read servicePrincipalName
    • Write servicePrincipalName

    But ........ the SCOM monitor is not working correctly :(

    setspn -Q MSSQLSvc/DTLN-DOC-SQL
    Checking domain DC=domain2,DC=lan
    CN=dtln-DOC-SQLDBEngine,OU=SQL_SERVERS,OU=Doc,DC=domain2,DC=lan
            MSSQLSvc/DTLN-DOC-SQL:MSSQLSERVER
            MSSQLSvc/DTLN-DOC-SQL.domain2.lan:MSSQLSERVER
            MSSQLSvc/DTLN-DOC-SQL.domain2.lan:1433
            MSSQLSvc/DTLN-DOC-SQL.domain2.lan
            HTTP/dtln-doc-sql.domain2:1433
            HTTP/dtln-doc-sql.domain2.lan
            HTTP/dtln-doc-sql
            HTTP/dtln-doc-sql:1433
            MSSQLSvc/DTLN-DOC-SQL:1433
            MSSQLSvc/DTLN-DOC-SQL

    Existing SPN found!

    setspn -Q MSSQLSvc/DTLN-AUC-SQL
    Checking domain DC=domain2,DC=lan
    CN=dtln-AUC-SQLDBEngine,OU=SQL_SERVERS,OU=AUC,DC=domain2,DC=lan
            MSSQLSvc/DTLN-AUC-SQL:MSSQLSERVER
            MSSQLSvc/DTLN-AUC-SQL.domain2.lan:1433
            MSSQLSvc/DTLN-AUC-SQL.domain2.lan
            MSSQLSvc/DTLN-AUC-SQL.domain2.lan:MSSQLSERVER
            HTTP/dtln-auc-sql
            HTTP/dtln-auc-sql:1433
            HTTP/dtln-auc-sql.domain2.lan
            HTTP/dtln-auc-sql.domain2.lan:1433
            MSSQLSvc/dtln-auc-sql
            MSSQLSvc/dtln-auc-sql:1433

    Existing SPN found!

    I don't understand what the problem is :(

    Friday, May 12, 2017 8:03 PM
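An added example (not from the thread's author or from the SQL management pack) of the comparison the MissingSpnList alert implies: parse `setspn -Q` output, compute the SPNs a SQL instance should register, and report what is missing. It also goes a step beyond the thread by flagging SPNs held by more than one account, and by checking whether the SPNs an alert names are in fact registered. The account DNs and SPN lines below are constructed in the shape of the output quoted above.

```python
# Constructed sample in the shape of the `setspn -Q` output quoted above (not the
# poster's real output): the SQL service account, plus a made-up second account
# that also holds the :1433 SPN so that the duplicate check has something to find.
SETSPN_OUTPUT = """\
Checking domain DC=domain2,DC=lan
CN=dtln-DOC-SQLDBEngine,OU=SQL_SERVERS,OU=Doc,DC=domain2,DC=lan
        MSSQLSvc/DTLN-DOC-SQL:MSSQLSERVER
        MSSQLSvc/DTLN-DOC-SQL.domain2.lan:MSSQLSERVER
        MSSQLSvc/DTLN-DOC-SQL.domain2.lan:1433
        MSSQLSvc/DTLN-DOC-SQL.domain2.lan
        MSSQLSvc/DTLN-DOC-SQL:1433
        MSSQLSvc/DTLN-DOC-SQL
CN=old-sql-svc,OU=SQL_SERVERS,OU=Doc,DC=domain2,DC=lan
        MSSQLSvc/dtln-doc-sql.domain2.lan:1433

Existing SPN found!
"""

def parse_setspn(text):
    """Map each account DN in `setspn -Q` output to its SPNs, lower-cased because
    Kerberos SPN matching is case-insensitive and setspn prints mixed case."""
    accounts, current = {}, None
    for line in text.splitlines():
        if line.startswith("CN="):
            current = line.strip()
            accounts.setdefault(current, set())
        elif current and line[:1].isspace() and "/" in line:
            accounts[current].add(line.strip().lower())
    return accounts

def expected_spns(fqdn, port=1433, instance=None):
    """SPNs SQL Server registers: MSSQLSvc/<FQDN> and MSSQLSvc/<FQDN>:<port> for a
    default instance, MSSQLSvc/<FQDN>:<instance> plus the port form for a named
    one. For a cluster, fqdn is the SQL network name, not a node name."""
    host = fqdn.lower()
    second = f"mssqlsvc/{host}:{instance.lower()}" if instance else f"mssqlsvc/{host}"
    return {f"mssqlsvc/{host}:{port}", second}

def missing_spns(setspn_text, fqdn, port=1433, instance=None):
    """Expected SPNs that no account in the output holds."""
    registered = set().union(*parse_setspn(setspn_text).values())
    return sorted(expected_spns(fqdn, port, instance) - registered)

def duplicate_spns(setspn_text):
    """SPNs held by more than one account (Kerberos authentication fails for those)."""
    holders = {}
    for dn, spns in parse_setspn(setspn_text).items():
        for spn in spns:
            holders.setdefault(spn, set()).add(dn)
    return sorted(s for s, dns in holders.items() if len(dns) > 1)

def alert_spns_present(missing_spn_list, setspn_text):
    """SPNs from a MissingSpnList alert that setspn nevertheless shows as registered;
    if all of them are, look at how the monitor queries AD rather than at the SPNs."""
    registered = set().union(*parse_setspn(setspn_text).values())
    return sorted(s for s in missing_spn_list.split() if s.lower() in registered)
```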

All replies

  • Hi Sir,

    I'm not familiar with SQL clusters.

    But I have seen a similar issue; it was caused by the account the SQL Server service runs under.

    Please check if "SQL Server" is running under a domain user account.

    If yes, please move the SPN from the computer object to that domain user account's SPN property.


    Best Regards,

    Elton


    Monday, May 15, 2017 8:57 AM
  • Yep

    The SQL accounts have the needed SPNs for accounts:

    •  DTLN-AUC-SQLDBENGINE in domain domain2.lan
    •  DTLN-DOC-SQLDBENGINE in domain domain2.lan

    Thursday, May 18, 2017 2:52 PM
  • In the override for the monitor I tried some manipulations with "Scope of search", changing the value from LDAP to GC.

    Parameter Description:
    Use LDAP search when the scope of a search is the domain or an organizational unit.
    When the scope of a search is the forest, the query can be resolved within any partition by using a Global Catalog (GC) search.
    List of values:
    LDAP
    GC

    But this did not give any result :/

    I have no more ideas .......


    Tuesday, May 23, 2017 4:24 PM