Deleted SPN's keep coming back

  • Question

  • I have several duplicate SPNs associated with one of my DCs.  I have deleted each of them multiple times, using both setspn -D and ADSIedit, but after a few minutes these SPNs all re-appear.  How can I permanently delete them?  Where do they come from?  In case it's relevant, I renamed one of my DCs--it was named "Blue", now named "Green", to make way for a new server named "Blue."  The problem is server Green still has several "Blue" SPNs in addition to the "Green" SPNs, and those Blue SPNs conflict with the Blue SPNs on the new server Blue.  The duplicates are not creating any obvious problems except for Kerberos error events logged in the System Log on the new server Blue.
    Tuesday, May 19, 2020 8:28 PM

Answers

  • Hi,

    Thanks for your reply!

    Not quite sure what you did to change the old DC name; I would recommend you restart the DC at least 2 times for updates.

    If you still can't resolve the problem, I would recommend you demote the old DC, then do a metadata cleanup, and then promote it again.

    Clean up Active Directory Domain Controller server metadata

    Best Regards,

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, May 21, 2020 3:40 AM

All replies

  • Hi,

    Thanks for sharing!

    Did you try to delete the duplicate SPN from a different DC?

    To understand the issue more clearly, if possible, would you please share a screenshot of the duplicate SPN?

    Best Regards,

    Fan


    Wednesday, May 20, 2020 12:57 AM
  • Thanks for your reply; I just tried your suggestion of deleting the duplicates from a different DC--this time I tried one separate from either DC involved with the duplicates, but I got the same result: While the dupes seem to delete, after a few minutes they spontaneously re-appear.

    I don't want to provide a screenshot because it would show actual domain names, but here's a list of the duplicates:

    HOST/BLUE

    HOST/BLUE/DOMAIN

    HOST/BLUE/domainname

    ldap/BLUE

    ldap/BLUE/DOMAIN

    ldap/BLUE/domainname

    ldap/BLUE/DomainDnsZones.domainname

    ldap/BLUE/ForestDnsZones.domainname

    RestrictedKrbHost/BLUE

    Wednesday, May 20, 2020 1:33 PM
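The list above was collected by hand; as an added example (not code from the thread or from Microsoft), this PowerShell function enumerates every SPN in the domain and reports the values held by more than one account, together with the owning objects, so a rename like Blue-to-Green can be checked without a screenshot. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; the host name "BLUE" is the one from the thread.

```powershell
# Added example: find SPNs registered on more than one AD object.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Optional short host name (e.g. BLUE); when omitted every SPN is checked.
        [string]$HostName,
        # Search base; defaults to the current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Computers, users and managed service accounts can all carry SPNs,
    # so query generic objects rather than Get-ADComputer alone.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -SearchBase $SearchBase -Properties servicePrincipalName

    # Match service/HOST, service/HOST/suffix and service/HOST:port forms.
    $hostPattern = if ($HostName) { "/$([regex]::Escape($HostName))(/|:|$)" } else { $null }

    $objects |
        ForEach-Object {
            $owner = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                if (-not $hostPattern -or $spn -match $hostPattern) {
                    [pscustomobject]@{ Spn = $spn; Owner = $owner }
                }
            }
        } |
        Group-Object -Property Spn |          # case-insensitive, like the KDC lookup
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn    = $_.Name
                Count  = $_.Count
                Owners = ($_.Group.Owner | Sort-Object -Unique) -join '; '
            }
        }
}

# Usage: list every "BLUE" SPN held by more than one account, as in the thread.
Get-DuplicateSpn -HostName 'BLUE' | Format-Table -AutoSize
```

`setspn -X` performs a similar forest-wide duplicate check; the function above additionally shows which objects hold each conflicting value, which is what you need to decide which copy to remove.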
  • I used the netdom command to add the new name as a secondary name, then made the new name primary, restarted, then removed the old name.

    Anyway, yesterday I did end up demoting the problem DC so it's now only a member server, and that does seem to have resolved the problem of the duplicate SPNs.  After the demotion, a few duplicates persisted, but I deleted those using setspn -D, and they have not come back since.  Since this seems to be the answer, I'll mark your reply as the answer, but would you please provide your recommendations for metadata cleanup?  I don't want to miss anything.

    Many thanks for your help with this!

    Thursday, May 21, 2020 1:31 PM
  • Hi,

    Thanks for your reply.

    For metadata cleanup, I would recommend you refer to the following steps:

    Step-By-Step: Removing A Domain Controller Server Manually

    Best Regards,

    Fan


    Thursday, May 21, 2020 11:54 PM
  • Just what I was looking for!  Many thanks, Fan.

    George

    Friday, May 22, 2020 1:11 PM