Event ID 11 and Duplicate SPN was not found

  • Question

  • I keep getting Event ID 11 describing a duplicate ServicePrincipalName for cifs/mycomputer. Using methods in http://support.microsoft.com/kb/321044/en-us I searched for the SPN in all of my forest domain controllers and it was not found. This event is in the system log of a domain controller that the Windows 2000 Adv server is not a member of.

    I've dumped to file all computer objects from the domain controller with the event and the home domain for the server described by this event. There are no duplicate SPNs. I have no idea what to do now. I hope someone has a suggestion.

    Thursday, July 15, 2010 7:13 PM

Answers

  • cifs/<computername> does not actually have to be registered explicitly - its presence is provided implicitly by the HOST/<computername> entry.

    This entry (in your case - since you rely on the short name) should be unique forest-wide - so to resolve this issue, you should rename the other computer.

    hth
    Marcin


    • Marked as answer by ScooterOCDC Tuesday, July 20, 2010 3:07 PM
    Thursday, July 15, 2010 10:37 PM

All replies

  • You don't say which method you used to search for SPNs, or what form of SPN you used. Also, the duplicate doesn't have to refer to a DC. I would query the forest for all SPNs and dump to a file so you can search for duplicates. The query filter would be:

    (servicePrincipalName=*)

    I have a VBScript program I use to make queries like this linked here:

    http://www.rlmueller.net/GenericADO.htm

    I would modify the program to search the Global Catalog. Do this by replacing the moniker LDAP: with GC: throughout the program (3 instances). Run the program at a command prompt so you can redirect the output to a text file. For example:

    cscript //nologo GenericADO.vbs > SPNs.txt

    The program will first prompt for the base of the search. Enter the DN of your root domain. The program then prompts for the filter to use. Use the filter above, (servicePrincipalName=*). Finally, the program prompts for a comma-delimited list of attribute values to retrieve. The distinguishedName is always included, so enter servicePrincipalName. The output will include the DN of every computer, and several SPNs for each. If you have many computers, the output will be large.

    Come to think of it, this method could be revised to read all of the SPNs into a dictionary object to quickly identify duplicates. I will post that later.

    Richard Mueller


    MVP ADSI
    Thursday, July 15, 2010 9:38 PM
  • The VBScript program below searches the global catalog for all servicePrincipalName values and outputs any duplicates:

    Option Explicit
    
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN
    Dim arrSPNs, strSPN, objList
    
    ' Setup dictionary object.
    Set objList = CreateObject("Scripting.Dictionary")
    objList.CompareMode = vbTextCompare
    
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("GC://RootDSE")
    strDNSDomain = objRootDSE.Get("rootDomainNamingContext")
    strBase = "<GC://" & strDNSDomain & ">"
    
    ' Filter on all objects with servicePrincipalNames.
    strFilter = "(servicePrincipalName=*)"
    
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,servicePrincipalName"
    
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
      ' Retrieve values.
      strDN = adoRecordset.Fields("distinguishedName").Value
      arrSPNs = adoRecordset.Fields("servicePrincipalName").Value
      If (TypeName(arrSPNs) = "String") Then
        ' Only one SPN for this object.
        If (objList.Exists(arrSPNs) = True) Then
          ' Display duplicates.
          Wscript.Echo "Duplicate: " & arrSPNs
          Wscript.Echo " DN: " & strDN
          Wscript.Echo " DN: " & objList(arrSPNs)
        Else
          ' Add to dictionary object.
          objList(arrSPNs) = strDN
        End If
      Else
        ' Array of SPNs.
        For Each strSPN In arrSPNs
          If (objList.Exists(strSPN) = True) Then
            ' Display duplicates.
            Wscript.Echo "Duplicate: " & strSPN
            Wscript.Echo " DN: " & strDN
            Wscript.Echo " DN: " & objList(strSPN)
          Else
            ' Add to dictionary object.
            objList(strSPN) = strDN
          End If
        Next
      End If
      ' Move to the next record in the recordset.
      adoRecordset.MoveNext
    Loop
    
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    

    The program should be run at a command prompt using the cscript host program. The output can be redirected to a text file. I tested this, but I have no duplicates.

    Richard Mueller


    MVP ADSI
    Thursday, July 15, 2010 10:05 PM
  • Thank you Richard, I enjoy your articles. I used csvde on each of my forest domains for the output:

    csvde -s domain.controller.system -f outfile.txt -r "(&(objectClass=computer)(objectCategory=computer))" -l "servicePrincipalName, adspath" -p "subtree" -j .

    There is another domain (not the one reporting the error) with a computer using the same NETBIOS name, but the SPN values are correct for that domain. Also, it doesn't look like that computer (in the other domain) has been active for a year.

    What is cifs/<computername> anyway? I do not see this value in any of the SPN object attributes, so why does it show in my log to begin with?


    Thursday, July 15, 2010 10:09 PM
  • I think cifs is Common Internet File System.

    NetBIOS names and sAMAccountNames must be unique in the domain, but from your experience duplicates in the forest are a problem.

    Richard Mueller


    MVP ADSI
    Thursday, July 15, 2010 10:30 PM
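Richard's script keys on SPNs exactly as written, so an explicit cifs/<name> on a computer in one domain never matches the HOST/<name> on a computer in another domain that implies it, which is precisely the gap Marcin's answer describes and why the csvde dumps showed no duplicate. The Python below is an added example, not code from the thread; it applies the same dictionary idea to a csvde-style export like the one the original poster used, expanding HOST/ into a few of the services it implicitly covers (an assumed subset of the default mapping) and comparing case-insensitively like vbTextCompare. The sample export is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed csvde-style export (sample data, not from the thread). csvde
# writes multi-valued attributes into one field with ';' between values.
SAMPLE_CSVDE = """DN,servicePrincipalName
"CN=MYCOMPUTER,CN=Computers,DC=corp,DC=example",HOST/MYCOMPUTER;HOST/mycomputer.corp.example
"CN=MYCOMPUTER,CN=Computers,DC=other,DC=example",cifs/mycomputer;HOST/mycomputer.other.example
"CN=FILESRV,CN=Computers,DC=corp,DC=example",HOST/FILESRV;HOST/filesrv.corp.example
"""

# Services a HOST/<name> entry implicitly provides. Assumption: only a few
# entries of the default HOST mapping are listed; cifs is the one in Event ID 11.
HOST_ALIASES = ("cifs", "http", "ftp")


def expand_spn(spn):
    """Yield (service, target, implied) for everything an SPN claims.

    Comparison is case-insensitive, matching the VBScript's vbTextCompare.
    """
    service, _, target = spn.partition("/")
    service, target = service.lower(), target.lower()
    yield service, target, False
    if service == "host":
        for alias in HOST_ALIASES:
            yield alias, target, True


def find_duplicate_spns(csvde_text):
    """Return {spn: [(dn, as_written), ...]} for SPNs claimed by more than one object."""
    claims = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csvde_text)):
        field = row.get("servicePrincipalName") or ""
        for spn in filter(None, field.split(";")):
            for service, target, implied in expand_spn(spn):
                source = f"{spn} (implied by HOST)" if implied else spn
                claims[f"{service}/{target}"].append((row["DN"], source))
    # One object may claim a key twice (explicit cifs/x plus HOST/x); count distinct DNs.
    return {k: v for k, v in claims.items() if len({dn for dn, _ in v}) > 1}


if __name__ == "__main__":
    for spn, owners in find_duplicate_spns(SAMPLE_CSVDE).items():
        print("Duplicate:", spn)
        for dn, source in owners:
            print("  DN:", dn, "via", source)
```

On the sample, the only collision reported is cifs/mycomputer, claimed explicitly by the stale object in the other domain and implicitly through HOST/MYCOMPUTER in the domain logging the event.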
  • The cifs/<computername> is what threw me, but I guess it's another of those interesting things Microsoft does to keep us on our toes. We don't have very much reliance on the short names except for a data protection application by HP. I'll check with the admin in that other domain to see if he will remove the old computer object.
    Thursday, July 15, 2010 11:25 PM