I'll second that. Dups can be found not only across multiple domain NCs.
Not long ago I stumbled upon exactly the same error and it turned out
that it was a result of an orphaned connection object in the LostAndFoundConfig
container in the Config partition. All the tests came up clean, repadmin was
coming up clean, but some DCs were logging the duplicate SPN error and a
script that was querying replication status using WMI was coming up with a
non-replicating connection (interesting that repadmin did not error on
this).

Deleting the object from LostAndFoundConfig (it belonged to a retired DC
whose metadata was cleaned properly) fixed the issue. I guess this had
to do with the timing of when the metadata cleanup was performed and the KCC
re-generating the topology.

Guy

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 17, 2006 6:55 PM
To: [email protected]
Subject: RE: [ActiveDir] Kerberos is Killing Me!

Yes, if you want to focus on a specific domain, use -b and the NC you
want. However, the SPNs are across all NCs, so when you do an SPN lookup,
look at the GC and search across all NCs. It is unlikely to get duped
HOST entries in a single domain; usually that is a cross-domain thing.

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 10:26 AM
To: [email protected]
Subject: Re: [ActiveDir] Kerberos is Killing Me!

Thanks Joe.

If I wanted to search within a child domain, I would use the -b switch?

-b dc=child,dc=domain,dc=org ?

On 11/17/06, joe <[EMAIL PROTECTED]> wrote: 

adfind -gc -null -f serviceprincipalname=<insert SPN here> -dn

That will search your entire GC which you must do, you can't just focus
on a single domain like I saw a previous dsquery command do.

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 2:38 PM
To: [email protected]
Subject: Re: [ActiveDir] Kerberos is Killing Me!

Joe,

How do I find out if there are any duplicate SPNs?

On 11/16/06, joe <[EMAIL PROTECTED]> wrote: 

Do you have any duplicate SPNs? Well specifically the SPNs mentioned in
the error?

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 12:09 PM
To: [email protected]
Subject: [ActiveDir] Kerberos is Killing Me!

I am having continued issues with Kerberos. I tried running tokensz
against the problem server and I get this error message:

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 2148074242 0x80090302 SEC_E_NOT_SUPPORTED

Any ideas?

I keep getting the following event log message on a domain controller
which prevents users from accessing it and authenticating to it.

Event Type:    Error
Event Source:    Kerberos
Event Category:    None
Event ID:    4
Date:        11/16/2006
Time:        12:02:37 PM 
User:        N/A
Computer:    PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/phmaindc1.phippsny.org. The target name used was host/phprint1.
This indicates that the password used to encrypt the kerberos service
ticket is different than that on the target server. Commonly, this is
due to identically named machine accounts in the target realm
(PHIPPSNY.ORG), and the client realm. Please contact your system
administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Help!

-- 
HBooGz:\> 

-- 
HBooGz:\> 

-- 
HBooGz:\> 
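An added example, not a command any poster in the thread used: a PowerShell script that automates the forest-wide GC search Joe recommends and lists every SPN carried by more than one object, which is the condition behind the KRB_AP_ERR_MODIFIED event above. It assumes a domain-joined Windows host whose caller can read the Global Catalog; the $SpnFilter parameter name is chosen here.

```powershell
# Added example, not code from the thread: report servicePrincipalName values
# carried by more than one account anywhere in the forest, by searching the
# Global Catalog rather than a single domain NC. Assumes a domain-joined host
# whose caller can read the GC; $SpnFilter is a hypothetical parameter name.
param(
    [string]$SpnFilter = 'HOST/*'   # one SPN class; use '*' to check everything
)

# RootDSE gives the forest root DN; binding with GC:// makes the search forest-wide.
$rootDse = [ADSI]'LDAP://RootDSE'
$forestRootDn = [string]$rootDse.rootDomainNamingContext
$gcRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://$forestRootDn")

$searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
$searcher.Filter = "(servicePrincipalName=$SpnFilter)"
$searcher.SearchScope = 'Subtree'
$searcher.PageSize = 1000          # page the results so a large forest is not truncated
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName'))

# SPN -> list of owning objects. SPNs are matched case-insensitively, as the KDC does.
$owners = @{}
$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $owners[$key].Add($dn)
        }
    }
}
finally {
    $results.Dispose()
}

$dups = @($owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
if ($dups.Count -eq 0) {
    Write-Host "No duplicate SPNs matching '$SpnFilter' found in the GC."
}
foreach ($d in $dups) {
    # Two objects answering to one SPN is what produces KRB_AP_ERR_MODIFIED:
    # the KDC may encrypt the service ticket with the other account's key.
    Write-Host "DUPLICATE SPN: $($d.Key)"
    $d.Value | ForEach-Object { Write-Host "    $_" }
}
```

Run it with -SpnFilter '*' to check every SPN class, not just HOST/; a DN list longer than one under any SPN is the object pair to reconcile.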