KDC error 11

[Ribald]

Hello together,

I have a problem

In my AD I got this error thousends of times on every DC:
Source: KDC
Category: None
Type: Error
Event ID: 11
User: N/A
Computer: <DC>
The description varies slightly:
There are multiple accounts with name
- host/bpopen-iis-04 bl.bpopen.mydomain.com
- host/bpopen-iis-03.bl.bpopen.mydomain.com
- host/BPOPEN-IIS-03.bl.bpopen.mydomain.com
- host/BPOPEN-IIS-04.bl.bpopen.mydomain.com
- RPCSS/BPOPEN-IIS-03.bl.bpopen.mydomain.com
- RPCSS/BPOPEN-IIS-04.bl.bpopen.mydomain.com
of type DS_SERVICE_PRINCIPAL_NAME.

I found a very good thread in here which describes that problem exactly.
But while searching after the duplicates with
"ldifde -f check_SPN2.txt -t 3268 -d "" -l servicePrincipalName -r "(serviceP
rincipalName=HOST/bpopen-iis-04*)" -p subtree"
it returnes 19(!) accounts

So my questions are:
* Do I have to clear all the SPNs?
* Which one will cary the principale name at least?


Thank you all for your help in advance!
Alfred

[Expertz]

On the domain controller, do one or both of the following:
a.. For computer accounts, at the command prompt, type
ldifde -f filename -d BaseDistinguishedName -r (objectclass=computer) -p
subtree
b.. For user accounts, at the command prompt, type
ldifde -f filename -d BaseDistinguishedName -r (objectclass=user) -p
subtree
I also suggest you to read:
http://support.microsoft.com/default...s;321044&sd=ee
(read about ADSIEdit)

[Lillebror]

You can solve the problem by following Use the LDP support tool
Note If you do not have the Windows 2000 support tools installed, install them from the Windows 2000 CD-ROM before you continue. The Setup executable file for the support tools is located on the CD-ROM in the Support\Tools folder. The installation does not require that you restart the computer. However, you may have to restart the computer to update the environment variables.

1. Click Start, click Run, type LDP, and then click OK.
2. Click Connection, and then click Connect.
3. Leave the default settings, and then click OK.

Note If you do not receive the expected result, try another search by using the Global Catalog Port (3268) instead of the default setting (389).
4. Click Connection, and then click Bind.
5. Leave the default settings, and then click OK.
6. Click View, and then click Tree.
7. In the Tree View dialog box, type DC=YourDomain,DC=com in the BaseDN box, where YourDomain is your domain.
8. Click Browse, and then click Search.
9. In the Search dialog box, type DC=YourDomain,DC=com in the BaseDN box.
10. In the Search dialog box, type (serviceprincipalname=HOST/mycomputer.mydomain.com) in the Filter box. If the service principal name that is referred to in the error in the System log differs from this example, type the service principal name to which the error refers.

Note If you do not receive the expected result, try searching for " HOST/" as opposed to searching only for the exact SPN in the event ID.
11. Under Scope, click Subtree.
12. Click Run.

[Ribald]

Hi Expertz and Lillebror,

I don't think that your posts will help me :-(
I read all the threads and MS KB articles already but what I was wondering that i found the same name in 19 different accounts (service & computer).
Do I really have to delete all duplicates?
Which one will / must survive?
Those are the questions...
Thanks anyway
Alfred