Hello,
I am seeing in the event log ActiveDirectory_DomainService the message that there is a duplicate SPN. No idea how this could have been achieved.
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ServerName:50500
CN=ServerName,OU=Systeme,DC=mydomain,DC=int
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ServerName:50500
CN=ServerName,OU=Systeme,DC=mydomain,DC=int
CN=ServerName,OU=Systeme,DC=mydomain,DC=int
CN=ServerName,OU=Systeme,DC=mydomain,DC=int Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
So I listed the SPNs, and indeed this duplicate SPN was there again under deleted objects.
repadmin /showattr DC1 "DC=mydomain,DC=int" /subtree /filter:"(servicePrincipalName=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM)" /deleted /atts:DN
I deleted it with delete-ADObject and now I only see one entry when I run my filter.
Nevertheless, my DC spits out the event that there is still this duplicate SPN with nice regularity.
setspn -X -F returns nothing unexpected:
Checking forest DC=domain,DC=int
Operation will be performed forestwide, it might take a while.
Processing entry 5
found 0 group of duplicate SPNs.
What am I missing? In my opinion there shouldn't be anything tombstoned when I hard-delete the object from the trash, or am I wrong? Do I have to wait for some garbage collector job?
I am looking forward to answers.
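The search the poster ran with repadmin only looks at one partition and at one exact value. As an added example (not code from the thread), the script below walks every naming context the DC hosts, includes the Deleted Objects container, and reports any servicePrincipalName value that sits on more than one object, live or tombstoned. The server name DC1.mydomain.int is an assumption; the ActiveDirectory module must be available.

```powershell
# Added example, not from the original post.
# Enumerates servicePrincipalName values across every naming context hosted by one DC
# (domain, configuration, schema, application partitions), including deleted objects,
# and reports values that occur on more than one object.
Import-Module ActiveDirectory

$Server = 'DC1.mydomain.int'   # assumption: replace with a DC in your forest

# namingContexts on the rootDSE lists every partition this DC holds a replica of
$rootDse = Get-ADRootDSE -Server $Server
$seen    = @{}   # SPN value (lower-cased) -> objects carrying it

foreach ($nc in $rootDse.namingContexts) {
    # -IncludeDeletedObjects extends the search into CN=Deleted Objects,
    # which setspn -X does not examine.
    $objects = Get-ADObject -Server $Server -SearchBase $nc -SearchScope Subtree `
        -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName, isDeleted -IncludeDeletedObjects

    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            # SPNs are compared case-insensitively here; key on the lower-cased value
            $key = $spn.ToLowerInvariant()
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += [pscustomobject]@{
                DN        = $obj.DistinguishedName
                Deleted   = [bool]$obj.isDeleted
                Partition = $nc
            }
        }
    }
}

# Only values that appear on more than one object are interesting
$duplicates = $seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }

if (-not $duplicates) {
    Write-Host 'No duplicate SPNs found in any naming context (deleted objects included).'
} else {
    foreach ($d in $duplicates) {
        Write-Host "Duplicate SPN: $($d.Key)"
        $d.Value | Format-Table DN, Deleted, Partition -AutoSize
    }
}
```

Run it against more than one DC if replication lag is suspected: a value that a GC-side uniqueness check rejects may be visible on one replica before the others. If the script prints no duplicates while the event keeps firing, the value is being rejected at write time rather than stored twice.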
Something here could help.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/spn-and-upn-uniqueness
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hello AndreasErnst
In most cases the mysterious case of reappearing SPNs is related to 3rd party LDS tools that interact with your Active Directory. Usually, when a 3rd party LDS tool is installed on a member server instead of a domain controller, it may produce a synchronization issue, where the admin deletes an object in AD but the 3rd party LDS tool recreates the object.
The solution for this is:
Additionally, for more context and tests, I can also recommend the following official article:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/spn-and-upn-uniqueness
---------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
Hello,
No 3rd party tools are in place. It bugs me...
The dcdiag test KnowsOfRoleHolders runs without an error (monitoring), but several times a day it comes up with this non-unique SPN.
Hello Andreas,
This is just a guess, but is it possible that there is no duplicate SPN and the error is caused and logged when some software (possibly some synchronization software) tries to add a new (duplicate) SPN (which fails)?
The error code (8647 = ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST, message: "The operation failed because SPN value provided for addition/modification is not unique forest-wide.") is more suited to denying the addition of an SPN than reporting the detection of duplicate SPNs.
Gary
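If Gary's reading is right, the thing to find is not a stored duplicate but the caller that keeps trying to write one, and the event itself does not name that caller. As an added example (not part of the thread), the script below pulls the Directory Service events that carry WinError 8647, extracts the SPN value and object DN from the message text, and tabulates when they fire, so the "several times a day" cadence can be lined up against scheduled tasks or service restarts on the machine that owns the SPN. It assumes it runs on the DC that logs the events; the regular expressions are written against the message text quoted in the question.

```powershell
# Added example, not from the original thread.
# Collects Directory Service events reporting WinError 8647 (SPN not unique forest-wide),
# parses the SPN value and target DN out of the message, and shows the hourly cadence.
$events = Get-WinEvent -LogName 'Directory Service' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'servicePrincipalName' -and $_.Message -match '8647' }

if (-not $events) {
    Write-Host 'No 8647 SPN events found in the Directory Service log.'
    return
}

# Message layout (from the event quoted in the question):
#   ... Attribute: servicePrincipalName Value=<spn>
#   CN=<object>,OU=...,DC=...
#   ... Winerror: 8647
$parsed = foreach ($e in $events) {
    $spn = if ($e.Message -match 'Value=(\S+)') { $Matches[1] } else { $null }
    $dn  = if ($e.Message -match '(?m)^(CN=.*?)\s*(?:Winerror|$)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Time = $e.TimeCreated
        Id   = $e.Id
        SPN  = $spn
        DN   = $dn
    }
}

# Which values and objects are involved, and how often
$parsed | Group-Object SPN, DN | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Cadence by hour of day: a write attempt recurring at fixed times points at a
# scheduled job or service start rather than at an object stored twice.
$parsed | Group-Object { $_.Time.ToString('HH') } | Sort-Object Name |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Candidate writers on the host that owns the SPN (run there, not on the DC):
# enabled scheduled tasks, to compare their triggers with the hours above.
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize
```

The SPN in the question, with the E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM prefix and port 50500, is the form AD LDS (ADAM) instances register for themselves, so the host named in the DN is the first place to look for a service or task that re-registers it on each start.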