Sunday, April 3, 2005

Event ID 11 in the system log of domain controllers

I was getting quite a few of these. Seems there was a bad node out there in the AD. Found this on the MS Knowledge Base.

Event ID 11 in the system log of domain controllers

Article ID : 321044
Last Review : September 22, 2004
Revision : 3.0
This article was previously published under Q321044
SYMPTOMS

The following event may be recorded in the System log on one or more of your domain controllers:

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 4/1/2002
Time: 1:40:14 PM
User: N/A
Computer: ComputerName
Description:
There are multiple accounts with name host/mycomputer.mydomain.com of type 10.

This may also apply to other service principal names, for example: host/NetBIOSComputerName.

CAUSE

Two or more computer accounts have the same service principal name (SPN) registered in their servicePrincipalName attribute. Kerberos relies on a one-to-one mapping from an SPN to the account whose long-term key the KDC uses to encrypt the service ticket; when two accounts claim the same SPN the KDC cannot tell which key to use, so it logs this event and Kerberos authentication to that service name fails.

RESOLUTION

Locate the machine accounts that have the duplicate SPNs. To do so, use one of the following methods.

Method 1

NOTE: If you do not have the Windows 2000 support tools installed, install them from the Windows 2000 CD-ROM before proceeding. The Setup executable file for the support tools is located on the CD-ROM in the Support\Tools folder. The installation does not require you to restart the computer, but you may have to restart the computer so that the environment variables are updated.
1. Click Start, and then click Run.
2. Type LDP, and then click OK.
3. Click Connection, and then click Connect.
4. Leave the default settings, and then click OK.
5. Click Connection, and then click Bind.
6. Leave the default settings, and then click OK.
7. Click View, and then click Tree.
8. In the Tree View dialog box, type DC=YourDomain,DC=com in the BaseDN box, where YourDomain is your domain.
9. Click Browse, and then click Search.
10. In the Search dialog box, type DC=YourDomain,DC=com in the BaseDN box.
11. In the Search dialog box, type serviceprincipalname=HOST/mycomputer.mydomain.com in the Filter box. If the service principal name that is referred to in the error in the system log is different from this example here, type the service principal name that the error refers to.
12. Under Scope, click Subtree.
13. Click Run.

Method 2

Use the Ldifde utility to dump the machine accounts for the domain, or from the suspected container or OU:
1. From the domain controller, open a command prompt, and then type the following command, where DNDomain is the distinguished name of your domain (for example, dc=mydomain,dc=com):
ldifde -f domain.txt -d DNDomain
(NOTE: If the machines that seem to have the duplicate SPNs are located in a certain OU (for example, Florida), you can narrow the base DN, for example: -d "ou=florida,dc=mydomain,dc=com".)
2. Open the text file in Notepad, and then search for the SPN that is reported in the event log. Ldifde wraps long attribute values onto continuation lines that begin with a space, and Active Directory compares SPNs without regard to case, so search case-insensitively.
3. Note the machine accounts under which the SPN is located.


When you have located the computers that have the duplicate SPNs, you can delete the stale machine account from the domain, disjoin and rejoin the affected machine to the domain, or use ADSIEdit to correct the SPN on the computer account that carries the incorrect value.

ADSIEdit

In most cases, the computers have unique names, for example: machine1 and machine2.

The SPN that is reported as duplicate may be HOST/machine1.mydomain.com. With ADSIEdit, you can edit the SPN list on machine2 to delete the duplicate SPN (HOST/machine1.mydomain.com), add the correct SPN (HOST/machine2.mydomain.com), and then allow it to replicate to your other domain controllers.
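The following script is an added example for this page (it is not part of the Knowledge Base article) that automates Method 2 and the ADSIEdit fix above: it parses an ldifde dump, lists every SPN registered on more than one account rather than only the one named in the event, decides which account should own a HOST SPN, and writes the LDIF modify record that removes the foreign SPN from the other account and adds that account's own SPN. It assumes the dump was produced with ldifde -f domain.txt -d "dc=mydomain,dc=com", and the ownership rule (HOST/<fqdn> belongs to the account whose dNSHostName is <fqdn>, HOST/<netbios> to the account whose sAMAccountName is <netbios>$) is this example's heuristic, not something the article states. The sample LDIF is constructed to reproduce the machine1/machine2 case described above.

```python
"""Find duplicate servicePrincipalName (SPN) values in an ldifde dump and
emit an LDIF 'changetype: modify' record that corrects the offending account.
Added example, not code from the KB article.  Assumes the dump came from
ldifde -f domain.txt -d "dc=mydomain,dc=com"; the HOST/<name> ownership rule
in rightful_owner() is this example's heuristic."""
from collections import defaultdict

# Constructed sample in ldifde's output format: MACHINE2 carries MACHINE1's
# HOST SPN in addition to its own NetBIOS-form SPN.
SAMPLE_LDIF = """\
dn: CN=MACHINE1,CN=Computers,DC=mydomain,DC=com
sAMAccountName: MACHINE1$
dNSHostName: machine1.mydomain.com
servicePrincipalName: HOST/machine1.mydomain.com
servicePrincipalName: HOST/MACHINE1

dn: CN=MACHINE2,CN=Computers,DC=mydomain,DC=com
sAMAccountName: MACHINE2$
dNSHostName: machine2.mydomain.com
servicePrincipalName: HOST/machine1.mydomain.com
servicePrincipalName: HOST/MACHINE2
"""


def parse_ldif(text):
    """[(dn, {attr_lower: [values]})]; unfolds ldifde's wrapped lines (leading space)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:            # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            current = (value.strip(), defaultdict(list))
        elif current:
            current[1][attr.lower()].append(value.strip())
    return entries


def find_duplicate_spns(entries):
    """SPNs registered on more than one account; keys are case-folded because AD compares SPNs case-insensitively."""
    owners = defaultdict(list)
    for dn, attrs in entries:
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def rightful_owner(spn, entries):
    """Heuristic (this example's, not the KB's): HOST/<fqdn> belongs to the account
    with that dNSHostName, HOST/<netbios> to the one with that sAMAccountName."""
    service, _, host = spn.lower().partition("/")
    host = host.split(":")[0]               # tolerate HOST/name:port
    if service != "host" or not host:
        return None
    for dn, attrs in entries:
        names = {v.lower() for v in attrs.get("dnshostname", [])}
        names |= {v.lower().rstrip("$") for v in attrs.get("samaccountname", [])}
        if host in names:
            return dn
    return None                             # not decidable here: fix by hand


def fix_ldif(spn, wrong_dn, entries):
    """LDIF modify record for  ldifde -i -f fix.ldf : remove the foreign SPN from
    wrong_dn and add the account's own HOST SPN in the same form if it is missing."""
    attrs = dict(entries)[wrong_dn]
    have = attrs.get("serviceprincipalname", [])
    original = next(v for v in have if v.lower() == spn)
    rec = [f"dn: {wrong_dn}", "changetype: modify",
           "delete: servicePrincipalName", f"servicePrincipalName: {original}", "-"]
    if "." in original:                     # FQDN form -> use dNSHostName
        own = attrs.get("dnshostname", [])
    else:                                   # NetBIOS form -> sAMAccountName minus $
        own = [v.rstrip("$") for v in attrs.get("samaccountname", [])]
    if own and f"host/{own[0].lower()}" not in {v.lower() for v in have}:
        rec += ["add: servicePrincipalName", f"servicePrincipalName: HOST/{own[0]}", "-"]
    return "\n".join(rec) + "\n"


def analyze(text):
    """Return ([(spn, [dns], rightful_owner_or_None)], fix_ldif_text)."""
    entries = parse_ldif(text)
    report, fixes = [], []
    for spn, dns in sorted(find_duplicate_spns(entries).items()):
        owner = rightful_owner(spn, entries)
        report.append((spn, dns, owner))
        fixes += [fix_ldif(spn, dn, entries) for dn in dns
                  if owner is not None and dn != owner]
    return report, "".join(fixes)
```

Running analyze() over the real dump (open("domain.txt").read() instead of SAMPLE_LDIF) prints nothing on its own; the report lists each duplicate SPN with the accounts that hold it and the account the heuristic believes should own it, and the returned text is a ready-to-import fix.ldf. Review that file before importing it: the "-" separator lines are required by ldifde, an SPN whose rightful owner comes back as None (non-HOST SPNs, or a HOST name no account matches) must be resolved by hand, and the change has to replicate to all domain controllers before the KDC stops logging Event ID 11. On Windows Server 2008 and later, setspn -X performs the duplicate search directly.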

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

APPLIES TO
Microsoft Windows 2000 Service Pack 1
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2