Error 11 KDC

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello:

I have been getting event id's 11 with a source of KDC in my event log on my
domain controllers. I have looked at TechNet article 321044 and they
reference using ADSIEdit or LDP to resolve this. I have tried both, but I
can not seem to resolve this issue. Can anyone shed some light on this?
The full event is below.

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 3/2/2005
Time: 2:15:07 PM
User: N/A
Computer: TPADC1
Description:
There are multiple accounts with name host/tpa-cthornton.aviinc.local of
type 10.

Harrison Midkiff
10 answers Last reply
More about error
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hello Harrison,

    Thank you for your posting.

    According to the error message, this error is caused by duplicate service
    principal names (SPNs) registered by computer accounts.

    Have you located the machine accounts that have the duplicate SPNs? You
    mentioned you have tried ADSIEdit. Can you see the machines with the same
    SPN? In your case, the duplicated SPN is host/tpa-cthornton.aviinc.local.

    We need to do the following steps.
    1. Locate the machine with the duplicate SPN.
    2. Delete the duplicate SPN and add the correct SPN.
    For example: let us say you have two machine, machine1 and machine2. They
    may have the same SPN: HOST/machine1.mydomain.com. With ADSIEdit, you can
    edit the SPN list on machine2 to delete the duplicate SPN
    (HOST/machine1.mydomain.com), add the correct SPN
    (HOST/machine2.mydomain.com), and then allow it to replicate to your other
    domain controllers.


    In your scenario, please find the computers with the SPN
    host/tpa-cthornton.aviinc.local by ADSIEdit and edit the SPN.

    Follow the steps below to achieve your goal.

    1. Click Start, point to Programs, click Windows 2000 Support Tools, click
    Tools, and then click ADSI Edit.
    Note If the Windows 2000 Support Tools are not installed, install them from
    the Windows 2000 CD. The file path is <CDROM Drive>:Support\Tools\Setup.exe.

    2. Expand the Domain container.

    3. Expand DC=My Domain, DC=COM.

    4. Right-click the container CN=Computers and click CN=computername (the
    name varies), and then click Properties.

    5. In the CN=<ObjectName> Properties window, click Optional.

    6. Click Select which property to view, and then click servicePrincipalName.

    7. In the Values list, click host/tpa-cthornton.aviinc.local.

    8. Edit the value, and then click OK.


    Hope this helps. If you have any further questions, don't hesitate to get
    in touch!


    Best regards,

    Frances He


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Frances:

    Thanks for your reply...

    I am looking at one of the computer accounts in ADSIEdit that is generating
    a KDC event. The event is:

    Event Type: Error
    Event Source: KDC
    Event Category: None
    Event ID: 11
    Date: 3/3/2005
    Time: 7:06:07 PM
    User: N/A
    Computer: TPADC1
    Description:
    There are multiple accounts with name HOST/jaxdc1.AVIINC.LOCAL of type 10.

    I am not sure what I should delete. Here is all the ServicePrincipalName
    values:

    MSSQLSvc/jaxdc1.AVIINC.LOCAL:2743
    LDAP/jaxdc1.AVIINC.LOCAL/AVIINC.LOCAL
    DNS/jaxdc1/AVIINC.LOCAL
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/jax
    HOST/JAXDC1
    HOST/jaxdc1.AVIINC.LOCAL
    HOST/jaxdc1.AVIINC.LOCAL/AVIINC
    HOST/jaxdc1.AVIINC.LOCAL/AVIINC.LOCAL
    GC/jaxdc1.AVIINC.LOCAL/AVIINC.LOCAL
    LDAP/JAXDC1
    LDAP/jaxdc1.AVIINC.LOCAL/AVIINC
    LDAP/jaxdc1.AVIINC.LOCAL
    LDAP/35907490-7bb0-4024-ac5d
    E3514235-4B06-11D1-AB04-00C04F


    I am not sure which entry is considered a duplicate? Any suggestions...


    "Frances [MSFT]" <v-franhe@microsoft.com> wrote in message
    news:5oDK4h7HFHA.3692@TK2MSFTNGXA02.phx.gbl...
    > Hello Harrison,
    >
    > Thank you for your posting.
    >
    > According to the error message, this error is caused by duplicate service
    > principal names (SPNs) registered by computer accounts.
    >
    > Have you located the machine accounts that have the duplicate SPNs? You
    > mentioned you have tried ADSIEdit. Can you see the machines with the same
    > SPN? In your case, the duplicated SPN is host/tpa-cthornton.aviinc.local.
    >
    > We need to do the following steps.
    > 1. Locate the machine with the duplicate SPN.
    > 2. Delete the duplicate SPN and add the correct SPN.
    > For example: let us say you have two machine, machine1 and machine2. They
    > may have the same SPN: HOST/machine1.mydomain.com. With ADSIEdit, you can
    > edit the SPN list on machine2 to delete the duplicate SPN
    > (HOST/machine1.mydomain.com), add the correct SPN
    > (HOST/machine2.mydomain.com), and then allow it to replicate to your other
    > domain controllers.
    >
    >
    > In your scenario, please find the computers with the SPN
    > host/tpa-cthornton.aviinc.local by ADSIEdit and edit the SPN.
    >
    > Follow the steps below to achieve your goal.
    >
    > 1. Click Start, point to Programs, click Windows 2000 Support Tools, click
    > Tools, and then click ADSI Edit.
    > Note If the Windows 2000 Support Tools are not installed, install them
    > from
    > the Windows 2000 CD. The file path is <CDROM
    > Drive>:Support\Tools\Setup.exe.
    >
    > 2. Expand the Domain container.
    >
    > 3. Expand DC=My Domain, DC=COM.
    >
    > 4. Right-click the container CN=Computers and click CN=computername (the
    > name varies), and then click Properties.
    >
    > 5. In the CN=<ObjectName> Properties window, click Optional.
    >
    > 6. Click Select which property to view, and then click
    > servicePrincipalName.
    >
    > 7. In the Values list, click host/tpa-cthornton.aviinc.local.
    >
    > 8. Edit the value, and then click OK.
    >
    >
    > Hope this helps. If you have any further questions, don't hesitate to get
    > in touch!
    >
    >
    > Best regards,
    >
    > Frances He
    >
    >
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    >
    > =====================================================
    >
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    >
    > =====================================================
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hello,

    According to your information, you have located the problematic computer.

    If this is not a DC, you can delete the machine account from the domain,
    disjoin and rejoin the machine to the domain. This way, you can resolve the
    KDC 11 error.

    If this is a DC, please do the following steps.

    1. Copy all the servicePrincipalName to a .txt file for backup.

    2. Change the name of HOST/jaxdc1.AVIINC.LOCAL according to the computer
    name.
    For example, if the computer name is jaxdc2, you can change it to
    HOST/jaxdc2.AVIINC.LOCAL.

    3. Save your modification and then check the effect.

    4. If the error persists, you can try to replace all jaxdc1 with the new
    name.

    5. Save your modification and then check the effect.

    In addition, have you changed the computer name of this problematic
    computer? By default, the SPN will take the computer name as part of its
    name.

    Hope this helps. If you have any further questions, don't hesitate to get
    in touch!

    Best regards,

    Frances He


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Frances:

    Thanks for your reply.

    Your reply confused me a little bit. The computer name is
    "jaxdc1.aviinc.local". Everything under the ServicePricipleName attribute
    for the computer name looks right. I am really not sure what to do.

    Any suggestions?

    Harrison Midkiff


    "Frances [MSFT]" <v-franhe@microsoft.com> wrote in message
    news:uK9g$LwIFHA.3836@TK2MSFTNGXA02.phx.gbl...
    > Hello,
    >
    > According to your information, you have located the problematic computer.
    >
    > If this is not a DC, you can delete the machine account from the domain,
    > disjoin and rejoin the machine to the domain. This way, you can resolve
    > the
    > KDC 11 error.
    >
    > If this is a DC, please do the following steps.
    >
    > 1. Copy all the servicePrincipalName to a .txt file for backup.
    >
    > 2. Change the name of HOST/jaxdc1.AVIINC.LOCAL according to the computer
    > name.
    > For example, if the computer name is jaxdc2, you can change it to
    > HOST/jaxdc2.AVIINC.LOCAL.
    >
    > 3. Save your modification and then check the effect.
    >
    > 4. If the error persists, you can try to replace all jaxdc1 with the new
    > name.
    >
    > 5. Save your modification and then check the effect.
    >
    > In addition, have you changed the computer name of this problematic
    > computer? By default, the SPN will take the computer name as part of its
    > name.
    >
    > Hope this helps. If you have any further questions, don't hesitate to get
    > in touch!
    >
    > Best regards,
    >
    > Frances He
    >
    >
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    >
    > =====================================================
    >
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    >
    > =====================================================
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Harrison,

    If you have duplicate SPNs, it usually means you have more than one
    object with the same SPN. So if all of the SPNs on that object are
    correct, it means there is another object in your domain with same SPN.
    So, in my opinion, the easiest way to find out what that object is, is
    to do an ldifde dump of your domain to a text file and search for the
    string in the event. You should find it twice. Once, it will be listed
    under the correct object. Second, it should appear under another object
    in your domain, which will be the object that needs to have the SPN
    entry modified / deleted.

    Harrison Midkiff wrote:
    > Frances:
    >
    > Thanks for your reply.
    >
    > Your reply confused me a little bit. The computer name is
    > "jaxdc1.aviinc.local". Everything under the ServicePricipleName attribute
    > for the computer name looks right. I am really not sure what to do.
    >
    > Any suggestions?
    >
    > Harrison Midkiff
    >
    >
    >
    > "Frances [MSFT]" <v-franhe@microsoft.com> wrote in message
    > news:uK9g$LwIFHA.3836@TK2MSFTNGXA02.phx.gbl...
    >
    >>Hello,
    >>
    >>According to your information, you have located the problematic computer.
    >>
    >>If this is not a DC, you can delete the machine account from the domain,
    >>disjoin and rejoin the machine to the domain. This way, you can resolve
    >>the
    >>KDC 11 error.
    >>
    >>If this is a DC, please do the following steps.
    >>
    >>1. Copy all the servicePrincipalName to a .txt file for backup.
    >>
    >>2. Change the name of HOST/jaxdc1.AVIINC.LOCAL according to the computer
    >>name.
    >>For example, if the computer name is jaxdc2, you can change it to
    >>HOST/jaxdc2.AVIINC.LOCAL.
    >>
    >>3. Save your modification and then check the effect.
    >>
    >>4. If the error persists, you can try to replace all jaxdc1 with the new
    >>name.
    >>
    >>5. Save your modification and then check the effect.
    >>
    >>In addition, have you changed the computer name of this problematic
    >>computer? By default, the SPN will take the computer name as part of its
    >>name.
    >>
    >>Hope this helps. If you have any further questions, don't hesitate to get
    >>in touch!
    >>
    >>Best regards,
    >>
    >>Frances He
    >>
    >>
    >>Microsoft Online Partner Support
    >>Get Secure! - www.microsoft.com/security
    >>
    >>=====================================================
    >>
    >>When responding to posts, please "Reply to Group" via your newsreader so
    >>that others may learn and benefit from your issue.
    >>
    >>=====================================================
    >>This posting is provided "AS IS" with no warranties, and confers no
    >>rights.
    >>
    >
    >
    >
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hello,

    Thank you for your feed back.

    If the computer name is "jaxdc1.aviinc.local", it seems that there is
    another computer in you domain with the same SPN of
    HOST/jaxdc1.AVIINC.LOCAL.

    Our goal it to find that computer and change its SPN attributes. Or just
    delete the machine account from the domain, disjoin and rejoin the machine
    to the domain.

    Please use ADSIEdit to find the other computer with the SPN of
    HOST/jaxdc1.AVIINC.LOCAL in your domain if you don't have many computers.
    Otherwise, you can use ldifde, as Jeremy suggested.

    If you have any further questions, don't hesitate to get in touch!

    Best regards,

    Frances He


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hello Harrison,

    Good to hear that you have located the computer with duplicated SPN.

    Does the computer exist in your domain now? After you deleted the computer
    account, please disjoin it from the domain and rejoin it. Then check the
    effect.

    If the problem still persists, please send the exact KDC error message to
    v-franhe@microsoft.com for further research. Also send me the dump you
    created.

    I am looking forward to your reply.

    Best regards,

    Frances He


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hello Harrison,

    We haven't heard from you. How is it going? Please feel free to respond to
    the
    newsgroups if you need additional help.

    Have a great day!

    Best regards,

    Frances He


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    (Sorry if this gets posted twice)

    Thank you for all the great advice posted here. I am having the same
    problem with two different SPNs, but they don't have duplicates in the dump
    file. They're servers so are there any other suggestions before I reboot
    them? Also, the KDC errors are being generated at 9pm every day and 1am
    every saturday, could there be some service running something or connecting
    somewhere that could be causing this problem?

    Thank you.

    "Frances [MSFT]" wrote:

    > Hello Harrison,
    >
    > We haven't heard from you. How is it going? Please feel free to respond to
    > the
    > newsgroups if you need additional help.
    >
    > Have a great day!
    >
    > Best regards,
    >
    > Frances He
    >
    >
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    >
    > =====================================================
    >
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    >
    > =====================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
  10. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Frances [MSFT]" wrote:

    > Hello Harrison,
    >
    > We haven't heard from you. How is it going? Please feel free to respond to
    > the
    > newsgroups if you need additional help.
    >
    > Have a great day!
    >
    > Best regards,
    >
    > Frances He
    >
    >
    > Microsoft Online Partner Support
    > Get Secure! - www.microsoft.com/security
    >
    > =====================================================
    >
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    >
    > =====================================================
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
Ask a new question

Read More

Active Directory Event Id Windows