Error 11 KDC

Anonymous
March 2, 2005 5:55:09 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello:

I have been getting event ID 11 with a source of KDC in my event log on my
domain controllers. I have looked at TechNet article 321044 and they
reference using ADSIEdit or LDP to resolve this. I have tried both, but I
cannot seem to resolve this issue. Can anyone shed some light on this?
The full event is below.

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 3/2/2005
Time: 2:15:07 PM
User: N/A
Computer: TPADC1
Description:
There are multiple accounts with name host/tpa-cthornton.aviinc.local of
type 10.

Harrison Midkiff

Anonymous
March 3, 2005 9:15:59 AM

Hello Harrison,

Thank you for your posting.

According to the error message, this error is caused by duplicate service
principal names (SPNs) registered by computer accounts.

Have you located the machine accounts that have the duplicate SPNs? You
mentioned you have tried ADSIEdit. Can you see the machines with the same
SPN? In your case, the duplicated SPN is host/tpa-cthornton.aviinc.local.

We need to do the following steps.
1. Locate the machine with the duplicate SPN.
2. Delete the duplicate SPN and add the correct SPN.
For example: let us say you have two machines, machine1 and machine2. They
may have the same SPN: HOST/machine1.mydomain.com. With ADSIEdit, you can
edit the SPN list on machine2 to delete the duplicate SPN
(HOST/machine1.mydomain.com), add the correct SPN
(HOST/machine2.mydomain.com), and then allow it to replicate to your other
domain controllers.


In your scenario, please find the computers with the SPN
host/tpa-cthornton.aviinc.local by ADSIEdit and edit the SPN.

Follow the steps below to achieve your goal.

1. Click Start, point to Programs, click Windows 2000 Support Tools, click
Tools, and then click ADSI Edit.
Note If the Windows 2000 Support Tools are not installed, install them from
the Windows 2000 CD. The file path is <CDROM Drive>:Support\Tools\Setup.exe.

2. Expand the Domain container.

3. Expand DC=My Domain, DC=COM.

4. Right-click the container CN=Computers and click CN=computername (the
name varies), and then click Properties.

5. In the CN=<ObjectName> Properties window, click Optional.

6. Click Select which property to view, and then click servicePrincipalName.

7. In the Values list, click host/tpa-cthornton.aviinc.local.

8. Edit the value, and then click OK.


Hope this helps. If you have any further questions, don't hesitate to get
in touch!


Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Anonymous
March 4, 2005 5:33:10 PM

Frances:

Thanks for your reply...

I am looking at one of the computer accounts in ADSIEdit that is generating
a KDC event. The event is:

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 3/3/2005
Time: 7:06:07 PM
User: N/A
Computer: TPADC1
Description:
There are multiple accounts with name HOST/jaxdc1.AVIINC.LOCAL of type 10.

I am not sure what I should delete. Here are all the ServicePrincipalName
values:

MSSQLSvc/jaxdc1.AVIINC.LOCAL:2743
LDAP/jaxdc1.AVIINC.LOCAL/AVIINC.LOCAL
DNS/jaxdc1/AVIINC.LOCAL
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/jax
HOST/JAXDC1
HOST/jaxdc1.AVIINC.LOCAL
HOST/jaxdc1.AVIINC.LOCAL/AVIINC
HOST/jaxdc1.AVIINC.LOCAL/AVIINC.LOCAL
GC/jaxdc1.AVIINC.LOCAL/AVIINC.LOCAL
LDAP/JAXDC1
LDAP/jaxdc1.AVIINC.LOCAL/AVIINC
LDAP/jaxdc1.AVIINC.LOCAL
LDAP/35907490-7bb0-4024-ac5d
E3514235-4B06-11D1-AB04-00C04F


I am not sure which entry is considered a duplicate? Any suggestions...
Anonymous
March 7, 2005 1:47:00 PM

Hello,

According to your information, you have located the problematic computer.

If this is not a DC, you can delete the machine account from the domain,
disjoin and rejoin the machine to the domain. This way, you can resolve the
KDC 11 error.

If this is a DC, please do the following steps.

1. Copy all the servicePrincipalName to a .txt file for backup.

2. Change the name of HOST/jaxdc1.AVIINC.LOCAL according to the computer
name.
For example, if the computer name is jaxdc2, you can change it to
HOST/jaxdc2.AVIINC.LOCAL.

3. Save your modification and then check the effect.

4. If the error persists, you can try to replace all jaxdc1 with the new
name.

5. Save your modification and then check the effect.

In addition, have you changed the computer name of this problematic
computer? By default, the SPN will take the computer name as part of its
name.

Hope this helps. If you have any further questions, don't hesitate to get
in touch!

Best regards,

Frances He


Anonymous
March 8, 2005 5:51:06 PM

Frances:

Thanks for your reply.

Your reply confused me a little bit. The computer name is
"jaxdc1.aviinc.local". Everything under the ServicePrincipalName attribute
for the computer name looks right. I am really not sure what to do.

Any suggestions?

Harrison Midkiff
Anonymous
March 8, 2005 5:51:07 PM

Harrison,

If you have duplicate SPNs, it usually means you have more than one
object with the same SPN. So if all of the SPNs on that object are
correct, it means there is another object in your domain with the same SPN.
So, in my opinion, the easiest way to find out what that object is, is
to do an ldifde dump of your domain to a text file and search for the
string in the event. You should find it twice. Once, it will be listed
under the correct object. Second, it should appear under another object
in your domain, which will be the object that needs to have the SPN
entry modified / deleted.

>
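
The dump-and-search approach described in the post above, as an added example that is not part of the original thread: a Python script that parses an LDIF export and lists every servicePrincipalName held by more than one object. It compares SPNs case-insensitively and unfolds wrapped LDIF lines, two things a plain text search for the event string can miss. The sample dump, the OLDJAX computer and the DNs are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in LDIF form; OLDJAX and the DNs are made up.
# Note the second record's SPN differs in case and is folded across two lines.
SAMPLE_LDIF = """\
dn: CN=JAXDC1,OU=Domain Controllers,DC=AVIINC,DC=LOCAL
objectClass: computer
servicePrincipalName: HOST/JAXDC1
servicePrincipalName: HOST/jaxdc1.AVIINC.LOCAL
servicePrincipalName: LDAP/jaxdc1.AVIINC.LOCAL

dn: CN=OLDJAX,CN=Computers,DC=AVIINC,DC=LOCAL
objectClass: computer
servicePrincipalName: host/jaxdc1.avi
 inc.local
servicePrincipalName: HOST/OLDJAX
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) for each record in an LDIF dump."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = {}
    for line in lines + [""]:            # trailing "" flushes the last record
        if not line.strip():
            if "dn" in record:
                yield record["dn"][0], record
            record = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        record.setdefault(attr.strip().lower(), []).append(value.strip())

def duplicate_spns(text):
    """Map each SPN (lower-cased) held by more than one object to its DNs."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", "; ".join(dns))
```

To check a real domain, pass the text of the ldifde export file to `duplicate_spns` instead of the sample; the object listed alongside the correct one is the one whose SPN entry needs to be modified or deleted.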
Anonymous
March 9, 2005 1:35:12 PM

Hello,

Thank you for your feedback.

If the computer name is "jaxdc1.aviinc.local", it seems that there is
another computer in your domain with the same SPN of
HOST/jaxdc1.AVIINC.LOCAL.

Our goal is to find that computer and change its SPN attributes. Or just
delete the machine account from the domain, disjoin and rejoin the machine
to the domain.

Please use ADSIEdit to find the other computer with the SPN of
HOST/jaxdc1.AVIINC.LOCAL in your domain if you don't have many computers.
Otherwise, you can use ldifde, as Jeremy suggested.

If you have any further questions, don't hesitate to get in touch!

Best regards,

Frances He


Anonymous
March 14, 2005 4:52:26 AM

Hello Harrison,

Good to hear that you have located the computer with duplicated SPN.

Does the computer exist in your domain now? After you deleted the computer
account, please disjoin it from the domain and rejoin it. Then check the
effect.

If the problem still persists, please send the exact KDC error message to
v-franhe@microsoft.com for further research. Also send me the dump you
created.

I am looking forward to your reply.

Best regards,

Frances He


Anonymous
March 23, 2005 3:27:32 PM

Hello Harrison,

We haven't heard from you. How is it going? Please feel free to respond to
the newsgroups if you need additional help.

Have a great day!

Best regards,

Frances He


Anonymous
May 31, 2005 7:39:39 PM

(Sorry if this gets posted twice)

Thank you for all the great advice posted here. I am having the same
problem with two different SPNs, but they don't have duplicates in the dump
file. They're servers so are there any other suggestions before I reboot
them? Also, the KDC errors are being generated at 9pm every day and 1am
every Saturday, could there be some service running something or connecting
somewhere that could be causing this problem?

Thank you.
Anonymous
May 31, 2005 8:15:43 PM

!