Here's a breakdown of the situation and the issue, keeping in mind the potential complexities of an unsupported DC:
- Improper Removal: The old DC was removed without proper demotion, which can leave remnants in Active Directory, potentially causing conflicts and errors.
- Duplicate SPN: The duplicate SPN record is likely a result of the new 2019 DC having the same name and IP as the old one. This has confused Kerberos authentication and led to failures.
Action Plan
- Create a New DC:
  - Install a new domain controller on a separate server with a different name and IP address.
  - This new DC will serve as the clean and supported foundation for your domain.
- Transfer FSMO Roles:
  - Carefully transfer all FSMO roles from the problematic 2019 DC to the new DC.
  - Use the ntdsutil command or the Active Directory Domains and Trusts console to transfer the roles one by one, ensuring each transfer is successful before proceeding to the next.
- Address Duplicate SPN:
  - Once the FSMO roles are transferred, focus on resolving the duplicate SPN issue on the problematic 2019 DC.
  - Use the setspn command to identify and remove the duplicate SPN record. If you're unable to remove it due to the "unable to find" error, you might need to use the setspn -R command to reset the SPN.
- Demote the Problematic DC:
  - After transferring roles and resolving the SPN issue, demote the problematic 2019 DC using dcpromo.exe or Uninstall-ADDSDomainController.
  - Ensure you have a backup before demoting the DC.
- Metadata Cleanup:
  - After demoting the problematic DC, clean up its metadata in Active Directory using ntdsutil or the Active Directory Users and Computers console.
- Monitor and Verify:
  - Monitor the environment closely after the migration to ensure everything is functioning correctly.
  - Check event logs for any errors or warnings.
  - Verify that Kerberos authentication is working smoothly across all devices.
This issue is outside my expertise and I am looking for feedback or suggestions related to this issue. Let me know if you need any other information.
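A read-only pre-demotion check for the plan above, added here as an example and not part of the original post: it lists every SPN registered on more than one account and reports which FSMO roles still sit on the DC you intend to demote. It assumes the ActiveDirectory (RSAT) module is installed; `$OldDc`, `Get-DuplicateSpn` and `Get-FsmoHolder` are hypothetical names chosen for illustration.

```powershell
# Added example: read-only checks, nothing here modifies the directory.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Hypothetical placeholder: short host name of the DC you plan to demote.
$OldDc = 'OLD-DC-PLACEHOLDER'

function Get-DuplicateSpn {
    # Flatten every SPN in the current domain to (Spn, Holder) pairs, then
    # keep only SPN values that appear on more than one account.
    # Note: this searches the current domain only, not the whole forest.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Holder = $dn }
            }
        } |
        Group-Object -Property Spn |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Spn = $_.Name; Holders = $_.Group.Holder }
        }
}

function Get-FsmoHolder {
    # Two roles are forest-wide, three are per-domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$dupes = @(Get-DuplicateSpn)
if ($dupes.Count -gt 0) { $dupes | Format-List Spn, Holders } else {
    'No duplicate SPNs found in this domain.'
}

# Role holders are returned as FQDNs, so compare on the host label only.
$held = @((Get-FsmoHolder).GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -eq $OldDc })
if ($held.Count -gt 0) { "Roles still on ${OldDc}: " + ($held.Key -join ', ') } else {
    "No FSMO roles remain on $OldDc."
}
```

Run it before and after the role transfer; demotion should wait until the second check reports no roles on the old DC and the duplicate list no longer includes its host SPNs.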