August 28th, 2009
KDC error 11- there are multiple accounts with name host/(computername.domain of type ds_service_principal_name

This error occurs when 2 or more accounts have registered the same service principal name (SPN).

For example, I had a duplicate entry for host/cit10.xxxxdom1

1. From the domain controller, open a command prompt and then type the following string:
ldifde -f domain.txt -d dc=domain,dc=com

2. Open the text file in Notepad and then search for the SPN that is reported in the event log.
ie. host/cit10.xxxxdom1

3. Note the user accounts under which the SPN is located and the organizational unit the accounts reside in and determine which one is incorrect.  In my example, one computer had both a correct spn (host/compna0003.xxxxdom1) and a duplicate spn (host/cit10.xxxxdom1) right below it that another PC also (correctly) had.  I noted the where the offender was located in the AD hierarchy.

Then once the above has been located use the Windows Support Tools utility ADsiedit

Using ADSIEdit
1. Add ADSIEdit to the MMC and bind to the domain using the Domain well known naming context.
2. Navigate to each user account you previously documented as having a duplicate SPN registration and right click the account and select properties.
3. Scroll through the list of attributes until you see ServicePrincipalName, double click ServicePrincipalName and remove the duplicate SPN registration and click on OK and exit ADSIEdit.

Posted by Guy Conklin on August 28th, 2009 in Microsoft Windows Server 200x | Permalink | No Comments
Digg This | Save to del.icio.us
August 12th, 2009
Migration from Windows 2000 to Windows 2008 SBS

While the migration path from Windows 2000 to Windows 2008 SBS is completely unsupported by Microsoft, we were able to achieve it via the following steps:

1) Disrupt the normal SBS installation by using an ‘answer file’ stored on a USB drive; this allows you to tell it the existing domain / server information.

2) Once the new server is installed, you need to run adprep and forestprep on the Windows 2000 DC using the 2008 SBS media.

3) Once the Domain and Forest are prepared, you need to rename the ntds.dit file to sbsntds.dit (the ntds.dit file is Active Directory) on the Windows 2000 DC.

4) Now you can run ‘dcpromo’  on the new server and transfer over all of the FSMO roles.

5) Lastly, you need to Install / Configure Exchange 2007 manually, as it will not install by default when using this method.

Once step 5 is complete, you still are left with all of the normal configurations required with a new Windows 2008 SBS server; however, you won’t need to dis-join/re-join all of the machines and migrate all of the data/profiles across domains.

Good Luck!

Posted by Richard Eodice on August 12th, 2009 in Microsoft Windows Server 200x | Permalink | 4 Comments
Digg This | Save to del.icio.us