We get a lot of calls related to Kerberos configuration, and I'm planning to write more about our experiences and troubleshooting techniques for these types of issues across the box (Engine, AS and RS).
With Windows 2000/2003, SetSPN had only a few switches associated with it.
The other problem was that SetSPN was part of the Resource Kit and did not ship with the OS.
This has changed in Windows 2008: SetSPN is now part of the OS from the moment you install it, and what it can do has been improved, most notably the ability to look for duplicate SPNs. In the past I have used numerous tools to look for duplicate SPNs. This ranged from DHDiag (an internal CSS tool that uses LDIFDE) to
Here are the new switches for SetSPN that ships with Windows 2008. The first two are modifiers that change how the commands below search or report:
-F = perform the check (duplicate search or existence query) at the forest level rather than the domain level
-P = do not show progress (useful for redirecting output to a file)
-R = reset HOST ServicePrincipalName
Usage: setspn -R computername
-A = add arbitrary SPN
Usage: setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage: setspn -S SPN computername
-D = delete arbitrary SPN
Usage: setspn -D SPN computername
-L = list registered SPNs
Usage: setspn [-L] computername
-Q = query for existence of SPN
Usage: setspn -Q SPN
-X = search for duplicate SPNs
Usage: setspn -X
The -Q switch is really the nice feature here. It lets you see whether an SPN is already registered on some account in your domain, and combined with the -F modifier it searches the whole forest. Note that -S performs the same duplicate check before adding an SPN, so prefer it over -A, which adds the SPN without checking and is how duplicates get created in the first place.
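The following script is an added example and is not code from the original post. It puts the switches above together the way you would use them when registering SPNs for a SQL Server Database Engine instance: query with -Q (forest-wide via -F) before touching anything, register with -S rather than -A so setspn itself refuses duplicates, then list with -L and run the -X duplicate scan with -P so the output can be captured to a file. The host name sql01.contoso.com, port 1433 and service account CONTOSO\svc-sql are assumed names, and matching on the "Existing SPN found!" / "No such SPN found." lines assumes the English setspn output.

```powershell
# Added example (not from the original post): pre-flight SPN check with -Q,
# registration with -S, then an -X duplicate scan, for a Database Engine instance.
# Assumed names: host sql01.contoso.com, TCP port 1433, service account CONTOSO\svc-sql.
# Run in an elevated prompt as a user allowed to write servicePrincipalName on the account.
$Fqdn    = 'sql01.contoso.com'
$Port    = 1433
$Account = 'CONTOSO\svc-sql'

# The two MSSQLSvc SPNs a default instance listening on TCP needs (with and without the port).
$Spns = @("MSSQLSvc/${Fqdn}:$Port", "MSSQLSvc/$Fqdn")

function Test-SpnRegistered {
    param([Parameter(Mandatory)][string]$Spn, [switch]$Forest)
    # -Q answers "is this SPN registered on any account?"; the -F modifier widens it to the forest.
    $argList = @('-Q', $Spn)
    if ($Forest) { $argList = @('-F') + $argList }
    $out = & setspn.exe @argList 2>&1 | Out-String
    # Assumption: English setspn output ends with one of these two lines.
    if ($out -match 'Existing SPN found!') { return $true }
    if ($out -match 'No such SPN found')   { return $false }
    throw "Unexpected setspn output for ${Spn}: $out"
}

function Register-SpnChecked {
    param([Parameter(Mandatory)][string]$Spn, [Parameter(Mandatory)][string]$Target)
    # -S (Windows 2008) refuses to add an SPN that already exists; -A would add it blindly
    # and create exactly the kind of duplicate that -X is there to find.
    $out = & setspn.exe -S $Spn $Target 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn -S failed for ${Spn}: $out"
        return $false
    }
    return $true
}

foreach ($spn in $Spns) {
    if (Test-SpnRegistered -Spn $spn -Forest) {
        # Show which account owns it, so a stale or wrong registration can be removed with -D
        # before the SPN is re-registered on the correct account.
        Write-Host "$spn is already registered somewhere in the forest:"
        & setspn.exe -F -Q $spn
    }
    elseif (Register-SpnChecked -Spn $spn -Target $Account) {
        Write-Host "Registered $spn on $Account"
    }
}

# Confirm what the account now carries, then run the forest-wide duplicate scan.
# -P suppresses the progress output so only the results land in the file.
& setspn.exe -L $Account
& setspn.exe -X -F -P | Out-File -FilePath .\spn-duplicates.txt
```

The -Q check is done before -S on purpose: -S only tells you "Duplicate SPN found" and aborts, whereas -Q shows which account already holds the SPN, which is the information you need to decide whether to remove it with -D or leave it alone.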