SPN creation and replication question(s)

Hello.

We're having an issue occasionally where a PC object is created in AD via automation.

Then, when the PC joins the domain, it creates 3 SPN entries on that existing object.

Upon reboot, sometimes we're seeing the PC connect to a different DC and create 2 more SPN entries on the object before the DCs have had a chance to replicate.

When the objects replicate on the DCs, the last change is winning (overwriting the first 3 SPN entries). This is causing issues obviously.

 

My question is, we're thinking of injecting all 5 of the SPN entries when the object is created via that automation.  When the PC joins the domain and reboots, will it overwrite the SPN entries if it already sees them there? Or will it just leave them alone?  Anyone know?

Thanks.

0 Replies
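
An added diagnostic example, not part of the original post: one way to check the situation described above is to read `servicePrincipalName` for the computer object from every DC and compare the values with that attribute's replication metadata. It assumes the ActiveDirectory RSAT module is installed; `PC-EXAMPLE01` is a placeholder computer name.

```powershell
# Added example: compare servicePrincipalName for one computer object on every DC.
# Assumptions: ActiveDirectory RSAT module is available; 'PC-EXAMPLE01' is a placeholder.
Import-Module ActiveDirectory

$ComputerName = 'PC-EXAMPLE01'   # placeholder, replace with the affected PC

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Ask this specific DC for its own copy of the object.
        $c = Get-ADComputer -Identity $ComputerName -Server $dc.HostName `
                 -Properties servicePrincipalName -ErrorAction Stop

        # Replication metadata shows where and when the attribute was last written.
        $meta = Get-ADReplicationAttributeMetadata -Object $c.DistinguishedName `
                    -Server $dc.HostName -Properties servicePrincipalName -ErrorAction Stop

        [pscustomobject]@{
            DC                = $dc.HostName
            SpnCount          = @($c.servicePrincipalName).Count
            Spns              = (@($c.servicePrincipalName) | Sort-Object) -join '; '
            Version           = $meta.Version
            LastChange        = $meta.LastOriginatingChangeTime
            OriginatingServer = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }
    catch {
        # Object not yet replicated to this DC, or the DC is unreachable.
        [pscustomobject]@{
            DC                = $dc.HostName
            SpnCount          = $null
            Spns              = "ERROR: $($_.Exception.Message)"
            Version           = $null
            LastChange        = $null
            OriginatingServer = $null
        }
    }
}

$rows | Format-List

# More than one distinct SPN set means the DCs have not converged yet.
$distinct = @($rows | Where-Object { $null -ne $_.SpnCount } |
              ForEach-Object { $_.Spns } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "SPN values for $ComputerName differ between DCs; compare Version and LastChange."
}
```

Running it right after the domain join and again after the reboot shows which DC originated each write and whether the SPN set shrank once replication completed.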