5

I am trying to join a Windows Server 2016 VM called BORON to a domain which has a Windows 2012 R2 domain controller. The DC name is SNOWDROP.DUCK.LOC. When I try to join I get this error:

The operation failed because SPN value provided for addition/modification is not unique forest-wide.

!?

I tried to find out why with this command on the domain controller:

Get-ADComputer -Filter {serviceprincipalname -like "*boron*"} | select *

DistinguishedName  : CN=SNOWDROP,OU=Domain Controllers,DC=duck,DC=loc
DNSHostName        : snowdrop.duck.loc
Enabled            : True
Name               : SNOWDROP
ObjectClass        : computer
ObjectGUID         : 2b5d6206-707a-4f09-835b-2d8222474e4d
SamAccountName     : SNOWDROP$
SID                : S-1-5-21-1075642099-280362434-2919291742-1001
UserPrincipalName  : 
PropertyNames      : {DistinguishedName, DNSHostName, Enabled, Name...}
AddedProperties    : {}
RemovedProperties  : {}
ModifiedProperties : {}
PropertyCount      : 9

I'm not sure what else to try, any ideas?

Mark Allison
  • 2,098
  • 7
  • 26
  • 45
  • If you view the Attributes tab for SNOWDROP in AD Users and Computers, does it have BORON in one of the ServicePrincipalNames? – Greg Askew Feb 10 '18 at 17:33
  • Is this VM a clone? If so, did you Sysprep it before deploying it? If not, you need to. – joeqwerty Feb 10 '18 at 17:34
  • @GregAskew yes it did. I removed them and it worked, not sure how that got it in there... do you want to write as answer and I'll accept? – Mark Allison Feb 10 '18 at 17:58
  • @MarkAllison: sure thing! – Greg Askew Feb 10 '18 at 18:09
  • 1
    Another thing to note if this VM was cloned without Sysprep (which you didn't confirm or deny): if you use WSUS you're going to have issues with a duplicate SUSClientID on all of the machines that were cloned, which you'll need to fix. – joeqwerty Feb 10 '18 at 18:38

3 Answers

5

If you view the Attributes tab for SNOWDROP in AD Users and Computers, remove BORON if it is present in one of the ServicePrincipalNames.

galoget
  • 223
  • 1
  • 9
Greg Askew
  • 34,339
  • 3
  • 52
  • 81
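The question's Get-ADComputer call only searched computer objects and did not request the ServicePrincipalName attribute, so it could not show which SPN actually referenced BORON. The following is an added example (not code from the question or from the accepted answer) that does the check from the comments and the cleanup from the accepted answer in one script: it searches every object class for SPNs naming a host, lists which object holds each one, and removes the copies held by an object other than the host itself. It assumes the ActiveDirectory RSAT module is installed and the caller can modify the holder object; the function names Find-SpnReferences and Remove-StaleSpn are mine, and the host name BORON comes from the question.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT). Function names are assumptions made for this example.
Import-Module ActiveDirectory

function Find-SpnReferences {
    param(
        [Parameter(Mandatory)][string]$HostName
    )
    # SPNs can live on computer objects AND on user/service accounts, so query
    # all object classes. -Properties is required: servicePrincipalName is not
    # part of the default property set (which is why PropertyCount was 9).
    Get-ADObject -LDAPFilter "(servicePrincipalName=*/$HostName*)" -Properties servicePrincipalName |
        ForEach-Object {
            $obj = $_
            # Keep only SPNs whose host part is exactly this host, with or
            # without a DNS suffix or port (HOST/BORON, HOST/boron.duck.loc,
            # MSSQLSvc/boron.duck.loc:1433), not e.g. HOST/BORON2.
            $obj.servicePrincipalName |
                Where-Object { $_ -match "/$HostName(\.|:|$)" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Holder = $obj.DistinguishedName
                        Class  = $obj.ObjectClass
                        SPN    = $_
                    }
                }
        }
}

function Remove-StaleSpn {
    param(
        [Parameter(Mandatory)][string]$HolderDN,
        [Parameter(Mandatory)][string[]]$Spn,
        [switch]$WhatIf
    )
    # Remove only the listed SPNs from the holder; its other SPNs stay intact.
    Set-ADObject -Identity $HolderDN -Remove @{ servicePrincipalName = $Spn } -WhatIf:$WhatIf
}

# 1. Show every SPN that references BORON and who holds it.
$refs = Find-SpnReferences -HostName 'BORON'
$refs | Format-Table -AutoSize

# 2. Anything held by an object other than BORON's own computer account is the
#    duplicate that makes the join fail. Run with -WhatIf first, then drop it.
$stale = $refs | Where-Object { $_.Holder -notmatch '^CN=BORON,' }
foreach ($group in $stale | Group-Object Holder) {
    Remove-StaleSpn -HolderDN $group.Name -Spn ($group.Group.SPN) -WhatIf
}
```

The built-in tooling gives a quicker but less detailed view: `setspn -Q HOST/BORON` queries the forest for that one SPN and `setspn -X` reports all duplicate SPNs. The script above is useful when you also need to know which object holds the stale entry (a cloned VM's original account, a service account, or as here the DC itself) before deciding what to remove.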
1

In my case it was because there was already a server in the "computers" list with this name. Removed that computer from the "computers" list and was able to join the server to the domain.

Bobby
  • 11
  • 1
0

I had to remove the specific host from the "Computers" section on the left from the domain, which is under AD Users and Computers.

Also, I had to replicate the ADC and RODC from Sites and Services to update all of them.