When adding a new service principal name, you may end up with an error where the SPN is already registered on another user or computer object in the forest. The exact error is:
    Operation failed. Error code: 0x21c7
    The operation failed because SPN value provided for addition/modification is not unique forest-wide.
    00021C7: AtrErr: DSID-03200BA6, #1:
        0: 000021C7: DSID-03200BA6, problem 1005 (CONTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
If you want to find out where the SPN is registered, you can use the Get-ADUser and Get-ADComputer cmdlets, which require the Active Directory PowerShell module (installed on any 2008 Domain Controller and higher).
To search user objects:

    Get-ADUser -Filter {servicePrincipalName -like "http/MYSharePointSite"}

To search computer objects:

    Get-ADComputer -Filter {servicePrincipalName -like "http/MYSharePointSite"}

You can also use wildcards in your search, e.g.:

    Get-ADComputer -Filter {servicePrincipalName -like "http/*SharePoint*"}
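The following is an added example, not code from the original post: it folds the user and computer searches above into one forest-wide query against a global catalog and only adds the SPN when nothing else owns it. It assumes the ActiveDirectory module and a reachable global catalog; the SPN and account names are constructed sample values.

```powershell
# Added example, not from the original post: check a candidate SPN forest-wide
# (users, computers and managed service accounts in one query) before adding it,
# so the 0x21c7 error is explained rather than just hit.
# Assumes the ActiveDirectory module and a reachable global catalog.
# 'http/MYSharePointSite' and 'svc-sharepoint' are constructed sample values.
Import-Module ActiveDirectory

function Find-SpnOwner {
    param(
        [Parameter(Mandatory)] [string] $Spn,
        # Query a global catalog (port 3268) so the search covers every domain in the
        # forest, which is the scope the DC enforces uniqueness over.
        [string] $Server = "$((Get-ADDomainController -Discover -Service GlobalCatalog).HostName):3268"
    )
    # A '*' in $Spn is a wildcard both in the LDAP filter and in -like, matching the
    # post's 'http/*SharePoint*' usage; without one the SPN is matched literally.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Server $Server `
                 -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName,
            @{ Name = 'MatchingSpns'
               Expression = { $_.servicePrincipalName | Where-Object { $_ -like $Spn } } }
}

function Add-SpnIfUnique {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # sAMAccountName of the service account
        [Parameter(Mandatory)] [string] $Spn
    )
    $owners = @(Find-SpnOwner -Spn $Spn)
    if ($owners.Count -gt 0) {
        Write-Warning ("SPN '{0}' is already registered on: {1}" -f $Spn,
                       ($owners.DistinguishedName -join '; '))
        return $owners            # caller decides which registration is the wrong one
    }
    # Same operation the post's error comes from; a 2012 R2 or later DC still enforces
    # uniqueness here, so the pre-check makes the failure readable, not optional.
    Set-ADUser -Identity $Identity -ServicePrincipalNames @{ Add = $Spn }
}

# Usage with the constructed sample values:
Find-SpnOwner -Spn 'http/MYSharePointSite'          # exact SPN, forest-wide
Find-SpnOwner -Spn 'http/*SharePoint*'              # wildcard, like the post's third command
Add-SpnIfUnique -Identity 'svc-sharepoint' -Spn 'http/MYSharePointSite'
```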
Before Server 2012 R2, there was no check when adding duplicate SPNs, so this issue is being seen more often now that the check exists. If you find that you cannot get around this and you really need two accounts with the same service principal name, you can install a hotfix from Microsoft that disables this new feature. See https://support.microsoft.com/en-us/kb/3070083.