Set-ADComputer parameters for registering SQL SPN

  • Question

  • Hi,

    I am trying to register an SPN for one of our clustered SQL servers. The instance name is like Myclu\MyInst and it is running with a service account, say MyDomain\ServiceAccount. I am using the command below:

    Set-ADComputer -identity "MyDomain\ServiceAccount" -ServicePrincipalName @{add="MSSQLSvc/MyClu.MyDomain.com:MyInst"}

    But I keep getting the error below.

    Set-ADComputer : Cannot find an object with identity: 'MyDomain\ServiceAccount' under: 'DC=MyDomain,DC=Subdomain,DC=com'.
    At line:1 char:1
    + Set-ADComputer -identity "MyDomain\ServiceAccount" -ServicePrincipalName @{add= ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (SQLCERT\sqladmin:ADComputer) [Set-ADComputer], ADIdentityNotFoundException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.SetADComputer

    I have verified that the account exists in Active Directory. Can someone please point out the error in the command I am using?

    Thanks for your time.

    • Moved by Bill_Stewart Friday, March 15, 2019 6:49 PM User answered own question
    Wednesday, January 30, 2019 5:59 AM

All replies

  • You shouldn't put your domain with the computer name when searching via identity. I.e., Set-ADComputer -Identity ServiceAccounts works but your method doesn't.

    If you have more than one object in that OU then you'll need a foreach loop to run through all the objects and pipe that into Set-ADComputer

    Wednesday, January 30, 2019 11:15 AM
  • I would use Get-ADComputer with the -SearchBase and -Filter parameters, then pipe to Set-ADComputer:

    Get-ADComputer -SearchBase "dc=MyDomain,dc=com" -Filter {Name -eq "ServiceAccount"} | Set-ADComputer -ServicePrincipalName @{add="MSSQLSvc/MyClu.MyDomain.com:MyInst"}

    But you must specify the full distinguished name of the base, which can be a domain, an OU, or a container.

    Note that the default base is the current domain. And as noted, it is possible for Get-ADComputer to find more than one computer with a given "Name", so best to specify an OU.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, January 30, 2019 11:46 AM
  • When I run the command you have given, it doesn't give any error but doesn't register the SPN.

    I used another method, though. I'm not sure how correct it is, but it works well for me :).

    $AccountName is the service account without domain name. $SPN holds the complete SPN I need to register.

    $user = (Get-ADUser -Identity $AccountName).DistinguishedName
    Set-ADObject -Identity $user -add @{serviceprincipalname=$SPN}

    Thanks again.

    Wednesday, January 30, 2019 2:10 PM
  • Might be because the Name does not necessarily uniquely identify the object. But distinguishedName does. In any case, I'm glad you got it to work.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, January 30, 2019 2:30 PM
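
An added example, not code from any poster in this thread: it looks the account up by sAMAccountName without assuming its object class (which shows why the computer cmdlets found nothing for a user-class service account), refuses to add an SPN that another object in the current domain already holds, and reads the attribute back afterwards. The function name Register-ServiceAccountSpn is hypothetical; the account and SPN values are the sample names from the question.

```powershell
# Added example. Assumes the ActiveDirectory RSAT module and rights to write
# servicePrincipalName on the target account.
Import-Module ActiveDirectory

function Register-ServiceAccountSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # no "DOMAIN\" prefix
        [Parameter(Mandatory)] [string] $Spn
    )

    # Class-agnostic lookup: a service account is normally a user object,
    # so Get-ADComputer / Set-ADComputer will not see it.
    $account = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
                            -Properties servicePrincipalName
    if (-not $account) {
        throw "No object with sAMAccountName '$SamAccountName' in the current domain."
    }
    Write-Verbose "Found $($account.DistinguishedName) (objectClass: $($account.ObjectClass))"

    # An SPN must map to exactly one account; a duplicate breaks Kerberos
    # authentication to the service. This search covers the current domain only.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")
    $others  = @($holders | Where-Object {
        $_.DistinguishedName -ne $account.DistinguishedName
    })
    if ($others.Count -gt 0) {
        throw "SPN '$Spn' is already registered on: $($others.DistinguishedName -join '; ')"
    }

    if ($holders.Count -eq 0) {
        if ($PSCmdlet.ShouldProcess($account.DistinguishedName, "Add SPN $Spn")) {
            # Addressing the object by distinguished name is unambiguous.
            Set-ADObject -Identity $account.DistinguishedName `
                         -Add @{ servicePrincipalName = $Spn }
        }
    } else {
        Write-Verbose "SPN already present on this account; nothing to add."
    }

    # Read the attribute back so a silent no-op is visible.
    Get-ADObject -Identity $account.DistinguishedName -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass, servicePrincipalName
}

Register-ServiceAccountSpn -SamAccountName 'ServiceAccount' `
    -Spn 'MSSQLSvc/MyClu.MyDomain.com:MyInst' -Verbose
```

Run it with -WhatIf first to see which object would be modified without writing to the directory.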