When running DCDIAG /e from a domain controller, I get an error saying * Missing SPN :LDAP/a3fc27e1-8772-485f-8dbc-2d5d47b500c5._msdcs.contoso.com Failed check MachineAccount. (I changed our actual domain name to contoso.com and changed the GUID just to use it as an example.) So I go to troubleshoot this, and from a command prompt on a 2008 R2 DC, I type "setspn -L <computername>" (for the domain controller in the error from DCDIAG), and it shows that the computer does indeed have an LDAP/<GUID> SPN entry... However, it is DIFFERENT from the "missing" value that is being shown in DCDIAG. This is a Windows 2008 R2 domain controller in a single-forest, single-domain environment with 5 sites and 8 DCs. Domain functional level is Windows 2008 R2.
I do not want to make things worse, because this error might not be a big issue, but then again, it might be a big issue. So I am not sure what to do - should I use SETSPN to reset the existing LDAP/<GUID> entry to the value of the one that DCDIAG claims is missing? Or should I ADD the "missing" SPN to the domain controller - if it is even possible for a computer to have 2 different GUIDs for the LDAP/<GUID> value? Or should I demote the domain controller and remove it from the domain, wait until I am certain that all the DCs and the ADDS have fully synchronized, and then add it back to the domain and re-promote it?
Any advice on this will be appreciated to the fullest extent!
Many thanks,
Sam "Flux" S.
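The comparison the question describes (what DCDIAG expects versus what setspn -L shows) can be done read-only from the directory itself. The GUID in an LDAP/<GUID>._msdcs.<forest-root> SPN is the objectGUID of that DC's NTDS Settings object (its DSA GUID), so the expected SPN can be derived and compared against the SPNs registered on the DC's computer account. The following PowerShell is an added example, not from the original post or from Microsoft; it assumes the ActiveDirectory module (RSAT) is installed, a domain account with read access, and the DC name DC01 is a constructed placeholder.

```powershell
# Added example (not from the original post): read-only check that derives the
# LDAP/<DSA-GUID>._msdcs.<forest-root> SPN a DC should have and compares it with
# the LDAP/*._msdcs.* SPNs actually registered on that DC's computer account.
# Assumptions: ActiveDirectory module available; caller can read AD objects.
Import-Module ActiveDirectory

function Get-DcLdapSpnStatus {
    param(
        [Parameter(Mandatory)] [string] $DcName   # DC name, e.g. 'DC01' (placeholder)
    )

    $dc = Get-ADDomainController -Identity $DcName

    # The GUID used in the LDAP/<GUID>._msdcs SPN is the objectGUID of the DC's
    # NTDS Settings object (the DSA GUID), not the GUID of the computer object.
    $ntds    = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $dsaGuid = $ntds.objectGUID.Guid

    # The _msdcs zone that hosts these records lives under the forest root domain.
    $forestRoot = (Get-ADForest).RootDomain
    $expected   = "LDAP/$dsaGuid._msdcs.$forestRoot"

    # SPNs currently registered on the DC's computer account, filtered to the
    # LDAP/<GUID>._msdcs.* form that DCDIAG's MachineAccount test checks.
    $computer   = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName
    $registered = @($computer.servicePrincipalName | Where-Object { $_ -like 'LDAP/*._msdcs.*' })

    [pscustomobject]@{
        DomainController = $dc.HostName
        DsaGuid          = $dsaGuid
        ExpectedSpn      = $expected
        RegisteredSpns   = $registered
        ExpectedPresent  = ($registered -contains $expected)   # SPN comparison is case-insensitive
        OtherGuidSpns    = @($registered | Where-Object { $_ -ne $expected })
    }
}

# Usage (placeholder DC name): shows whether the expected SPN is present and
# lists any LDAP/<GUID>._msdcs SPNs carrying a different GUID.
Get-DcLdapSpnStatus -DcName 'DC01' | Format-List
```

The function only reads the directory and changes nothing, so it can be run against every DC in the forest (for example by piping `Get-ADDomainController -Filter *` into it) to see whether the mismatch is isolated to the one DC that DCDIAG flags. An `ExpectedPresent` of `$false` together with a non-empty `OtherGuidSpns` is exactly the situation the question describes: the SPN that setspn -L lists carries a GUID that no longer matches the DC's current NTDS Settings object.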