Relationship between ‘SPN Duplication’ and ‘Domain Join’ process

As you might already know, “Service Principal Names” (SPNs) play an important role in the Kerberos authentication process of Active Directory. If you haven’t watched my video on Kerberos, I suggest you have a look at it, because there I explain Kerberos and the use of SPNs in Active Directory. I will also produce a separate video dedicated to SPNs later on, so make sure to follow my YouTube channel for more videos. Anyway, in this article I am going to talk briefly about one of the common causes of authentication failures, and consequently of secure channel failures, which falls into the category of “Duplicated SPN”: the same SPN registered on more than one account, so that the KDC cannot tell which account’s key to use when it issues a service ticket for that service.
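The check a practitioner wants first is whether any SPN is registered on more than one account. The following PowerShell is an added example, not code from the original article: the `Find-DuplicateSpn` function and the sample account objects are constructed for illustration, and the account names and domain are assumptions.

```powershell
# Added example (not from the original article): report servicePrincipalName values
# that are registered on more than one account, the "duplicated SPN" condition that
# breaks Kerberos authentication for that service.
# Find-DuplicateSpn and the sample objects below are constructed for illustration.

function Find-DuplicateSpn {
    param(
        # Objects with DistinguishedName and servicePrincipalName properties, e.g. the
        # output of: Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
        [Parameter(Mandatory)] [object[]] $Accounts
    )

    $owners = @{}   # SPN -> list of DNs that register it
    foreach ($acct in $Accounts) {
        foreach ($spn in @($acct.servicePrincipalName)) {
            if ([string]::IsNullOrWhiteSpace($spn)) { continue }
            $key = $spn.ToLowerInvariant()   # SPNs are compared case-insensitively
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $acct.DistinguishedName
        }
    }

    foreach ($key in $owners.Keys) {
        if ($owners[$key].Count -gt 1) {
            [pscustomobject]@{ SPN = $key; Owners = $owners[$key] }
        }
    }
}

# Constructed sample (assumed names): the MSSQLSvc SPN is on both the computer account
# and a service account, which is exactly the situation that breaks authentication.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=SQL01,OU=Servers,DC=corp,DC=example';   servicePrincipalName = @('MSSQLSvc/sql01.corp.example:1433', 'HOST/sql01.corp.example') }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-sql,OU=Service,DC=corp,DC=example'; servicePrincipalName = @('MSSQLSvc/SQL01.corp.example:1433') }
    [pscustomobject]@{ DistinguishedName = 'CN=WEB01,OU=Servers,DC=corp,DC=example';   servicePrincipalName = @('HTTP/web01.corp.example') }
)

Find-DuplicateSpn -Accounts $sample | Format-List
```

In a real domain, feed the function the output of `Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName`, or simply run `setspn -X`, which performs the same forest-wide duplicate search. Once you know which registration is wrong, `setspn -D <SPN> <account>` removes it from the account that should not hold it.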


Why secure channel can break in Active Directory?

As everybody knows, the secure channel in Active Directory is the key factor for communication between domain controllers and domain members. It’s crucial to understand what a secure channel is before jumping into troubleshooting the issues related to it. In this video I first explain briefly what a secure channel is and how it is created, so if you have always wanted to know how the secure channel is created, don’t miss the video.
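Before troubleshooting, confirm whether the channel is actually broken and, if so, rebuild it. The function below is an added example, not part of the article or the video; it wraps the built-in `Test-ComputerSecureChannel` cmdlet and must run elevated on a domain-joined computer. The DC name and credential in the usage line are assumptions.

```powershell
# Added example (not from the original article or video): check a domain member's
# secure channel to its domain and, if it is broken, reset the machine account
# password so the channel can be re-established.
# Requires an elevated session on a domain-joined computer; names below are assumed.

function Test-AndRepairSecureChannel {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # DC to validate the channel against
        [pscredential] $Credential                           # account allowed to reset the computer account
    )

    # Test-ComputerSecureChannel returns $true when the channel to the domain is healthy.
    $ok = Test-ComputerSecureChannel -Server $DomainController -Verbose
    if ($ok) {
        Write-Host "Secure channel to $DomainController is healthy."
        return $true
    }

    Write-Warning "Secure channel is broken; resetting the machine account password."
    # -Repair re-establishes trust by resetting the computer account password on the DC,
    # which is what a member whose password no longer matches the DC's copy needs.
    if ($Credential) {
        $repaired = Test-ComputerSecureChannel -Server $DomainController -Repair -Credential $Credential
    } else {
        $repaired = Test-ComputerSecureChannel -Server $DomainController -Repair
    }
    if (-not $repaired) {
        Write-Warning "Repair failed; check the DC side with: nltest /sc_query:<domain> and nltest /sc_verify:<domain>"
    }
    return $repaired
}

# Usage (assumed names):
# Test-AndRepairSecureChannel -DomainController 'dc01.corp.example' -Credential (Get-Credential)
```

`nltest /sc_query:<domain>` shows which DC the Netlogon service currently holds the channel with and the last status code, and `nltest /sc_reset:<domain>\<dc>` forces the channel onto a specific DC; both are useful when the failure is tied to one particular domain controller rather than to the member's password.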


What is Secure Channel in Active Directory?

The word channel is easy to explain: a channel is a way of communicating with people or getting something done. Since communication can be a public process, the question pops up of how to secure it, and that’s where the word secure comes into play. The combination of these two words gives a concept that is absolutely crucial in an Active Directory environment: the secure channel. The term “Secure Channel” can be defined as a path that authenticates the requestor and also provides confidentiality and integrity for the data sent across it. In practice it is the Netlogon session a domain member establishes with a domain controller using its machine account password, which is why a password mismatch between the member and the DC breaks it.


Lingering Objects in Active Directory and How To's?

There are some specific situations in Active Directory that may put your environment in trouble if you do not fix them as soon as you notice them. One of them is lingering objects. Defining a lingering object (LO) is not difficult: it is an object in one of your Active Directory partitions that exists on one or more domain controllers but not on the rest of the domain controllers that host the same partition. So you may ask yourself how it is possible to have an object on one DC and not on another. What is replication responsible for, then? Wasn’t it designed to keep a synchronized AD database across your environment? We are going to cover those questions as well. The short answer is that a DC which was disconnected for longer than the tombstone lifetime never received the deletion, so when it comes back online its stale copy is the only one left, and if replication consistency is not strict it can even be re-replicated to the other DCs.
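To find out whether a DC actually holds lingering objects without deleting anything, run `repadmin /removelingeringobjects` in advisory mode against a source DC that is known to be clean. The wrapper below is an added example, not code from the original article; it assumes `repadmin.exe` (RSAT) is available, and the DC names, naming context and GUID in the usage line are illustrative.

```powershell
# Added example (not from the original article): check a destination DC for
# lingering objects in a naming context without deleting anything (advisory mode),
# then optionally remove them. repadmin.exe (RSAT) is assumed; the names and GUID
# in the usage line are illustrative.

function Find-LingeringObjects {
    param(
        [Parameter(Mandatory)] [string] $DestinationDC,   # DC suspected of holding lingering objects
        [Parameter(Mandatory)] [string] $SourceDcGuid,    # DSA object GUID of a DC known to be clean
        [Parameter(Mandatory)] [string] $NamingContext,   # e.g. 'DC=corp,DC=example'
        [switch] $Remove                                  # without this switch, only report (advisory mode)
    )

    $cmdArgs = @('/removelingeringobjects', $DestinationDC, $SourceDcGuid, $NamingContext)
    if (-not $Remove) { $cmdArgs += '/advisory_mode' }

    # repadmin compares the destination DC's copy of the partition with the source DC's
    # and reports each object that exists only on the destination. In advisory mode it
    # logs Directory Service events 1942 (summary) and 1946 (one per object) on the
    # destination DC instead of deleting anything.
    & repadmin.exe @cmdArgs
}

# Usage (illustrative names; read the clean DC's "DSA object GUID" from 'repadmin /showrepl <cleanDC>'):
# Find-LingeringObjects -DestinationDC 'dc02.corp.example' -SourceDcGuid '12345678-90ab-cdef-1234-567890abcdef' -NamingContext 'DC=corp,DC=example'
# Find-LingeringObjects ... -Remove   # same call without advisory mode actually deletes them
```

Two related checks are worth doing at the same time: look for Directory Service event 1388 (a lingering object was replicated in under loose consistency) or 1988 (replication of a lingering object was blocked under strict consistency) on the other DCs, and confirm that `Strict Replication Consistency` under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters` is set to 1 so that a stale DC cannot re-introduce deleted objects into the rest of the forest.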