I've recently been receiving these duplicate SPN messages on one of the DCs. I'm not sure I understand the problem, as these are all valid instances/listening ports, and none of them are running under an Administrator user account.
I see this message, and they toss between ports 63229 and 53985:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/DBServer.domain.local:63229 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/DBServer.domain.local:63229 in Active Directory.
Issuing setspn -X results in:
MSSQLSvc/DBServer.domain.local:INSTANCE1 is registered on these accounts:
CN=Administrator,CN=Users,DC=domain,DC=local
CN=DBServer,OU=SERVERS_OU,DC=domain,DC=local
MSSQLSvc/DBServer.domain.local:53985 is registered on these accounts:
CN=Administrator,CN=Users,DC=domain,DC=local
CN=DBServer,OU=SERVERS_OU,DC=domain,DC=local
MSSQLSvc/DBServer.domain.local:INSTANCE2 is registered on these accounts:
CN=Administrator,CN=Users,DC=domain,DC=local
CN=DBServer,OU=SERVERS_OU,DC=domain,DC=local
MSSQLSvc/DBServer.domain.local:63229 is registered on these accounts:
CN=Administrator,CN=Users,DC=domain,DC=local
CN=DBServer,OU=SERVERS_OU,DC=domain,DC=local
found 4 groups of duplicate SPNs.