“Failed to register service principal name” on Hyper-V host

I recently replaced one of my Hyper-V hosts with Windows Server 2008 R2, and noticed that I was getting the following event logged every two minutes: –

Log Name:      Microsoft-Windows-Hyper-V-VMMS-Admin
Source:        Microsoft-Windows-Hyper-V-VMMS
Date:          20/09/2009 5:52:42 PM
Event ID:      14050
Task Category: None
Level:         Error
Keywords:    �
User:          SYSTEM
Computer:      HyperV01.mydomain.internal
Description:
Failed to register service principal name.

 I was nearly certain that this was due to the fact that I hadn’t removed the computer from the domain before rebuilding it, and therefore it had acquired the old computer account when it was re-joined. This error indicates that there was an error updating the “servicePrincipalName” attribute of the computer account for my Hyper-V server.

I jumped in to my Active Directory to check out the permissions of the computer account first, and the first thing I noticed was that there was an unresolvable SID in my ACL. This wasn’t causing the issue, but it was a good indication that the permissions were probably in need of attention.

To understand how to resolve this issue, it’s important to understand what’s failing. In this case, we can see from the event 14050, that the SYSTEM account on my Hyper-V host tried to update the servicePrincipalAttribute of it’s own computer account within Active Directory, but failed. We believe it’s a permissions issue, so we should check the “SELF” entry in the ACL to see if it has the correct permissions: –

 

…And bingo! The “SELF” entry is missing the “Validated write to service principal name” permissions, so therefore it can’t write the attribute. “SELF” in this case, corresponds to the SYSTEM account of the host that owns the computer account.

So I went ahead and granted this permission to the computer account, and confirmed that the servicePrincipalName attribute updated on next attempt and that the events were no longer being logged.

32 thoughts on ““Failed to register service principal name” on Hyper-V host”

  1. Hi Luke,

    If you can’t see the security tab in your console, you probably need to turn on Advanced Features.

    Just go up to the View menu, and check Advanced Features.

  2. Thanks for the reply,
    I found it after right-clicking the computer after activating Advanced Features.
    Thanks again,
    Luke

  3. Hi Chris,

    I’m assuming you don’t have the Security tab?

    In Active Directory Users and Computers, click on View, then tick Advanced Features.

    This will enable additional tabs in your view, including Security.

  4. Hi,

    thanks for the quick reply. no, i cannot find the system account. I assume I have to open active directory users and computers, check the advanced features on my PDS/AD. But in there i cannot find the system account anywhere.

    where do i find it ?

    1. Chris, you make mention of the SYSTEM account, however when looking at the ACL’s of the objects in AD, what you are looking for is the SELF account rather than the SYSTEM account.

  5. I believe this question has already been answered above, but to re-iterate, you need to ensure that Advanced Features is turned on in Active Directory Users and Computers, which will allow you to see the Security tab of objects.

    You want to look at the Security tab of the HyperV server’s computer account.

  6. i am too stupid to find this. i opened AD users and computers on the DC (hyperv guest) and checked advanced features. the i opened properties of the DC and the Host I can see the validated write on SELF checked for both.

    Is that the correct spot ? could you provide the excat way to get to the point where you need to set the check mark ? eg open ADUC, go to computerx or user accoun y, click properties, click security, et voila.
    something like this… from the comments it seems that this is still unclear for many readers.

    best pete

    1. Hi Peter,

      You are spot on with the actions you performed, so it sounds like you may have a different issue if SELF already has validated write permissions.

  7. I’m struggling with this too, with a Hyper-V just installed on an Server 2008 Standard R2 SP1 system, a member server on a 2003 R2 domain. ADUC shows the above already allowed for SELF. Oddly, I don’t get the errors when restarting HV services, just when rebooting. Four identical 14050’s within 30 seconds of each other.

  8. I not have the Active Directory, but Domain Controller is Samba.
    I have the error: “Failed to register service principal name”, but haven’t SELF because haven’t Active Direcotry.
    Is possible resolve the problem?
    Please!

  9. I am having a similar issue. First I tried to restart VMMS via Technet blog post. That didn’t solve my problem. I then found your article and my particular setting was already selected. Is there any other options I can try?

    My Windows 2008 R2 server is running in a SBS 2003 domain. Thanks in advance!

  10. I’m having this problem too, but also I know there are issues on my DC. I can’t create GPOs either for example. I believe something went amiss when I transfered my FSMO roles back on to that server, then a disk failed on a different server which messed up replication and finally the servers are reporting different schemas even though I updated to try and get everything on 2008r2. There are a lot of things wrong with my servers and I’m hoping this will give other people some more ideas of things to check when they have this problem with HyperV

  11. I have the same problem. I checked with ADUC the computer account of my Hyper-V Server. The check box Validated write to service principal name for the SELF ACL entry was allready checked. Then I uncked I press Apply and then rechecked and press again Apply. I Reboot my Hyper-V Machine and no more 14050 errors appeard in the event log.

  12. OK, what if I am not running Hyper-V under AD. I am using 2008 R2 as my development OS so I can use Hyper-V for development images.

    Any suggestions?

  13. Thank You Spiros that’s it:
    “The check box Validated write to service principal name for the SELF ACL entry was allready checked. Then I uncked I press Apply and then rechecked and press again Apply. I Reboot my Hyper-V Machine and no more 14050 errors appeard in the event log.”

    Good luck

  14. Repeat:

    Thank You Spiros that’s it:
    “The check box Validated write to service principal name for the SELF ACL entry was allready checked. Then I uncked I press Apply and then rechecked and press again Apply. I Reboot my Hyper-V Machine and no more 14050 errors appeard in the event log.”

    Good luck

  15. Thanks for your post.

    I have the same issue.

    Once the “Validated write to service principal name” enable in the AD event is stopping. But after a few moment (when check) above setting is again unchecked in the AD security settings (Events are again appearing) in. Is this normal behavior or is there any other setting to configure this permanently?

  16. My Hyper-V host is a Windows Server 2012 (non R2) and my domain server 2008 R2. Had the same issue and “untick > apply > tick > reboot Hyper-V host” did not work. Guess I have to dig deeper.

  17. Just one thing to say: THANKS!!!!!!!!!!

    (this is the only post with the right solution, i’ve just wasted hours googleing and trying to fix the 14050 issues)

  18. Hi All,

    Great article, try sort this issue with my host for long time, this happen with me when set connection, VPN Site-to-Site, in differed location, after this changes work perfect, even tried Microsoft blogs, and nothing, well done,

    Thanks again, lot!!!

Leave a Reply to Rizwan Ahmad Cancel reply

Your email address will not be published. Required fields are marked *