Blog du Tristank : Windows Server 2008

PL15W2SP.DLL vs Firewall Client

tristank — Wed, 19 Aug 2009 14:37:00 GMT

As I possibly misspelled or misremembered it, the PL15ws2p.dll (possible sic) file was installed as a Winsock Layered Service Provider on a couple of boxes at a customer site.

Coincidentally, these machines were Windows Server 2008 machines where we couldn’t get the Firewall Client to work properly.

We found that there was a third party LSP using:

NETSH WINSOCK SH CA > catalog.txt

And then opening catalog.txt in notepad. The properties of the Pl15ws2p.dll indicated that it was a signed DLL from American Power Corporation or similar (APC or ACP; one of those no-notes half-hours), and that it was used in some sort of management capacity.

But only one of the machines had this APC software installed on it, and the other didn’t… perhaps it got left behind when it was being uninstalled? The search engines didn’t seem to know much about it.

Either way, next step was clear:

NETSH WINSOCK RESET

To return the Windows Sockets provider list to its shiny defaults, and reboot the computer.

After that, the Firewall Client wasn’t working (which we expected).

A Repair from Not-Called-Add-Remove-Programs-Any-More-Now-It’s-Programs-And-Features-Silly fixed that up.

Cool, huh? Remember: when nothing makes sense and the configuration looks good, perhaps LSPs are to blame?

Now if only I could get my stupid Huawei 3G modem working on my Win7 laptop again (“Device attached to the system is not functioning”… thaaanks).

Improve Hyper-V Performance With Standard VGA!

tristank — Wed, 05 Aug 2009 06:36:27 GMT

Yes, kids, if you’re finding that the Hyper-V performance ain’t what it used to be since installing that whizbang graphics card driver on your shiny new seven core hyperthread-and-a-halved megaturboserver thing, you might be suffering from flushes.

Read all about it here:

Video performance may decrease when a Windows Server 2008-based computer has the Hyper-V role enabled and an accelerated display adapter installed
http://support.microsoft.com/default.aspx/kb/961661

KB titles are getting ever more catchy, I think you’ll agree. So many words, and we still couldn’t find space for “is”. Ah well.

So, in short, get back to your standard VGA driver (just uninstalling the whizbang one is typically enough for that) and you’ll be sweet.

ISA Server 2006 on Windows Server 2008: Nup

tristank — Thu, 04 Jun 2009 18:52:46 GMT

Yuri’s blog explains some of the detail. But there’s slightly more subtlety to it, which I’ll try to snake-oil in front of you here:

Can I install ISA 2006 on 32-bit Windows Server 2008 ?

No, it only runs on Windows Server 2003. Okay, so technically, it also runs on Windows 2000, but if you’re installing it like that now, you should check the calendar. Windows 2000 is old, man.

Why not ISA Server 2006 on Windows 2008?

Whenever I asked that, people mumbled about TCP/IP stack changes. Sounds plausible, so I let it slide.

Well can I install ISA 2006 on 64-bit Windows Server 2008 ?

No. Wait – sort of, not really. Do you count virtualization?

What do you mean?

Hyper-V or an SVVP-validated platform. (Details on security. And the inimitable “Jim Harris” apparently pretending to be Jim Harrison. Giggle.)

Er, if I do count virtual machines?

Yes. You run it in a 32-bit Windows Server 2003 guest.

Isn’t that cheating?!

No. Well, maybe. Sorry, did you have a point there?

What about Windows Server 2003, x64 Edition?

Installing ISA on it? No. It’s 32-bit only and uses kernel-mode software; you can’t mix and match 32-bit with 64-bit k-mode drivers. Hint: I just helped you study for 070-351.

What about Service Pack 2?

X64 Edition?

Yes!

No.

You’re not being helpful.

Oh really? Your eyes are the wrong shape.

The next version of ISA Server, called Forefront Threat Management Gateway (TMG, or, I guess, Timmy to his friends (yep, I’m betting the G ends up semi-silent)), is available in its initial release in the Windows 2008 Essential Business Server thingo, which is 64-bit only.

The next standalone (i.e. non-EBS-integrated) release is currently available in Beta form, and runs exclusively on Windows Server 2008, x64 edition.

That was more helpful.

You still look funny.

Hey, why don’t your links open in new windows?

Because I think it’s nice for the reader to be able to choose whether an informational link should appear in the current frame or a new tab (or a new window).

Sometimes (probably quite often on this blog), you’ll be done with the content at the current page you’re reading, and just want to replace it with something else. Forcing a new window isn’t polite in the age of tabbed browsing.

Let the user choose.

I agree, that’s so wise. You’re like, amazing.

I know.

Old MPSReports

tristank — Tue, 12 May 2009 05:14:21 GMT

There’s a new MPS Reports version in town, with new features : new 64-bit friendliness, various forms of wizard-driven hotness for all the products the individual old tools used to support, etc, etc.

Call me old school if you want, but I typically prefer the convenience of “run this and send me the CAB file”, rather than “grab this, install the prerequisites, and choose the following options in the wizard, then send me the CAB file”. For newer OSs, that’s a non-issue as the pre-reqs (.Net 2.0 and Powershell) are built in; for older OSes, not so much.

A colleague sent me a set of direct download links to the old set, so I’m going to publish them here.

MPSRPT_Alliance.exe	MPSRPT_Alliance_Readme.txt
MPSRPT_Cluster.exe	MPSRPT_Cluster_Readme.txt
MPSRPT_DirSvc.exe	MPSRPT_DirSvc_Readme.txt
MPSRPT_Network.exe	MPSRPT_Network_Readme.txt
MPSRPT_SETUPPerf.exe	MPSRPT_SetupPerf_Readme.txt
MPSRPT_SUS.exe	MPSRPT_SUS_Readme.txt

For whatever reason, the download pages to these editions were removed when the new version was published; personally, I’d have suggested that the new was added alongside the old – the old, for all their limitations, are well-understood and widely used.

But the files are still there, at least for the time being.

Update: Looks like the PFE edition is still available in a not-through-the-back-door way (thanks, PFE, you rock! Hey, *I* work for that organization! Yay!), and it’s the core old-school goodness you’ve come to know and love from MPS Reporting.

http://www.microsoft.com/downloads/details.aspx?familyid=00AD0EAC-720F-4441-9EF6-EA9F657B5C2F&displaylang=en

IAG – now available for Hyper-V

tristank — Thu, 29 Jan 2009 12:47:03 GMT

Of all the things I could be doing right now, blogging is the one that won. Feel special? Procrastination, but with a helpful bent.

IAG SP2 is now a VHD for Hyper-V

Your mission, Jim, is to make that into a song.

The most interesting “wow” moment I had today was reading that IAG (Intelligent Application Gateway - that’s that Whale SSL thingo) is now available without accompanying hardware.

Previously (as I understand it) IAG 2007 was only available on a hardware appliance of sorts.

Now, at least as far as the Technet Deity is concerned, IAG 2007 SP2 is licensable as a Hyper-V Virtual Machine, if you don’t want to go for the hardware.

The VHD includes IAG 2007 SP2 (I’m downloading the trial now, to get up to Mischief) and ISA Server 2006 (for the firewalling capabilities), running on Windows Server 2003.

I’m something of a noob to IAG, so, um, if you want to ask something, go hit them up instead.

But yay, can’t wait to try it out.

Home Hyper-V Networking Gotchas

tristank — Tue, 13 Jan 2009 15:12:56 GMT

Before the holidays, I bought myself an early present: a new quad-core box with 4GB RAM, which I was going to use for a home Hyper-V lab, so that I could run a bunch of 64-bit VMs as well as the 32-bit staples I’ve been using for years (SBS 2003, and a separate ISA Server box).

I’d had Windows Server 2008 installed on my Virtual Server host for a while, and use it with Routing and Remote Access (RRAS)’ NAT to provide a simple internet gateway for a segment of my internal network.

Lesson #1: Core Quad Q8200s don’t support VT (that’s Hyper-V, kids)

There was a 1300Mhz FSB Q8200 available for the same price as a Q6600, and I figured that I couldn’t go wrong with that. Surely, I thought, all Intel CPUs since the Core2 Duos support Hyper-V?

Well, no, said Intel, and thanks for your money (stupidty tax, I seem to pay a lot of it). The one Quad core chip that doesn’t support Hyper-V is the one I bought. Q8200 is being phased out (I read somewhere), so this mistake should be easily avoidable in the future. Or now, by how-you-say smarter people.

Lesson #2: When you Hyper-V-ify a Parent Partition, It’s Sort Of A Client Too (aka “You may need to set stuff like RRAS up again with the new virtualized network adapters”)

What I mean by this is that when I got the Right CPU and installed Hyper-V, I was without Internets.

To cut a long and boring troubleshooting story short: the physical network adapters I’d configured in RRAS were no longer the Right Network Adapters.

I set up new virtual networks for each physical adapter (one Internet, one Local), and then had to set up RRAS again, because it didn’t think there were any new interfaces to set up – it was quite happy only seeing the old ones, thank you very much.

After checking both virtual adapters were visible in the Network Connections interface, and that they had the right IPs assigned, I rechecked my Windows Firewall settings and ran a port probe to confirm only ports I knew I wanted open were open (RRAS Basic Firewall doesn’t exist any more in 2008, so be careful with dual-homing where the Internet is attached to one of your adapters).

The disconnect here was that I was assuming the parent partition would see the physical hardware – it does, it just doesn’t use it directly any more, it looks like it uses the virtualized setup instead, at least to some extent.

Lesson #3: Hyper-V and DHCP didn’t like each other when the physical host became the parent partition

My RRAS server had (to this point) been my DHCP server for the internal network. This was all fine, and seemed to be working okay (or had my lease durations just not expired yet?), except for the new virtual hosts I created today.

There’s some lore floating around on the forums that worked for me – the bit that worked was manually adding a REG_MULTI_SZ called IPAddress to the likeliest-looking adapter interface in the registry, because Hyper-V setup for whatever reason doesn’t do that.

The DHCP server wouldn’t bind to the physical adapters (or even show them in the Bindings interface), presumably because IPv4 and IPv6 was unbound from them (interesting, hey?) and also wouldn’t show me either of the virtual adapters, which I guess is due to the lack of a static IP address on either of them.

Now, though, my setup’s working nicely, everything more or less as it was before, only virtualized. And thus, you know, more sexy.

.HDMP and .MDMP files

tristank — Tue, 23 Sep 2008 11:12:27 GMT

Just a quickie – the rule is blog what you know, but I figure my speculation might be good enough here.

A friend gave me an HDMP file and asked what I could make of it. After the usual “I could make a hat! Or a brooch! Or a dinosaur!” type stuff, I realized it wouldn’t open anyway.

In my experience, most .HDMPs come with matching .MDMP files. I think of these as Minidumps (in the “real” mini sense – just information about threads and thread stacks), and Heap dumps (everything else the process knew or cared about in User mode).

This HDMP wasn’t openable in the debugger directly, but if its corresponding MDMP was present in the same folder at the same time, I reckon it woulda.

The feared WER-wolf produces these files in pairs (that’s Windows Error Reporting, kids, don’t be too scared, except that it invalidates everything we used to know about AEDebug registry keys and similar, but that’s another story for another time), and that’s how I’ve analyzed them in the past. I remember hearing of some sort of merge operation that needed to happen between M and H dumps, but I’m reasonably certain I haven’t bothered with that (I assume I’m lazy by default), so I think the debugger just does it for ya.

Now I’ve written that, I’m going to go look for references to support my assertions!

949180 How to create a user-mode process dump file in Windows Server 2008
http://support.microsoft.com/default.aspx?scid=kb;EN-US;949180

(At the bottom – mini and heap dumps - yay me!). Think that’s enough for today. Hugs!

That Memory Leak Revisited

tristank — Wed, 25 Jun 2008 08:59:22 GMT

While searching for memory leaking troubleshooting techniques that could be applied to 64-bit Windows (for the DHCP Server memory leak I found I had the other day), I stumbled across the answer to my problem in an internal tool (weird that I missed it from a web search the first time, but c'est la vie).

A Windows Server 2008-based DHCP server that is configured in a workgroup environment may consume too much memory

http://support.microsoft.com/default.aspx/kb/949530

And that's my problem! One REG command (and one restart of the DHCPServer service) later, I'm waiting to see how it went, but it all looks promising, based on that article. Neat-o.

Windows Server 2008 Diagnostics Off The Cuff

tristank — Fri, 20 Jun 2008 14:15:47 GMT

A word of caution to those of you that like endings: this isn't over yet.

I'm running a rather sad and noisy X64 desktop as a server at home. Once a proud warrior, actually, no, wait, it was never any good. It's just a Virtual Server host (it's not quite Hyper-V capable; next one will be). SBS 2003, an IIS and an ISA Server all exist(ed) happily in there at one point. (Did I mention I virtualized my work desktop machine the other day? So liberating!)

I blatted Windows Server 2008 onto it at RTM, and it's been happily puttering along doing the RRAS internet access and Virtual Server thing for me ever since.

Until Recently

But I've had to reset it from unresponsive-no-mouse-no-capslock situations on about four occasions over the last two weeks, and as the problem wasn't getting any better, so I figured I'd take a look at what I could do to try to diagnose it.

My guess was that I had a kernel-mode memory leak (a user mode memory leak shouldn't ever trash the box to that extent), but it didn't seem to correspond with any driver upgrades or software installations... something else had changed, sometime.

Perfmon (the new, shiny version) or more specifically the Reliability Monitor confirmed my suspicions:

(happy, everything-used-to-be-so-nice side on the left, then the gradual decline due to Disruptive Shutdowns towards the right). Note the quite-regular interval of red things on the bottom row. (Does it happen more when I'm at home, he wondered?)

Preparation:

As I had a theory in mind, I thought I'd create a Perfmon BLG (log file with lots of counters in it; lots of people seem to like CSV, but BLG is faster, and I'm never going to be opening it in Excel anyway).

How to do that? Things have changed: now, I create a "Data Collector Set", it seems. Oh yeah, reading manuals and/or following basic instruction: not my thing.

I created a new one based on the System Performance collector set, which matches my needs nicely because it contains all the Process counters and Memory counters. Between that lot, I should easily be able to spot a memory leak.

Started the collector set, and made a mental note to check in tonight.

Tonight:

After a little fiddling, I worked out that the animated "Data Collection In Progress" screen wasn't generating a report, and that I'd have to stop the data collector set to view it. Right on!

So, one stopped data collector set later, the Reports view is what I'm interested in.

Remember your training - you're interested in patterns that have slopes or steps. One counter leapt out at me, which I moused over and found was....

Process (_Total) Pool Nonpaged Bytes

So, yep, there's a memory leak, and it's in one or more of the objects tracked by Process counters. So let's add the Pool NonPaged Bytes counters for <All Instances> (so I can see all the processes).

So Add all them, and there's a counter that matches the slope, but at a different scale. Click it in the display to select it, and it's SVCHOST#10. Hide all the other counters I've just added (multi select, right click, hide all), and then right-click it and choose Scale Selected Counter.

Whop! Matches the curve almost exactly.

So, now I know it's a service host, but I don't know which one (they all look alike to me). I assume it's probably still running, too. How do I find that out now?

Easy: Add the "ID Process" counter for svchost#10 (#9 pictured, artistic license)

And then click the counter in the list to see the value it has (the plotted line is flat across the graph, meaning it didn't change at any point). I get PID 1348.

TASKLIST /SVC tells me everything I need to know (well, not everything obviously, but enough to take corrective action).

Yep - it's the DHCP Server instance of SVCHost that's apparently leaking NPP, a kernel resource.

Why!? And why now!?

The graph tells me the times at which this happened, but the Event Logs are very, very quiet around then. So I'll need to use tracing or logging or some other technique to actually track down the cause of the problem.

I right-clicked the SVCHOST instance with PID 1348 and chose Create Dump File (awesome feature, mentioned that before), for archival/root cause purposes - it may well not be possible to see the cause of the leak after the fact from a hangdump, but it's worth grabbing just in case - and then restarted the DHCP Server Service.

Taskman memory use dropped by about 100MB straight away. This is not a busy network, and NPP isn't typically used as cache by user mode programs (he giggled (in a manly way)). Something weird is going on there.

I restarted my performance logging, and I'll check in again tomorrow to see if there's any further indication of a memory leak (I haven't done anything to fix it, so I assume there will be). Now, time to look for logging and diagnostic options...

A word on Perfmon in Windows Vista and 2008: USE IT!

If you're doing any level of performance analysis of Perfmon logs, you need to try out the new, improved Perfmon in Vista. It runs rings around the old one. It's fantastic (at least by comparison). It's worth the cost of the upgrade alone. Seriously, if you do any sort of work with perfmon logs, try doing it on a Vista box and see whether your life is 1000% easier! I'm not saying it's perfect, but by comparison with the last version in XP/2003...

The Cat's Out Of The Bag: ISA Server will become ForeFront TMG

tristank — Wed, 09 Apr 2008 09:21:00 GMT

So, we all know that ISA 2006 doesn't work on Windows Server 2008. Massive architectural changes to the IP stack, blah blah, etc, etc.

People (uh, yeah, just "people") have been asking about what's to become of ISA Server for a while:

"There's no ISA 2008 announced!" they'd scream.

"This surely means the end of one of the best product lines Microsoft has produced!" might have also been heard (in a somewhat muffled way).

"Won't Tristan be out of a job?" one person wailed, unconvincingly.

Well, that's right - the plan at this point is that there is no ISA Server 2008.

(pause for effect, teeth-gnashing, gasping, horror to subside)

As of the next version, Internet Security and Acceleration Server is ForeFront Threat Management Gateway!

(Now you're going to tell me that ISA was a perfectly good name and not at all unwieldy...)

See our well-formed Press Release for details!

Microsoft also today announced the name of its next-generation network edge security product, Forefront Threat Management Gateway. Forefront Threat Management Gateway is the future version of Microsoft ISA Server and will extend the capabilities of ISA Server 2006 with new features and security technologies, designed to help provide multiple-threat protection, simplified management and secure connectivity, and will be built on Windows Server 2008. More details about Forefront Threat Management Gateway will be available later this year.

Excellent! So, key takeaway: we are working on a successor. The product isn't going away!

There's an early beta available from here, though it's downloading at a slow trickle for me right now (got excitement?).

So, go forth and, you know, Manage Threats! In the future!

IIS7 Modules Aplenty - WebDAV, Bitrate Throttling

tristank — Sat, 15 Mar 2008 14:51:00 GMT

New modules, supported by Microsoft, are now officially RTMd (RTWd?) and available for use with IIS 7.0.

WebDAV

Yay new WebDAV! Yay being able to enable it on specific parts of a site! Yay better!

Robert: http://blogs.msdn.com/robert_mcmurray/archive/2008/03/12/webdav-extension-for-windows-server-2008-rtm-is-released.aspx

Downloads:

• Microsoft WebDAV Extension for IIS 7.0 (x86) http://www.iis.net/go/1621/
• Microsoft WebDAV Extension for IIS 7.0 (x64)http://www.iis.net/go/1618/

Media Bitrate Throttling

Yay something about bandwidth for media files!

Vishal: http://blogs.iis.net/vsood/archive/2008/03/15/bit-rate-throttling-is-now-released.aspx

Downloadies:

· 32 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1640

· 64 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1641

Intro:

The Internet Information Services 7.0 (IIS 7.0) Media Pack – Bit Rate Throttling module provides the ability to throttle progressive downloads of media files (in which audio/video playback starts as soon as sufficient data has been buffered on the client) based on the content bit rate. For sites that deliver audio and video files that may not be watched in their entirety, this module could significantly reduce your media-related bandwidth costs. A secondary feature of the Bit Rate Throttling Module is that it can also be used to throttle non-media ("Data") file types at specified bit rates.

Don't Forget The New FTP Server While You're At It

I already mentioned this, but I'll list it here as a one-stop convenience (aww, aren't I nice?)

Replaces FTP6 (that shipped in the box) with FTP7: FTP with SSL, virtual hostname support, extensibility, right-click-and-add-FTP-to-a-website publishing integration... loads of cool stuff.

Microsoft FTP Publishing Service for IIS 7.0 (x86)

Microsoft FTP Publishing Service for IIS 7.0 (x64)

What's in IIS 7.0 for me?

tristank — Fri, 29 Feb 2008 06:16:00 GMT

While having a seemingly-innocuous chat with a colleague, I was asked to "throw together a few points" on what IIS 7.0 would do for a web application I've worked with in the past. Serves me right for talking to people, really.

In this application's case, authoring, publishing and content creation weren't as important as eventual scale-out and actual application performance (otherwise the just-released FTP7 would have been top of the list).

Here's what I came up with, off the cuff:

Reduced attack surface/patching requirements: IIS7 is now modular, and only the parts of the server actually needed by the application are required to be installed. This can also enable performance increases due to reduced memory footprint.
Vastly (imho) improved compression capabilities and compression performance (with automatic compression back-off when CPU use is high! How cool is that!?)
Simplified web farm management - if the application is able to work reliably in a web farm scenario, the IIS configuration store can be centralized and shared across all machines in the farm. (also see MSDeploy)
XCOPYable configuration - easily ensure settings are consistent between dev, qa and prod environments.
Failed Request Tracing (aka FREB) - if failures occur, request traces can be captured that include detailed diagnostic information.
Windows Server 2008 security, performance and scalability improvements - the most secure Windows yet (I expect); support for the latest hardware and 64-bit computing; and optimized TCP/IP performance.
SSL performance greatly increased - Kernel-mode SSL (not the best link for admin types) reduces context switching and ring transitions, and improves performance
Better UI! After a short time working out how the new model worked, I'm sold.

Windows Server 2008 Desktop Edition

tristank — Fri, 29 Feb 2008 05:44:00 GMT

WS08 Workstation, Anyone?

Apart from those pesky Live applications that won't install (why would anyone ever blog from a Server OS, as I'm doing now? Beats me...), I've had a relatively good run with Windows Server 2008 (x64, naturally) as my desktop OS.

Key drawbacks:

As mentioned, no official support of the Live suite (thanks!)

My Catalina handset is the only audio device I currently have a driver for, and Muse sounds odd through the speakerphone.

No Hyper-V, cos I'm only on a P4-class machine without VT/Pacifica/hardware support.

Now, onto less desktop-py things - managed debugging on the shiny new platform, with WinDBG:

Managed Debugging of dumps from, oh, say, a Sharepoint 2007 server on 32-bit

As a you'll-notice-this-when-it-hits-you mention, the version of MSCORDACWKS that ships with WS2008 looks like it's 2.0.50727.1434 (unless that came from somewhere else) instead of 1433 (2.0SP1, if I recall correctly (and I often do)) - meaning that debugging a managed dump won't work straight out:

PDB symbol for mscorwks.dll not loaded
Failed to load data access DLL, 0x80004005
Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
            2) the file mscordacwks.dll that matches your version of mscorwks.dll is
                in the version directory
            3) or, if you are debugging a dump file, verify that the file
                mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
            4) you are debugging on the same architecture as the dump file.
                For example, an IA64 dump file must be debugged on an IA64
                machine.

You can also run the debugger command .cordll to control the debugger's
load of mscordacwks.dll. .cordll -ve -u -l will do a verbose reload.
If that succeeds, the SOS command should work on retry.

If you are debugging a minidump, you need to make sure that your executable
path is pointing to mscorwks.dll as well.

After a little fiddling with .cordll, I worked out the easiest method (read: the first method I hit upon that worked) to get past it.

In less debugger-y speak:

grab a copy of the 2.0 SP1 version of MSCORDACWKS.DLL from the Windows\Microsoft.Net\Framework\2.0.50727 folder on a machine with the right version (I fished one out of my Vista installation on the same machine),
paste and rename it into the same folder as WinDBG, as mscordacwks_x86_x86_2.0.50727.1433.dll (rinse and repeat with amd64 for the 64 bit version, from Framework64).

Then .cordll -ve -u -l should work, and so should your SOS commands.

SetSPN improvements in Windows Server 2008! W00t!

tristank — Fri, 21 Dec 2007 10:21:00 GMT

All this stuff is based on a prerelease (RC1) version of Windows Server 2008 and may change before final release. Cheques may not be honoured.

I had a happy moment one night in India when the trainer for our IIS 7.0 TTT course discussed some of the Kerberos-related improvements in IIS7.

... SetSPN got revamped.

We all know (or knew, before my wiki collapsed) that duplicate Kerberos SPNs are bad. (The Wiki is still down, by the way, sorry).

We know that it's been a little bit iffy configuring said SPNs and that the chance of getting it wrong was quite high - there was no control that prevented the registration of the same SPN twice, against different accounts.

Worse: SetSPN was focused on the account (security principal) only - if you thought you had a duplicate, you needed to use a customized LDIFDE command to track it down based on the SPN, as SetSPN wouldn't search by SPN, only by account.

Buuut: Some wonderful SDE that should really be on my Christmas card list decided that SetSPN could become an all-singing all-dancing SPN troubleshooting tool!

Yes folks, SetSPN now has SANITY CHECK (-S) switches and FIND THE PROBLEM (-X) switches! HOW COOL IS THAT!?

In order to not break backwards compatibility (I infer; I didn't actually participate in the conversation or decision making process), these are implemented as new switches, not old ones: Existing scripts that rely on creating duplicates (and then presumably resolving that situation shortly afterwards) won't (er, shouldn't) suddenly break.

C:\Users\Administrator>setspn
Usage: setspn [modifiers switches data] computername
Where 'computername' can be the name or domain\name

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN
Usage:   setspn -D SPN computername
-L = list registered SPNs
Usage:   setspn [-L] computername
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X

Examples:
setspn -R daserver1
It will register SPN 'HOST/daserver1' and 'HOST/{DNS of daserver1}'
setspn -A http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1'
setspn -D http/daserver daserver1
It will delete SPN 'http/daserver' for computer 'daserver1'
setspn -F -S http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1' if no such SPN exists in the forest

So, any instructions out there that currently use the positively archaic SETSPN -A can now be updated to use the shiny new SETSPN -S.

Again, I ask you: How cool is that!?

I should add that I haven't actually tried this yet, just gurgled at the wonderful new options and imagined their effect. If it throws a "NotYetImplementedException", please forgive my enthusiasm :)