CPPM unable to join the domain which is on Microsoft AD 2012. However, CPPM was able to join the old domain on AD 2008, with the same access level permissions.
We can see the below error while joining the domain:
"Adding host to AD domain...
INFO - Fetched REALM 'BCU.BCH.INTRA' from domain FQDN
INFO - Fetched the NETBIOS name 'BCU'
INFO - Creating domain directories for 'BCU'
Enter BCU_clpass's password:
Failed to join domain: failed to set machine spn: Constraint violation
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'BCU'
ERROR - x120d173 failed to join the domain BCU.BCH.INTRA with domain
controller as s1202040.bcu.bch.intra
Join domain failed"
Worked with Microsoft team and found that Microsoft AD 2012 has a new feature, which checks the uniqueness of SPN's as described in the link below:
Hotfix available for the same in the above link.
SPN uniqueness introduced in 2012R2 with the above link prevents the join operation if another device was previously joined anywhere in the forest. Which was not the case in 2008 AD. Therefore domain join was working on that AD.
Found that there was a duplicate entry with the following SPNs: HOST/x120d173 and Host/ x120d173.domain.local when joining a new device to a different domain in the same forest will lead to a duplicate SPN scenario, where multiple machines in the same forest use the same SPN (Host/ x120d173).
we could see the below on the AD:
Duplicate SPNs found via setspn -x -f:
This can lead to Kerberos authentication problems, if the domain join requested is for host/x120d173.
Workaround on 2012 AD: We could temporarily allow duplicate SPNs via the dsheuristics attribute, Join the CPPM to the domain and then re-introduce the SPN Uniqueness check by setting the attribute as “Not Set”.
Short term fix: If the Host/120d173 SPN is manually removed from all devices and then again after each new device is joined, the customer should no longer land in the scenario described in Microsoft KB https://support.microsoft.com/en-us/kb/3070083 for SPN uniqueness check.
Long Term fix: Being able to join the devices to the domain with different computer names should also resolve this problem.