Domain Controllers Warning Event ID: 10154
Log Name: System
Source: Microsoft-Windows-WinRM
Date: 1/1/2010 1:22:43 PM
Event ID: 10154
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: dcname.domain.tld
Description:
The WinRM service failed to create the following SPNs: WSMAN/dcname.domain.tld; WSMAN/dcname.
Additional Data
The error received was 8344: %%8344.
User Action
The SPNs can be created by an administrator using setspn.exe utility.
I was getting this error at startup on new 2008 R2 Domain Controllers. Apparently WinRM attempts to create 2 SPNs (WSMAN/dcname.domain.tld and WSMAN/servername) after the startup process.
Since WinRM runs under the “Network Service” account, I was able to fix this warning by granting the “Validated Write to Service Principal Name” permission to NETWORK SERVICE using ADSIEDIT.msc. This will allow WinRM to auto-create the necessary SPNs on that domain controller. After granting this permission, re-sync all DCs and reboot each domain controller where you made the change. A couple of minutes after that reboot you’ll see that the warning is gone and the required SPNs were created successfully.
Note: I didn’t have the WinRM IIS Extension installed, but I still saw the warning message. If you plan to use WinRM IIS Extension, you need to use “Add features” from Server Manager, reboot the system and run WinRM from cmd to configure it (e.g. WinRM qc).
To learn more about SPNs, click here and here.
To learn more about WinRM, click here and here.
To learn more about Network Service account click here and here.
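To verify the result of the change described above, the following audit script is an added example, not part of the original post. It checks whether the two WSMAN SPNs from the event are registered and reports which rights NETWORK SERVICE holds on the DC's computer object. It assumes the ActiveDirectory PowerShell module is available and uses `dcname` as a placeholder for the affected domain controller.

```powershell
# Added audit example (not from the original post). Run where the ActiveDirectory
# module is installed, as a user who can read the DC's computer object.
Import-Module ActiveDirectory

$dcName  = 'dcname'    # placeholder from the event text; use the affected DC's name
# schemaIDGUID of servicePrincipalName, also the rightsGuid of Validated-SPN
$spnGuid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$netSvc  = 'S-1-5-20'  # well-known SID of NT AUTHORITY\NETWORK SERVICE
$adr     = [System.DirectoryServices.ActiveDirectoryRights]

$dc = Get-ADComputer -Identity $dcName -Properties servicePrincipalName

# 1. Are the two SPNs named in event 10154 registered on the computer object?
foreach ($spn in "WSMAN/$($dc.DNSHostName)", "WSMAN/$($dc.Name)") {
    New-Object PSObject -Property @{
        SPN        = $spn
        Registered = ($dc.servicePrincipalName -contains $spn)
    }
}

# 2. What exactly is NETWORK SERVICE allowed to do on that object?
#    Rules are requested as SIDs so the check does not depend on localized names.
$acl   = Get-Acl -Path "AD:\$($dc.DistinguishedName)"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($r in $rules) {
    if ($r.IdentityReference.Value -ne $netSvc) { continue }
    if ($r.AccessControlType -ne 'Allow')       { continue }

    $onSpn  = ($r.ObjectType -eq $spnGuid)       # ACE scoped to servicePrincipalName
    $onAll  = ($r.ObjectType -eq [Guid]::Empty)  # ACE not scoped to one attribute
    $rights = $r.ActiveDirectoryRights

    # Check the broader right first: WriteProperty skips the SPN validation
    # that a validated write (the Self right) enforces.
    $finding = if (($rights -band $adr::WriteProperty) -and ($onSpn -or $onAll)) {
        'Unvalidated write to servicePrincipalName (broader than the post describes)'
    } elseif (($rights -band $adr::Self) -and ($onSpn -or $onAll)) {
        'Validated write to SPN (the grant described in the post)'
    } else {
        'Other right; review manually'
    }

    New-Object PSObject -Property @{
        Rights = $rights; Inherited = $r.IsInherited; Finding = $finding
    }
}
```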


How did you grant the permission to NETWORK SERVICE in adsiedit.msc? What object did you select the security tab so you could set permissions for NETWORK SERVICE? Thanks.
You wrote:
“I was able to fix this warning by granting the “Validated Write to Service Principal Name” permission to the NETWORK SERVICE using the ADSIEDIT.msc.”
wysiwyg
March 8, 2010 at 4:02 AM
Hi,
Use ADSIEDIT.msc, choose Default naming context and scroll down to the Domain Controllers OU, right-click the Domain Controller object that is showing the warnings and select properties, select security tab and click the advanced button, in the advanced security settings menu, click add, type Network Service and hit ok. After that you’ll see the menu that is shown in this blog entry.
IT Core
March 8, 2010 at 11:04 PM
Thanks for the update!
wysiwyg
March 9, 2010 at 2:48 AM
Worked for me! Thanks for publishing this tip.
PizzaGeek
April 23, 2010 at 6:52 PM
I’d rather know the reason why it’s occurring and if the network service is supposed to have these rights by default. Otherwise it feels like changing it would be the wrong thing to do.
andy
December 24, 2010 at 12:42 AM
Thanks! It was very useful.
Matyas
April 27, 2010 at 10:50 AM
Got this after I rebooted the primary 2003 DC on my forest. I have never seen this before and all google hits on this lead to fairly new reports, so I reckon it is caused by some update.
Sepp
April 28, 2010 at 4:31 PM
I have followed this and it has got rid of the error message. Great.
Following the instructions I get the feeling I have just created a system account of some sort with ADSIEdit. In Fact I can now see there are two NETWORK SERVICE accounts, one inherited from my domain and the new one I have created.
Should I be concerned that I have created an account that Windows should or may try to in the future and fail causing some future instability?
Jo
Jo Cox
May 5, 2010 at 1:28 PM
You don’t need to create any new account, you must use the NetworkService account which is a predefined local account used by the service control manager.
IT Core
May 5, 2010 at 2:15 PM
Follow the above still cannot. After add the Write Permission the warning go away.
http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/ff42d97f-8c52-4ddc-93a2-6ae79498e3d5
Is it OK to add NETWORK SERVICE Write Permission to the Domain Controller Object ???
Justohelp
June 23, 2010 at 4:02 PM