Wednesday, December 11, 2013

User Cannot Logon - SPN Error

"The security database on the server does not have a computer account for this workstation trust relationship."

In my case, this turned out to be a duplicate computer name in Active Directory. I believe this occurred when I joined a machine to the domain & the computer account was created on a DC at another site (in the default Computers OU). I could not find the computer in ADUC (most likely querying our site's DC), so I unjoined the workstation from the domain, manually created the computer in ADUC in the appropriate OU (we don't keep computers in the default Computers OU), and rejoined the workstation to the domain. Once the DCs replicated, there were now duplicate computer names in different OUs.

I ran the following command on our DC:

    ldifde -f C:\SPNs\SPNs.txt -t 3268 -d dc=domain,dc=com -l serviceprincipalname -r (serviceprincipalname=*) -p subtree

Notes: The above command failed when I tried to write the log file to the root of the C: drive (C:\SPNs.txt), probably due to Server 2008 restrictions on writing files to the root of C: (like Win7). It also failed when I added the SPNs folder name (C:\SPNs\SPNs.txt) without first creating the SPNs folder. If the domain name is acme.int, the command line would be edited to: dc=acme,dc=int

Once I got the command line sorted, the resulting file showed the duplicate computer account right at the top of the output file, including the OU it was in (in this case, the default Computers OU). If it isn't that obvious, search the output file for the word duplicate & then search for the name of the duplicate machine to find the second instance of it.
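Added example, not part of the original post: a small Python script that reads the servicePrincipalName export written by the ldifde command above and lists every SPN registered on more than one object, which is exactly the condition that produces the trust-relationship error. The LDIF text embedded in it is constructed sample data (domain acme.int, computer WS01 present twice); the parsing only assumes standard LDIF layout (dn/attribute lines, leading-space line folding, "::" for base64 values).

```python
import base64
from collections import defaultdict

# Constructed sample of an ldifde SPN export (not real data): WS01 exists in
# both the default Computers container and an OU, carrying the same HOST SPNs.
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=acme,DC=int
servicePrincipalName: HOST/WS01
servicePrincipalName: HOST/WS01.acme.int

dn: CN=WS01,OU=Workstations,DC=acme,DC=int
servicePrincipalName: HOST/ws01
servicePrincipalName: HOST/WS01.acme.int
servicePrincipalName: RestrictedKrbHost/WS01

dn: CN=FS01,OU=Servers,DC=acme,DC=int
servicePrincipalName: HOST/FS01
servicePrincipalName:: SE9TVC9GUzAxLmFjbWUuaW50
"""

def parse_ldif(text):
    """Return a list of (dn, [spn, ...]) records from ldifde output."""
    records, current, lines = [], None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folding: continuation of previous line
        else:
            lines.append(raw)
    for line in lines + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        # "attr:: <base64>" carries a base64-encoded value; otherwise plain text
        value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
        if attr.lower() == "dn":
            current = (value, [])
        elif attr.lower() == "serviceprincipalname" and current:
            current[1].append(value)
    return records

def find_duplicate_spns(text):
    """Map each SPN (compared case-insensitively) to the DNs carrying it; keep only duplicates."""
    owners = defaultdict(set)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", dns)
```

To run it against a real export, replace SAMPLE_LDIF with the contents of the file ldifde wrote (C:\SPNs\SPNs.txt above).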