Lost security settings in ADSIEdit
Hi,
Have you tried the suggestions? If there is any update about this issue, please let us know.
Have a nice day!
September 13th, 2011 5:47am
Hi there,
I tried to change some settings for an account (SQL Server Service Account) in a Server 2003 domain with ADSIEdit. I was able to change these settings (1. allow write servicePrincipalName; 2. allow read servicePrincipalName) and both were transferred to the other domain controllers. The SQL Server Service Account was then able to register itself with an SPN (as expected...).
But when I looked again at the domain controllers, my settings were gone and the service account wasn't able to register itself again (after a restart, for example).
Now my question would be: Is this intended? Or is there another way to tell the domain that an account has the right to register an SPN itself (and keep the rights)?
Best regards
Jens
PS: I did it as mentioned in this link:
http://blogs.technet.com/b/mdegre/archive/2009/11/20/the-sql-network-interface-library-was-unable-to-register-spn.aspx
Method 1: The method recommended by Microsoft Support. In Active Directory, you can give the rights below to the service account of SQL Server:
- Read servicePrincipalName
- Write servicePrincipalName
September 19th, 2011 10:27am
Hi Jens,
The problem may be caused by AdminSDHolder. Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification.
Please check if this account belongs to protected groups. For more information, please refer to:
AdminSDHolder, Protected Groups and SDPROP
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
Hope this helps.
Regards,
Bruce
Forum Support
September 20th, 2011 3:15am
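
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: a read-only PowerShell query over plain LDAP that reports whether the account carries the AdminSDHolder markers and which protected groups it belongs to. The account name `svc-sql` is a placeholder, and treating every group with `adminCount=1` as protected is an assumption of this example.

```powershell
# Read-only diagnostic: is this account covered by AdminSDHolder/SDPROP?
# 'svc-sql' is a placeholder sAMAccountName; replace it with the real service account.
$sam = 'svc-sql'

# Locate the account in the current domain (plain LDAP, no ActiveDirectory module needed).
$userSearch = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
$userSearch.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'adminCount'))
$hit = $userSearch.FindOne()
if (-not $hit) { throw "Account '$sam' not found in the current domain." }
$dn = [string]$hit.Properties['distinguishedname'][0]

# adminCount = 1 means SDPROP has stamped this object at some point.
$adminCount = if ($hit.Properties.Contains('admincount')) { $hit.Properties['admincount'][0] } else { $null }

# SDPROP replaces the object's ACL with AdminSDHolder's and disables inheritance,
# which is why manually added ACEs (read/write servicePrincipalName) disappear.
$entry = $hit.GetDirectoryEntry()
$inheritanceDisabled = $entry.psbase.ObjectSecurity.AreAccessRulesProtected

# Escape characters that are special inside an LDAP filter value (backslash first).
$dnEscaped = $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

# Groups stamped with adminCount=1 that contain the account directly or through nesting.
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
# Assumption of this example: adminCount=1 on a group marks it as protected.
# Membership held only as the primary group is not visible through 'member'.
$groupSearch = [adsisearcher]"(&(objectCategory=group)(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dnEscaped))"
$groupSearch.PageSize = 500
$groupSearch.PropertiesToLoad.Add('name') | Out-Null
$protectedGroups = @($groupSearch.FindAll() | ForEach-Object { [string]$_.Properties['name'][0] })

New-Object PSObject -Property @{
    Account             = $sam
    DistinguishedName   = $dn
    AdminCount          = $adminCount
    InheritanceDisabled = $inheritanceDisabled
    ProtectedGroups     = ($protectedGroups -join '; ')
}
```

An empty `ProtectedGroups` together with `AdminCount` 1 indicates past membership: SDPROP no longer rewrites the ACL, but `adminCount` and the disabled inheritance stay on the object until they are reset by hand.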


