2009/7/16

Kerberos, SetSPN, LDIFDE, Windows Authentication, App Pool Identities – Aaarrgghhh!

Well, the title says it all really.

First of all, top marks to Tristan Kington and this Blog du Tristank. It really is the only place I’ve seen clear prescriptive advice on this topic.

My tuppence worth is I’ve taken Tristan’s work a tiny step further with this neat little batch file which finds any duplicate SPNs on your Active Directory Domain:

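@echo off
rem findspns.cmd, Alasdair Cunningham-Smith, ACS Solutions Limited
rem Lists every object whose servicePrincipalName contains the given text.
setlocal
set SPN=%1
rem Keep prompting until a search string has been supplied.
:again
if "%SPN%"=="" (
	set /p SPN=Please enter the SPN or part thereof to search for 
)
if "%SPN%"=="" (
	goto :again
)
rem -f CON: writes the export to the console; -s is the logon server with the backslashes removed;
rem -t 3268 queries the global catalog port; -r is the LDAP filter; -l limits output to the SPN attribute.
ldifde -f CON: -s "%LOGONSERVER:\=%" -t 3268 -r "(ServicePrincipalName=*%SPN%*)" -l ServicePrincipalName
endlocal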