It is recommended that you do not grant the WriteServicePrincipalName right
to the SQL service account when the following conditions are true:
- There are multiple domain controllers.
- SQL Server is clustered.
In this scenario, the SPN for the SQL Server may be deleted because
of latency in Active Directory replication. This may cause connectivity
issues to the SQL Server instance.
Assume that you have the following:
- An SQL virtual instance named Sqlcluster with two nodes:
Node A and Node B.
- Node A is authenticated by domain controller A, and Node B is
authenticated by domain controller B.
The following may occur:
1. The Sqlcluster instance is active on Node A and registers
the SQL SPN in domain controller A during startup.
2. The Sqlcluster instance fails over to Node B when Node A is
shut down normally.
3. The Sqlcluster instance deregisters its SPN from domain controller
A during the shutdown process on Node A.
4. The SPN is removed from domain controller A, but the change
has not yet been replicated to domain controller B.
5. When starting up on Node B, the Sqlcluster instance tries to
register the SQL SPN with domain controller B. Because the SPN still
exists in domain controller B's copy of the directory, Node B does
not register the SPN.
6. After some time, domain controller A replicates the deletion
of the SPN (from step 3) to domain controller B as part of Active
Directory replication. The end result is that no valid SPN exists
for the SQL instance in the domain, and hence you see connection issues
to the Sqlcluster instance.
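The replication-lag gap described above is only visible if you ask each domain controller directly rather than letting the client pick one. The following PowerShell script is an added example, not part of the original article: it queries every domain controller for the SQL service account's SPNs and reports which ones lack the expected entry. The account name svc-sql, the domain contoso.com and port 1433 are assumed placeholders; Sqlcluster is the virtual instance name from the scenario.

```powershell
# Added example (not from the original article): check each domain controller
# individually for the expected SPN so that a deletion that has replicated to
# some DCs but not others shows up before clients start failing Kerberos auth.
# Assumptions (placeholders): service account 'svc-sql', virtual instance name
# 'Sqlcluster' in domain 'contoso.com', default port 1433.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-sql'
$ExpectedSpn    = 'MSSQLSvc/Sqlcluster.contoso.com:1433'

# -Server pins each query to one DC; without it the client may silently
# use a DC that has not yet received the change.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $acct = Get-ADObject -Server $dc.HostName `
                    -LDAPFilter "(sAMAccountName=$ServiceAccount)" `
                    -Properties servicePrincipalName -ErrorAction Stop
        $spns = @($acct.servicePrincipalName)
        [pscustomobject]@{
            DomainController = $dc.HostName
            HasExpectedSpn   = ($spns -contains $ExpectedSpn)
            SpnCount         = $spns.Count
            Error            = $null
        }
    } catch {
        # An unreachable DC is reported rather than skipped, since a gap in
        # coverage would hide exactly the inconsistency we are looking for.
        [pscustomobject]@{
            DomainController = $dc.HostName
            HasExpectedSpn   = $false
            SpnCount         = 0
            Error            = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.HasExpectedSpn })
if ($missing.Count -gt 0) {
    Write-Warning ("SPN '{0}' is missing on {1} of {2} domain controllers: {3}" -f `
        $ExpectedSpn, $missing.Count, @($results).Count, ($missing.DomainController -join ', '))
} else {
    Write-Output "SPN '$ExpectedSpn' is present on all $(@($results).Count) domain controllers."
}
```

A mixed result (present on some DCs, absent on others) is the transient state from step 4; if it persists past normal replication latency, or the SPN is absent everywhere, the instance has ended up in the state described in step 6.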