Author | Chrissy LeMaire (@cl), netnerds.net |
Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Test-DbaAgSpn on GitHub.
Want to see the Bill Of Health for this command? Check out Test-DbaAgSpn.
Validates Service Principal Name registration for Availability Group listeners in Active Directory
Checks whether the SPNs that Kerberos needs for each Availability Group listener are registered in Active Directory. For every listener it looks up both MSSQLSvc/listener.domain.com and MSSQLSvc/listener.domain.com:port, the two names a client requests a ticket for when it connects through the listener with integrated authentication. Unlike the SPNs of a standalone instance, listener SPNs are not registered automatically: they must be registered on the domain account the SQL Server service runs under, and because one SPN can live on only one account, every replica that can host the listener must run under that same domain service account (or gMSA) for Kerberos to keep working after a failover.
Use this to troubleshoot client connectivity issues, validate SPN configuration before deployments, or audit security compliance. When a listener SPN is missing, clients using integrated Windows authentication either fail to authenticate or, where policy allows it, silently fall back to NTLM. The fallback hides the misconfiguration, breaks Kerberos delegation scenarios (linked servers, double-hop), and leaves the session on the weaker protocol, so treat a missing listener SPN as a security finding and not only as a connectivity bug.
The SPN section of Microsoft's listener connectivity guide, https://learn.microsoft.com/en-us/sql/database-engine/availability-groups/windows/listeners-client-connectivity-application-failover?view=sql-server-ver16#SPNs, was used as a guide.
Test-DbaAgSpn
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Credential] <PSCredential>]
[[-AvailabilityGroup] <String[]>]
[[-Listener] <String[]>]
[[-InputObject] <AvailabilityGroup[]>]
[-EnableException]
[<CommonParameters>]
PS C:\> Get-DbaAvailabilityGroup -SqlInstance sql01 -AvailabilityGroup SharePoint | Test-DbaAgSpn
Tests the SPNs for the SharePoint availability group listeners on sql01
PS C:\> Test-DbaAgSpn -SqlInstance sql01 -AvailabilityGroup SharePoint -Listener spag01
Tests the SPNs of the spag01 listener belonging to the SharePoint availability group on sql01
PS C:\> Test-DbaAgSpn -SqlInstance sql01 | Set-DbaSpn
Tests the SPNs for all availability group listeners on sql01 and registers any that are missing. Registering SPNs needs an account with rights to write servicePrincipalName on the service account (a domain admin, or an account granted "Validated write to service principal name").
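Added example, not code from the dbatools page or from Test-DbaAgSpn itself: the same check done by hand with the built-in DirectorySearcher (System.DirectoryServices, so it needs Windows PowerShell or PowerShell 7 on a domain-joined Windows host). It builds the two SPNs for a listener, looks each one up in AD, and classifies it as present on the expected account, missing, registered on the wrong account, or duplicated, which is the case setspn -A can create and Kerberos then rejects. The listener name, port and service account are hypothetical placeholders. For anything missing it prints the setspn -S command that would fix it; -S refuses to add an SPN that already exists elsewhere, unlike -A.

```powershell
# Added example (not dbatools code): verify AG listener SPNs directly in AD.
# Assumed/hypothetical values: listener spag01.corp.example.com on port 1433
# and a SQL Server service account CORP\svc-sql shared by all replicas.
param(
    [string]$ListenerFqdn    = 'spag01.corp.example.com',
    [int]   $Port            = 1433,
    [string]$ExpectedAccount = 'svc-sql'   # sAMAccountName of the SQL Server service account
)

# The two SPNs a client resolves when connecting through the listener.
$requiredSpns = @(
    "MSSQLSvc/$ListenerFqdn",
    "MSSQLSvc/${ListenerFqdn}:$Port"
)

function Find-SpnOwner {
    # Returns the sAMAccountName of every object in the current domain that
    # carries the given SPN. Zero results = missing, more than one = duplicate.
    param([Parameter(Mandatory)][string]$Spn)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(servicePrincipalName=$Spn)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('samaccountname')

    foreach ($result in $searcher.FindAll()) {
        $result.Properties['samaccountname'][0]
    }
}

$report = foreach ($spn in $requiredSpns) {
    $owners = @(Find-SpnOwner -Spn $spn)
    $status = switch ($owners.Count) {
        0       { 'Missing' }
        1       { if ($owners[0] -ieq $ExpectedAccount) { 'OK' } else { 'WrongAccount' } }
        default { 'Duplicate' }    # Kerberos fails outright on duplicate SPNs
    }
    [pscustomobject]@{
        SPN    = $spn
        Status = $status
        Owners = ($owners -join ', ')
    }
}

$report | Format-Table -AutoSize

# Remediation hints for missing SPNs. -S checks for duplicates before adding;
# run as an account allowed to write servicePrincipalName on the service account.
$report | Where-Object Status -eq 'Missing' | ForEach-Object {
    "setspn -S $($_.SPN) $ExpectedAccount"
}
```

DirectorySearcher defaults to the caller's domain, so a duplicate registered in another domain of the forest will not show up here; run setspn -X -F for a forest-wide duplicate scan before registering anything. A WrongAccount result usually means a replica was rebuilt under a different service account, which also explains Kerberos working on one replica and not after failover.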
-SqlInstance
The target SQL Server instance or instances. Availability Groups require SQL Server 2012 or later.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Credential
Alternative credential used for the Active Directory lookup of the SPNs. If omitted, AD is queried as the current Windows user.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-AvailabilityGroup
Specifies which availability groups to validate SPNs for by name. Use this when you need to check specific AGs instead of all AGs on the instance.
If not specified, all availability groups will be tested. Accepts multiple AG names for bulk validation.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Listener
Specifies which AG listeners to validate SPNs for by listener name. Use this when troubleshooting specific listener connectivity issues.
If not specified, all listeners within the specified availability groups will be tested. Accepts multiple listener names.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-InputObject
Accepts availability group objects from Get-DbaAvailabilityGroup for pipeline processing. Use this to chain commands when working with specific AG objects.
This allows for filtering AGs before SPN validation without needing to specify instance and AG names separately.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with a "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |