I came across an interesting one recently whilst setting up Kerberos for a Skype for Business 2019 build.
As part of the standard build, I created a Kerberos account in the customer’s OU and assigned it to a site without error. But I did notice a tiny little warning that “Site 2” wasn’t in the topology.
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-1024x53.png)
So we quickly checked for the account, yep its there and assigned
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-2.png)
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-1.png)
But attempting to set the account password fails with the error message
1 | Kerberos account ucmadscientist\derpy is not assigned to any site. |
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-3-1024x166.png)
Another check of topologies verifies we have no Site 2.
But running Enable-CsTopology at the shell throws warnings re Site 2 (these didn’t show up in Topology Builder)
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-7-1024x369.png)
I even downloaded and searched the TBXML for OriginalSiteId=”2″ and OriginalCluster=”2 (note the lack of a trailing quote mark is intentional as any cluster ID’s would be after this) just to be sure.
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-4.png)
But the eagle-eyed among you might have spotted there is still a Kerberos account assigned to Site2 (hence the warning). So let’s remove that with a bit of code to select the relevant object and remove it
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-5.png)
1 | (Get-CsKerberosAccountAssignment)[1] | Remove-CsKerberosAccountAssignment |
You can now see we no longer have a Site:2 defined in our Kerberos assignments and we can now assign the account without warning.
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-6.png)
Enabling the Topology no longer throws warnings about site 2 either
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-8.png)
Now we need to remove the Kerberos association entirely and create it again using Remove-CsKerberosAccountAssignment and New-CsKerberosAccountAssignment
Note: Using Set-CsKerberosAccountAssignment doesn’t appear to fix it.
Then publish the topology with Enable-CsTopology
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-9.png)
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-11.png)
Wait for successful replication and then you can set your Kerberos password as normal.
![](https://www.UcMadScientist.com/wp-content/uploads/2019/12/image-12.png)
Hope this helps someone!