Craig Gemmill's Blog
There is nothing more secure than an educated user!
September 2009 - Posts
Beware: Group Policy DNS Settings
I like to keep my posts targeted at more obscure topics (at least that's my excuse for not posting more often), and this one is no exception.
We have started the process of integrating several disparate companies as part of a corporate acquisition. We chose a location similar to the corporate HQ for the first migration, believing that it would be the easiest location to roll over.
We proceeded to migrate this location...
Sure there were some bumps and headaches along the way, but everything had a straightforward solution. The kind of issues that you figure out by using the right combination of experience, tools, and kb searches.
Using Active Directory Migration Tool (ADMT) (as we have many times in the past), we started to migrate the workstations. The machines accepted the ADMT agent install, joined the new domain, and rebooted. Upon rebooting, the machines were not updating their Service Principal Names (SPN) in Active Directory (AD), or their A records in DNS. The event log on the migrated machines was throwing the following errors:
Error: 5788
Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed.
Error: 5789
Attempt to update DNS Host Name of the computer object in Active Directory failed. …
And as a result, the machines weren’t really a part of the target domain, which obviously caused all kinds of other issues.
Clearly a DNS issue, but all of the tools were reporting correct settings and behavior. A lot of digging later, a setting was found in the Group Policy of the source domain that proved to be the issue. It was the “Primary DNS Suffix” policy pointing to the source domain instead of the target.
As the title says, beware of the Group Policy DNS settings, especially “Computer Configuration\Administrative Templates\Network\Dns Client”.
It turns out that these settings take precedence over all of the information supplied in your interfaces, DHCP settings, etc. Even worse than that, these settings do not show up in the output of any of the tools we’ve come to rely on (ipconfig, netsh, PowerShell, etc.).
While this certainly will impact anyone performing migrations, it also has a much wider scope of interference.
I hope this saves someone the time we wasted.
Here is a Microsoft KB that actually has the Group Policy issue noted at the end of the article:
http://support.microsoft.com/kb/258503
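A check for the situation described above, reading the policy's registry location directly and comparing it with the domain the machine is joined to. This is an added example, not code from the original post; the registry paths and value names are assumptions taken from the DNS Client administrative template and the TCP/IP parameters key, and the function names are hypothetical.

```powershell
# Added example: surface a Group Policy "Primary DNS Suffix" that differs
# from the domain the computer is joined to.
# Assumption: key paths and value names below are not from the original post.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient'
$tcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Return a single registry value, or $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-PrimaryDnsSuffixPolicy {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Try both value names (assumed) under the policy key.
    $policySuffix = Get-RegValue $policyKey 'NV PrimaryDnsSuffix'
    if (-not $policySuffix) {
        $policySuffix = Get-RegValue $policyKey 'PrimaryDnsSuffix'
    }

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        JoinedDomain   = $cs.Domain
        PolicySuffix   = $policySuffix                        # set by Group Policy
        LocalSuffix    = Get-RegValue $tcpipKey 'NV Domain'   # locally configured
        ActiveSuffix   = Get-RegValue $tcpipKey 'Domain'      # currently in effect
        PolicyMismatch = $false
    }

    # String comparison with -ne is case-insensitive in PowerShell.
    if ($cs.PartOfDomain -and $policySuffix -and ($policySuffix -ne $cs.Domain)) {
        $result.PolicyMismatch = $true
    }
    $result
}

$report = Test-PrimaryDnsSuffixPolicy
$report | Format-List
if ($report.PolicyMismatch) {
    Write-Warning ("Policy primary DNS suffix '{0}' differs from joined domain '{1}'; review the DNS Client policy." -f $report.PolicySuffix, $report.JoinedDomain)
}
```

A mismatch is not always an error, since some environments use a primary DNS suffix that differs from the AD domain name on purpose, so treat the warning as a prompt to review the policy that applies to the machine.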
Posted: Sep 16 2009, 09:14 PM by CraigG | with 1 comment(s)
Filed under: .NET, 5788, 5789, ADMT, Domain migration, Powershell, Windows Server 2003, XP