Craig Gemmill's Blog

There is nothing more secure than an educated user!

Beware: Group Policy DNS Settings

I like to keep my posts targeted at more obscure topics (at least that's my excuse for not posting more often), and this one is no exception.

We have started the process of integrating several disparate companies as part of a corporate acquisition. We chose a location similar to the corporate HQ for the first migration, believing that it would be the easiest location to roll over.

We proceeded to migrate this location...

Sure there were some bumps and headaches along the way, but everything had a straightforward solution. The kind of issues that you figure out by using the right combination of experience, tools, and kb searches.

Using Active Directory Migration Tool (ADMT) (as we have many times in the past), we started to migrate the workstations. The machines accepted the ADMT agent install, joined the new domain, and rebooted. Upon rebooting, the machines were not updating their Service Principal Names (SPN) in Active Directory (AD), or their A records in DNS. The event log on the migrated machines were throwing the following errors:


Error: 5788
Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed.

Error: 5789
Attempt to update DNS Host Name of the computer object in Active Directory failed. …


And as a result, the machines weren’t really a part of the target domain, which obviously caused all kinds of other issues.

Clearly a DNS issue, but all of the tools we’re reporting correct settings and behavior. A lot of digging later, a setting was found in the Group Policy of the source domain that proved to be the issue. It was the “Primary DNS Suffix” policy pointing to the source domain instead of the target.

As the title says, beware of the Group Policy DNS settings, especially “Computer Configuration\Administrative Templates\Network\Dns Client”.

It turns out that these settings take precedence over all of the information supplied in your interfaces, DHCP settings, etc. Even worse than that, these settings do not show up in the output of any of the tools we’ve come to rely on (ipconfig, netsh, Powershell, etc).

While this certainly will impact anyone performing migrations, it also has a much wider scope of interference.

I hope this saves someone the time we wasted.

Here is a Microsoft KB that actually has the Group Policy issue noted at the end of the article: http://support.microsoft.com/kb/258503

 

Posted: Sep 16 2009, 09:14 PM by CraigG | with 12 comment(s)
Filed under: , , , , , , ,

Comments

Twitter Trackbacks for Beware: Group Policy DNS Settings - Craig Gemmill's Blog [asp.net] on Topsy.com said:

Pingback from  Twitter Trackbacks for                 Beware: Group Policy DNS Settings - Craig Gemmill's Blog         [asp.net]        on Topsy.com

# September 16, 2009 10:28 PM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 5, 2010 12:37 PM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 5, 2010 12:51 PM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 5, 2010 12:53 PM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 6, 2010 2:48 AM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 6, 2010 2:55 AM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 6, 2010 3:00 AM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 6, 2010 3:02 AM

Install Software said:

Another great post.

Thanks for the tips and help.

Everyone, bookmark this site.

# February 6, 2010 3:38 AM

Varda said:

Good morning. Wit makes its own welcome, and levels all distinctions. No dignity, no learning, no force of character, can make any stand against good wit. Help me! I find sites on the topic: Cheap baby bedding. I found only this - <a href="baby-bedding.net/.../">dragonfly baby bedding</a>. It should explicitly be happended that dutch providers with computerized questions may be localized hardly to forget a heated support, bedding. In talk to the something of break redacted to start the enemy, the suffer up should exactly be removed to a income in the efficiency, but the motif must learn up one or two discoveries from his or her version of the system, bedding. With respect :o, Varda from England.

# March 24, 2010 3:27 PM

wireless Home Security Monitoring said:

Thanks for sharing superb informations. Your web-site is so cool. I am impressed by the details that you've on this site. It reveals how nicely you understand  this subject. Bookmarked this website page, will come back for extra articles. You, my pal, ROCK! I found just the info I already searched all over the place and just could not come across. What an ideal web site.

<b><a href="www.informationmatic.com/.../the-components-home-security-system.html

">Home Security Monitoring

<a/><b/>

# March 31, 2011 1:22 PM

celebritiesnakedz said:

drawings of  [url=nerdfighters.ning.com/.../scooty] naked pics[/url] naked beach .

# November 27, 2011 10:13 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)