Craig Gemmill's Blog

There is nothing more secure than an educated user!

Beware: Group Policy DNS Settings

I like to keep my posts targeted at more obscure topics (at least that's my excuse for not posting more often), and this one is no exception.

We have started the process of integrating several disparate companies as part of a corporate acquisition. We chose a location similar to the corporate HQ for the first migration, believing that it would be the easiest location to roll over.

We proceeded to migrate this location...

Sure there were some bumps and headaches along the way, but everything had a straightforward solution. The kind of issues that you figure out by using the right combination of experience, tools, and kb searches.

Using the Active Directory Migration Tool (ADMT), as we have many times in the past, we started to migrate the workstations. The machines accepted the ADMT agent install, joined the new domain, and rebooted. Upon rebooting, the machines were not updating their Service Principal Names (SPNs) in Active Directory (AD), or their A records in DNS. The event log on the migrated machines was throwing the following errors:


Error: 5788
Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed.

Error: 5789
Attempt to update DNS Host Name of the computer object in Active Directory failed. …


And as a result, the machines weren’t really a part of the target domain, which obviously caused all kinds of other issues.

Clearly a DNS issue, but all of the tools were reporting correct settings and behavior. After a lot of digging, we found a setting in the Group Policy of the source domain that proved to be the issue: the "Primary DNS Suffix" policy was pointing to the source domain instead of the target.

As the title says, beware of the Group Policy DNS settings, especially "Computer Configuration\Administrative Templates\Network\DNS Client".

It turns out that these settings take precedence over all of the information supplied in your interfaces, DHCP settings, etc. Even worse than that, these settings do not show up in the output of any of the tools we've come to rely on (ipconfig, netsh, PowerShell, etc.).
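As an added example that is not part of the original post, the following PowerShell script checks a single workstation for the two symptoms described above: the NETLOGON 5788/5789 events, and a Group Policy primary DNS suffix that disagrees with the domain the machine is actually joined to. Because the policy value is not surfaced by ipconfig or netsh, the script reads the registry key the DNS Client policy node writes to (HKLM\SOFTWARE\Policies\Microsoft\System\DNSClient, value PrimaryDnsSuffix) and compares it with the locally configured suffix and the joined domain. It assumes it is run in an elevated PowerShell session (3.0 or later, for Get-CimInstance) on the machine being checked; the function names are my own.

```powershell
# Added example, not code from the original post.
# Assumption: run locally, elevated, on the migrated workstation.

# Key written by Computer Configuration\Administrative Templates\Network\DNS Client.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient'
# Key holding the locally configured primary DNS suffix (System Properties > Computer Name > More...).
$TcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-PrimaryDnsSuffixState {
    # Domain the computer account actually belongs to.
    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

    # Policy-supplied suffix, if any. When present it wins over the local value.
    $policy = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).PrimaryDnsSuffix

    # Locally configured suffix, which is what most people expect to be in effect.
    $local = (Get-ItemProperty -Path $TcpipKey -ErrorAction SilentlyContinue).'NV Domain'

    $effective = if ($policy) { $policy } else { $local }

    [pscustomobject]@{
        JoinedDomain    = $joined
        PolicySuffix    = $policy
        LocalSuffix     = $local
        EffectiveSuffix = $effective
        PolicyPresent   = [bool]$policy
        # True when Group Policy forces a suffix other than the joined domain:
        # the machine then registers its A record and SPNs under the wrong name.
        Mismatch        = ([bool]$policy -and ($policy -ne $joined))
    }
}

function Get-NetlogonDnsFailures {
    param([int]$Days = 7)
    # NETLOGON 5788 = SPN update failed, 5789 = DNS host name update failed.
    # -ErrorAction SilentlyContinue suppresses the "No events were found" error.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5788, 5789
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-PrimaryDnsSuffixState
$state | Format-List

if ($state.Mismatch) {
    $msg = "Group Policy forces the primary DNS suffix '{0}' but this computer is joined to '{1}'." -f `
        $state.PolicySuffix, $state.JoinedDomain
    Write-Warning $msg
    Write-Warning 'Review Computer Configuration\Administrative Templates\Network\DNS Client in the GPOs applied to this machine (gpresult /r /scope computer).'
}

$failures = Get-NetlogonDnsFailures
if ($failures) {
    Write-Warning ('{0} NETLOGON 5788/5789 event(s) in the last 7 days.' -f @($failures).Count)
    $failures | Format-Table -AutoSize
}
```

When the Mismatch flag is set, the fix is in the GPO, not on the workstation: as the post describes, the source-domain policy has to stop applying (or be changed to the target suffix) before the machine's SPNs and A record will register correctly.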

While this certainly will impact anyone performing migrations, it also has a much wider scope of interference.

I hope this saves someone the time we wasted.

Here is a Microsoft KB that actually has the Group Policy issue noted at the end of the article: http://support.microsoft.com/kb/258503


Comments

Twitter Trackbacks for Beware: Group Policy DNS Settings - Craig Gemmill's Blog [asp.net] on Topsy.com said:

Pingback from Twitter Trackbacks for Beware: Group Policy DNS Settings - Craig Gemmill's Blog [asp.net] on Topsy.com

September 16, 2009 10:28 PM