Beware: Group Policy DNS Settings
We have started the process of integrating several disparate companies as part of a corporate acquisition. We chose a location similar to the corporate HQ for the first migration, believing that it would be the easiest location to roll over.
We proceeded to migrate this location...
Sure, there were some bumps and headaches along the way, but everything had a straightforward solution. The kind of issues that you figure out by using the right combination of experience, tools, and KB searches.
Using Active Directory Migration Tool (ADMT) (as we have many times in the past), we started to migrate the workstations. The machines accepted the ADMT agent install, joined the new domain, and rebooted. Upon rebooting, the machines were not updating their Service Principal Names (SPNs) in Active Directory (AD), or their A records in DNS. The event logs on the migrated machines were throwing the following errors:
Error: 5788
Error: 5789
And as a result, the machines weren’t really a part of the target domain, which obviously caused all kinds of other issues.
Clearly a DNS issue, but all of the tools were reporting correct settings and behavior. A lot of digging later, a setting was found in the Group Policy of the source domain that proved to be the issue. It was the “Primary DNS Suffix” policy pointing to the source domain instead of the target.
As the title says, beware of the Group Policy DNS settings, especially “Computer Configuration\Administrative Templates\Network\Dns Client”.
It turns out that these settings take precedence over all of the information supplied in your interfaces, DHCP settings, etc. Even worse than that, these settings do not show up in the output of any of the tools we’ve come to rely on (ipconfig, netsh, PowerShell, etc.).
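Group Policy writes the DNS Client settings into the machine's policy registry hive, so they can be read there directly. The script below is an added example, not part of the original post: it lists every DNS Client policy value on the local machine and warns when a policy-set primary DNS suffix differs from the joined domain. The two policy key paths are where these settings are normally stored and are an assumption to verify on your own build; the function name is made up for this example.

```powershell
# Added example (not from the original post). Run on a migrated workstation.
# Assumption: DNS Client policies live under these two keys in the policy hive.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient',     # Primary DNS Suffix policy
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'  # other "Dns Client" policies
)

# Hypothetical helper: returns one object per policy value found.
function Get-DnsClientPolicyValue {
    param([string[]]$Path = $policyKeys)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }  # policy not configured
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key
                Name  = $name
                Value = ($item.GetValue($name) -join ', ')    # flattens multi-string values
            }
        }
    }
}

$policy = @(Get-DnsClientPolicyValue)
if ($policy.Count -eq 0) {
    'No DNS Client policy values are set on this machine.'
} else {
    $policy | Format-Table -AutoSize -Wrap
}

# What the machine believes about itself.
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$tcp = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
"Joined domain            : $($cs.Domain) (PartOfDomain = $($cs.PartOfDomain))"
"Tcpip 'Domain' value     : $($tcp.Domain)"
"Tcpip 'NV Domain' value  : $($tcp.'NV Domain')"

# Flag the condition described above: a policy suffix that is not the joined domain.
# The wildcard avoids depending on the exact value name used by the policy.
$suffix = $policy | Where-Object Name -like '*PrimaryDnsSuffix' | Select-Object -First 1
if ($cs.PartOfDomain -and $suffix -and $suffix.Value -ne $cs.Domain) {
    Write-Warning ("Policy primary DNS suffix '{0}' does not match joined domain '{1}'." -f
        $suffix.Value, $cs.Domain)
}
```

To find which GPO supplies a value, `gpresult /h report.html` produces the resultant-set-of-policy report for the machine.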
While this certainly will impact anyone performing migrations, it also has a much wider scope of interference.
I hope this saves someone the time we wasted.
Here is a Microsoft KB that actually has the Group Policy issue noted at the end of the article: http://support.microsoft.com/kb/258503