Beware: Group Policy DNS Settings

I like to keep my posts targeted at more obscure topics (at least that's my excuse for not posting more often), and this one is no exception.

We have started the process of integrating several disparate companies as part of a corporate acquisition. We chose a location similar to the corporate HQ for the first migration, believing that it would be the easiest location to roll over.

We proceeded to migrate this location...

Sure, there were some bumps and headaches along the way, but everything had a straightforward solution: the kind of issues you figure out with the right combination of experience, tools, and KB searches.

Using the Active Directory Migration Tool (ADMT), as we have many times in the past, we started to migrate the workstations. The machines accepted the ADMT agent install, joined the new domain, and rebooted. Upon rebooting, the machines were not updating their Service Principal Names (SPNs) in Active Directory (AD) or their A records in DNS. The event log on the migrated machines was throwing the following errors:

Error: 5788
Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed.

Error: 5789
Attempt to update DNS Host Name of the computer object in Active Directory failed. …

And as a result, the machines weren’t really a part of the target domain, which obviously caused all kinds of other issues.

Clearly a DNS issue, but all of the tools were reporting correct settings and behavior. A lot of digging later, a setting was found in the Group Policy of the source domain that proved to be the issue: the “Primary DNS Suffix” policy was pointing to the source domain instead of the target.

As the title says, beware of the Group Policy DNS settings, especially those under “Computer Configuration\Administrative Templates\Network\DNS Client”.

It turns out that these settings take precedence over all of the information supplied in your interfaces, DHCP settings, etc. Even worse, these settings do not show up in the output of any of the tools we’ve come to rely on (ipconfig, netsh, PowerShell, etc.).
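Because the policy-enforced suffix is invisible in the usual interface-level tools, the quickest check is to read the policy registry locations directly and compare them with the domain the computer is actually joined to. The script below is an added example, not code from the original post; the registry paths are the ones the DNS Client administrative template writes to, and the comparison against Win32_ComputerSystem.Domain is an assumption about how a mismatch would be detected on a migrated workstation.

```powershell
# Added example (not from the original post): surface DNS Client Group Policy
# values that ipconfig/netsh do not attribute to policy, and compare the
# policy-enforced primary DNS suffix with the domain the machine is joined to.
# Run on the affected workstation in an elevated PowerShell session.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient',      # "Primary DNS Suffix" policy
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'   # other DNS Client policies
)

foreach ($key in $policyKeys) {
    if (Test-Path -Path $key) {
        Write-Host "Policy values under $key"
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    } else {
        Write-Host "No DNS Client policy values under $key"
    }
}

# Effective primary suffix as TCP/IP sees it ("Domain") versus the value set
# through System Properties ("NV Domain"); policy overrides the latter.
$tcpip           = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$effectiveSuffix = $tcpip.Domain
$nvSuffix        = $tcpip.'NV Domain'

# Domain of the computer account (assumed reference point for the comparison)
$joinedDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

$policySuffix = (Get-ItemProperty -Path $policyKeys[0] -ErrorAction SilentlyContinue).PrimaryDnsSuffix

"Joined domain           : $joinedDomain"
"Policy primary suffix   : $policySuffix"
"Effective primary suffix: $effectiveSuffix"
"NV Domain (UI setting)  : $nvSuffix"

if ($policySuffix -and ($policySuffix -ne $joinedDomain)) {
    Write-Warning ("Primary DNS Suffix policy '$policySuffix' does not match the joined domain " +
                   "'$joinedDomain'; this is consistent with the 5788/5789 SPN and DNS update failures.")
}
```

A Resultant Set of Policy report (gpresult /h report.html) will also list the setting under Administrative Templates, which is useful for finding which GPO in the source domain is still applying it.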

While this certainly will impact anyone performing migrations, it also has a much wider scope of interference.

I hope this saves someone the time we wasted.

Here is a Microsoft KB article that notes the Group Policy issue at the end: http://support.microsoft.com/kb/258503
