Missing spn attributes when moving pc with ADMT in interforest migrations

    Question

  • Hi there

    I keep having troubles with the migrations of computers using ADMT. I thought it was a matter of DNS, firewall or GPO but at the end I found out what the real problem was: after the reboot that is initiated by ADMT, the SPN attribute of the computer object is not correctly created until I restart the PC a second time. In my previous post in this forum I wrote I found a solution but this was related to the second and manual reboot. I have realized that restarting the computer manually is not an expected behaviour, talking to my colleagues who previously used ADMT in the past, so there might be something new that has changed and is not working as before. I have read that MS has released a patch for Windows Server to fix an issue with ADMT that is preventing this tool from creating the computer object in the intra-forest migration, but this is not my case as I am doing an inter-forest migration: KB 3070083

    Other people in this forum say that the second reboot is mandatory whereas others say that it's not true.

    The reality is that there is something odd with this tool...the pc object is created by the ADMT but with no spn attributes so users can't log in to the new domain. When the second reboot happens, everything works... who is adding the spn in to the adsi properties of the computer? The pc or the ADMT tool? And also the more important question is why the pc is migrated without the correct attributes ? It does not make sense to me

    Thanks to everyone who can help to shed some light on it

    Regards 



    • Edited by Selva_MSN Thursday, March 30, 2017 1:03 PM
    Thursday, March 30, 2017 5:38 AM

Answers

  • Hi,
    Based on my research, it seems that a restart is needed: https://technet.microsoft.com/en-us/library/cc974402(v=ws.10).aspx
    “Migrate workstations and member servers from the source domain to the target domain. When you migrate computers, the changes do not take effect until the computer is restarted. Restart the computers that you are migrating as soon as possible to complete the migration process.”
    And you could see the step-by-step action including reboot step in the following article: https://social.technet.microsoft.com/wiki/contents/articles/16621.admt-3-2-interforest-migration-part-3.aspx
    >> who is adding the spn in to the adsi properties of the computer
    As far as I know, a computer writes to servicePrincipalName attributes for its computer account in an Active Directory Domain Services (AD DS) domain in the following scenarios:
    Immediately after a Windows-based computer joins a domain, the computer tries to set the  servicePrincipalName attributes for its computer account in the new domain.
    When the security channel is established on a Windows-based computer that is already a member of an AD DS domain, the computer tries to update servicePrincipalName attributes for its computer account in the domain.
    On a Windows-based domain controller, the Netlogon service tries to update the servicePrincipalName attribute every 22 minutes.
    So the reboot is used for computer to write SPN after migration.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 31, 2017 7:56 AM
    Moderator
  • Thanks for your reply Wendy.

    I totally understand what you wrote and this is by design

    In any case, I investigated a bit and looked for the specific logs in the Windows Event Viewer soon after the computer reboots itself due to the trigger in ADMT

    I found out that the computer tries to register to the new domain using the previous primary DNS suffix (OLD-PRIMARY-DNS-SUFFIX.COM) :o

    -------------------------------

    Log Name:      System
    Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date:          30.03.2017 18:50:27
    Event ID:      1067
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      COMPUTERNAME.OLD-PRIMARY-DNS-SUFFIX.COM
    Description:
    The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The attribute syntax specified to the directory service is invalid.
    .

    I investigated again and I found out that the previous admin created a GPO to force the primary DNS suffix ...

    Now ADMT works like a charm :D

    I hope this helps someone else who might encounter the same issue

    Regards


    • Proposed as answer by Wendy JiangModerator Wednesday, April 5, 2017 1:37 AM
    • Marked as answer by Selva_MSN Wednesday, April 5, 2017 8:06 AM
    • Edited by Selva_MSN Friday, July 14, 2017 6:40 PM
    Tuesday, April 4, 2017 11:42 AM
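    A post-migration check that follows from the answer above, added here as an example (it is not part of the thread and not an ADMT component): it compares the primary DNS suffix the machine is actually using (the GPO-forced value wins over the local one) with the domain it is joined to, reads the computer account's servicePrincipalName values over LDAP, and flags SPNs that are missing or still carry a foreign suffix. It assumes it runs on the migrated workstation as a domain user; the registry paths and event filter are standard Windows locations, everything else is constructed for the example.

```powershell
# Added example, not the thread's or ADMT's own code.
# Verifies that SPN registration after an ADMT migration used the target domain's suffix.
$computer = $env:COMPUTERNAME
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient'   # "Primary DNS Suffix" GPO lands here

# Effective primary DNS suffix: a policy-forced value overrides the locally configured one
$localSuffix  = (Get-ItemProperty -Path $tcpip  -ErrorAction SilentlyContinue).'NV Domain'
$policySuffix = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).PrimaryDnsSuffix
$effective    = if ($policySuffix) { $policySuffix } else { $localSuffix }

# DNS name of the domain the machine is joined to after the ADMT-triggered reboot
$joinedDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

Write-Host "Joined domain             : $joinedDomain"
Write-Host "Local primary DNS suffix  : $localSuffix"
Write-Host "GPO-forced DNS suffix     : $policySuffix"
Write-Host "Effective suffix for SPNs : $effective"

if ($effective -and $effective -ne $joinedDomain) {
    Write-Warning "Primary DNS suffix '$effective' does not match joined domain '$joinedDomain'; HOST/ and TERMSRV/ SPNs will be built with the wrong FQDN."
}

# Read the computer account's SPNs from the joined domain (ADSI searcher, no RSAT required)
$searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$computer`$))"
$account  = $searcher.FindOne()
if (-not $account) { throw "Computer account for '$computer' not found in '$joinedDomain'." }
$spns = @($account.Properties['serviceprincipalname'])

# Minimum set every domain member registers for itself; the FQDN form must use the new suffix
$expected = @("HOST/$computer", "HOST/$computer.$joinedDomain")
$missing  = $expected | Where-Object { $spns -notcontains $_ }
$stale    = $spns | Where-Object { $_ -like "*/$computer.*" -and $_ -notlike "*/$computer.$joinedDomain" }

if ($missing) { Write-Warning "Missing SPNs: $($missing -join ', ')" }
if ($stale)   { Write-Warning "SPNs carrying a foreign DNS suffix: $($stale -join ', ')" }
if (-not $missing -and -not $stale) { Write-Host "SPNs are consistent with '$joinedDomain'." }

# Surface the symptom quoted in the thread: event 1067 from the RD Session Host SPN registration
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 1067
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
} -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```

If the suffix warning fires, the fix is the one the thread arrived at: remove or correct the GPO that forces the primary DNS suffix, then let the machine re-register its SPNs on the next secure-channel setup or reboot.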

All replies

  • Hi,
    Great share and update, could you please help to mark the reply as answer? It will be greatly helpful to others who have the same question. Thank you.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 5, 2017 1:38 AM
    Moderator