"While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync"

  • Question

  • I posted this in the Partner Forums (http://social.microsoft.com/Forums/en-US/partnermsgexchange/thread/38e8a17d-e991-432b-9611-2dad13418dca), but after 48 hours and no response, I'm reaching out to the general public on this one...

    First, a little background info: I am in the middle of a migration from SBS 2003 to SBS 2011. I had run the migration preparation tool on the source server but forgot to reboot, and the migration install of the destination server failed before installing Exchange (although it had been promoted to a DC). The SBS wizard indicated the only option was to start over with a clean install. At this point, a restore of the source server was not feasible, so I did DNS and AD metadata cleanup (via ntdsutil) and started over. The second time went smoothly, but I ended up with various AD replication issues after the destination server was set up. I resolved those by simply running Windows Update on both the source and destination servers and rebooting.

    My current problem is not necessarily Exchange specific, but it is keeping me from starting the Microsoft Exchange RPC Client Access service (technically it starts, then stops immediately). In the Event Viewer, I see Event 1002 (Source MSExchangeRPC) with the following info: "Failed to register service principal name ExchangeMDB. Failed with error code While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync (8525)."

    If I try to manually register the SPN (setspn -A ExchangeMDB/domain.local SERVER) it fails with the following error: "Failed to assign SPN on account 'CN=SERVER,OU=Domain Controllers,DC=domain,DC=local', error 0x214d/8525 -> While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync". The same problem is seen for the Remote Desktop Services Gateway (replacing ExchangeMDB with TERMSRV), so it is not limited to Exchange, but seems to be a permissions issue on the server.

    If I run setspn from the SBS 2003 machine, it works fine. If I do a 'setspn -L SERVER', I see the SPNs in question, so they are already there. If I go into ADSIEDIT on the SBS 2003 box, I can change security on the new server's DN, but when trying to do the same thing on the new SBS 2011 server, I just get the following nondescript error: "Unable to save permissions on SERVER. An operations error has occurred". I can do the exact same process from the same user account on the SBS 2003 machine, so I appear to have permission problems on the new SBS 2011 server... I just don't know where.

    Any and all help will be greatly appreciated as I have already spent several hours trying to resolve this to no avail.


    Sr System Engineer
    Thursday, March 31, 2011 12:09 AM

Answers

  • I opened a case with Microsoft Thursday evening and we worked on this for nearly 9 hours Friday.  I managed to locate a System State backup from the night before the migration started, so I have restarted the process and am currently working through a different set of issues.

    For anyone curious, the Microsoft support engineer pointed out that the ACL on the SBS 2011 computer object (viewable on the Security tab in either ADSIedit or ADUC) was missing at least 80% of the permissions that should have been there.  I had compared it to the ACL for the SBS 2003 server and assumed it was fine, but I never thought to compare to another SBS 2011 box.  Even after manually adding in the appropriate permissions and allowing time for replication the problem persisted, hence the restore and restart of the migration...


    Sr System Engineer
    Tuesday, April 5, 2011 1:40 PM
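The accepted answer's diagnosis was that the computer object's ACL was missing most of its entries, which was only visible once it was compared against another SBS 2011 box rather than the SBS 2003 server. The following PowerShell script is an added example, not code from the thread or from Microsoft support, that automates that comparison and also checks that every host-based SPN on the object agrees with its dNSHostName (the condition behind error 8525). The DNs and the DC name are placeholders; it binds through ADSI so it runs on SBS 2011 without the ActiveDirectory module, and it should be pointed at a DC that can still read both objects (in the thread, the SBS 2003 DC).

```powershell
# Added example: diff the ACL of a computer object that cannot be modified from its own DC
# against a known-good object of the same role, then sanity-check its SPNs. Placeholders below.
param(
    [string]$BrokenDn    = 'CN=NEWSERVER,OU=Domain Controllers,DC=domain,DC=local',
    [string]$ReferenceDn = 'CN=GOODSERVER,OU=Domain Controllers,DC=domain,DC=local',
    [string]$Dc          = 'OLDSERVER.domain.local'   # a DC that can read both objects
)

function Get-NormalizedAces([string]$Dn, [string]$Server) {
    # ADSI bind: works on PowerShell 2.0 / SBS 2011 without extra modules.
    $obj = [ADSI]"LDAP://$Server/$Dn"
    $rules = $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rules | ForEach-Object {
        # One string per ACE so Compare-Object can diff them. IsInherited is kept because a
        # missing inherited ACE points at the parent OU, while a missing explicit ACE is local.
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType, $_.IsInherited
    } | Sort-Object -Unique
}

$broken = @(Get-NormalizedAces -Dn $BrokenDn -Server $Dc)
$good   = @(Get-NormalizedAces -Dn $ReferenceDn -Server $Dc)
Write-Output ("ACEs on broken object: {0}; on reference object: {1}" -f $broken.Count, $good.Count)

# '<=' rows exist only on the reference object, i.e. they are what the broken object lacks.
Compare-Object -ReferenceObject $good -DifferenceObject $broken |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { "MISSING: $($_.InputObject)" }

# Second check: the DC keeps host-based SPNs in step with dNSHostName and rejects the update
# with 8525 when it cannot. Flag any SPN whose host part matches neither the FQDN nor the
# short name, which is the state that needs fixing before setspn -A can succeed.
$obj   = [ADSI]"LDAP://$Dc/$BrokenDn"
$fqdn  = [string]$obj.dNSHostName
$short = ($fqdn -split '\.')[0]
foreach ($spn in @($obj.servicePrincipalName)) {
    $target = (($spn -split '/')[1] -split ':')[0]   # service/host[:port] -> host
    if ($target -ne $fqdn -and $target -ne $short) {
        "SPN host does not match dNSHostName ($fqdn): $spn"
    }
}
```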

All replies

  • I found something new, kind of. As this is a small environment and we are migrating from a single SBS 2003 setup to a single SBS 2011 setup, I currently have two domain controllers. From the source server (SBS 2003), if I open ADSIEDIT and open the Properties for CN=OLDSERVER,OU=Domain Controllers,OU=mydomain,OU=local, I can set attributes and Apply them just fine. Likewise, I can do the same for CN=NEWSERVER,OU=Domain Controllers,OU=mydomain,OU=local. However, if I login to the destination server (SBS 2011), I can only apply the attribute changes on CN=OLDSERVER,OU=Domain Controllers,OU=mydomain,OU=local. When I try to modify anything at all for CN=NEWSERVER,OU=Domain Controllers,OU=mydomain,OU=local, I get an error.

    Error I receive when trying to save modified attributes (Attributes tab): Operation failed. Error code: 0x214d. While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync. 0000214D: SvcErr: DSID-033E0B5D, problem 5012 (DIR_ERROR), data 590340

    Error I receive when trying to save modified ACL (Security tab): Unable to save permission changes on NEWSERVER. An operations error has occurred.

    As this seems to be more of an Active Directory and/or DNS issue than it is an Exchange issue, is it possible to move this thread to a more appropriate forum? I tried but did not see a way to do so. This post has 11 views and the only response is from a moderator saying "we're looking into it", but in the meantime my SBS migration is at a standstill and my customer is eager to retire the old server.


    Sr System Engineer
    Thursday, March 31, 2011 12:10 AM
  • Hello, for SBS questions I recommend that you post in the SBS forums:

    http://social.technet.microsoft.com/Forums/en-us/smallbusinessserver/threads


    Thursday, March 31, 2011 12:18 AM
  • This is not specific to any SBS functions, but my problems lie within Active Directory.  I first noticed the issue with Exchange services not starting, but RDS Gateway services are also affected.  I actually copied/pasted the above posts from the Partner forum, where it was originally posted in the Exchange section.
    Sr System Engineer
    Thursday, March 31, 2011 12:21 AM
  • On the destination server, if I open ADSIEDIT and leave the defaults (connect to local DC's default naming context), I can do anything I want except make changes to the destination server's computer object as stated before. If I connect to the source server (within the same snap-in on the same server using the same credentials) and leave it to default naming context, then I can modify the destination server's computer object without error.

    I've tried disabling IPv6, pointing to the source server for DNS, and modifying the HOSTS file in hopes that it was just a DNS problem on the destination server, but the problem still remains. An additional symptom I found today was that if I open ADUC on the destination server, I cannot change anything for the destination server's computer object (just like in ADSIEDIT), but if I connect to the source server from the same ADUC snap-in, I can make changes, and they replicate back to the destination server just fine. All of my problems go back to the fact that my destination server cannot modify its own computer object attributes unless the LDAP query is connecting to the source server. This is a huge problem for my migration, so if anyone has any suggestions, please, I am all ears :)


    Sr System Engineer
    Thursday, March 31, 2011 12:21 AM
  • Is the secondary DC up'd to a Windows 2003 forest/domain level as well?
    Can you temporarily dcpromo it out?
    Thursday, March 31, 2011 3:31 AM
    Moderator
  • Don't disable ipv6, that's going to make it even worse.
    Thursday, March 31, 2011 3:31 AM
    Moderator
  • Are you 'run as admin' when you go into adsiedit on the SBS 2011?
    Can you email the sbssetup logs to susan-at-msmvps.com?
    Thursday, March 31, 2011 3:33 AM
    Moderator
  • I checked both the SBS 2003 and SBS 2011 machines; both show the domain and forest functional levels at 2003.  When you say to temporarily dcpromo it out, are you referring to the SBS 2003 box or SBS 2011?  I was following the SBS Migration guide in order, and I am currently at the User Mailbox migration step.  As long as dcpromoing one of these won't introduce new problems, I can give it a shot.

    I had disabled IPv6 by unchecking it on the adapter and adding the DisabledComponents registry value, but when it made no difference, I reversed this so IPv6 was only very temporarily disabled.

    Yes, I am doing a Run As Admin for ADSIedit and ADUC on the SBS 2011 box, but I see the same problem when running these tools from the SBS 2003 box (only when I change the domain controller from the local machine to the SBS 2011 machine).

    I will send you the logs shortly; thanks for your help by the way!


    Sr System Engineer
    Thursday, March 31, 2011 1:13 PM
  • Hi,

    This issue can be caused if the Microsoft Exchange System Attendant service is not started, or by a DNS issue. For detailed troubleshooting information, please refer to the following Microsoft TechNet article:

    Failed to register Service Principal Name. This may block specific users from accessing their mailboxes.

    http://technet.microsoft.com/en-us/library/ff359878(EXCHG.140).aspx

    Regards,

    Arthur Li

    TechNet Subscriber Support in forum
    Friday, April 1, 2011 3:25 AM
    Moderator
  • Hi,

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li

    TechNet Subscriber Support in forum
    Tuesday, April 5, 2011 7:38 AM
    Moderator