Sunday, May 29, 2016

Intra-forest domain change error "The security database on the server does not have a computer account for this workstation trust relationship"

Previously I had done many intra-forest domain changes for computer accounts, but this time I got the error "The security database on the server does not have a computer account for this workstation trust relationship" after trying to move a computer from a child domain to the parent domain.

As I understand it, this is caused by a change in Windows Server 2012 R2 Active Directory.

So let's start from the beginning.
I was migrating user and computer objects from a child domain to the parent domain as part of a domain consolidation. There were no major issues with the user migration.

So I tried to migrate a computer account with ADMT. At first everything seemed to be OK, but after the domain change, logging on to the new domain produced the error "The security database on the server does not have a computer account for this workstation trust relationship".

I found out that the new computer object had been created in AD, but its properties were not populated.

The root cause of the error was that the Service Principal Names (SPNs) for the computer account in the new domain were not registered. What happened is that ADMT pre-staged the new computer account while the old account was still in place. ADMT then tried to copy the SPNs from the old object to the new one and failed, because Windows Server 2012 R2 AD does not allow two identical SPNs to exist.

This is what I did to resolve the issue.
1. Found out that there is not much benefit in migrating computers with ADMT (except that it was possible to designate the target OU where the migrated account should be placed).
2. Developed a script which used netdom and consisted of three commands:
- Remove the computer from the old domain;
- Delete the computer object in the old domain;
- Add the computer to the new domain.
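Below is an added PowerShell script that carries out those three steps from an admin workstation with RSAT installed; it is my example, not the script from the post, and it adds the checks I would want around the root cause described above: the stale object is deleted and allowed to replicate before the join, and afterwards the new computer object is verified to actually carry HOST/ SPNs. The domain names, the DC name, the target OU and the use of Remove-ADObject for the deletion step (the post does not say which tool it used for that) are all my assumptions.

```powershell
# Added example, not the blog's own script. All names below are placeholders:
#   child.corp.example        = old (child) domain
#   corp.example              = new (parent) domain
#   dc01.child.corp.example   = a DC of the old domain, used to delete the stale object
#   OU=Migrated Workstations,DC=corp,DC=example = target OU in the parent domain
# Requires netdom.exe, setspn.exe and the ActiveDirectory module (RSAT) on the admin host.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [string] $OldDomain   = 'child.corp.example',
    [string] $NewDomain   = 'corp.example',
    [string] $OldDomainDC = 'dc01.child.corp.example',
    [string] $TargetOU    = 'OU=Migrated Workstations,DC=corp,DC=example'
)

# Account names only; /PasswordD:* makes netdom prompt for the password, so it never
# lands on the command line or in the shell history.
$oldAdmin = Read-Host "Account allowed to remove computers from $OldDomain (DOMAIN\user)"
$newAdmin = Read-Host "Account allowed to join computers to $NewDomain (DOMAIN\user)"
$oldCred  = Get-Credential -Message "Credential for deleting computer objects in $OldDomain"

function Invoke-Netdom {
    # Run netdom with the given argument list and stop the script on any non-zero exit code.
    param([string[]] $NetdomArgs)
    & netdom.exe @NetdomArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom $($NetdomArgs[0]) failed with exit code $LASTEXITCODE"
    }
}

foreach ($pc in $ComputerName) {
    Write-Host "=== $pc ==="

    # Step 1: remove the workstation from the old domain (the reboot happens at the join).
    Invoke-Netdom @('remove', $pc, "/Domain:$OldDomain", "/UserD:$oldAdmin", '/PasswordD:*', '/Force')

    # Step 2: delete the old computer object so its SPNs disappear from the forest.
    # Computer objects with child entries (e.g. BitLocker recovery info) need -Recursive.
    $old = Get-ADComputer -Identity $pc -Server $OldDomainDC -Credential $oldCred -ErrorAction SilentlyContinue
    if ($old) {
        Remove-ADObject -Identity $old.DistinguishedName -Server $OldDomainDC `
            -Credential $oldCred -Recursive -Confirm:$false
    }

    # The 2012 R2 SPN uniqueness check consults a global catalog, so the deletion must
    # replicate before the join, or the new account's SPNs can still collide (assumption:
    # 60 s is enough for this forest; adjust to your replication topology).
    Start-Sleep -Seconds 60

    # Sanity check: report any remaining forest-wide duplicate SPN for this host name.
    $hostPattern = 'HOST/' + [regex]::Escape($pc)
    & setspn.exe -X -F | Select-String -Pattern $hostPattern | ForEach-Object {
        Write-Warning "Duplicate SPN still present: $($_.Line)"
    }

    # Step 3: join the new domain, placing the account directly in the target OU
    # (the one thing ADMT gave us), then reboot the workstation after 30 seconds.
    Invoke-Netdom @('join', $pc, "/Domain:$NewDomain", "/OU:$TargetOU",
                    "/UserD:$newAdmin", '/PasswordD:*', '/Reboot:30')

    # Verify that the symptom from this post is gone: the new object must carry HOST/ SPNs.
    $new = Get-ADComputer -Identity $pc -Server $NewDomain -Properties servicePrincipalName
    if (-not ($new.servicePrincipalName -match "^$hostPattern")) {
        Write-Warning "$pc joined $NewDomain but has no HOST/ SPN; expect the trust-relationship error at logon"
    } else {
        Write-Host "$pc OK: $($new.servicePrincipalName.Count) SPNs registered in $NewDomain"
    }
}
```

Run it as `.\Move-ComputerToParentDomain.ps1 -ComputerName WS001,WS002` (the file name is mine). The final Get-ADComputer check is the one that matters: an object that exists but has an empty servicePrincipalName attribute is exactly the half-populated account ADMT left behind, and catching it here is cheaper than discovering it at the user's next logon.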

