Microsoft, Server Technologies

ADMT computer migration to new domain.

When using ADMT 3.1 (Active Directory Migration Tool) to migrate a computer from one domain to a new domain, you may experience the error – “The security database on the server does not have a computer account for this workstation trust relationship.”

My environment is 2003 forest -> 2008 forest and 2008 child domain at 2003 native. I think this is irrelevant in this instance though.

However, if you ARE migrating between domains, it’s pretty important that you update the DHCP server (or set it manually on the computer’s NIC) so that DNS points at the new DNS server. If you have trusts and DNS configured properly this shouldn’t matter too much, but it certainly is best practice.

Also, and probably more importantly: if you have any Group Policy configuration that sets the primary DNS suffix to OLDDOMAIN, it will stay in effect after the migration and probably cause the breakage discussed here.

Anyway, onto the fix.

If you fire up ADSIEdit.msc on the target domain after migration, check out the properties of the computer object that you migrated and look for the attribute – servicePrincipalName

You need to make sure that there are values in there of:
HOST/THECOMPUTERNAME
HOST/THECOMPUTERNAME.NEWDOMAIN
TERMSRV/THECOMPUTERNAME
TERMSRV/THECOMPUTERNAME.NEWDOMAIN

.. chances are only the TERMSRV records will exist.

This solved the trust issues here.
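The same check can be scripted instead of done by hand in ADSIEdit. The PowerShell below is an added example, not part of the original post: it reads servicePrincipalName from the migrated computer object over ADSI, lists which of the four expected values are missing, and writes them only when `-Fix` is given. `WS01` and `newdomain.example` are placeholder names.

```powershell
# Added example: audit (and optionally repair) SPNs on a migrated computer object.
# 'WS01' and 'newdomain.example' are placeholders, not values from the post.
param(
    [string]$ComputerName = 'WS01',
    [string]$NewDomain    = 'newdomain.example',
    [switch]$Fix
)

function Get-ExpectedSpn {
    param([string]$Name, [string]$Domain)
    # The four values the post says must be present: short and FQDN forms
    foreach ($class in 'HOST', 'TERMSRV') {
        "$class/${Name}"
        "$class/${Name}.${Domain}"
    }
}

function Get-MissingSpn {
    param([string[]]$Expected, [string[]]$Actual)
    # -notcontains is case-insensitive, which matches how SPNs are compared
    $Expected | Where-Object { $Actual -notcontains $_ }
}

# Find the computer object in the target (new) domain
$root     = [ADSI]"LDAP://$NewDomain"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
$result = $searcher.FindOne()
if (-not $result) { throw "Computer $ComputerName not found in $NewDomain" }

$actual   = @($result.Properties['serviceprincipalname'])
$expected = @(Get-ExpectedSpn -Name $ComputerName -Domain $NewDomain)
$missing  = @(Get-MissingSpn -Expected $expected -Actual $actual)

if ($missing.Count -eq 0) { "All expected SPNs present on $ComputerName"; return }
"Missing SPNs on ${ComputerName}:"
$missing | ForEach-Object { "  $_" }

if ($Fix) {
    # Append only the missing values; existing SPNs are left untouched
    $entry = $result.GetDirectoryEntry()
    foreach ($spn in $missing) { [void]$entry.Properties['servicePrincipalName'].Add($spn) }
    $entry.CommitChanges()
    "Added $($missing.Count) SPN(s) to $ComputerName"
}
```

Run it without `-Fix` first to see what is missing; writing the attribute needs an account with write access to the computer object in the target domain.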
