ADMT 3.2 ServicePrincipalName duplicates – Users unable to logon

Hello everyone,

We are doing an intra-forest migration using ADMT 3.2 (the version with 2012 R2 support, as the colleague who installed it told me). Domain controllers are running Windows Server 2012 R2 and Windows Server 2003. Clients are running Windows 7. When migrating computer objects we experience the following:

When the migrated computer boots and joins the destination domain it throws NETLOGON events 5788 and 5789. As a result, the destination computer object does not have a single SPN registered. Because the HOST and RestrictedKrbHost SPNs are missing, no user is able to log on to the machine.

After investigating the issue I think I found the cause of the problem. Please correct me if I'm wrong:

When ADMT migrates a computer account it does not clear the SPNs that are registered for the source computer account. Because of the new Server 2012 R2 feature that prevents the registration of duplicate SPNs in the forest (described here: http://technet.microsoft.com/en-us/library/dn535779.aspx), the migrated computer cannot register its SPNs during its first boot in the new domain (which leads to 5788 and 5789).

Let’s assume we have a client called client1.emea.contoso.com. This client has the following SPNs registered:

  • HOST/client1
  • HOST/client1.emea.contoso.com
  • RestrictedKrbHost/client1
  • RestrictedKrbHost/client1.emea.contoso.com

When the client is migrated to us.contoso.com it will try to register the following SPNs for its account:

  • HOST/client1
  • HOST/client1.us.contoso.com
  • RestrictedKrbHost/client1
  • RestrictedKrbHost/client1.us.contoso.com

Because the SPNs HOST/client1 and RestrictedKrbHost/client1 are not unique in the forest, their registration is blocked by the Server 2012 R2 DC. The registration of HOST/client1.us.contoso.com and RestrictedKrbHost/client1.us.contoso.com is blocked as well, because the client tries to register the Service/Hostname and Service/FQDN records at the same time and both fail in the process. This leads to a Kerberos failure for interactive logon. Because of the security feature of Windows Vista and above which prevents fallback to NTLM for interactive logons, mentioned here http://support.microsoft.com/kb/2015518, no logon is possible under this condition.

Note:

Windows Server 2008 R2 DCs, which do not have the above-mentioned "SPN uniqueness testing" feature, just let the newly booted client register the duplicate SPNs for HTTP/client1 and RestrictedKrbHost/client1.

What ought we to do now? Currently we work around this issue by manually deleting the SPNs on the computer object in the source domain. This does not seem to be the optimal solution to me. Am I missing something? Did I forget something?

Thanks and best regards,

Steven
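A pre-migration check for the condition described in the post above, added here as an example and not code from the original post or from ADMT: it lists every object in the forest that already holds an SPN the migrated computer will try to register on first boot, and can optionally strip those values from the source computer account (the workaround the post describes) under `-WhatIf`/`-Confirm` control. It assumes the ActiveDirectory PowerShell module and a reachable global catalog; the default names (`client1`, `emea.contoso.com`, `us.contoso.com`) are constructed sample values taken from the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a global catalog reachable on port 3268. Default names are sample values.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ComputerName = 'client1',
    [string]$SourceDomain = 'emea.contoso.com',
    [string]$TargetDomain = 'us.contoso.com',
    [switch]$RemoveFromSource   # apply the post's workaround on the source object
)
Import-Module ActiveDirectory

# SPNs the computer registers on its first boot after joining the target domain.
$wanted = @(
    "HOST/$ComputerName",
    "HOST/$ComputerName.$TargetDomain",
    "RestrictedKrbHost/$ComputerName",
    "RestrictedKrbHost/$ComputerName.$TargetDomain"
)

# Search the whole forest through a global catalog: the 2012 R2 uniqueness check
# rejects a value that is already present on any other object in the forest.
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$conflicts = foreach ($spn in $wanted) {
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server "${gc}:3268" -SearchBase '' |
        ForEach-Object { [pscustomobject]@{ SPN = $spn; Holder = $_.DistinguishedName } }
}

if (-not $conflicts) {
    Write-Output "No object in the forest holds any of the SPNs; first boot should register them cleanly."
    return
}
Write-Output "Existing holders of the SPNs the migrated computer needs (expect 5788/5789 on first boot):"
$conflicts | Format-Table -AutoSize

if ($RemoveFromSource) {
    # Only values actually present on the source account are removed; typically the
    # short-name SPNs HOST/<name> and RestrictedKrbHost/<name> are the overlapping ones.
    $src = Get-ADComputer -Identity $ComputerName -Server $SourceDomain -Properties servicePrincipalName
    $toRemove = @($src.servicePrincipalName | Where-Object { $_ -in $wanted })
    if ($toRemove.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($src.DistinguishedName, "Remove SPNs: $($toRemove -join ', ')")) {
        Set-ADComputer -Identity $src -Server $SourceDomain -ServicePrincipalNames @{ Remove = $toRemove }
    }
}
```

Run it read-only first (no switch) against each computer scheduled for migration, and use `-RemoveFromSource -WhatIf` to preview the removal before applying it.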