Active Directory Migration Worked...Sort Of


Rob Milman

We recently migrated our NT 4.0 domain to Active
Directory. It went very well except some servers did not
get the new DNS suffix added to them. This has caused
some problems in our Citrix farm because some of the
servers were not authenticating users properly. They were
allowed to log on but could not do anything.

The Event Log on the affected servers had the following
error.

Event ID: 1000 - The logged on user's forest is different
than the machine's forest. Cross forest group policy
processing is disabled and loopback processing is disabled
and loopback processing has been enforced for this forest
for this user account.

The fix was to put the server into a workgroup and then
join it back to the domain. I'd like to know if I need to
do something different next time I perform a migration.

Thanks,

Rob
 

Buz [MSFT]

This is a common issue. It's also known as Disjointed Namespace.

Here is a sample script that will fix the domain suffix automatically for
you. It does require a reboot:

'*************************************************************
'* FixDomainSuffix.vbs
'*************************************************************

Const ADS_PROPERTY_CLEAR = 1

' Explain what the script does and let the administrator cancel.
Answer = MsgBox("This script will change the Domain Suffix of this computer" & vbCrLf & _
    "to equal the AD Domain name that this DC is a member of." & vbCrLf & _
    "This script can only be run on a Windows 2000 DC by an" & vbCrLf & _
    "Administrator of the Domain. You must reboot this computer" & vbCrLf & _
    "after the script completes." & vbCrLf & _
    vbCrLf & _
    "Choose ""OK"" to continue ""Cancel"" to stop processing the script", _
    vbOKCancel, "Change DNS Suffix to match AD Domain")

If Answer = vbCancel Then WScript.Quit

' Read the domain's distinguished name (DC=corp,DC=example,DC=com)
' and drop the leading "DC=".
Set Cont = GetObject("LDAP://localhost")
strTemp = Cont.distinguishedName
strTemp = Mid(strTemp, 4, Len(strTemp))

' Turn the remaining ",DC=" separators into dots to get the DNS domain name.
Set regEx = New RegExp
regEx.Global = True
regEx.IgnoreCase = True
regEx.Pattern = ",DC="
strTemp = regEx.Replace(strTemp, ".")

' Write the DNS suffix and make it follow domain membership from now on.
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain", strTemp, "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain", strTemp, "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SyncDomainWithMembership", 1, "REG_DWORD"

' Clear dNSHostName and servicePrincipalName on this DC's computer object.
Set Cont = GetObject("LDAP://localhost/RootDSE")
Set Cont = GetObject("LDAP://" & Cont.serverName)
Set Cont = GetObject("LDAP://" & Cont.serverReference)
Cont.PutEx ADS_PROPERTY_CLEAR, "dNSHostName", vbNull
Cont.PutEx ADS_PROPERTY_CLEAR, "servicePrincipalName", vbNull
Cont.SetInfo

' Offer to reboot so the changes take effect.
Answer = MsgBox("The computer needs to be rebooted for the changes to take effect. " & _
    "Would you like the DC to be rebooted now?", _
    vbYesNo, "Reboot now?")
If Answer = vbYes Then
    Set OpSysSet = GetObject("winmgmts:{(Shutdown)}").ExecQuery( _
        "select * from Win32_OperatingSystem where Primary=true")
    For Each OpSys In OpSysSet
        OpSys.Reboot()
    Next
End If

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
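
The mismatch discussed in this thread can be checked for before users hit it. The following is an added example, not part of the original posts or the script above: a read-only PowerShell audit that compares the Tcpip\Parameters values the script writes with the AD domain the computer reports. The function name Test-DnsSuffixMatch and the sample domain names are assumptions made for illustration.

```powershell
# Added example (not from the original thread): read-only disjoint-namespace audit.
# Compares the Tcpip\Parameters values that FixDomainSuffix.vbs writes with the
# AD domain name WMI reports for this computer. Nothing is modified.

function Test-DnsSuffixMatch {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $AdDomain,  # DNS name of the joined AD domain
        [string] $Domain,      # "Domain" value: primary DNS suffix in use now
        [string] $NvDomain,    # "NV Domain" value: suffix applied at next boot
        $Sync                  # "SyncDomainWithMembership"; $null when the value is absent
    )
    $findings = @()
    # -ne on strings is case-insensitive, which matches DNS name comparison.
    if ($Domain -ne $AdDomain) {
        $findings += "Domain='$Domain' differs from AD domain '$AdDomain'"
    }
    if ($NvDomain -ne $AdDomain) {
        $findings += "NV Domain='$NvDomain' differs from AD domain '$AdDomain'"
    }
    # Only an explicit 0 is flagged; an absent value is left unreported.
    if ($null -ne $Sync -and $Sync -eq 0) {
        $findings += 'SyncDomainWithMembership=0: suffix will not follow domain membership'
    }
    [pscustomobject]@{
        AdDomain = $AdDomain
        Disjoint = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Live check on the local machine.
# Assumption: Win32_ComputerSystem.Domain holds the AD DNS domain name when joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    Test-DnsSuffixMatch -AdDomain $cs.Domain -Domain $p.Domain `
        -NvDomain $p.'NV Domain' -Sync $p.SyncDomainWithMembership
} else {
    Write-Warning "$($cs.Name) is not joined to a domain."
}

# Constructed sample: a server still carrying its pre-migration suffix.
Test-DnsSuffixMatch -AdDomain 'corp.example.com' -Domain 'old.example.com' `
    -NvDomain 'old.example.com' -Sync 0
```

Running this on each member server after a migration lists the machines whose suffix did not change, so they can be corrected before logons start failing.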
 
