Computer Account Migration Issue
shednik
Member Posts: 2,005
Alright I got a good one for you....So I travel with the windows group to New Jersey for a major 600 user migration from one domain to another. Well things were going well until yesterday, we migrated about 115 accounts Tuesday nights, via ADMT and they all reported to have been migrated successfully. The next day probably about 40 of the migrated PCs are having issues with the computer account stating any one of the the error messages from MS about not being able to contact the domain, computer account missing etc... When looking in AD the computer account still exists, the way to fix the issue was a manual remove and re-add to the domain. There were a few we migrated manually that still had this issue. We concluded it was an issue with one of the DCs in the event log it shows a number of kerberos errors where the computer password didn't match or something similar to that. I don't have the error or access to the server at them moment, but I was wondering if anyone had experienced this and what they did to resolve it. Any input would be greatly appreciated.
Thanks
Thanks
Comments
No its still an object in the old domain, the client shows the new list of domain options but only a manual re-add seems to fix it. Its starting to make this project move alot slower, we fixed the issue so it won't happen by changing the priority but thats just for the time being.
#1
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 7
Date: 5/14/2008
Time: 9:05:01 AM
User: N/A
Computer: [Computer Name]
Description:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was [Computer Name]$@DOMAIN and lookup type 0x28.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
#2
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 5/13/2008
Time: 6:58:32 PM
User: N/A
Computer: [DC With Issues]
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server [Computer Account That Was Migrated]$. The target name used was cifs/[Computer Account That Was Migrated]. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (Domain Name), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
We checked the link didn't have any more info...so if anyone has any ideas let me know
Usually a 0x18 is a bad computer password. But your second error indicates not a computer password, but a kerberos ticket encryption password.....
Silly question:
Did the existing domain already have computers with those names?
Nope the end goal was we want the company we acquired to become part of one of our domains and shut down theirs. I googled the errors for a bit and didn't come up with anything really.
Yep pretty much the ADMT tool does that and I believe it preforms the security translation for the user so when they log in with their new accounts they still have their old profile and through SID history will have the same rights as their previous accounts from the one way trust thats set up. A lot of the changes were a little over my head because of my lack of knowledge and experience with some MS products.