Computer Account Migration Issue

Alright, I got a good one for you... So I travel with the Windows group to New Jersey for a major 600-user migration from one domain to another. Well, things were going well until yesterday. We migrated about 115 accounts Tuesday night via ADMT, and they all reported to have been migrated successfully. The next day, probably about 40 of the migrated PCs are having issues with the computer account, stating any one of the error messages from MS about not being able to contact the domain, computer account missing, etc. When looking in AD, the computer account still exists; the way to fix the issue was a manual remove and re-add to the domain. There were a few we migrated manually that still had this issue. We concluded it was an issue with one of the DCs; in the event log it shows a number of Kerberos errors where the computer password didn't match or something similar to that. I don't have the error or access to the server at the moment, but I was wondering if anyone had experienced this and what they did to resolve it. Any input would be greatly appreciated.


Thanks

Comments

  • gojericho0 Member Posts: 1,059
    If it was a Kerberos issue it could be many things. I had a Kerberos issue before where new PCs couldn't connect to the domain, but fortunately it was only a time skew issue. I've never used ADMT before, but does it remove the PC from the old domain first then try to join the new one? I was just wondering if the clients possibly thought they still belong to the old Kerberos domain (Windows domain)
  • shednik Member Posts: 2,005
    gojericho0 wrote:
    If it was a Kerberos issue it could be many things. I had a Kerberos issue before where new PCs couldn't connect to the domain, but fortunately it was only a time skew issue. I've never used ADMT before, but does it remove the PC from the old domain first then try to join the new one? I was just wondering if the clients possibly thought they still belong to the old Kerberos domain (Windows domain)

    No, it's still an object in the old domain. The client shows the new list of domain options, but only a manual re-add seems to fix it. It's starting to make this project move a lot slower. We fixed the issue so it won't happen by changing the priority, but that's just for the time being.
  • dynamik Banned Posts: 12,312
    So are you having problems with all the computer accounts? You made it sound like it was just a portion of them, which is what confused me.
  • gojericho0 Member Posts: 1,059
    If you get a chance could you post the event log error/warning?
  • shednik Member Posts: 2,005
    It's only a portion of the migrated PCs. I'll take a look at the event log and post it soon.
  • shednik Member Posts: 2,005
    Alright here are 2 event log messages, the 2nd one appears around 40 times which is close to the number of computer accounts we had issues with.

    #1
    Event Type: Error
    Event Source: KDC
    Event Category: None
    Event ID: 7
    Date: 5/14/2008
    Time: 9:05:01 AM
    User: N/A
    Computer: [Computer Name]
    Description:

    The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was [Computer Name]$@DOMAIN and lookup type 0x28.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    #2
    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 4
    Date: 5/13/2008
    Time: 6:58:32 PM
    User: N/A
    Computer: [DC With Issues]

    Description:

    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server [Computer Account That Was Migrated]$. The target name used was cifs/[Computer Account That Was Migrated]. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (Domain Name), and the client realm. Please contact your system administrator.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    We checked the link and it didn't have any more info... so if anyone has any ideas let me know :)
  • sprkymrk Member Posts: 4,884
    The 0x28 error code is listed as "Invalid msg type".

    Usually a 0x18 is a bad computer password. But your second error indicates not a computer password, but a Kerberos ticket encryption password...

    Silly question:
    Did the existing domain already have computers with those names?
    All things are possible, only believe.
  • shednik Member Posts: 2,005
    sprkymrk wrote:
    The 0x28 error code is listed as "Invalid msg type".

    Usually a 0x18 is a bad computer password. But your second error indicates not a computer password, but a Kerberos ticket encryption password...

    Silly question:
    Did the existing domain already have computers with those names?

    Nope, the end goal was we want the company we acquired to become part of one of our domains and shut down theirs. I Googled the errors for a bit and didn't come up with anything really.
  • macdude Member Posts: 173
    Let me see if I understand. You moved computer A from Domain A to Domain B and it still had the name of Computer A and you couldn't log on Domain B? Is that correct?
  • shednik Member Posts: 2,005
    macdude wrote:
    Let me see if I understand. You moved computer A from Domain A to Domain B and it still had the name of Computer A and you couldn't log on Domain B? Is that correct?

    Yep, pretty much; the ADMT tool does that, and I believe it performs the security translation for the user, so when they log in with their new accounts they still have their old profile and through SID history will have the same rights as their previous accounts from the one-way trust that's set up. A lot of the changes were a little over my head because of my lack of knowledge and experience with some MS products.
  • royal Member Posts: 3,352
    There's lots of info for those errors over on eventid.net. Lots of suggestions. Give it a try and maybe you'll come up with something that works.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • macdude Member Posts: 173
    What about user accounts? Did they get moved over to the new domain, or is this a child domain?
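
As an added example (not code from any poster in the thread): the Python below reads a text export of the System log in the layout posted above, keeps only the Kerberos event ID 4 entries that report KRB_AP_ERR_MODIFIED, and counts them per machine account, which gives the list of migrated computers the DC is complaining about. The host names, realm and function names are constructed for illustration.

```python
import re
from collections import Counter

MODIFIED = re.compile(r"KRB_AP_ERR_MODIFIED error from the server\s+(\S+?)\$?\.\s+"
                      r"The target name used was\s+(\S+?)\.\s")
FIELD = re.compile(r"(?m)^\s*(Event Source|Event ID|Computer):\s*(.+?)\s*$")

def modified_failures(export_text):
    """Return (reporting_host, machine_account, target_name) per Kerberos event 4."""
    hits = []
    for record in re.split(r"(?m)^(?=[ \t]*Event Type:)", export_text):
        fields = dict(FIELD.findall(record))
        if fields.get("Event Source") != "Kerberos" or fields.get("Event ID") != "4":
            continue  # skips other sources, e.g. the KDC event ID 7 entry
        match = MODIFIED.search(record)
        if match:
            account = match.group(1).upper()  # account names are case-insensitive
            hits.append((fields.get("Computer", "?"), account, match.group(2)))
    return hits

def accounts_to_review(hits):
    """Count events per machine account so repeated errors collapse to one entry."""
    return Counter(account for _, account, _ in hits)

# --- Constructed sample data: host names and realm are made up ---
def sample_event(source, event_id, computer, description):
    return (f"Event Type: Error\nEvent Source: {source}\nEvent Category: None\n"
            f"Event ID: {event_id}\nUser: N/A\nComputer: {computer}\n"
            f"Description:\n\n{description}\n\n")

def sample_modified(account):
    return ("The kerberos client received a KRB_AP_ERR_MODIFIED error from the "
            f"server {account}$. The target name used was cifs/{account}. This "
            "indicates that the password used to encrypt the kerberos service "
            "ticket is different than that on the target server.")

SAMPLE = (sample_event("Kerberos", 4, "DC02", sample_modified("PC-0101"))
          + sample_event("KDC", 7, "DC02", "The Security Account Manager failed a KDC "
                         "request in an unexpected way. The account name was "
                         "PC-0103$@EXAMPLE and lookup type 0x28.")
          + sample_event("Kerberos", 4, "DC02", sample_modified("PC-0102"))
          + sample_event("Kerberos", 4, "DC02", sample_modified("pc-0101")))

if __name__ == "__main__":
    for name, count in sorted(accounts_to_review(modified_failures(SAMPLE)).items()):
        print(f"{name}$: {count} KRB_AP_ERR_MODIFIED event(s)")
```

Comparing the distinct accounts in the output with the list of PCs that needed a manual re-add shows whether the event count and the affected machines actually line up.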