Saturday, November 7, 2009

Ballad of the Duplicate SPN

So, here's the scenario. We need to replace defective hardware with a new computer. We don't need to restore anything in particular, we're just going to put a new server in with the same name as an old one to save some reconfiguration issues.

Step 1: Dcpromo down the server
Step 2: rename Server1 to Oldserver so there is no conflict
Step 3: rename new server as Server1
Step 4: Join Server1 to domain

So far, so good. However, after joining the domain we get this error:
The security database on the server does not have a security account for this workstation trust relationship

We verified that the computer account was there and tried several combinations of rejoining the domain and deleting the computer account. Nothing resolved it.

After a bunch of searching, it turns out that there is a property of a computer account whose values cannot be repeated in other computer accounts. The servicePrincipalName property cannot have values that conflict with those of other computer accounts. Each computer account should have values that correspond only to its own computer name. However, sometimes when you rename computers, not all entries in the attribute get updated.

You can view the entries for a single computer account by using ADSI Edit. However, that doesn't really help you find conflicts. Instead, you can use this command to list the SPNs for all computer accounts and then look for values that are duplicated under another computer account.

Ldifde -f C:\spn.txt -t 3268 -d dc=domainname,dc=local -l serviceprincipalname -r (serviceprincipalname=*) -p subtree

Looking in this text file we found that the computer account for Oldserver still had references to Server1. We didn't need Oldserver. So, we deleted the computer account for Oldserver and all was good. We could also have used ADSI Edit to change the entries.
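As an added example (not part of the original post), the Python below does the "look for duplicates" step over the file that the ldifde command exports: it parses the LDIF, groups SPNs by computer account, and reports both SPNs registered under more than one account and SPNs whose host part does not match the account holding them. The LDIF sample is constructed to mirror the Oldserver/Server1 situation, and matching the account by its CN is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of a `ldifde -l serviceprincipalname` export (not real output).
# Oldserver still carries the HOST/Server1 entries left over from the rename.
SAMPLE_LDIF = """\
dn: CN=Oldserver,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST/Oldserver
servicePrincipalName: HOST/Server1
servicePrincipalName: HOST/Server1.domainname.local

dn: CN=Server1,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST/Server1
servicePrincipalName: HOST/Server1.domainname.local
"""

def parse_spns(ldif_text):
    """Map each computer account's CN (lower-cased) to the set of SPNs exported for it."""
    spns = defaultdict(set)
    cn = None
    unfolded = re.sub(r"\n ", "", ldif_text)  # LDIF folds long values onto lines starting with a space
    for line in unfolded.splitlines():
        if line.lower().startswith("dn: "):
            m = re.match(r"dn: CN=([^,]+),", line, re.IGNORECASE)  # assumption: CN is the computer name
            cn = m.group(1).lower() if m else None
        elif cn and line.lower().startswith("serviceprincipalname: "):
            spns[cn].add(line.split(": ", 1)[1].strip())
    return spns

def find_conflicts(spns):
    """Return (duplicates, foreign): SPNs held by more than one account, and per-account
    SPNs whose host part (service/host[:port]) is not the account's own name."""
    owners = defaultdict(set)
    for cn, values in spns.items():
        for spn in values:
            owners[spn.lower()].add(cn)
    duplicates = {spn: sorted(cns) for spn, cns in owners.items() if len(cns) > 1}
    foreign = {}
    for cn, values in spns.items():
        for spn in sorted(values):
            parts = spn.split("/", 1)
            if len(parts) < 2:
                continue
            host = re.split(r"[:/]", parts[1])[0].split(".")[0].lower()  # strip port and DNS suffix
            if host != cn:
                foreign.setdefault(cn, []).append(spn)
    return duplicates, foreign
```

Run it against the real C:\spn.txt by replacing SAMPLE_LDIF with the file contents; any account listed under `foreign` is the one whose stale entries need deleting or editing in ADSI Edit.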
