Intra-forest AD migration: One more pre-requisite to consider

After doing intra-forest migrations for many years, I recently ran into a new pre-requisite which I would like to share in this article. It all started with the following computer migration error: "Error 0x000021C7. The operation failed because SPN value provided for addition/modification is not unique forest-wide." User migrations were failing as well, referencing duplicate UPNs. This is where I started digging.

As it turns out, I had been lucky not to encounter forests with 2012 R2 DCs during intra-forest migrations, or the proper setting was already configured in the forest. Basically, starting with 2012 R2, Microsoft enabled a forest-wide SPN / UPN uniqueness check whenever one of these attributes is added or modified. This makes total sense because these values are supposed to be unique within a single forest. And our migration product (QMM) certainly knows that: it does a UPN "transfer" operation, removing the value from the Source object while putting it on the Target, and the SPN attribute is either skipped or the Source object is deleted shortly after migration. However, AD still complains and refuses to proceed whenever the value is written to the Target while the Source object still holds it. Microsoft has it described here:

https://support.microsoft.com/en-us/help/3070083/duplicate-spn-check-on-windows-server-2012-r2-based-domain-controller

To temporarily disable this behavior forest-wide during migration:

  • Apply Microsoft hotfix KB 3070083 to each 2012 R2 DC in the forest (a reboot is required!). If there are no 2012 R2 DCs in the environment, this step can simply be skipped, which was my case with all Server 2016 DCs.
  • Change the dSHeuristics attribute per these steps using ADSI Edit:
    • In the left pane of ADSIEdit, right-click ADSI Edit and select Connect to from the menu.
    • Select Configuration from the Select a well-known Naming Context menu and click OK.
    • In the left pane, expand Configuration, CN=Services, CN=Windows NT. In the right pane, right-click CN=Directory Service, and select Properties from the menu.
    • In the CN=Directory Service Properties dialog box, select dSHeuristics on the Attribute Editor tab and click Edit.
    • In the String Attribute Editor dialog box, if the attribute is currently <not set>, type 000000000100000000023 to disable the NETBIOS based SPN and UPN uniqueness check, and click OK. The 21st character is the one that matters: 3 disables both checks, 1 disables only the UPN check and 2 only the SPN check, while the 10th and 20th characters must always stay 1 and 2. If dSHeuristics already has a value, change only the 21st character (padding with zeros if the string is shorter), so that other forest-wide settings held in the same string are not overwritten.
    • Click OK in the CN=Directory Service Properties dialog box and close ADSI Edit.
    • Once the migration is complete, set the 21st character back to 0. While it is 3, AD accepts duplicate SPNs and UPNs, which is exactly the condition the check exists to prevent.
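The same change done from PowerShell, as an added example that is not part of the original article and not Quest's QMM tooling. It edits only the 21st character of dSHeuristics (keeping whatever is already set in the other positions), and adds a forest-wide duplicate SPN/UPN report so that the check can be turned back on safely afterwards. It assumes the RSAT ActiveDirectory module, rights to write the Configuration naming context, and a reachable Global Catalog; the function names are my own.

```powershell
# Added example, not from the original article or from Quest's QMM tooling.
# Requires the RSAT ActiveDirectory module and rights to write the Configuration
# NC (Enterprise Admins). Function names are my own.
Import-Module ActiveDirectory

# The object holding dSHeuristics lives in the Configuration NC, so one write
# replicates to every DC in the forest.
function Get-DirectoryServiceObject {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                 -Properties dSHeuristics
}

function Set-UpnSpnUniquenessCheck {
    # Mode is the 21st dSHeuristics character:
    # 0 = verify both (default), 1 = skip UPN check, 2 = skip SPN check, 3 = skip both
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('0','1','2','3')][string]$Mode)

    $ds      = Get-DirectoryServiceObject
    $current = [string]$ds.dSHeuristics          # <not set> arrives as $null -> ''
    # dSHeuristics is a single positional string. Pad to 21 characters with '0'
    # and change only position 21 so flags already set elsewhere survive.
    $chars     = $current.PadRight(21, '0').ToCharArray()
    $chars[9]  = '1'     # position 10 must always be '1'
    $chars[19] = '2'     # position 20 must always be '2'
    $chars[20] = $Mode   # position 21: DoNotVerifyUPNAndOrSPNUniqueness
    $new = -join $chars

    if ($PSCmdlet.ShouldProcess($ds.DistinguishedName, "dSHeuristics '$current' -> '$new'")) {
        Set-ADObject -Identity $ds.DistinguishedName -Replace @{ dSHeuristics = $new }
    }
    return $new
}

# Forest-wide duplicate report. Query a Global Catalog (port 3268) so every
# domain is covered; both attributes are part of the GC partial attribute set.
function Find-DuplicatePrincipalNames {
    $gc   = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    $objs = Get-ADObject -Server "${gc}:3268" `
                -LDAPFilter '(|(servicePrincipalName=*)(userPrincipalName=*))' `
                -Properties servicePrincipalName, userPrincipalName

    $rows = foreach ($o in $objs) {
        foreach ($s in $o.servicePrincipalName) {
            [pscustomobject]@{ Kind = 'SPN'; Value = $s; Object = $o.DistinguishedName }
        }
        if ($o.userPrincipalName) {
            [pscustomobject]@{ Kind = 'UPN'; Value = $o.userPrincipalName; Object = $o.DistinguishedName }
        }
    }
    # Group-Object compares case-insensitively, matching how AD compares SPNs/UPNs.
    $rows | Group-Object Kind, Value | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Kind    = $_.Group[0].Kind
            Value   = $_.Group[0].Value
            Count   = $_.Count
            Objects = ($_.Group.Object -join '; ')
        }
    }
}

# Typical flow around a migration wave (the writes are left commented out):
Set-UpnSpnUniquenessCheck -Mode 3 -WhatIf        # preview the new string first
# Set-UpnSpnUniquenessCheck -Mode 3              # disable both checks forest-wide
# ... run the QMM migration wave ...
Find-DuplicatePrincipalNames | Format-Table -AutoSize   # must be empty before re-enabling
# Set-UpnSpnUniquenessCheck -Mode 0              # restore the default check
```

Run the report before switching the 21st character back to 0: while it is 3, AD will happily store a second object with the same SPN or UPN, and the resulting duplicates break Kerberos for that service (the KDC cannot tell which account's key to use) and make UPN logons ambiguous. The report only tells you what exists; clearing the leftover values on the Source objects is still a migration task.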
