Microsoft KB Archive/257623

= The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you upgrade a Windows NT 4.0 primary domain controller to Windows 2000 =

Article ID: 257623

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows Services for UNIX 2.0 Standard Edition
 * Microsoft Exchange Server 4.0 Standard Edition
 * Microsoft Mobile Information Server 2001 Enterprise Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q257623





Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



''After you upgrade a Microsoft Windows NT 4.0 Primary domain controller or member server to Microsoft Windows 2000, the Domain Name System (DNS) suffix of the computer name of the new domain controller may not match the name of its domain. When this problem occurs, you may also experience a variety of other symptoms.

Typically, this problem occurs when the following conditions are true:''
 * You install the original release version of Windows 2000 on a Microsoft Windows NT 4.0 domain controller.
 * A DNS suffix is defined in the Network control panel item of the domain controller.

''To resolve this problem, upgrade the domain controller to Windows 2000 with the latest service pack or to Windows Server 2003. Alternatively, you may use one of the other methods that this article describes.''



SYMPTOMS
After you upgrade a Windows NT 4.0 Primary domain controller or member server to Windows 2000, the DNS suffix of the computer name of the new domain controller may not match the name of its domain.

Additionally, you may experience one or more of the following symptoms:
 * Active Directory replication does not succeed.
 * The File Replication service (FRS) stops responding.
 * When you try to join a computer that is running Microsoft Windows XP Professional to the domain, you receive an error message that is similar to the following:

A domain controller for the domain  could not be contacted.

If you click Details in the message window, you see text that is similar to the following:

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain. The query was for the SRV record for _ldap._tcp.dc._msdcs.DomainName.LOCAL

 * You cannot log on to the domain.
 * When you try to install Active Directory on another member server, you receive an error message that is similar to one of the following messages:

Message 1

The specified domain either does not exist or cannot be contacted

Message 2

A Service Principal Name (SPN) could not be constructed because the provided hostname is not in the necessary format

Message 3

The Directory Service failed to create the server object for CN=NTDS Settings,CN=CLIENT01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=com on server DC01. Please ensure the network credentials provided have sufficient access to add a replica.

Message 4

The operation failed because: failed finding a suitable domain controller for the domain contoso.com. The specified domain either does not exist or could not be contacted.

 * You receive the following errors when you try to use any Active Directory MMC snap-in:

Message 1

Naming information cannot be located because: The logon attempt failed

Message 2

Naming information could not be located because the object name has bad syntax

 * The following events are logged in the System log of a client, member server, or domain controller:

Event ID: 5788

Source: Netlogon

Description: Attempt to update Service Principal Name (SPN) of the computer object in Active Directory failed. The following error occurred: The attribute syntax specified to the directory service is invalid.

Event ID: 5789

Source: Netlogon

Attempt to update DNS Host Name of the computer object in Active Directory failed. The following error occurred: The parameter is incorrect.

 * The following events are logged in the Application log of a client, member server, or domain controller:

Event ID: 1000

Source: Userenv

Description: Windows cannot establish a connection to CONTOSO.COM with (1787).

Event ID: 1000

Source: Userenv

Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.

Event ID: 1000

Source: Userenv

Description: Windows cannot determine the user or computer name. Return value (1326).

Event ID: 5721

Source: Net Logon

Description: The session setup to the Windows NT or Windows 2000 Domain Controller for the domain contoso.com failed because the Domain Controller does not have an account for the computer.

 * You receive the following error message when you install the Recipient Update Service (RUS) in Microsoft Exchange Server:

Only one instance of the Recipient Update Service can update a Domain Controller and all Domain Controllers on contoso.com are being updated. ID No: c1039c6c.

 * In Microsoft Exchange 2000, the Microsoft Exchange System Attendant service does not start, and the following event is logged in the Application log:

Event ID: 9157

Source: MSExchangeSA

Description: Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. System attendant will try again in approximately one minute.

 * You receive the following error message when you try to use the SetSpn command-line tool:

Requested name "contoso\DC01$" not found in directory.

 * Pre-Boot Execution Environment (PXE) clients do not authenticate, even when you use valid domain administrator credentials. When this problem occurs, the Logon Error page in the Client Installation Wizard shows the following information:

00004e28.OSC error - The System cannot validate your User Name Password or Domain

The system cannot validate your user name, password, or domain name. Verify that your user name and domain name are correct, and then retype your password. Passwords must be typed using the correct case. Be sure the CAPS LOCK key is not pressed.

 * When you set up a Mobile Information Server (MIS) server, you receive the following error message after you enter the password for the message processor:

The wizard was interrupted before Mobile Information Server could be completely installed. Your system has not been modified.

Additionally, the following event is logged in the Application log:

Event ID: 10005

Source: MSIInstaller

Description: Product: Mobile Information Server - error 29910 failed to validate user. Error no: 0x0 Error message: The operation completed successfully.

 * When you run the Active Directory Migration Tool (ADMT), the following error is logged in the Migration.log file:

2002-01-23 15:00:34 ERR2:7422 Failed to move object CN=Jsmith, hr=8009030d The credentials supplied to the package were not recognized

 * The Domain Controller Diagnostic Tool (Dcdiag.exe) reports the following errors:

    Starting test: NetLogons
    * Network Logons Privileges Check
    [DC01] An net use or LsaPolicy operation failed with error 1231, The network location cannot be reached

    Starting test: MachineAccount Could not open pipe with
    [DC01]:failed with 1231: The network location cannot be reached. For information about network troubleshooting, see Windows Help. Could not get NetBIOSDomainName Failed can not test for HOST SPN

 * When you use the Small Business Personal Console or Active Directory Users and Computers to create users, and then you mailbox-enable the user, the following problems occur:
 ** E-mail properties are not generated.
 ** SMTP addresses are not generated.
 ** The user does not appear in the global address list (GAL).
 ** The following event is logged in the directory service event log:

Event ID: 1655

Source: NTDS

Description: The attempt to communicate with global catalog \\DC01 failed with the following status: A Service Principal Name (SPN) could not be constructed because the provided hostname is not in the necessary format. The operation in progress might be unable to continue. The directory service will use the locator to try find an available global catalog server for the next operation that requires one.

 * When you install Windows Services for Unix 2.0, you receive the following error message:

error 26065 NIS Schema Upgrade Failed

Note: After Active Directory has been installed on a member server, you cannot rename the computer on the Network Identification tab of Computer Management properties.


CAUSE
These problems may occur when the following conditions are true:
 * You install the original release version of Microsoft Windows 2000 on a Microsoft Windows NT 4.0 domain controller.
 * A DNS suffix is defined in the Network control panel item of the domain controller.

When you install Windows 2000, the Windows 2000 Setup program automatically unchecks the Change primary DNS suffix when domain membership changes check box. Setup also sets the primary DNS suffix to the first suffix that is listed in the Network control panel item. After Active Directory is installed on a member server, the new domain controller tries to resolve the DNS records in the DNS zone that matches its primary DNS suffix.

This problem does not occur if one or more of the following conditions are true:
 * The Windows NT 4.0 domain controller does not have a DNS suffix defined before the upgrade.
 * You upgrade the Windows NT 4.0 domain controller to Windows 2000 with Service Pack 1 (SP1) or a later service pack.
 * You upgrade the Windows NT 4.0 domain controller to Microsoft Windows Server 2003.

If DNS is correctly configured, Windows 2000 and Windows Server 2003 both support a disjoint namespace as a valid configuration. However, this configuration is frequently unintentional.


RESOLUTION
To resolve this problem, upgrade the domain controller to Windows 2000 with the latest service pack or to Windows Server 2003. For more information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Alternatively, use one of the following methods:

Method 1

 * 1) When you upgrade your computer to Windows 2000, quit the Active Directory Installation Wizard as soon as it starts.
 * 2) Click to select the Change primary DNS suffix when domain membership changes check box.
 * 3) Restart the Active Directory Installation Wizard.

Method 2
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Verify whether there is a disjoint namespace, and then fix the namespace. To do this, follow these steps:
 * 1) Right-click My Computer, and then click Properties.
 * 2) In the Properties dialog box, click the Computer Name tab.

If the DNS suffix of the computer name does not match the domain name, there is a disjoint namespace. The following three examples illustrate disjoint namespaces:
 * Full computer name: dc01.fabrikam.com; Domain: contoso.com
 * Full computer name: dc01.corp.contoso.com; Domain: contoso.com
 * Full computer name: dc01; Domain: contoso.com

Alternatively, you can use the Netdiag.exe command-line tool to verify whether there is a disjoint namespace. If the DNS suffix in the DNS host name does not match the DNS domain name in Netdiag, there is a disjoint namespace. The following three examples illustrate disjoint namespaces:
 * DNS Host Name: dc01.fabrikam.com; DNS Domain Name: contoso.com
 * DNS Host Name: dc01.corp.contoso.com; DNS Domain Name: contoso.com
 * DNS Host Name: dc01; DNS Domain Name: contoso.com
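The comparison described above, as an added example that is not part of the Microsoft article: it sorts host/domain pairs into the three disjoint cases the article lists and also accepts the domain as a distinguished name. The function names and the sample text are assumptions constructed for illustration; lines with other labels are ignored.

```python
import re
# Constructed sample: the article's three disjoint pairs plus one healthy pair.
SAMPLE = """\
DNS Host Name: dc01.fabrikam.com
DNS Domain Name: contoso.com
DNS Host Name: dc01.corp.contoso.com
DNS Domain Name: contoso.com
DNS Host Name: dc01
DNS Domain Name: contoso.com
DNS Host Name: DC02.Contoso.COM.
DNS Domain Name: contoso.com
"""

def domain_from_dn(dn):
    """Join the DC= components of a distinguished name into a DNS name."""
    labels = re.findall(r"(?:^|(?<!\\),)\s*DC=([^,]+)", dn, flags=re.I)
    if not labels:
        raise ValueError("no DC= components in %r" % dn)
    return ".".join(label.strip().lower() for label in labels)

def classify(host_name, domain_name):
    """Compare the DNS suffix of a full computer name with the domain name."""
    host = host_name.strip().rstrip(".").lower()
    domain = domain_name.strip().rstrip(".").lower()
    if "dc=" in domain:  # the domain was given as a distinguished name
        domain = domain_from_dn(domain)
    suffix = host.partition(".")[2]
    if suffix == domain:
        return "match"
    if not suffix:
        return "disjoint: no DNS suffix"
    if suffix.endswith("." + domain):
        return "disjoint: suffix is a child of the domain"
    return "disjoint: different suffix"

def audit(text):
    """Pair each 'DNS Host Name' line with the next 'DNS Domain Name' line."""
    results, host = [], None
    for line in text.splitlines():
        label, _, value = (part.strip() for part in line.partition(":"))
        if label.lower() == "dns host name" and value:
            host = value
        elif label.lower() == "dns domain name" and value and host is not None:
            results.append((host, value, classify(host, value)))
            host = None
    return results

if __name__ == "__main__":
    print("\n".join("%s | %s | %s" % row for row in audit(SAMPLE)))
```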

If the DNS name has a single label, and your computer is running Windows 2000 with Service Pack 4 (SP4), Windows XP, or Windows Server 2003, use the AllowSingleLabelDnsDomain registry entry to resolve the problem. For example, if the domain name is "contoso" and is not "contoso.com," the DNS name has a single label. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

300684 Information about configuring Windows for domains with single-label DNS names

If there is a disjoint namespace, follow these steps to fix it:
 * 1) Log on to the domain controller by using an account that has domain administrator credentials.
 * 2) Paste the following code into Notepad. Then, save the file as Fixdomainsuffix.vbs.

    Const ADS_PROPERTY_CLEAR = 1

    ' Ask for confirmation before anything is changed.
    Answer = MsgBox("This script will change the Domain Suffix of this computer" & vbCrLf & _
                    "to equal the AD Domain name that this DC is a member of."    & vbCrLf & _
                    "This script can only be run on a Windows 2000 DC by an"      & vbCrLf & _
                    "Administrator of the Domain.  You must reboot this computer" & vbCrLf & _
                    "after the script completes."                                 & vbCrLf & _
                                                                                    vbCrLf & _
                    "Choose ""OK"" to continue ""Cancel"" to stop processing the script", vbOKCancel, _
                    "Change DNS Suffix to match AD Domain")

    If Answer = vbCancel Then WScript.Quit

    ' Read the domain's distinguished name and drop the leading "DC=".
    Set Cont = GetObject("LDAP://localhost")
    strTemp = Cont.distinguishedName
    strTemp = Mid(strTemp, 4, Len(strTemp))

    ' Replace each remaining ",DC=" with "." to form the DNS domain name.
    Set regEx = New RegExp
    regEx.Global = True
    regEx.IgnoreCase = True
    regEx.Pattern = ",DC="
    strTemp = regEx.Replace(strTemp, ".")

    ' Write the DNS suffix values and set SyncDomainWithMembership to 1.
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain", strTemp, "REG_SZ"
    WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain", strTemp, "REG_SZ"
    WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SyncDomainWithMembership", 1, "REG_DWORD"

    ' Clear dNSHostName and servicePrincipalName on this domain controller's computer object.
    Set Cont = GetObject("LDAP://localhost/RootDSE")
    Set Cont = GetObject("LDAP://" & Cont.serverName)
    Set Cont = GetObject("LDAP://" & Cont.serverReference)
    Cont.PutEx ADS_PROPERTY_CLEAR, "dNSHostName", vbNull
    Cont.PutEx ADS_PROPERTY_CLEAR, "servicePrincipalName", vbNull
    Cont.SetInfo

    ' Offer to restart the domain controller now.
    Answer = MsgBox("The computer needs to be rebooted for the changes to take effect. Would you like the DC to be rebooted now?", _
                    vbYesNo, "Reboot now?")
    If Answer = vbYes Then
        Set OpSysSet = GetObject("winmgmts:{(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
        For Each OpSys In OpSysSet
            OpSys.Reboot
        Next
    End If

Note This script automatically modifies the following registry subkey:

The following table lists the entries in this subkey.

 * 3) Double-click the file that you saved in step 2.
 * 4) Restart the domain controller.


MORE INFORMATION
To use a disjoint namespace, the DNS servers that are used by domain controllers, member servers, and clients must be able to resolve records in the following DNS zones:
 * DNS zones that are the same as the fully qualified domain that the computer account resides in
 * The primary DNS suffix zones that are defined in the forest


© Microsoft Corporation. All rights reserved.