Article ID: 257623
Article Last Modified on 12/3/2007
APPLIES TO
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
- Microsoft Windows Services for UNIX 2.0 Standard Edition
- Microsoft Exchange Server 4.0 Standard Edition
- Microsoft Mobile Information Server 2001 Enterprise Edition
- Microsoft Windows Small Business Server 2003 Standard Edition
This article was previously published under Q257623
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
After you upgrade a Microsoft Windows NT 4.0 Primary domain controller or member server to Microsoft Windows 2000, the Domain Name System (DNS) suffix of the computer name of the new domain controller may not match the name of its domain. When this problem occurs, you may also experience a variety of other symptoms.
Typically, this problem occurs when the following conditions are true:
- You install the original release version of Windows 2000 on a Microsoft Windows NT 4.0 domain controller.
- A DNS suffix is defined in the Network control panel item of the domain controller.
To resolve this problem, upgrade the domain controller to Windows 2000 with the latest service pack or to Windows Server 2003. Alternatively, you may use one of the other methods that this article describes.
SYMPTOMS
After you upgrade a Windows NT 4.0 Primary domain controller or member server to Windows 2000, the DNS suffix of the computer name of the new domain controller may not match the name of its domain.
Additionally, you may experience one or more of the following symptoms:
- Active Directory replication does not succeed.
- The File Replication service (FRS) stops responding.
- When you try to join a computer that is running Microsoft Windows XP Professional to the domain, you receive an error message that is similar to the following:
If you click Details in the message window, you see text that is similar to the following:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain DomainName.local. The query was for the SRV record for _ldap._tcp.dc._msdcs.DomainName.LOCAL
- You cannot log on to the domain.
- When you try to install Active Directory on another member server, you receive an error message that is similar to one of the following messages:
Message 1
Message 2
Message 3
Message 4
- You receive the following errors when you try to use any Active Directory MMC snap-in:
Message 1
Message 2
- The following events are logged in the System log of a client, member server, or domain controller:
Event ID: 5788
Source: Netlogon
Description: Attempt to update Service Principal Name (SPN) of the computer object in Active Directory failed. The following error occurred: The attribute syntax specified to the directory service is invalid.

Event ID: 5789
Source: Netlogon
Description: Attempt to update DNS Host Name of the computer object in Active Directory failed. The following error occurred: The parameter is incorrect.
- The following events are logged in the Application log of a client, member server, or domain controller:
Event ID: 1000
Source: Userenv
Description: Windows cannot establish a connection to CONTOSO.COM with (1787).

Event ID: 1000
Source: Userenv
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.

Event ID: 1000
Source: Userenv
Description: Windows cannot determine the user or computer name. Return value (1326).

Event ID: 5721
Source: Net Logon
Description: The session setup to the Windows NT or Windows 2000 Domain Controller for the domain contoso.com failed because the Domain Controller does not have an account for the computer ComputerName.
- You receive the following error message when you install the Recipient Update Service (RUS) in Microsoft Exchange Server:
In Microsoft Exchange 2000, the Microsoft Exchange System Attendant service does not start, and the following event is logged in the Application log:
Event ID: 9157
Source: MSExchangeSA
Description: Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. System attendant will try again in approximately one minute.
- You receive the following error message when you try to use the SetSpn command-line tool:
- Pre-Boot Execution Environment (PXE) clients do not authenticate, even when you use valid domain administrator credentials. When this problem occurs, the Logon Error page in the Client Installation Wizard shows the following information:
- When you set up a Mobile Information Server (MIS) server, you receive the following error message after you enter the password for the message processor:
The wizard was interrupted before Mobile Information Server could be completely installed. Your system has not been modified.
Additionally, the following event is logged in the Application log:
Event ID: 10005
Source: MSIInstaller
Description: Product: Mobile Information Server - error 29910 failed to validate user. Error no: 0x0 Error message: The operation completed successfully.
- When you run the Active Directory Migration Tool (ADMT), the following error is logged in the Migration.log file:
- The Domain Controller Diagnostic Tool (Dcdiag.exe) reports the following errors:
- When you use the Small Business Personal Console or Active Directory Users and Computers to create users, and then you mailbox-enable the user, the following problems occur:
- E-mail properties are not generated.
- SMTP addresses are not generated.
- The user does not appear in the global address list (GAL).
The following event is logged in the directory service event log:
Event ID: 1655
Source: NTDS
Description: The attempt to communicate with global catalog \\DC01 failed with the following status: A Service Principal Name (SPN) could not be constructed because the provided hostname is not in the necessary format. The operation in progress might be unable to continue. The directory service will use the locator to try find an available global catalog server for the next operation that requires one.
- When you install Windows Services for Unix 2.0, you receive the following error message:
Note After Active Directory has been installed on a member server, you cannot rename the computer on the Network Identification tab of Computer Management properties.
CAUSE
These problems may occur when the following conditions are true:
- You install the original release version of Microsoft Windows 2000 on a Microsoft Windows NT 4.0 domain controller.
- A DNS suffix is defined in the Network control panel item of the domain controller.
When you install Windows 2000, the Windows 2000 Setup program automatically unchecks the Change primary DNS suffix when domain membership changes check box. Setup also sets the primary DNS suffix to the first suffix that is listed in the Network control panel item. After Active Directory is installed on a member server, the new domain controller tries to resolve the DNS records in the DNS zone that matches its primary DNS suffix.
This problem does not occur if one or more of the following conditions are true:
- The Windows NT 4.0 domain controller does not have a DNS suffix defined before the upgrade.
- You upgrade the Windows NT 4.0 domain controller to Windows 2000 with Service Pack 1 (SP1) or a later service pack.
- You upgrade the Windows NT 4.0 domain controller to Microsoft Windows Server 2003.
If DNS is correctly configured, Windows 2000 and Windows Server 2003 both support a disjoint namespace as a valid configuration. However, this configuration is frequently unintentional.
RESOLUTION
To resolve this problem, upgrade the domain controller to Windows 2000 with the latest service pack or to Windows Server 2003. For more information about how to obtain the latest Windows 2000 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Alternatively, use one of the following methods:
Method 1
- When you upgrade your computer to Windows 2000, quit the Active Directory Installation Wizard as soon as it starts.
- Click to select the Change primary DNS suffix when domain membership changes check box.
- Restart the Active Directory Installation Wizard.
Method 2
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Verify whether there is a disjoint namespace, and then fix the namespace. To do this, follow these steps:
- Right-click My Computer, and then click Properties.
- In the Properties dialog box, click the Computer Name tab.
If the DNS suffix of the computer name does not match the domain name, there is a disjoint namespace. The following three examples illustrate disjoint namespaces:
- Full computer name: dc01.fabrikam.com
  Domain: contoso.com
- Full computer name: dc01.corp.contoso.com
  Domain: contoso.com
- Full computer name: dc01
  Domain: contoso.com
Alternatively, you can use the Netdiag.exe command-line tool to verify whether there is a disjoint namespace. If the DNS suffix in the DNS host name does not match the DNS domain name in Netdiag, there is a disjoint namespace. The following three examples illustrate disjoint namespaces:
- DNS Host Name: dc01.fabrikam.com
  DNS Domain Name: contoso.com
- DNS Host Name: dc01.corp.contoso.com
  DNS Domain Name: contoso.com
- DNS Host Name: dc01
  DNS Domain Name: contoso.com
If the DNS name has a single label, and your computer is running Windows 2000 with Service Pack 4 (SP4), Windows XP, or Windows Server 2003, use the AllowSingleLabelDnsDomain registry entry to resolve the problem. For example, if the domain name is "contoso" and is not "contoso.com," the DNS name has a single label. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
300684 Information about configuring Windows for domains with single-label DNS names
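The comparison described above, written out as an added example (not part of the original article or any Microsoft tool). It classifies a "DNS Host Name" / "DNS Domain Name" pair as matching, disjoint, or single-label; the function names and the sample reports are assumptions constructed here, using only the field labels the article quotes.

```python
import re

# Field labels as the article quotes them from Netdiag.exe output.
FIELD = re.compile(r"^\s*(DNS Host Name|DNS Domain Name)\s*:\s*(\S+)\s*$",
                   re.IGNORECASE | re.MULTILINE)

def normalize(name):
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return name.strip().rstrip(".").lower()

def classify(dns_host_name, dns_domain_name):
    """Return (status, host_suffix, domain) for one computer."""
    host = normalize(dns_host_name)
    domain = normalize(dns_domain_name)
    suffix = host.partition(".")[2]   # everything after the first label
    if suffix != domain:
        # Covers a foreign suffix, a child-zone suffix and no suffix at all.
        status = "disjoint"
    elif "." not in domain:
        status = "single-label"       # names match, but see article 300684
    else:
        status = "match"
    return status, suffix, domain

def check_report(text):
    """Pull both fields out of a Netdiag-style report and classify them."""
    fields = {label.lower(): value for label, value in FIELD.findall(text)}
    try:
        return classify(fields["dns host name"], fields["dns domain name"])
    except KeyError as missing:
        raise ValueError("report lacks field: %s" % missing) from None

# Constructed sample reports (simplified, not verbatim Netdiag output).
SAMPLES = {
    "foreign suffix": "DNS Host Name: dc01.fabrikam.com\n"
                      "DNS Domain Name: contoso.com\n",
    "child suffix":   "DNS Host Name: dc01.corp.contoso.com\n"
                      "DNS Domain Name: contoso.com\n",
    "no suffix":      "DNS Host Name: dc01\nDNS Domain Name: contoso.com\n",
    "healthy":        "DNS Host Name: DC01.Contoso.COM.\n"
                      "DNS Domain Name: contoso.com\n",
}

if __name__ == "__main__":
    for label, report in SAMPLES.items():
        print("%-15s %s" % (label, check_report(report)))
```
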
If there is a disjoint namespace, follow these steps to fix it:
- Log on to the domain controller by using an account that has domain administrator credentials.
- Paste the following code into Notepad. Then, save the file as Fixdomainsuffix.vbs.

Const ADS_PROPERTY_CLEAR = 1

' Confirm with the operator before changing anything.
Answer = MsgBox("This script will change the Domain Suffix of this computer" & vbCrLf & _
    "to equal the AD Domain name that this DC is a member of." & vbCrLf & _
    "This script can only be run on a Windows 2000 DC by an" & vbCrLf & _
    "Administrator of the Domain. You must reboot this computer" & vbCrLf & _
    "after the script completes." & vbCrLf & _
    vbCrLf & _
    "Choose ""OK"" to continue ""Cancel"" to stop processing the script", vbOKCancel, _
    "Change DNS Suffix to match AD Domain")
If Answer = vbCancel Then WScript.Quit

' Convert the domain's distinguished name (DC=contoso,DC=com) to its DNS name (contoso.com).
Set Cont = GetObject("LDAP://localhost")
strTemp = Cont.distinguishedName
strTemp = Mid(strTemp, 4, Len(strTemp))
Set regEx = New RegExp
regEx.Global = True
regEx.IgnoreCase = True
regEx.Pattern = ",DC="
strTemp = regEx.Replace(strTemp, ".")

' Set the primary DNS suffix and re-enable synchronization with domain membership.
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain", strTemp, "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NV Domain", strTemp, "REG_SZ"
WshShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SyncDomainWithMembership", 1, "REG_DWORD"

' Locate this DC's computer object and clear the stale dNSHostName and SPN values.
Set Cont = GetObject("LDAP://localhost/RootDSE")
Set Cont = GetObject("LDAP://" & Cont.serverName)
Set Cont = GetObject("LDAP://" & Cont.serverReference)
Cont.PutEx ADS_PROPERTY_CLEAR, "dNSHostName", vbNull
Cont.PutEx ADS_PROPERTY_CLEAR, "servicePrincipalName", vbNull
Cont.SetInfo

' Offer to restart now; the changes take effect only after a reboot.
Answer = MsgBox("The computer needs to be rebooted for the changes to take effect. Would you like the DC to be rebooted now?", _
    vbYesNo, "Reboot now?")
If Answer = vbYes Then
    Set OpSysSet = GetObject("winmgmts:{(Shutdown)}").ExecQuery("select * from Win32_OperatingSystem where Primary=true")
    For Each OpSys In OpSysSet
        OpSys.Reboot()
    Next
End If
Note This script automatically modifies the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
The following table lists the entries in this subkey.
| Name | Type | Value |
|---|---|---|
| Hostname | REG_SZ | computer name |
| NV Hostname | REG_SZ | computer name |
| NV Domain | REG_SZ | domain name |
- Double-click the file that you saved in step 2.
- Restart the domain controller.
MORE INFORMATION
To use a disjoint namespace, the DNS servers that are used by domain controllers, member servers, and clients must be able to resolve records in the following DNS zones:
- DNS zones that are the same as the fully qualified domain that the computer account resides in
- The primary DNS suffix zones that are defined in the forest