Microsoft KB Archive/258503

From BetaArchive Wiki

Article ID: 258503

Article Last Modified on 12/20/2007


APPLIES TO

  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP for Itanium-based Systems Version 2003
  • Microsoft Windows XP Professional 64-Bit Edition (Itanium)
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server


This article was previously published under Q258503


SYMPTOMS

On a Microsoft Windows Server 2003-based, Microsoft Windows XP-based, or Microsoft Windows 2000-based computer, the following event messages are logged in the System log.

Event message 1 Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5788
Computer: Computer
Description:
Attempt to update Service Principal Name (SPN) of the computer object in Active Directory failed. The following error occurred: The attribute syntax specified to the directory service is invalid.

Event message 2 Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5789
Computer: Computer
Description:
Attempt to update DNS Host Name of the computer object in Active Directory failed. The following error occurred: The parameter is incorrect.


CAUSE

This behavior occurs if the DNS domain name on the computer has been changed and if the new DNS domain name does not match the Active Directory domain name.

Additionally, if the machine account does not have sufficient permission to complete an "LDAP modify" request of the dNSHostName and servicePrincipalName attributes for the computer account in Active Directory, event ID 5788 and event ID 5789 are logged.

When the security channel is reset on a Windows Server 2003-based, Windows XP-based, or Windows 2000-based computer that is a member of the Active Directory domain, the computer tries to update the dNSHostName and servicePrincipalName attributes. Additionally, after a Windows Server 2003-based or Windows XP-based member computer joins the domain, before the computer restarts, the computer tries to set or update the servicePrincipalName attribute.

Alternatively, on a Windows Server 2003-based or Windows 2000-based domain controller, the Net Logon service tries to update the servicePrincipalName attribute every 22 minutes.

Note If the computer account has sufficient permissions to modify the dNSHostName and servicePrincipalName attributes, or if the computer account has a NULL value for these attributes, the behavior that is mentioned in the "Symptoms" section does not occur.

RESOLUTION

To resolve this behavior, use one of the following methods.

Method 1: Manually create the service principal names

Important We recommend that an administrator or delegate resolve this behavior by manually creating the service principal names on the computer accounts. When this method is not used, mutual authentication is not guaranteed. Therefore, the computer may remain vulnerable. Use this method before you use the other methods that are described in this article.

For more information about how to manually create the service principal names, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/579246c8-2e32-4282-bce7-3209d1ea8bf11033.mspx?mfr=true


Method 2: Correct an unintentional disjoint namespace

If the disjoint namespace is unintended, follow these steps:

  1. On the computer that recorded the events, click Start, right-click My Computer , and then click Properties.
  2. On the Computer Name tab, click Change, and then click More.
  3. Click to select the Change primary DNS suffix when domain membership changes check box, and then click OK.
  4. If the Change primary DNS suffix when domain membership changes setting was applied by the DNS client Group Policy, remove the Group Policy setting or unlink the policy that contains the setting from the organizational unit (OU) that contains the computer account.
  5. Restart the computer.

Method 3: Disable the "Change primary DNS suffix when domain membership changes" setting

If you want the disjoint namespace and it is in a supported scenario, verify that the Change primary DNS suffix when domain membership changes setting is disabled. To do this, follow these steps:

  1. On the computer that recorded the events, click Start, right-click My Computer , and then click Properties.
  2. On the Computer Name tab, click Change, and then click More.
  3. Click to clear the Change primary DNS suffix when domain membership changes check box, and then click OK.
  4. Restart the computer.

Method 4: Enable members to update the dNSHostName and servicePrincipalName attributes in a Windows 2000-based domain

To enable members to update the dNSHostName and servicePrincipalName attributes in a Windows 2000-based domain, follow these steps:

  1. Start the Active Directory Users and Computers snap-in.
  2. In the console tree, right-click Active Directory Users and Computers, and then click Connect To Domain.
  3. In the Domain box, type the domain name or click Browse to find the domain in which you want to enable computers to use different DNS names, and then click OK.
  4. Right-click Active Directory Users and Computers, point to View, and then click Advanced Features.
  5. Right-click the name of the domain, and then click Properties.
  6. On the Security tab, click Add, click the Self group, click Add, and then click OK.
  7. Click Advanced, click Self, and then click Edit on the View menu.
  8. Click the Object tab, and then click Computer Objects in the Apply onto box.
  9. Under Permissions, click Validated write to DNS host name, and then click to select Allow.


Note You may have to click Validated write to service principal name, and then click to select Allow.

WARNING By modifying the default security in this manner, the computer that is joined to the selected domain could be operated by a malicious user and may be able to advertise itself under a different name through the servicePrincipalName attribute.

Method 5: Modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container in a Windows Server 2003-based domain

Use the Active Directory Service Interfaces (ADSI) Edit tool to modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container. To do this, follow these steps:

  1. Install Windows Server 2003 Support Tools if it is not installed on your computer. To install Windows Server 2003 Support Tools, follow these steps:
    1. Insert the Windows Server 2003 installation disk into the disk drive.
    2. Click Start, click Run, and then click Browse.
    3. Locate the following folder on the installation disk: \Support\Tools
    4. In the Files of Type list, click All Files.
    5. Click SUPTOOLS.MSI, click Open, and then click OK.
    6. Follow the direction in the Windows Support Tools Setup Wizard.
  2. Click Start, point to Programs, point to Windows Server 2003 Support Tools, point to Tools, and then click ADSI Edit.
  3. Double-click the domain directory partition for the domain that you want to modify.
  4. Right-click the domain container object, and then click Properties.
  5. On the Attribute Editor tab, in the Attributes box, double-click the msDS-AllowedDNSSuffixes attribute.
  6. In the Multi-valued String Editor dialog box, in the Value to add box, type a DNS suffix, and then click Add.
  7. After you have added all the DNS suffixes for the domain, click OK.
  8. Click OK to close the Properties dialog box for that domain.
  9. Right-click ADSI Edit in the results pane, and then click Connect to to modify the msDS-AllowedDNSSuffixes Active Directory attribute on the domain object container in another domain.
  10. Under Computer, click Select or type a domain or server.
  11. Type the name of the next domain that you want to modify, and then click OK.
  12. Repeat steps 3 to 8 to modify that domain.
  13. Repeat steps 9 to 12 to modify another domain.


MORE INFORMATION

A network trace of the response to the LDAP modify request displays the following information:

win:17368, src: 389 dst: 1044
LDAP: ProtocolOp: ModifyResponse (7)
LDAP: MessageID
LDAP: ProtocolOp = ModifyResponse
LDAP: Result Code = Constraint Violation
LDAP: Error Message = 0000200B: AtrErr: DSID-03151E6D


In this network trace, 200B hexadecimal is equal to 8203 decimal.

The net helpmsg 8203 command returns the following information: "The attribute syntax specified to the directory service is invalid." Network Monitor 5.00.943 displays the following result code: "Constraint Violation." Winldap.h maps error 13 to "LDAP_CONSTRAINT_VIOLATION."

The DNS domain name and the Active Directory domain name can differ if one or more of the following conditions are true:

  • The TCP/IP DNS configuration contains a DNS domain that differs from the Active Directory domain of which the computer is a member and the Change primary DNS suffix when domain membership changes option is disabled. To view this option, right-click My Computer, click Properties, and then click the Network Identification tab.
  • Windows Server 2003-based or Windows XP Professional-based computers may apply a Group Policy setting that sets the primary suffix to a value that differs from the Active Directory domain. The Group Policy setting is:

    Computer Configuration\Administrative Templates\Network\DNS Client : Primary DNS Suffix

  • The domain controller resides in a domain that has been renamed by the Rendom.exe utility. However, the administrator has not yet modified the DNS suffix from the previous DNS domain name. The domain rename process does not update the primary DNS suffix to match the current DNS domain name following renames of DNS domain names.

Domains in an Active Directory forest that do not have the same hierarchical domain name are in a different domain tree. When different domain trees are in a forest, the root domains are not contiguous. However, this configuration does not constitute a disjoint DNS namespace. You have multiple DNS or even AD DNS root domains. A disjoint namespace is characterized by a difference between the primary DNS suffix and the AD domain name that the computer is member of.

Disjoint namespace can be used with caution in some scenarios, but is not supported in all scenarios.

Disjoint namespace is supported in the following scenario:

  • Domain members are configured for different primary DNS suffixes, and only members of the domain use the primary DNS suffix.

Disjoint namespace is not supported in the following scenarios:

  • Domain members are configured for different primary DNS suffixes, but members of this domain and members of other domains in the forest use the primary DNS suffixes.
  • Domain members are configured for primary DNS suffixes that match the name of other Active Directory domains in the forest and in all domains and forests where trusts exist.
  • Domain controllers are configured for different primary DNS suffixes.
  • Certification Authority servers are configured for different primary DNS suffixes.

Note You cannot configure domain controllers and Certification Authority servers for a disjoint namespace by using the user interface. However, you can do this by using DNS client Group Policies.

Technical support for x64-based versions of Microsoft Windows

If your hardware came with a Microsoft Windows x64 edition already installed, your hardware manufacturer provides technical support and assistance for the Windows x64 edition. In this case, your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation by using unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you must have technical help with a Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware. If you purchased a Windows x64 edition such as a Windows Server 2003 x64 edition separately, contact Microsoft for technical support.

For product information about Windows XP Professional x64 Edition, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/64bit/default.mspx


For product information about x64-based versions of Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx



Additional query words: event id 5789 5788 Winx64 Windowsx64 64bit 64-bit

Keywords: kbdns kberrmsg kbprb KB258503



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/258503&oldid=378832
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki