In order to reorganize an Active Directory forest with multiple child domains into a single domain, I used the ADMT (Active Directory Migration Tool) 3.2 from Microsoft. This is an intraforest migration because all domains are in the same forest.
While ADMT supports intraforest migration, I encountered a specific issue with computers migrated from a child domain to the parent domain: “The security database on the server does not have a computer account for this workstation trust relationship”
I was puzzled by this error, because the ADMT agent reported a successful operation and the computer account existed in the new Active Directory domain.
In fact, you will get this error each time you migrate a computer intraforest and the target operating system is Windows Server 2012 R2. Let’s see why, and how to resolve this issue.
Intraforest migration process
Doing the migration in the same forest is not exactly the same process as an interforest migration.
With an intraforest migration, users and groups are moved from the source domain into the target domain. A new SID is created for the user, but the GUID stays the same. Moreover, the old SID is copied into the SID History without any specific configuration on the trust relationship.
This process does not exist for computers; during the migration, two steps are performed:
- The ADMT server creates a new computer object and copies all properties into the new object.
- After that, the ADMT agent on the computer joins the new domain using the computer object prestaged by the ADMT server.
These two steps are correctly done by ADMT, but you still have the trust relationship issue.
After some hours of troubleshooting, the cause turned out to be the Service Principal Name (SPN). When ADMT creates the computer object, it also copies the SPN information, but Windows Server 2012 R2 no longer allows duplicate SPNs in the forest. Information here.
If I try to register the same Service Principal Name as CI10-1 on a new computer object, I get this error: “The operation failed because SPN value provided for addition/modification is not unique forest-wide”
Register Service Principal Name
To resolve the trust relationship issue, we need to register all the old service principal names on the new computer object:
- On the source domain, go to the computer account and select Attribute Editor.
- Select servicePrincipalName and click on Edit:
- Important: back up all SPNs for the computer into a txt file.
- Remove each SPN:
- Wait for the Active Directory replication between the child domain and the parent domain. The global catalog also needs to be replicated. You can check GC information here.
- Once the replication is done, go to the target domain.
- Select the computer object created by ADMT and edit servicePrincipalName:
- Take the old SPN entries and replace the old domain name with the new domain name.
- Example: HOST/CI10-1.child.alexandreviot.net becomes HOST/CI10-1.alexandreviot.net
- Add all SPNs:
- Reboot the problematic computer; you can now log in with an Active Directory account:
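The same procedure scripted with the RSAT ActiveDirectory module, as an added example that is not part of the original post: it backs up the SPNs, removes them from the source object, waits until the removal is visible in the global catalog (so the forest-wide uniqueness check cannot fail), checks that no other object already holds the renamed values, and only then adds them to the object ADMT prestaged. The computer name and domain names come from the post; the DC and GC host names and the backup path are assumptions.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module, rights on both domains, and the placeholder DC/GC host names below.
Import-Module ActiveDirectory

$Computer  = 'CI10-1'                                # name from the post
$SourceDC  = 'dc01.child.alexandreviot.net'          # assumed host name
$TargetDC  = 'dc01.alexandreviot.net'                # assumed host name
$GlobalCat = 'dc01.alexandreviot.net'                # any global catalog; assumed
$OldSuffix = 'child.alexandreviot.net'
$NewSuffix = 'alexandreviot.net'
$Backup    = "C:\ADMT\$Computer-spn-backup.txt"      # assumed path

# 1. Back up the SPNs of the source object before touching anything.
$src  = Get-ADComputer -Identity $Computer -Server $SourceDC -Properties servicePrincipalName
$spns = @($src.servicePrincipalName | ForEach-Object { [string]$_ })
if ($spns.Count -eq 0) { throw "No SPN found on $Computer in $OldSuffix" }
$spns | Set-Content -Path $Backup

# 2. Remove every SPN from the source object (the duplicates a 2012 R2 DC rejects).
Set-ADComputer -Identity $src -Server $SourceDC -ServicePrincipalNames @{Remove = $spns}

# 3. Wait for the removal to reach the global catalog (port 3268) before adding
#    the same values elsewhere; otherwise the forest-wide uniqueness check fails.
$deadline = (Get-Date).AddMinutes(30)
do {
    $pending = @($spns | Where-Object {
        Get-ADObject -Server "${GlobalCat}:3268" -LDAPFilter "(servicePrincipalName=$_)"
    })
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 30 }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)
if ($pending.Count -gt 0) { throw "Still visible in the GC: $($pending -join ', ')" }

# 4. Rewrite only the DNS suffix (HOST/CI10-1.child.alexandreviot.net -> HOST/CI10-1.alexandreviot.net);
#    short-name SPNs such as HOST/CI10-1 are left unchanged.
$newSpns = @($spns | ForEach-Object {
    $_ -replace [regex]::Escape(".$OldSuffix"), ".$NewSuffix"
} | Sort-Object -Unique)

# 5. Refuse to proceed if any renamed value is already registered on another object.
$tgt   = Get-ADComputer -Identity $Computer -Server $TargetDC
$taken = @($newSpns | Where-Object {
    $o = Get-ADObject -Server "${GlobalCat}:3268" -LDAPFilter "(servicePrincipalName=$_)"
    $o -and ($o.DistinguishedName -ne $tgt.DistinguishedName)
})
if ($taken.Count -gt 0) { throw "Already registered elsewhere: $($taken -join ', ')" }

# 6. Add the renamed SPNs to the object ADMT prestaged in the target domain.
Set-ADComputer -Identity $tgt -Server $TargetDC -ServicePrincipalNames @{Add = $newSpns}
Write-Host "Registered $($newSpns.Count) SPN(s) on $($tgt.DistinguishedName); now reboot $Computer."
```

The backup file lets you restore the source object with the same `@{Add = ...}` form if the migration has to be rolled back.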
You can get more information about ADMT here.