We have a bunch of Windows 7 and Windows Vista clients that belong to the domain contoso.com. The clients are registered in DNS under client.contoso.com. We have changed the DNS suffix via GPO from client.contoso.com to contoso.com. This worked fine for most of the clients - the servicePrincipalNames got updated automagically, including the computer objects' dNSHostName attribute.
However some of the clients keep failing to update the attribute, which results in the following error messages:
Log Name: System
Source: NETLOGON
Event ID: 5789
Level: Error
Computer: someClient
Attempt to update DNS Host Name of the computer object in Active Directory failed. The updated value was 'someClient.contoso.com'. The following error occured: The requested resource is in use.
So far the only solution to this problem was removing the client from the domain and putting it back in, which is kind of a brute-force method to solve this. The AD objects seem to have the correct permissions to update the mentioned attribute.
Set-ADComputer -Identity someClient -DNSHostName someClient.contoso.com
Set-ADComputer : While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync
At line:1 char:1
+ Set-ADComputer someClient -DNSHostName someClient.contoso.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (someClient:ADComputer) [Set-ADComputer], ADException
+ FullyQualifiedErrorId : While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync,Microsoft.ActiveDirectory.Management.Commands.SetADComputer
get-adcomputer someClient
DistinguishedName : [...]
DNSHostName : someClient.client.contoso.com
Enabled : True
Name : someClient
ObjectClass : computer
ObjectGUID : fdddd6ec-44f3-5b63-xxxx-55229cexxxxx
SamAccountName : someClient$
SID : S-1-5-21-1815460242-1203374957-4236298635-xxxxxx
UserPrincipalName :
Things I have tried so far:
- Running gpupdate /force several times... rebooting of course
- Verified the client receives the correct DNS suffix settings from the GPO
- Verified the built-in object SELF has the "Validated write to DNS host name" and the "Validated write to service principal name" permissions
Any ideas on how to solve this, without having to rejoin the computers?
I found a simple solution to the problem. If I first "reset" the attribute to $null it works as expected... I analyzed it using dcdiag. This revealed an "RPC not available" error. There are a lot of documents on how to deal with this error, but nothing helped. Finally I installed Wireshark and there was some weird traffic from an unknown IP: my server had a second IP defined for the interface. After removing this second IP all went fine.
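As an added example (not code from the original question or answer), here is a PowerShell wrapper around the workaround in the answer: it clears dNSHostName, sets the new value, and then checks that the HOST SPNs followed the rename, since a stale SPN is what breaks Kerberos to the client. The function name and the SPN check are my own; it assumes the ActiveDirectory RSAT module and write access to the computer object.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and permission to write dNSHostName / servicePrincipalName.
Import-Module ActiveDirectory

function Repair-ComputerDnsHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # e.g. 'someClient'
        [Parameter(Mandatory)][string]$NewSuffix       # e.g. 'contoso.com'
    )
    $expected = "$ComputerName.$NewSuffix"
    $before = Get-ADComputer -Identity $ComputerName -Properties DNSHostName, ServicePrincipalNames

    if ($before.DNSHostName -eq $expected) {
        Write-Verbose "$ComputerName already has DNSHostName '$expected'; nothing to do."
    }
    elseif ($PSCmdlet.ShouldProcess($ComputerName, "Reset DNSHostName from '$($before.DNSHostName)' to '$expected'")) {
        # Workaround from the answer: a direct Set-ADComputer -DNSHostName fails with
        # "the Service Principal Name values could not be kept in sync", so clear first.
        Set-ADComputer -Identity $ComputerName -DNSHostName $null
        Set-ADComputer -Identity $ComputerName -DNSHostName $expected
    }

    # Verify the HOST/ SPNs now reference the new FQDN (or the bare short name).
    $after = Get-ADComputer -Identity $ComputerName -Properties DNSHostName, ServicePrincipalNames
    $allowed = "^HOST/$([regex]::Escape($ComputerName))(\.$([regex]::Escape($NewSuffix)))?$"
    $stale = @($after.ServicePrincipalNames | Where-Object { $_ -like 'HOST/*' -and $_ -notmatch $allowed })

    [pscustomobject]@{
        ComputerName = $ComputerName
        OldHostName  = $before.DNSHostName
        NewHostName  = $after.DNSHostName
        HostSpns     = @($after.ServicePrincipalNames | Where-Object { $_ -like 'HOST/*' })
        StaleHostSpns = $stale
        Healthy      = ($after.DNSHostName -eq $expected) -and ($stale.Count -eq 0)
    }
}

# Dry run first, then apply:
# Repair-ComputerDnsHostName -ComputerName someClient -NewSuffix contoso.com -WhatIf
# Repair-ComputerDnsHostName -ComputerName someClient -NewSuffix contoso.com -Verbose
```

If Healthy is false after the run, the remaining StaleHostSpns entries (old client.contoso.com names) are the ones to investigate before touching DNS further.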