Mobile Accounts after Domain Rename.

[Zeheeba]

Hello all,

We are in the process of planning a domain rename for our Windows 2k3 environment. We have about 400 macs bound to this domain, with our employees having mobile/managed accounts.

I have managed to create a script that will handle the unbind and rebind,etc. Once a test rename is completed and the the scripts are run, I’m able to log into the mobile account with a problem. Unfortunately, no kerberos ticket for the new domain will be pulled. I have messed around with the Preferences in the Kerb app to no avail.

I enabled debugging on DS and did see some lines mention the old domain name, but not many. Any ideas on why these accounts would not pull Kerb tickets from the new domain?

Any help would be appreciated.

Regards,
D

Below are the debug lines that mentioned the old domain name “Name1.local”. The new domain is “Name2.local”.
[code]
2008-01-17 16:59:38 EST – Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16778649 : Node Name = /Active Directory/name1.local
2008-01-17 16:59:38 EST – Internal Dispatch, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16778653 : Node Name = /Active Directory/name1.local
2008-01-17 16:59:38 EST – Client: mcxd, PID: 807, API: dsDoMultipleAttributeValueSearchWithData(), NetInfo Used : DAC : 1 : Node Ref = 16778591 : Requested Attr Type = dsAttrTypeStandard:GroupMembership : Attr Match Strings = dantest;dan test;[email protected];[email protected];NAME1\dantest;NAME1\dan test;dan test : Attr Pattern Match:8196 = eDSContains : Requested Rec Types = dsRecTypeStandard:Groups;dsRecTypeNative:mcx_cache/groups
2008-01-17 16:59:38 EST – Client: mcxd, PID: 807, API: dsDoMultipleAttributeValueSearchWithData(), NetInfo Used : DAC : 1 : Node Ref = 16778591 : Requested Attr Type = dsAttrTypeStandard:GroupMembership : Attr Match Strings = dantest;dan test;[email protected];[email protected];NAME1\dantest;NAME1\dan test;dan test : Attr Pattern Match:8196 = eDSContains : Requested Rec Types = dsRecTypeStandard:Groups;dsRecTypeNative:mcx_cache/groups

[/code]

[Zeheeba]

Just a follow up to this… I was able to change the user accounts to allow them to pull Kerb tickets after the domain rename and rebind.

To fix this go into netinfo manager, look at the attributes for a AD user account and change everything that references the old domain to the new one, including the super long SID strings under authentication authority. Dont worry about the big number strings, those SIDS wont change with the rename.

Change all those and everything works perfectly. I scripted all this and it worked pretty well. Applescripting Entourage 2k4 to change all its settings was a bit more sketchy, doable, but sketchy.

Hope this will help someone else someday.

Regards,
Daniel

[Author]

Posts