-
Title
Error 0x21c7. The operation failed because SPN value provided for addition/modification is not unique forest-wide. -
Description
When moving computer as a part of intra-forest migration following error might occur:
Error 0x21c7. The operation failed because SPN value provided for addition/modification is not unique forest-wide.
Same error is thrown when computer is moved manually using computer management UI.
-
Cause
In Windows Server 2012 R2, MS introduced SPN uniqueness checks/blocks which ensure applications or administrators aren’t able to create objects in Active Directory with the same SPN as another object.
Active Directory migration tool or even the built in commands NETDOM and Move-ADObject. When these tools are used, the SPN uniqueness check prevents the application from fully moving or migrating computers and users, and will often error out.
-
Resolution
In order for these applications to work properly, the hotfix alters AD behavior via the dSHeuristics setting in Active Directory and allows the SPN uniqueness check to be bypassed.
This may be useful to individuals who are running all Windows Server 2012 R2 domain controllers, and need to do an intra-forest migration using Active Directory migration tools.
Hotfix: https://support.microsoft.com/en-us/kb/3070083
dSHeuristics description: https://msdn.microsoft.com/en-us/library/cc223560.aspx
To check dSHeuristics value using get-adobject- (get-adobject “CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Contoso,DC=com” –Properties dsheuristics).dsheuristics
- For disabling UPN uniqueness check, set the 21st character of dSHeuristics to “1”.
- Set-adobject ‘CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Contoso,DC=com’ –replace @{dsheuristics=’000000000100000000021‘}
- For disabling SPN uniqueness check, set the 21st character of dSHeuristics to “2”.
- Set-adobject ‘CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Contoso,DC=com’ –replace @{dsheuristics=’000000000100000000022‘}
- For disabling UPN and SPN uniqueness checks, set the 21st character of dSHeuristics to “3”.
- Set-adobject ‘CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Contoso,DC=com’ –replace @{dsheuristics=’000000000100000000023‘}
- For setting dSHeuristics back to the default value of <not set>
- Set-adobject ‘CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Contoso,DC=com’ –clear dsheuristics
You need to use credentials with Organisation Administrator membership in order to apply this changes
- Set-adobject ‘CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Contoso,DC=com’ –clear dsheuristics
https://blogs.technet.microsoft.com/askpfeplat/2015/07/27/third-party-active-directory-migration-tools-and-kb-3070083/