Q. Why do I get logon errors while I migrate Windows Vista SP1 boxes to a new domain?

A. I recently had a client in the middle of a domain migration and started to upgrade some Vista machines to SP1. After migrating the SP1 machines to the new domain, the computers couldn’t log on, and the screen displayed the error message The security database on the server does not have a computer account for this workstation trust relationship..

This is usually caused by Vista SP1's security changes and the computer DNS suffix not matching the new domain name. To match a computer's DNS suffix to the new domain name, add the workstation's Service Principal Name (SPN) in Active Directory (AD) using the following steps:

  1. Start adsiedit.msc by opening the Start menu, selecting Run, entering adsiedit.msc, then pressing Enter.
  2. Browse the domain partition, and select the machine to which you want to add the new SPN.
  3. Right-click the machine account, and select Properties.
  4. Double-click ServicePrincipleName.
  5. Add the new value with the format HOST/Client_mahine. and press Add, as the following figure shows.

  6. Click Apply, and press Enter.
To make the change for an entire domain, use the following steps:
  1. Start adsiedit.msc.
  2. Browse the domain partition, right-click the domain, and select Properties.
  3. Click msDS-AllowedDNSSuffixes.
  4. Add the suffixes for the old domain and the new domain, then click OK.
  5. Close adsiedit.msc.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.