The ADMT service account needs the proper permissions in both the source and target domains. You do not need two separate accounts; a single service account can be used for the entire migration. Here is the procedure:
1. Create an account in the target domain.
2. Add this account to the Domain Admins group in the target domain.
3. In the source domain, add this account (from the target domain) to the Builtin Administrators group (not Domain Admins).
If you get the following error message, make sure the account has the proper permissions in both the source and target domains:
Unable to establish a session with the password export server. Access is denied
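The three steps above as a script, added here as an example; it is not from the original post. It assumes names that the post does not give: target domain target.example.com, source domain source.example.com, account name admtsvc, a working two-way trust, the ActiveDirectory (RSAT) module, and that the caller is already an administrator in both domains. The cross-domain add in step 3 writes the member as "<SID=...>" so the source DC creates the foreignSecurityPrincipal itself, which avoids the name-resolution failures Add-ADGroupMember is prone to across domains; the final function reports whether both memberships are actually in place.

```powershell
# Added example, not from the original post. Assumed (not from the page):
# domain names, account name, a two-way trust, the ActiveDirectory module,
# and a caller that is already an admin in both domains.
param(
    [string]$TargetDomain = 'target.example.com',
    [string]$SourceDomain = 'source.example.com',
    [string]$AccountName  = 'admtsvc'
)
Import-Module ActiveDirectory

# Pick a writable DC in each domain explicitly so every call is sent to the
# intended domain instead of the local default.
$targetDC = [string](Get-ADDomainController -DomainName $TargetDomain -Discover -Writable).HostName
$sourceDC = [string](Get-ADDomainController -DomainName $SourceDomain -Discover -Writable).HostName

function Test-AdmtServiceAccount {
    # Reports the two memberships ADMT needs: Domain Admins in the target
    # domain and Builtin\Administrators (well-known SID S-1-5-32-544) in the
    # source domain. Uses the raw member attribute, not Get-ADGroupMember,
    # so a foreign security principal that cannot be resolved still counts.
    param([string]$Sam, [string]$TargetDC, [string]$SourceDC)
    $user          = Get-ADUser  -Identity $Sam            -Server $TargetDC
    $domainAdmins  = Get-ADGroup -Identity 'Domain Admins' -Server $TargetDC -Properties member
    $builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544'  -Server $SourceDC -Properties member
    [pscustomobject]@{
        Account                     = $user.DistinguishedName
        TargetDomainAdmins          = $domainAdmins.member -contains $user.DistinguishedName
        # A member from another domain appears as a foreignSecurityPrincipal
        # whose CN is the account's SID, so match on the SID, not the DN.
        SourceBuiltinAdministrators = [bool]($builtinAdmins.member |
            Where-Object { $_ -like "CN=$($user.SID.Value),*" })
    }
}

# Step 1: create the account in the TARGET domain (skipped if it already exists).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'" -Server $targetDC)) {
    $password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
    New-ADUser -Name $AccountName -SamAccountName $AccountName -AccountPassword $password `
        -Enabled $true -PasswordNeverExpires $true -Server $targetDC
}
$svc = Get-ADUser -Identity $AccountName -Server $targetDC

# Step 2: Domain Admins in the TARGET domain (Add-ADGroupMember throws if the
# account is already a member, hence the check).
$domainAdmins = Get-ADGroup -Identity 'Domain Admins' -Server $targetDC -Properties member
if ($domainAdmins.member -notcontains $svc.DistinguishedName) {
    Add-ADGroupMember -Identity $domainAdmins -Members $svc -Server $targetDC
}

# Step 3: Builtin\Administrators in the SOURCE domain, not Domain Admins.
# "<SID=...>" tells the source DC to create/resolve the FSP on its own side.
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $sourceDC -Properties member
if (-not ($builtinAdmins.member | Where-Object { $_ -like "CN=$($svc.SID.Value),*" })) {
    Set-ADGroup -Identity $builtinAdmins -Add @{ member = "<SID=$($svc.SID.Value)>" } -Server $sourceDC
}

# Verify: both columns should read True before you start ADMT.
Test-AdmtServiceAccount -Sam $AccountName -TargetDC $targetDC -SourceDC $sourceDC
```

If the last line shows SourceBuiltinAdministrators as False, the "Access is denied" error from the password export server is expected: the account replicator runs in the source domain under this account, and Builtin\Administrators there is what grants it the rights it needs.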
Other Related Articles:
Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html
Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html
User Account Migration and Merging Using ADMT - http://www.sivarajan.com/
30 comments:
Can you please elaborate on how to accomplish step 3. in Windows 2003 Server?
Specifically, how do you add in SOURCE domain (Win2003) an account that exists on TARGET domain (also Win2003)?
I've got bidirectional trust relationships in place, but can't figure out how to accomplish step 3.
Thanks!
Fernando
Make sure you are adding it to the Built-in Administrator not to Domain Admin. Let me know if you have any more questions.
Thanks for responding.
After reviewing and checking all permissions, DNS configurations, trusts, etc. the ADMTool finally ran smoothly on the TARGET server and the migration was completed. The only issue that I've not been able to solve (no matter how I combined the options on the ADMTool wizard) is that users' group membership is not migrated. For example, for any given migrated user his only membership on the TARGET server after migration is "Domain users", all other memberships (e.g. "Remote desktop users", "Administrators", etc. etc.) are not migrated. This basically renders all the migration process useless until I find a way to migrate group membership.
What settings did you configure on the ADMTool such that every user is migrated together with his/her membership?
Thanks.
PS: Password migration is OK.
Hi Santhosh,
we have recently created a two-way trust relationship in our domain and we have delegated full rights for a specific OU to the other domain administrator, but when he tries to migrate the users from his domain he is getting the error "ERR2:7697 Unable to get global catalog server name for forest. The specified domain either does not exist or could not be contacted.
2011-02-21 13:29:00 ERR3:7585 The account replicator is unable to continue. The specified domain either does not exist or could not be contacted."
Note: we have just delegated rights for a specific OU and he is not a member of our Domain Admins or any built-in admin group. Should we give him any more rights to migrate the users between the OUs?
Sounds like a name resolution or firewall issue. From ADMT server make sure you can access the source domain. Open ADUC from ADMT server and try to connect to the source domain.
If I do intra-site migration, how do I get the password migrated? I want the users to use the same password after the migration of the user to the new domain. My scenario is migrating the users from the Sales domain to the Marketing domain; both domains are under the Company forest.
Hi Sudha,
You can migrate password using ADMT. Here are the details - http://technet.microsoft.com/en-us/library/cc755730(WS.10).aspx
If you have more technical questions, please post them in the forum - http://www.sivarajan.com/forum/
Thanks Santhosh, will do. Appreciate your help.
You are welcome!
Hi Santosh,
I'm trying to migrate the AD from 2003 to 2008 R2. A 2-way trust has been created between them, but I can't seem to add the migration admin user from the target domain to the source domain. On the source domain in Builtin, Members/Add, I can see the target domain but not the users.
Please kindly advise.
Thank you.
Hi again,
I've tried to redo the 2-way trust, and when I try to add the DNS record (name server record) to the target domain, it says "the server with this IP address is not authoritative for the required zone".
But on the source server there is no error, the DNS record of the target can be added fine.
Is there something that I missed?
Thank you.
How did you configure the DNS zone? Did you validate the trust?
Sounds like DNS or name resolution issue. Do you have any firewall between these domains? Make sure all required RPC ports are open.
Hi Santosh,
Thanks for the reply.
I have validated the trust between both machines and there is no error. It says validated, in place and active.
There is no firewall and RPC ports are open.
I'm stumped.
You were right regarding the firewall. There was KAV installed on the 1st server, which I overlooked.
As soon as I disabled it, both sides could see each other.
Thanks again.
Great! Thanks for the update.
Hi again Santosh,
Sorry to be such a bother.
I've finally got the migration done and everything looks good except for one issue,
Logging in to the new domain with the existing user names from the old server is fine.
Only thing is, the computer names of the workstations still contain the old domain and does not show that it is part of the new domain.
The computer DNS name in the AD is still of the old server and not the new one eg. workstation1.olddomain.local instead of workstation1.newdomain.local
Do I have to unjoin each of the PCs from the old domain and rejoin them to the new domain? (That would be quite a task if there were 100 over pcs).
Please kindly advise, did I miss something?
Thank you for your time.
Found out it was a DNS issue which prevented the agent being pushed to the client pcs. :)
Thanks for the update. Somehow I missed this comment. What DNS configuration did you change? What was the exact issue?
When we are migrating users with password from an external domain to our child domain, we are getting the error "unable to establish a session with the password export server. The RPC server is unavailable". But users without password are migrating successfully.
The PES server is configured properly in source domain DC and its running fine.
The DNS resolution is happening properly.
The two-way trust is in place.
Also, we found the migrated user (without password) is going to parent domain and not the child domain.
Please help us.
Thanks
Bals
Also, windows firewall is disabled in source and destination DC's
Regards
Bals
Can you access the PES from ADMT server?
>>> Also, we found the migrated user (without password) is going to parent domain and not the child domain.
What do you mean by “going to parent domain”? Did you select the child domain from ADMT console as the target domain?
How do we check PES access alone from ADMT? But we are able to access the PES server from the ADMT server.
Yes, I selected child target domain only, but I saw the user account migrated to parent target domain :(.
Also, conditional forwarders configured properly and its running fine.
You need to provide more information about your ADMT configuration. Where did you install the ADMT server? Root or Child domain?
I don’t believe it related to a name resolution issue. Something going on with your configuration itself.
I have installed ADMT in child domain DC only.
Do we have to install ADMT in root domain and migrate users from source domain to child domain?
PES server service is running fine in Source DC and no permission issue.
Computer migration is also successful.
Are there any tools to check/monitor the ports?
Regards
Bals
You can use Port Query tool to check the ports and connectivity issues.
http://www.microsoft.com/download/en/details.aspx?id=17148
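The same reachability checks as a script, added here as an example; it is not from the post or its author and stands in for the PortQry run suggested above. It assumes a PES host name the thread does not give (sourcedc.source.example.com), Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), and the PES service name PesSvc, which is an assumption to confirm against services.msc on the source DC.

```powershell
# Added example, not from the original post. Run on the ADMT server.
# Assumed: the PES host name below, Windows PowerShell 5.1, and that the
# Password Export Server service is registered as "PesSvc".
param([string]$PesServer = 'sourcedc.source.example.com')

function Test-PesReachability {
    param([string]$Server)
    $result = [ordered]@{ Server = $Server }

    # 1. Name resolution: "The RPC server is unavailable" is frequently a DNS
    #    problem on the ADMT side, so check it before any port.
    $dns = Resolve-DnsName -Name $Server -ErrorAction SilentlyContinue
    $result.DnsResolves = [bool]$dns
    $result.ResolvedTo  = if ($dns) { ($dns | Where-Object IPAddress | Select-Object -First 1).IPAddress } else { $null }

    # 2. Fixed ports used between the ADMT server and the source DC:
    #    88 (Kerberos), 135 (RPC endpoint mapper), 389 (LDAP), 445 (SMB).
    foreach ($port in 88, 135, 389, 445) {
        $tnc = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = $tnc.TcpTestSucceeded
    }

    # 3. Is the PES service installed and running on the source DC? A missing
    #    service matches "The specified service does not exist as an installed
    #    service"; a stopped one matches "RPC server is unavailable".
    $svc = Get-Service -ComputerName $Server -Name 'PesSvc' -ErrorAction SilentlyContinue
    $result.PesServiceState = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

    [pscustomobject]$result
}

Test-PesReachability -Server $PesServer | Format-List
```

A True on port 135 does not prove the PES call will succeed: after the endpoint mapper answers, the password export RPC lands on a dynamic high port (49152-65535 on Windows Server 2008 and later), so a firewall or host antivirus that allows only 135 still produces "The RPC server is unavailable". If everything above passes, check that dynamic range next.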
Hi.. Santosh,
I need your help in migrating DC 2003 to DC 2008.
I have two domain controllers in a single forest.
My first domain is iacm.com, which is DNS integrated,
and the second domain is contoso.com, which is a tree child domain of test.com. Trust is transitive.
I followed these steps:
Step 1: Export password on target domain with this command: c:\windows\admt\admt key /opt:create /sd:contoso.com /kfc:c:\contoso.pes /pwd and shared the contoso.pes file.
Step 2: Opened pes.msi for export password in source domain (test.com) and exported successfully.
Step 3: Installed ADMT in target domain, opened the console, user account migration, and typed the source and target domain names, followed the other instructions; when I clicked on Finish I got a popup showing "completed with one error".
The error is:
[Settings Section]
Task: User Migration (1)
ADMT Console
User: CONTOSO\Administrator
Computer: WIN-OQ0B0X3O644.contoso.com (WIN-OQ0B0X3O644)
Domain: contoso.com (CONTOSO)
OS: Windows Server (R) 2008 Enterprise 6.0 (6001) Service Pack 1
Source Domain
Name: iacm.com (IACM)
DC: mig2003.iacm.com (MIG2003)
OS: Windows Server 2003 5.2 (3790) Service Pack 2
OU:
Target Domain
Name: contoso.com (CONTOSO)
DC: WIN-OQ0B0X3O644.contoso.com (WIN-OQ0B0X3O644)
OS: Windows Server® 2008 Enterprise 6.0 (6001) Service Pack 1
OU: LDAP://contoso.com/OU=Migrating Account,DC=contoso,DC=com
Intra-Forest: Yes
Update Rights: Yes
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Migrate groups: Yes
Update Migrated Objects: Yes
Migrate service accounts: Yes
[Object Migration Section]
2011-12-06 20:03:55 Starting Account Replicator.
2011-12-06 20:03:56 Removing CN=pop (LDAP://mig2003.iacm.com/CN=pop,CN=Users,DC=iacm,DC=com) from the global groups it is a member of :
2011-12-06 20:03:56 ERR2:7422 Failed to move source object 'CN=pop'. hr=0x80070005 Access is denied.
2011-12-06 20:03:56 Updated user rights for CN=pop
Hi, Santosh
In a scenario we had one Windows 2003 Enterprise server; now we have installed a Windows 2008 server. We want to migrate users and groups.
The steps we followed are as below:
1) We installed the ADMT 3.1 tool on the Win2k8 server and the Password Export Server tool also.
2) Created a user on both domains and also added it to Domain Admins on the Win2k8 server and the Builtin Administrators group on the Win2003 server.
3) Installed Password Service and also started the service manually.
Error:
While migrating users we select
(What type of password do you want to use?)
There we select Migrate Password.
Then we get the error
Unable to establish a session with the password export server. The specified service does not exist as an installed service.
Please provide the solution for this.
Thanks
Pradip Tech,
The error message is "ERR2:7422 Failed to move source object 'CN=pop'. hr=0x80070005 Access is denied". It is an "Access is denied" error. How did you configure the ADMT service account permissions? Did you follow this article?
Hi Santhosh,
I have troubleshot further using Network Monitor and PortQry; now I am getting the error "unable to establish a session with the password export server. A security package specific error occurred".
I have configured PES service in source domain with target domain account. This account is part of source and target domain Built-in administrators group and as well as target domain "domain admins" group.
Please advise
Thanks
Bals