Friday, April 9, 2010

ADMT Service Account - Permission and Configuration

The ADMT service account needs the proper permissions in both the source and target domains. You don't need two separate accounts; a single service account can be used for the entire migration. Here is the procedure:

1.    Create an account in the Target Domain
2.    Add this account to the Domain Admins group in the Target Domain

3.    In the source domain, add this account (from the target domain) to the Builtin Administrators group (not Domain Admins)

If you get the following error message, make sure the account has the proper permissions in both the source and target domains.

Unable to establish a session with the password export server. Access is denied
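The three steps above, followed by the membership check you would run when the "Access is denied" message appears, as an added PowerShell example. This is not code from the original article; it assumes the RSAT ActiveDirectory module, an existing trust between the two domains, and the placeholder names target.example / source.example, the DCs tdc01 / sdc01 and the service account admt-svc.

```powershell
# Added example, not from the original article. It performs the three steps described
# above with the RSAT ActiveDirectory module and then verifies the result.
# All names are placeholders: target.example / source.example, DCs tdc01 / sdc01,
# service account 'admt-svc'.
Import-Module ActiveDirectory

$TargetDC    = 'tdc01.target.example'   # placeholder target-domain DC
$SourceDC    = 'sdc01.source.example'   # placeholder source-domain DC
$AccountName = 'admt-svc'               # placeholder ADMT service account

# Step 1: create the service account in the target domain.
$password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-ADUser -Name $AccountName -SamAccountName $AccountName -AccountPassword $password `
           -Enabled $true -Server $TargetDC

# Step 2: Domain Admins in the target domain.
Add-ADGroupMember -Identity 'Domain Admins' -Members $AccountName -Server $TargetDC

# Step 3: Builtin\Administrators in the source domain (not Domain Admins there).
# The member lives in the other domain, so pass the user object fetched from the target
# DC; across a forest trust the source domain stores it as a foreign security principal.
$svc = Get-ADUser -Identity $AccountName -Server $TargetDC
Add-ADGroupMember -Identity 'Administrators' -Members $svc -Server $SourceDC

# Verification: a missing membership on either side is the usual cause of
# "Unable to establish a session with the password export server. Access is denied".
function Test-AdmtServiceAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetServer,
        [Parameter(Mandatory)][string]$SourceServer
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $TargetServer
    $sid  = $user.SID.Value

    # Target domain: nested membership of Domain Admins.
    $targetAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Server $TargetServer -Recursive
    $inTargetDA   = [bool]($targetAdmins | Where-Object { $_.SID.Value -eq $sid })

    # Source domain: read the raw member DNs, because Get-ADGroupMember cannot always
    # resolve foreign security principals. Intra-forest members appear by their own DN;
    # cross-forest members appear as CN=<SID>,CN=ForeignSecurityPrincipals,...
    $sourceAdmins = (Get-ADGroup -Identity 'Administrators' -Properties member -Server $SourceServer).member
    $inSourceBA   = [bool]($sourceAdmins | Where-Object {
        $_ -eq $user.DistinguishedName -or $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*"
    })

    [pscustomobject]@{
        Account             = $user.UserPrincipalName
        TargetDomainAdmins  = $inTargetDA
        SourceBuiltinAdmins = $inSourceBA
        Ready               = $inTargetDA -and $inSourceBA
    }
}

Test-AdmtServiceAccount -SamAccountName $AccountName -TargetServer $TargetDC -SourceServer $SourceDC
```

Run it on the ADMT server while logged on with an account that can administer both domains. The source-side check deliberately reads the group's `member` attribute instead of calling Get-ADGroupMember, because foreign security principals from a trusted forest often make that cmdlet fail with an object-not-found error even though the membership is correct.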

Other Related Articles:

Active Directory Migration Using ADMT - http://www.sivarajan.com/admt.html

Computer Migration - Things to Consider - http://www.sivarajan.com/cm.html

User Account Migration and Merging Using ADMT - http://www.sivarajan.com/

58 comments:

Can you please elaborate on how to accomplish step 3. in Windows 2003 Server?
Specifically, how do you add in SOURCE domain (Win2003) an account that exists on TARGET domain (also Win2003)?
I've got bidirectional trust relationships in place, but can't figure out how to accomplish step 3.

Thanks!
Fernando

Make sure you are adding it to the Built-in Administrator not to Domain Admin. Let me know if you have any more questions.

Thanks for responding.
After reviewing and checking all permissions, DNS configurations, trusts, etc. the ADMTool finally ran smoothly on the TARGET server and the migration was completed. The only issue that I've not been able to solve (no matter how I combined the options on the ADMTool wizard) is that users' group membership is not migrated. For example, for any given migrated user his only membership on the TARGET server after migration is "Domain users", all other memberships (e.g. "Remote desktop users", "Administrators", etc. etc.) are not migrated. This basically renders all the migration process useless until I find a way to migrate group membership.

What settings did you configure on the ADMTool such that every user is migrated together with his/her membership?

Thanks.
PS: Password migration is OK.

Hi Santhosh,

We have recently created a two-way trust relationship in our domain and we have delegated full rights for a specific OU to the other domain administrator, but when he tries to migrate the users from his domain he is getting the "ERR2:7697 Unable to get global catalog server name for forest . The specified domain either does not exist or could not be contacted.
2011-02-21 13:29:00 ERR3:7585 The account replicator is unable to continue. The specified domain either does not exist or could not be contacted." error message.

Note: we have just delegated rights for a specific OU and he is not a member of our domain admins or any built-in admin group. Should we give him any more rights to migrate the users between the OUs?

Sounds like a name resolution or firewall issue. From ADMT server make sure you can access the source domain. Open ADUC from ADMT server and try to connect to the source domain.

If I do an intra-site migration, how do I get the password migrated? I want the users to use the same password after the migration of the user to the new domain. My scenario is migrating the users from the Sales domain to the Marketing domain; both domains are under the Company forest.

Hi Sudha,

You can migrate password using ADMT. Here are the details - http://technet.microsoft.com/en-us/library/cc755730(WS.10).aspx

If you have more technical questions, please post them in the forum - http://www.sivarajan.com/forum/

Thanks Santhosh, will do. Appreciate your help.

Hi Santosh,

I'm trying to migrate the AD from 2003 to 2008 R2. A two-way trust has been created between them, but I can't seem to add the migration admin user from the target domain to the source domain. On the source domain, in Built-in, Members/Add, I can see the target domain but not the users.

Please kindly advise.

Thank you.

Hi again,

I've tried to redo the two-way trust, and when I try to add the DNS record (name server record) to the target domain, it says "the server with this IP address is not authoritative for the required zone".
But on the source server there is no error, the DNS record of the target can be added fine.

Is there something that I missed?

Thank you.

How did you configure the DNS zone? Did you validate the trust?

Sounds like DNS or name resolution issue. Do you have any firewall between these domains? Make sure all required RPC ports are open.

Hi Santosh,

Thanks for the reply.
I have validated the trust between both machines and there is no error. It says validated, in place and active.
There is no firewall and RPC ports are open.

I'm stumped.

You were right regarding the firewall. There was KAV installed on the 1st server, which I overlooked.
As soon as I disabled it, both sides could see each other.

Thanks again.

Hi again Santosh,

Sorry to be such a bother.

I've finally got the migration done and everything looks good except for one issue,
Logging in to the new domain with the existing user names from the old server is fine.
The only thing is, the computer names of the workstations still contain the old domain and do not show that they are part of the new domain.

The computer DNS name in the AD is still of the old server and not the new one eg. workstation1.olddomain.local instead of workstation1.newdomain.local

Do I have to unjoin each of the PCs from the old domain and rejoin them to the new domain? (That would be quite a task if there were 100 over pcs).

Please kindly advise, did I miss something?

Thank you for your time.

Found out it was a DNS issue which prevented the agent being pushed to the client pcs. :)

Thanks for the update. Somehow I missed this comment. What DNS configuration did you change? What was the exact issue?

When we are migrating users with passwords from an external domain to our child domain, we are getting the error "unable to establish a session with the password export server. The RPC server is unavailable". But users without passwords are migrating successfully.

The PES server is configured properly on the source domain DC and it's running fine.

The DNS resolution is happening properly.

The two-way trust is in place.

Also, we found the migrated user (without password) is going to parent domain and not the child domain.

Please help us.

Thanks
Bals

Also, Windows Firewall is disabled on the source and destination DCs.

Regards
Bals

Can you access the PES from ADMT server?

>>> Also, we found the migrated user (without password) is going to parent domain and not the child domain.

What do you mean by “going to parent domain”? Did you select the child domain from ADMT console as the target domain?

How do we check PES access alone from ADMT? But we are able to access the PES server from the ADMT server.

Yes, I selected child target domain only, but I saw the user account migrated to parent target domain :(.

Also, conditional forwarders are configured properly and it's running fine.

You need to provide more information about your ADMT configuration. Where did you install the ADMT server? Root or Child domain?


I don't believe it's related to a name resolution issue. Something is going on with your configuration itself.

I have installed ADMT in child domain DC only.

Do we have to install ADMT in root domain and migrate users from source domain to child domain?

PES server service is running fine in Source DC and no permission issue.

Computer migration is also successful.

Are there any tools to check/monitor the ports?

Regards
Bals

You can use Port Query tool to check the ports and connectivity issues.

http://www.microsoft.com/download/en/details.aspx?id=17148
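A PowerShell equivalent of the PortQry checks suggested in the reply above, added here as an example and not part of the original comment. It assumes the DnsClient and NetTCPIP cmdlets (Windows 8 / Server 2012 or later) on the ADMT server; the domain and DC names are placeholders.

```powershell
# Added example, not from the original reply: connectivity checks run on the ADMT
# server against the source DC. Assumes Resolve-DnsName and Test-NetConnection are
# available (Windows 8 / Server 2012 or later); host names are placeholders.
function Test-AdmtConnectivity {
    param(
        [Parameter(Mandatory)][string]$SourceDomain,   # e.g. 'source.example'
        [Parameter(Mandatory)][string]$SourceDC        # e.g. 'sdc01.source.example'
    )

    # 1. Name resolution: the DC locator SRV record that the trust and ADMT rely on.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$SourceDomain" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "SRV _ldap._tcp.dc._msdcs.$SourceDomain"
        Result = [bool]$srv
        Detail = ($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
    }

    # 2. Fixed TCP ports used between the ADMT server and the source DC (see Microsoft
    # KB 179442). Port 135 is only the endpoint mapper: RPC then continues on a dynamic
    # high port (1025-5000 on Windows 2003, 49152-65535 on 2008 and later) that a
    # firewall must also allow; a single-port test cannot see that range.
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper (ADMT, PES)'
        389  = 'LDAP'
        445  = 'SMB'
        464  = 'Kerberos password change'
        3268 = 'Global catalog'
    }
    foreach ($port in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $SourceDC -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "TCP $port ($($ports[$port]))"
            Result = $r.TcpTestSucceeded
            Detail = "remote $($r.RemoteAddress)"
        }
    }
}

Test-AdmtConnectivity -SourceDomain 'source.example' -SourceDC 'sdc01.source.example' |
    Format-Table -AutoSize
```

A failed SRV lookup points at the DNS zone or conditional forwarder configuration; a closed port 135 or 445 with DNS working points at a firewall, including host-based products such as the antivirus firewall mentioned earlier in this thread.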

Hi Santosh,
I need your help in migrating DC 2003 to DC 2008.
I have two domain controllers in a single forest.
My first domain is iacm.com, which is DNS integrated,
and the second domain is contoso.com, which is a tree child domain of test.com. The trust is transitive.
I followed these steps:-
Step 1:- Export password on target domain by this command c:\windows\admt\admt key /opt:create /sd:contoso.com /kfc:c:\contoso.pes /pwd and share the contoso.pes file
Step 2:- Open pes.msi for export password in source domain (test.com) and export successfully
Step 3:- Installed ADMT in target domain and opened the console, user account migration, typed the source and target domain name, followed the other instructions; when I click on finish I get a popup which is showing completed with one error
the error is :-
[Settings Section]
Task: User Migration (1)
ADMT Console
User: CONTOSO\Administrator
Computer: WIN-OQ0B0X3O644.contoso.com (WIN-OQ0B0X3O644)
Domain: contoso.com (CONTOSO)
OS: Windows Server (R) 2008 Enterprise 6.0 (6001) Service Pack 1
Source Domain
Name: iacm.com (IACM)
DC: mig2003.iacm.com (MIG2003)
OS: Windows Server 2003 5.2 (3790) Service Pack 2
OU:
Target Domain
Name: contoso.com (CONTOSO)
DC: WIN-OQ0B0X3O644.contoso.com (WIN-OQ0B0X3O644)
OS: Windows Server® 2008 Enterprise 6.0 (6001) Service Pack 1
OU: LDAP://contoso.com/OU=Migrating Account,DC=contoso,DC=com
Intra-Forest: Yes
Update Rights: Yes
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Migrate groups: Yes
Update Migrated Objects: Yes
Migrate service accounts: Yes

[Object Migration Section]
2011-12-06 20:03:55 Starting Account Replicator.
2011-12-06 20:03:56 Removing CN=pop (LDAP://mig2003.iacm.com/CN=pop,CN=Users,DC=iacm,DC=com) from the global groups it is a member of :
2011-12-06 20:03:56 ERR2:7422 Failed to move source object 'CN=pop'. hr=0x80070005 Access is denied.
2011-12-06 20:03:56 Updated user rights for CN=pop

Hi, Santosh
In our scenario we had one Windows 2003 Ent server. Now we have installed a Windows 2008 server. We want to migrate users and groups.
The steps we have followed are as below:
1) We installed the ADMT 3.1 tool on the Win2k8 server and the Password Export Server tool also.
2) Created a user on both domains and also added it to Domain Admins on the Win2k8 server and the Builtin Administrators group on the Win2003 server.
3) Installed Password Service and also started the services manually.
Error:
While migrating users we select
(What type of password do you want to use?)
There we select Migrate Password.

Then we get the error
Unable to establish a session with the password export server. The specified service does not exist as an installed service.

Please provide the solution for this.

Thanks

Pradip Tech,

The error message is “ERR2:7422 Failed to move source object 'CN=pop'. hr=0x80070005 Access is denied”. It is an Access is denied error. How did you configure the ADMT service account permission? Did you follow this article?

Hi Santhosh,

I have troubleshot further using Network Monitor and PortQry; now I am getting the error "unable to establish a session with the password export server. A security package specific error occurred".

I have configured PES service in source domain with target domain account. This account is part of source and target domain Built-in administrators group and as well as target domain "domain admins" group.

Please advise

Thanks
Bals

Hi Santosh, I need your help.
Now I am doing a migration from SBS 2003 to 2008 Std. I didn't create a trust between those servers, I just added DNS forwarders only. I migrated users successfully but I can't migrate computers and passwords.
I already installed ADMT 3.1 on the target server and installed PES on the source server.
When I try to migrate passwords I get the error "unable to establish a session with the password export server the rpc server is unavailable". (The PES service is running on the source server and RPC is working, and the firewall service is disabled on both.)
And another thing is the computer migration. What can I do?

Bals,
Can you access the source DC (\\sourcedc\whatever) from ADMT server using the logged in account (ADMT service account)?

Ajish,
Please provide more information about your migration procedure. Migrating from SBS to a new Windows 2008 domain using ADMT, and no trust? Please provide the complete configuration details.

Samer,
How did you configure the permission in source and target domain? Can you access the source DC from the ADMT server?

Dear Santhosh,

I want to migrate a Windows 2003 SBS server to a Windows 2008 Standard server. The SBS server does not support trust relationships. I installed ADMT on the target server (Windows 2008 Std) and am able to migrate users, but passwords and computers etc. I can't.

Hello all,

I'm in the middle of a migration process. ADMT for users and groups passed without any error (but it took a lot of time when I migrated the SID history; without SID history it was very fast).

But with the client migration I get a lot of problems.
The agent migrates the client to the new domain, but the user profile doesn't migrate and it creates a new profile.

I use only a one-way trust.
The migrator user from the target domain (SOURCE\ADMT) is a member of the local administrators group on the source domain.
I also created a GPO that adds the SOURCE\ADMT user to the local administrators of the client computer (GPO startup script runs the command: net localgroup "administrators" "source\admt" /add, and I verified this user is a member of the local administrators).

Can you help?

By the way, why does migration with SIDs take a much longer time?

Thanks in advance
Shlomi

Mr.Blue.
Try to configure a two-way trust between your source and target domains.

>>>> Agent migrate the client to the new domain but the user profile doesn't migrate and it create new profile.

Please post the ADMT log file here.

>>> why does migration with SIDs take much longer time?

How long is this "longer time"?

>>>>I want to migrate windows 2003 SBS server to windows 2008 Standard server.
Migrating to a new forest?

Dear Santhosh, I don't want to migrate the forest. I want to migrate users, passwords and computers, including the local profiles and mailboxes, from Win2003 SBS to Win2008 Std.

I understand that. That is called an Inter Forest migration. :)

Please describe the migration issue details here.

Hi Santosh,

I am up against this situation:
Current: domain A and domain B in forest F1 with full trust.
Target: break domain B from F1 to new forest F2 - cross forest domain move/migration. New domain B in F2 has been created and ADMT 3.2 is to be used to migrate all AD objects - accounts, services, groups, passwords, etc. The idea is to do this over a weekend so that the domain B users, when they come back to work and switch on their laptop PCs, will be able to log in to the new B domain in F2 without noticing a change when they log in, i.e., they authenticate to the "same" domain B, default domain, and use the same old password. I don't want to visit/touch migrated user PCs (20 PCs at different offices). Is this possible and how? What relevant articles should I read?
Many thanks,

YOUSIF

Hi Santosh,
I am migrating a test PC from root to child. I successfully migrated users and groups, so DNS and authentication are fine. When I migrate the PC using the ADMT computer migration wizard, it shows as successful, but the PC doesn't reboot automatically. It also shows up in both DCs. I am not able to log the PC in to the child domain; it still logs in fine on root. I manually rebooted the PC twice, still no luck. Any help is appreciated.

Thanks

Joe

Santhosh,

You are describing ADMT service account. Is this account used to start any service or is it just the migrator account? Thanks.

Jay

Jay,
This is for AD resource migration.

For computer migration, you need to have local admin privileges on the workstation. You can see the details here –

www.sivarajan.com/cm.html
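A way to confirm that local admin privilege before running computer migration, added here as an example and not part of the reply or of the linked article. It assumes PowerShell remoting is enabled on the workstations; the account name TARGET\admt-svc and the computer names ws01 / ws02 are constructed placeholders.

```powershell
# Added example, not from the article: confirm the migrator account is a local
# administrator on each workstation before computer migration. Assumes PowerShell
# remoting is enabled on the workstations; account and computer names are placeholders.
# Uses the WinNT ADSI provider so it also works on older clients without Get-LocalGroupMember.
function Test-LocalAdminMembership {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Account       # 'DOMAIN\user' form, e.g. 'TARGET\admt-svc'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Account -ScriptBlock {
        param($Account)
        $group = [ADSI]'WinNT://./Administrators,group'
        # Each member's ADsPath looks like WinNT://DOMAIN/name; normalise it to DOMAIN\name.
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        })
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            IsLocalAdmin = ($members -contains $Account)   # -contains is case-insensitive
            Members      = $members -join '; '
        }
    } | Select-Object Computer, IsLocalAdmin, Members
}

# Constructed sample list; replace with the workstations scheduled for migration.
Test-LocalAdminMembership -ComputerName 'ws01', 'ws02' -Account 'TARGET\admt-svc' |
    Format-Table -AutoSize
```

The check looks at direct members only; if the account is granted local admin through a nested domain group, it will show as not a member even though the GPO-based `net localgroup` approach described earlier in the thread would still work. A computer that cannot be reached by remoting is also a useful signal, since the ADMT agent push needs similar RPC/SMB access to the client.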

Raj/Joe
>>>> I am not able to login the PC to child domain,
What error message are you getting?

>>> I am not able to login the PC to child domain, it still login fine on root.

Is it still part of the root domain?
Please post the ADMT log file details here.

Hi Santhosh,

I am using ADMT for an inter-forest migration. I have created a two-way trust between the newly created newdomain and the old-domain. Now I can see the source domain and source domain controllers in the ADMT wizard.

I am facing the error "ADMT is unable to connect to domain controller abc.olddomain.com on domain olddomain.com . Access is denied"

When I try to add a user account that is a member of the Domain Admins group on newdomain.com to the Builtin Administrators group of olddomain.com, as you have stated above, I cannot find that specific user in newdomain.com.

Please help.

Yousif,

It is possible using a migration tool. Review the following articles:

ADMT - www.sivarjan.com/admt.html

Computer Migration - www.sivarajan.com/cm.html

Keep in mind that ADMT can perform only AD migration. If you are thinking about Exchange/mailbox migration, you need to try different options or scripts:

http://portal.sivarajan.com/2010/06/gui-interface-for-cross-forest-mailbox.html

Rashid Ali,

>>> i cannot find that specific user in newdomain.com

Which user are you talking about? Did you validate the trust?

Thanks for your reply. It was a minor issue. We didn't completely finish the process.

No problem. Thanks for the update.

Hi Santhosh,

I am following the steps you mentioned above in this article. I am creating a two-way trust from the new domain to my existing domain.

Then I create a new user in newdomain (target domain) and make it a member of the Domain Admins group.

Now when I go to the existing domain (source domain) to add the user created in newdomain to the Builtin Administrators group, I cannot find any user of newdomain.

I did an alternate test as well: I installed ADMT on my existing domain, and in this domain it doesn't show me the option of External Trust / Forest Trust when I go to make a trust. What settings do I need to change to create a trust with my new domain?

Regards,
Rashid

It sounds like a name resolution or firewall issue.

Did you validate the trust?

How did you configure the DNS zone between these 2 forests?

Do you have any firewall between these 2 locations? All RPC ports open? - http://support.microsoft.com/kb/179442

hi,

Santhosh, yes I have a firewall in place between the forests.

Regards,

hi santhosh,

Please help me for the following scenario:

I have built a separate test environment and there is no firewall in place. I have set up the trust and DNS, and both domains are connected properly on the same subnet.

I want to transfer the users with passwords. I have installed PES on the source domain controller and created the .pes file in the target and copied it to the source domain controller, but I am unable to import the .pes file on the source.

I have set the permissions as you mentioned above.

ADMT is installed on the target domain. When I go to transfer a user using the "Migrate password" option, it gives the error "unable to establish a session with the PES. Access is denied".

Please help me in this regard.

Thank you.

hi,
I am trying to migrate the user account with SID as per your documents, but I am getting the following error:

[Settings Section]
Task: User Migration (1)
ADMT Console
User: MYTEST2\admigration
Computer: Win2k8-DC3.mytest2.local (WIN2K8-DC3)
Domain: mytest2.local (MYTEST2)
OS: Windows Server (R) 2008 Enterprise 6.0 (6002) Service Pack 2
Source Domain
Name: mytest.local (MYTEST)
DC: Win2K8DC1.mytest.local (WIN2K8DC1)
OS: Windows Server® 2008 Enterprise 6.0 (6002) Service Pack 2
OU:
Target Domain
Name: mytest2.local (MYTEST2)
DC: Win2k8-DC3.mytest2.local (WIN2K8-DC3)
OS: Windows Server® 2008 Enterprise 6.0 (6002) Service Pack 2
OU: LDAP://mytest2.local/OU=Users,OU=IT,DC=mytest2,DC=local
Intra-Forest: No
Password Option: Copy passwords, only for new objects = No
Password Export Server: Win2K8DC1.mytest.local
Migrate Security Identifiers: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Source Disable Option: Leave source account
Source Expiration: Expire source account in 30 days
Target Disable Option: Set target same as source
Migrate groups: No
Migrate service accounts: Yes

[Object Migration Section]
2012-09-06 11:12:49 Starting Account Replicator.
2012-09-06 11:12:51 CN=bpatil - Created
2012-09-06 11:12:51 ERR2:7447 SID History cannot be updated for bpatil. The credentials entered (MYTEST\\admigration) must have Administrator privileges on the source domain.
2012-09-06 11:12:51 WRN1:7392 SIDHistory could not be updated due to a configuration or permissions problem. The Active Directory Migration Tool will not attempt to migrate the remaining objects.
2012-09-06 11:12:51 Operation Aborted.
2012-09-06 11:12:52 Operation completed.

can you please put the step by step process if possible

how to create multi tenant environment for windows server 2012 active directory

Please provide more information.

Are you performing a migration? What are you trying to accomplish?
