Issues in domain migration

dan118 (Australia) asked:

I'm using ADMT v3 to migrate from domain abc.org (W2K) to msfirewall.org (W2K3). The trust between the two domains has been created. However, I have a few issues here.
1. Delegation was done successfully on the msfirewall domain but not on abc.org. Attached is the error screenshot.
2. When I add the Domain Admins from msfirewall.org (W2K3) as a member of the abc.org built-in Administrators group, I get the error "You do not have permissions to modify the group abc.org/Builtin/Administrators". Meanwhile, when I add the Domain Admins from abc.org (W2K) as a member of the msfirewall.org built-in Administrators group, I click to browse msfirewall.org and get the error "Unspecified error"; I could not even browse.
3. When I migrate the user SID, I get the error "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate SID's. Access is denied", even though I have created TcpipClientSupport, set the DWORD value to 1 on the source domain and rebooted.
Please advise!
merowinger (Germany):

hi,
sorry...there's no screenshot...

Independent of your problems...first check those settings

1. On all DCs failure auditing must be enabled:
 --> Policy -> Computer configuration -> windows settings -> security policy -> local policy -> auditing policy -> Audit Account Management (failure and success)
2. On the destination and the source DC the following group policy should be configured similarly:
 --> Policy -> Computer configuration -> windows settings -> security policy -> local policy -> security options -> Network Security: LAN Manager Authentication
3. Set the registry key hkey_local_machine\system\currentcontrolset\control\lsa\tcpipclientsupport to 1 on the source dc
4. Disable SID Filtering with netdom.exe and commandline
-->On target dc:
netdom trust {FQDN of target domain} /domain:{FQDN of source domain} /enablesidhistory:yes
netdom trust {FQDN of target domain} /domain:{FQDN of source domain} /quarantine:no
-->On source dc:
netdom trust {FQDN of source domain} /domain:{FQDN of target domain} /enablesidhistory:yes
netdom trust {FQDN of source domain} /domain:{FQDN of target domain} /quarantine:no
5. On the source DC create a local security group in the domain
--> Name: NetBiosNameoftheDomain$$$ for example: subdomain$$$
6. gpupdate /force on both domains
7. Test the trust in AD Domains and Trusts
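The checklist above is spread over several consoles; the following batch file is an added example (not merowinger's or ADMT's own tooling) that reads each prerequisite from the command line on the target DC so you can see which one is actually missing before touching ADMT. It assumes names for illustration only: the source DC `abcdc1.abc.org`, the source NetBIOS name `ABC` (so the required empty domain-local group is `ABC$$$`, three dollar signs), and the source naming context `DC=abc,DC=org`. It uses `reg`, `netdom` and the `ds*` tools that ship with Windows Server 2003; a `netdom trust` switch given without `yes`/`no` reports the current setting instead of changing it.

```batch
@echo off
setlocal
:: admt_preflight.cmd  -- added example for this thread, not ADMT's or merowinger's script.
:: Run on the TARGET DC (msfirewall.org, the ADMT v3 host) logged on as an account that is
:: a Domain Admin in the target and a member of Administrators in the source.
:: All names below are assumptions for illustration; change them to your environment.
set SRC_DNS=abc.org
set SRC_NB=ABC
set SRC_DC=abcdc1.abc.org
set SRC_DN=DC=abc,DC=org
set TGT_DNS=msfirewall.org

echo === 1. LAN Manager authentication level must be the same on both DCs ===
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel
reg query "\\%SRC_DC%\HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel

echo === 2. TcpipClientSupport on the SOURCE DC: REG_DWORD 0x1, then reboot that DC ===
reg query "\\%SRC_DC%\HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v TcpipClientSupport
if errorlevel 1 (
  echo   value missing - creating it remotely, reboot %SRC_DC% afterwards
  reg add "\\%SRC_DC%\HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v TcpipClientSupport /t REG_DWORD /d 1 /f
)

echo === 3. Trust health and SID filtering / SID history state, both directions ===
netdom trust %TGT_DNS% /domain:%SRC_DNS% /verify
netdom trust %TGT_DNS% /domain:%SRC_DNS% /quarantine
netdom trust %TGT_DNS% /domain:%SRC_DNS% /enablesidhistory
netdom trust %SRC_DNS% /domain:%TGT_DNS% /quarantine
netdom trust %SRC_DNS% /domain:%TGT_DNS% /enablesidhistory
:: You want to see SID filtering NOT enabled and SID history enabled; if not,
:: run the four "/quarantine:no" and "/enablesidhistory:yes" lines from step 4 above.

echo === 4. Empty domain-local security group %SRC_NB%$$$ in the source domain ===
set GRPDN=
for /f "delims=" %%d in ('dsquery group -s %SRC_DC% -name "%SRC_NB%$$$"') do set GRPDN=%%d
if not defined GRPDN (
  echo   group missing - creating it in CN=Users of %SRC_DNS%
  dsadd group "CN=%SRC_NB%$$$,CN=Users,%SRC_DN%" -s %SRC_DC% -secgrp yes -scope l
) else (
  echo   found %GRPDN% - scope must be "l" and the member list must be empty:
  dsget group %GRPDN% -scope -secgrp
  dsget group %GRPDN% -members
)

echo === 5. Audit policy on THIS DC: AuditAccountManage = 3 means success and failure ===
secedit /export /cfg "%TEMP%\secpol.inf" /areas SECURITYPOLICY >nul
findstr /i "AuditAccountManage" "%TEMP%\secpol.inf"
echo   (run the two lines above on the source DC as well)
endlocal
```

Steps 1 to 4 are checked remotely from the target; the audit export in step 5 only describes the machine it runs on, so repeat it on the source DC. Anything the script flags as missing explains the "Could not verify auditing and TcpipClientSupport" error more reliably than re-running the migration wizard.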
dan118 (ASKER):
I have applied these steps but it seems no different.

1. The error message is "The logon attempt failed"

What else could be the cause? Anyone?
The error message is "The logon attempt failed"

Is the account enabled, is the password correct?

Is the account you are using in the source domain?
dan118 (ASKER):
I log on to the source domain (abc.org) as an administrator. But I fail to delegate permission: when I try to select msfirewall.org from the Select Users, Computers or Groups drop-down list, I now receive the error "Unspecified error". Delegation was done successfully on the target domain (msfirewall.org). Please advise!
dan118 (ASKER):
Sometimes the error is "The logon attempt failed". Please advise! Anyone?
Have you followed all the following:
http://support.microsoft.com/kb/260871

What do you mean when you say "i failed to delegate permission"

You must log on to the computer on which you run ADMT with an account that has the following rights:
- Domain Administrator rights in the target domain
- Is a member of the Administrators group in the source domain
- Administrator rights on each computer you migrate
- Administrator rights on each computer on which you translate security
Therefore, logging into the PDC that is the FSMO role holder in the target domain with the source domain\Administrator account suffices, assuming that the source domain\Domain Administrators group belongs to each computer's Administrators group.
Also, when you put in the username for authentication (in ADMT), are you prefixing the account with the domain name?

It could also be a name resolution problem try creating a lmhosts file as per the following article (paying attention to the 15th character)

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/prcc_tcp_gclb.mspx?mfr=true
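The "Unspecified error" and "The logon attempt failed" messages from the object picker are what you see when the target-side machine cannot resolve the source domain's NetBIOS names, which is why the LMHOSTS suggestion above matters. The batch file below is an added example (not from the thread or the linked article) that writes the two entries the object picker needs and reloads the name cache; it assumes, for illustration only, a source DC named `ABCDC1` at `10.1.1.5` and the source NetBIOS domain name `ABC`. The 1B (domain master browser) entry is the one with the "15th character" rule: the name inside the quotes must be padded with spaces to exactly 15 characters before the `\0x1b` suffix, so it is spelled out literally rather than built from a variable.

```batch
@echo off
setlocal
:: lmhosts_sourcedomain.cmd -- added example, not from the thread.
:: Run on the machine in the TARGET domain that runs ADMT / the object picker.
:: Assumed values for illustration: source DC ABCDC1 at 10.1.1.5, NetBIOS domain ABC.
set LMHOSTS=%SystemRoot%\system32\drivers\etc\lmhosts
set SRC_IP=10.1.1.5
set SRC_DC=ABCDC1
set SRC_NB=ABC

:: Do not append twice if the entries are already there.
findstr /i /c:"#DOM:%SRC_NB%" "%LMHOSTS%" >nul 2>&1 && (
  echo entries for %SRC_NB% already present in %LMHOSTS%
  goto reload
)

:: 1C entry: #PRE preloads it into the cache, #DOM:ABC marks it as a DC of domain ABC.
:: Redirection placed first so no trailing space is written after the text.
>>"%LMHOSTS%" echo %SRC_IP%   %SRC_DC%   #PRE   #DOM:%SRC_NB%
:: 1B entry (domain master browser). "ABC" + 12 spaces = 15 characters, then \0x1b.
>>"%LMHOSTS%" echo %SRC_IP%   "ABC            \0x1b"   #PRE

:reload
:: Purge the NetBIOS name cache and reload the #PRE entries, then show what was loaded.
nbtstat -R
nbtstat -c | findstr /i "%SRC_DC% %SRC_NB%"
endlocal
```

If `nbtstat -c` does not list the `ABC <1B>` and `ABCDC1 <20>` style entries after the reload, the padding in the quoted 1B line is the first thing to recount. The file is named `lmhosts` with no extension; the shipped sample is `lmhosts.sam` and is not read.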
dan118 (ASKER):
First of all, I'm using ADMT v3 to migrate from abc.org (W2K) to msfirewall.org (W2K3). I have configured the two-way trust. I have also done the auditing and registry parts as mentioned in the article.

However, I receive the error "You do not have permissions to modify group abc.org/Builtin/Administrator" when I add the Domain Admins from the target domain to the Administrators group in the source domain. Meanwhile I receive "Unspecified error" or "The logon attempt failed" when I browse msfirewall.org to add the Domain Admins from the source domain to the Administrators group in the target domain.
dan118 (ASKER):
Prefixing the account with the domain name and the configuration in the lmhosts file also don't help. What else could be the cause?
Is there a firewall anywhere between the link? It would seem that there is something restricting the program from working.
dan118 (ASKER):
I've checked, there is no firewall blocking. Very weird, what could be the problem? Can anyone advise? Many thanks!
dan118 (ASKER):
By the way, I have another issue with password migration. I have installed PES on the source DC. I ran pwdmig.msi with abc/Administrator and the password. After installation completed, I restarted the source DC and intended to start the PES service but couldn't find this service. I receive the error "Unable to establish a session with password export server. The specified service does not exist as an installed service" when I try to migrate passwords from the target DC. Please advise!
This would point to the service not being installed - try re-installing it.
dan118 (ASKER):
I have tried reinstalling many times, still the same.
Do you still have this problem:

3. As i migrate the user SID, error "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate SID's. Access is denied". Even i have created the TcpipClientSupport and set the DWORD value to 1 on source domain and reboot.
dan118 (ASKER):
Yup, I still have this problem. None of the above problems are solved yet.
ASKER CERTIFIED SOLUTION
fishadr (United Kingdom):

This solution is only available to members.
Don't forget merowinger's suggestion or you will not be able to migrate SID History:

4. Disable SID Filtering with netdom.exe and commandline
-->On target dc:
netdom trust {FQDN of target domain} /domain:{FQDN of source domain} /enablesidhistory:yes
netdom trust {FQDN of target domain} /domain:{FQDN of source domain} /quarantine:no
-->On source dc:
netdom trust {FQDN of source domain} /domain:{FQDN of target domain} /enablesidhistory:yes
netdom trust {FQDN of source domain} /domain:{FQDN of target domain} /quarantine:no

dan118 (ASKER):
Hi fishadr,

I think I will redo the steps again from fresh. Maybe I really missed out something. I'll let you know the status after my testing. Many thanks for your advice!
dan118 (ASKER):
Hi fishadr,

I managed to migrate the SID now. However, I still have a problem with password migration. After I install ADMT on the source DC (W2K), I run admt key sourcedomain path password. A PES file is created, but somehow after the reboot, when I want to start the PES service, it's not there. I have tried a few times already. Did I miss out anything? Please advise!
Hi,

Never had any problems with the PES but here are some guides from another forum:
http://www.petri.co.il/forums/showthread.php?t=5292

Use the Password Export Server (PES) service to migrate passwords when you perform an interforest migration. The PES service can be installed on any domain controller in the source domain that supports 128-bit encryption.

The PES service installation in the source domain requires an encryption key, but you must create the encryption key on the computer running the Active Directory Migration Tool version 3 (ADMT v3) in the target domain. When you create the encryption key in the target domain, save it to a floppy disk so that it can be stored in a secure location and reformatted after the migration is complete.

To create an encryption key
At a command line, type the following:

admt key /option:create /sourcedomain:SourceDomain /keyfile:KeyFilePath /keypassword:{password|*}

Parameters:
SourceDomain
Specifies the name of the source domain in which the PES service is being installed. Can be specified as either the Domain Name System (DNS) or NetBIOS name.

KeyFilePath
Specifies the path to the location where the encrypted key is stored.

{password|*}
A password, which provides key encryption, is optional. To protect the shared key, type either the password or an asterisk on the command line. The asterisk causes you to be prompted for a password that is not displayed on the screen.


After you create the encryption key, configure the PES service on a domain controller in the source domain.

ADMT provides the option to run the PES service under the Local System account or by using the credentials of an authenticated user in the target domain. It is recommended that you run the PES service as an authenticated user in the target domain.

Note:
If you run the PES service under the Local System account, ensure that the Pre-Windows 2000 Compatible Access group in the target domain contains the Everyone group and the Anonymous Logon group.



To configure the PES service in the source domain
On the domain controller that runs the PES service in the source domain, insert the encryption key disk.

In the Pwdmig folder, run Pwdmig.msi. If you set a password during the key generation process on the domain controller in the target domain, the Key Password Required dialog box appears. Provide the password that was given when the key was created, and then click Next.

Specify the account to run the PES service.

After installation completes, restart the domain controller.

After the domain controller restarts, to start the PES service, point to Start, point to All Programs, point to Administrative Tools, and then click Services. In the details pane, right-click Password Export Server Service, and then click Start.

Note:
Run the PES service only when you migrate passwords. Stop the PES service after you complete the password migration.
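The procedure above is two halves on two machines, and the failure mode in this thread (the installer finishes but no service appears) is invisible unless the MSI is run with a log. The batch file below is an added example, not Microsoft's or fishadr's script: the `create` half runs on the target DC with ADMT v3 and uses the v3 `admt key /option:create` syntax quoted above (the older v2 form was `admt key sourcedomain path password`); the `install` half runs on the source DC, launches `pwdmig.msi` through `msiexec` with a verbose log, and then checks the log and the service list. It assumes, for illustration only, the key file `A:\abc.pes` and a folder `D:\admt\pes` holding `pwdmig.msi`, `pwdmig.exe`, `pwdmig.ini` and `instmsiw.exe` copied together from the ADMT media.

```batch
@echo off
setlocal
:: pes_setup.cmd -- added example for this thread, not Microsoft's or fishadr's script.
::   on the TARGET DC that runs ADMT v3:     pes_setup.cmd create
::   on the SOURCE DC (abc.org, W2K SP4):    pes_setup.cmd install
:: Assumed locations for illustration: key on A:\abc.pes, PES files in D:\admt\pes.
set SRC_DNS=abc.org
set KEYFILE=A:\abc.pes
set PESDIR=D:\admt\pes
set LOG=%TEMP%\pwdmig.log

if /i "%~1"=="create"  goto create
if /i "%~1"=="install" goto install
echo usage: %~nx0 create ^| install
exit /b 2

:create
:: The key is bound to the SOURCE domain name. "*" prompts for the key password without
:: echoing it; the same password is asked for by pwdmig.msi on the source DC.
admt key /option:create /sourcedomain:%SRC_DNS% /keyfile:%KEYFILE% /keypassword:*
if errorlevel 1 (echo admt key failed, exit code %errorlevel% & exit /b 1)
dir %KEYFILE%
echo Key written. Keep the disk secure; take it to the source DC and run: %~nx0 install
exit /b 0

:install
cd /d "%PESDIR%" || exit /b 1
if not exist "%KEYFILE%" (echo key file %KEYFILE% not found - insert the key disk & exit /b 1)
:: start /wait makes cmd wait for the GUI installer so %errorlevel% is the real MSI
:: exit code (0 = success, 3010 = success but reboot required). /l*v writes a full log.
start /wait msiexec /i pwdmig.msi /l*v "%LOG%"
echo msiexec exit code: %errorlevel%
echo --- summary line from the log ---
findstr /c:"Installation success or error status" "%LOG%"
echo --- failing custom action, if any (Windows Installer marks it "Return value 3") ---
findstr /c:"Return value 3" "%LOG%"
echo --- is the service registered? (reboot first if the installer asked for it) ---
sc query state= all | findstr /i /c:"Password Export"
if errorlevel 1 echo   NOT registered - the MSI did not complete on this DC; read %LOG%
exit /b 0
```

If the summary line reports a non-zero status, the lines just above the first "Return value 3" in the log name the custom action that failed (typically the key or the service account), which is the answer to "did I miss anything" that the Services console cannot give.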
dan118 (ASKER):
Hi,

The encryption key was created in the target domain using ADMT v3. In the source domain, I ran Pwdmig.msi, inserted the encryption key and keyed in the password as during the key generation. Then I rebooted the source DC. Then I went to services.msc, but there is no Password Export Server service or PES service. My target DC is W2K3 R2 SP2 and the source DC is W2K SP4. Are my steps correct? Or did I miss out anything?
You need to run the installation from the same location as the other files, e.g.

pwdmig.msi, pwdmig.ini, pwdmig.exe and instmsiw.exe, and then re-run.

This should sort it out.
dan118 (ASKER):
Hi fishadr,

I did indeed run the installation from the same location as those files you mentioned. The result is still the same.
I wonder if my steps are wrong.
1) Install ADMT v3 on the target DC. Create the encryption key and copy it over to the source DC.
2) On the source DC, run pwdmig.msi from the folder where pwdmig.exe, pwdmig.ini and instmsiw.exe are located. Insert the encryption key with the password as during the key generation.
3) Reboot the source DC.
4) Go to Services and look for the Password Export Server service, but it does not exist.
Please advise!