ojgarciah
asked on
Can't migrate passwords using ADMT v3
Hello Guys
I would really appreciate your help with my problem.
I'm making a migration of domain, I'm migrating from mydomain.com to mydomain2.com. I have prepared the new server 2k3, the old server was also a 2k3. I'm trying to use ADMT v3 to do the job but I have had a few problems.
Actually I'm able to migrate users, but not to migrate passwords, which are very important for me. On the target domain I have created the certificate and then installed the migration password tool (from ADMT v3). After that, I restarted the server and changed the AllowPasswordExport key in regedit. After that, I restarted the server again and started the password export service. However, when I try to migrate a user I always get the error "Can not connect to the service". If I migrate a user without migrating the password it works fine.
I don't know what to do, I have done every step in the ADMT guide from Microsoft. I'm sure I'm doing something wrong but I don't know what.
Hope you can give a hint.
Thanks.
ASKER
Hello Men
It is already disabled. I don't think password complexity is the way, because the error I get is:
Unable to establish a session with the password export server. Access Denied.
Hope you can help.
In addition to the AllowPasswordExport key, you must set TcpipClientSupport with a DWORD value of 1 to allow RPC access to the SAM:
HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport
Start the PES service manually, it is disabled by default.
Regards
I am having a similar issue with the access denied. I have followed the steps outlined above but have a question about them. The registry entries that need to be modified above, I can change the value for the AllowPasswordExport key. But the TcpipClientSupport dword does not exist, so I created it and assigned the said value.
I have rebooted the server and I do have a 2-way trust between the domains in question.
Thanks in advance!
bhnmi, what is your question?
This must be done in the domain controller with the PDC emulator role.
The source must also be the PDC?
Good question. It is not required in the destination domain, but I always stick with the PDC on both domains.
Hmmmm, okay, both the target and source DCs are the PDC emulators.
Still same error...
MS article http://support.microsoft.com/kb/832221
- Create local groups (without members) in the source domain named sourcedomain$$$ and targetdomain$$$.
- Configure the source domain PDC emulator to allow RPC access to the SAM. Create a key HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport with a DWORD value of 1.
- Restart the PDC Emulator after you make this change.
- Log on to the DC on which ADMT v3 is installed and, at a command prompt, run
"admt key /option:create /sourcedomain:SourceDomain /keyfile:KeyFilePath /keypassword:password"
- Copy the generated .pes file to the designated PDC emulator in the source domain.
- Install the Password Migration DLL on the PDC emulator by running the Pwdmig.exe tool found in %SystemRoot%\admt\pes where ADMT v3 was installed.
- Create the key HKLM\System\CurrentControlSet\Control\LSA\AllowPasswordExportSet with a DWORD value of 1
- Restart the server.
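
The prerequisites in the steps above can be checked in one pass before retrying the migration. The Windows PowerShell script below is an added example, not part of the original posts or of ADMT; it only reads state, the domain names are placeholders, and matching the PES service by its display name is an assumption.

```powershell
# Added example: read-only audit of the PES prerequisites listed in this thread.
# Run elevated in Windows PowerShell on the source-domain PDC emulator.
param(
    # Placeholder NetBIOS names (assumptions); replace with your own.
    [string]$SourceDomain = 'SOURCEDOMAIN',
    [string]$TargetDomain = 'TARGETDOMAIN'
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-LsaDword {
    param([string]$Name)
    $item = Get-ItemProperty -Path $lsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'MISSING' }
    $value = $item.$Name
    # A value created by hand as REG_SZ "1" comes back as a string, not an int.
    if ($value -is [int] -and $value -eq 1) { return 'OK (DWORD 1)' }
    return "UNEXPECTED: $value ($($value.GetType().Name))"
}

function Test-LocalGroup {
    param([string]$Name)
    # net.exe exits non-zero when the group does not exist.
    & net.exe localgroup $Name 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { return 'OK' }
    return 'MISSING'
}

function Get-PesServiceState {
    # Assumption: the PES service is found by display name, not a fixed service name.
    $svc = @(Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'Password Export%'")
    if ($svc.Count -eq 0) { return 'NOT INSTALLED' }
    return "$($svc[0].Name): start mode $($svc[0].StartMode), state $($svc[0].State)"
}

# The thread asks for two empty local groups named <domain>$$$.
$srcGroup = $SourceDomain + '$$$'
$tgtGroup = $TargetDomain + '$$$'

$checks = @(
    @('LSA\TcpipClientSupport',  (Test-LsaDword 'TcpipClientSupport')),
    @('LSA\AllowPasswordExport', (Test-LsaDword 'AllowPasswordExport')),
    @("Group $srcGroup",         (Test-LocalGroup $srcGroup)),
    @("Group $tgtGroup",         (Test-LocalGroup $tgtGroup)),
    @('PES service',             (Get-PesServiceState))
)
foreach ($c in $checks) { '{0,-32} {1}' -f $c[0], $c[1] }
```

An `UNEXPECTED` result on either registry line usually means the value was created with the wrong type, which is easy to do when adding it by hand in regedit.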
We normally create 10 test users and run through it several times before migrating any domain users, which is after we ran through it in the lab.
You can remove an account if needed and migrate again as a test.
Hope this helps
Cheers:)
Kamal