
Can't migrate passwords using ADMT v3

Hello Guys
I would really appreciate your help with my problem.

I'm doing a domain migration, from mydomain.com to mydomain2.com. I have prepared the new 2k3 server; the old server was also 2k3. I'm trying to use ADMT v3 to do the job, but I have had a few problems.

Actually I'm able to migrate users, but not to migrate passwords, which are very important for me. On the target domain I have created the certificate and then installed the password migration tool (from ADMT v3). After that, I restarted the server and changed the AllowPasswordExport key in regedit; after that, I restarted the server again and started the password export service. However, when I try to migrate a user I always get the error "Can not connect to the service". If I migrate a user without migrating the password it works fine.

I don't know what to do; I have done every step in the ADMT guide from Microsoft. I'm sure I'm doing something wrong but I don't know what.

Hope you can give a hint.
Thanks.
Asked by ojgarciah
1 Solution
 
kamalgopi Commented:
Try turning off password complexity in the 2003 domain.

We normally create 10 test users and run through it several times before migrating any domain users, which is after we ran through it in the lab.

You can remove an account if needed and migrate again as a test.

Hope this helps
Cheers:)
Kamal
 
ojgarciah (Author) Commented:
Hello Men

It is already disabled. I don't think password complexity is the way, because the error I get is:
"Unable to establish a session with the password export server. Access Denied."

Hope you can help.
 
Walter Padrón Commented:
In addition to the AllowPasswordExport key, you must set TcpipClientSupport with a DWORD value of 1 to allow RPC access to the SAM:

HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport

Start the PES service manually, it is disabled by default.

Regards

 
bhnmi Commented:
I am having a similar issue with the access denied. I have followed the steps outlined above but have a question about them. Of the registry entries that need to be modified above, I can change the value for the AllowPasswordExport key, but the TcpipClientSupport DWORD does not exist, so I created it and assigned the said value.

I have rebooted the server and I do have a 2-way trust between the domains in question.

Thanks in advance!
 
Walter Padrón Commented:
bhnmi, what is your question?

This must be done in the domain controller with the PDC emulator role.
 
bhnmi Commented:
The source must also be the PDC?
 
Walter Padrón Commented:
Good question. It is not required in the destination domain, but I always stick with the PDC on both domains.
 
bhnmi Commented:
Hmmmm, okay, both the target and source DCs are the PDC emulators.

Still same error...
 
Walter Padrón Commented:
MS article: http://support.microsoft.com/kb/832221

- Create local groups (without members) in the source domain named sourcedomain$$$ and targetdomain$$$.

- Configure the source domain PDC emulator to allow RPC access to the SAM. Create a key HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport with a DWORD value of 1.

- Restart the PDC Emulator after you make this change.

- Log on to the DC on which ADMT v3 is installed and at a command prompt run:
"admt key /option:create /sourcedomain:SourceDomain /keyfile:KeyFilePath /keypassword:password"

- Copy the generated .pes file to the designated PDC emulator in the source domain.

- Install the Password Migration DLL on the PDC emulator by running the Pwdmig.exe tool found in %SystemRoot%\admt\pes where ADMT v3 was installed.

- Create the key HKLM\System\CurrentControlSet\Control\LSA\AllowPasswordExport set with a DWORD value of 1.

- Restart the server.
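The prerequisites listed above, turned into a read-only preflight check. This is an added example, not part of the thread and not part of ADMT; it assumes it is run in PowerShell on the source-domain PDC emulator, and that the PES service's display name begins with "Password Export Server" (an assumption).

```powershell
# Added preflight check (not from the thread or from ADMT): verify the PES
# prerequisites on the source-domain PDC emulator before trying a password
# migration. Read-only: it only reports what is missing.
# Assumption: the PES service display name starts with "Password Export Server".

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$problems = @()

# 1. Both LSA values must exist as DWORD = 1: TcpipClientSupport allows RPC
#    access to the SAM, AllowPasswordExport permits the export itself.
foreach ($name in 'TcpipClientSupport', 'AllowPasswordExport') {
    $value = (Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        $problems += "$name is missing under $lsa (create it as a DWORD with value 1)"
    } elseif ($value -ne 1) {
        $problems += "$name is $value, expected 1"
    }
}

# 2. This host must hold the PDC emulator role of its domain (.NET call, no RSAT needed).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc = $domain.PdcRoleOwner.Name.Split('.')[0]
if ($pdc -ne $env:COMPUTERNAME) {
    $problems += "PDC emulator is $pdc, not $env:COMPUTERNAME; PES must run on the PDC emulator"
}

# 3. The PES service is installed by Pwdmig.exe and is disabled by default.
$pes = Get-Service | Where-Object { $_.DisplayName -like 'Password Export Server*' }
if (-not $pes) {
    $problems += 'PES service not found: run Pwdmig.exe with the .pes key file on this DC'
} elseif ($pes.Status -ne 'Running') {
    $problems += "PES service is $($pes.Status); start it manually after the restart"
}

if ($problems.Count -eq 0) {
    'PES prerequisites look good (registry changes still need a restart of this DC to take effect)'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```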
 
ojgarciah (Author) Commented:
Definitely I couldn't do it. I had to generate complex passwords.

I really don't know why I couldn't connect.
How should I close this question?
