ojgarciah

asked on

Can't migrate passwords using ADMT v3

Hello Guys
I would really appreciate your help with my problem.

I'm doing a domain migration, from mydomain.com to mydomain2.com. I have prepared the new server (2k3); the old server was also 2k3. I'm trying to use ADMT v3 to do the job, but I have had a few problems.

Actually, I'm able to migrate users, but not to migrate passwords, which are very important for me. On the target domain I have created the certificate and then installed the password migration tool (from ADMT v3). After that, I restarted the server and changed the AllowPasswordExport key in regedit. After that, I restarted the server again and started the Password Export service; however, when I try to migrate a user I always get the error "Cannot connect to the service". If I migrate a user without migrating the password, it works fine.

I don't know what to do; I have done every step in the ADMT guide from Microsoft. I'm sure I'm doing something wrong, but I don't know what.

Hope you can give a hint.
Thanks.
kamalgopi

Try turning off password complexity in the 2003 domain.

We normally create 10 test users and run through it several times before migrating
any domain users, which is after we have run through it in the lab.

You can remove an account if needed and migrate again as a test.

Hope this helps
Cheers:)
Kamal

ASKER

Hello Men

It is already disabled. I don't think password complexity is the way, because the error I get is:
Unable to establish a session with the password export server. Access Denied.

Hope you can help.
In addition to the AllowPasswordExport key, you must set TcpipClientSupport with a DWORD value of 1 to allow RPC access to the SAM:

HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport

Start the PES service manually, it is disabled by default.

Regards
I am having a similar issue with the access denied error. I have followed the steps outlined above but have a question about them. Of the registry entries that need to be modified above, I can change the value for the AllowPasswordExport key, but the TcpipClientSupport DWORD does not exist, so I created it and assigned the said value.

I have rebooted the server and I do have a 2-way trust between the domains in question.

Thanks in advance!
bhnmi, what is your question?

This must be done in the domain controller with the PDC emulator role.
The source must also be the PDC?
Good question. It is not required in the destination domain, but I always stick with the PDC on both domains.
Hmmmm, okay, both the target and source DCs are the PDC emulators.

Still same error...
MS article http://support.microsoft.com/kb/832221

- Create local groups (without members) in the source domain named sourcedomain$$$ and targetdomain$$$.

- Configure the source domain PDC emulator to allow RPC access to the SAM. Create a key HKLM\System\CurrentControlSet\Control\LSA\TcpipClientSupport with a DWORD value of 1.

- Restart the PDC Emulator after you make this change.

- Log on to the DC on which ADMT v3 is installed and at a command prompt run
"admt key /option:create /sourcedomain:SourceDomain /keyfile:KeyFilePath /keypassword:password"

- Copy the generated .pes file to the designated PDC emulator in the source domain.

- Install the Password Migration DLL on the PDC emulator by running the Pwdmig.exe tool found in %SystemRoot%\admt\pes where ADMT v3 was installed.

- Create the key HKLM\System\CurrentControlSet\Control\LSA\AllowPasswordExportSet with a DWORD value of 1

- Restart the server.
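A readiness check for the steps above, added here as an example (it is not from the thread or from Microsoft): run it in PowerShell on the source-domain PDC emulator after the restart. The two NetBIOS domain names, the `$$$` group naming and matching the PES service by its display name are assumptions you may need to adjust.

```powershell
# Added example: verify the PES prerequisites from KB 832221 before retrying
# the password migration. Run on the source domain PDC emulator.
function Test-PesPrerequisites {
    param(
        [Parameter(Mandatory=$true)][string]$SourceNetbios,   # e.g. MYDOMAIN  (assumed)
        [Parameter(Mandatory=$true)][string]$TargetNetbios    # e.g. MYDOMAIN2 (assumed)
    )
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $reg = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue

    # 1. LSA keys named in the thread; both must exist as DWORD 1. They widen
    #    RPC access to the SAM, so set them only for the migration window and
    #    remove them again once the password migration is finished.
    $tcpipOk  = ($reg.TcpipClientSupport -eq 1)
    $exportOk = ($reg.AllowPasswordExport -eq 1)

    # 2. PES only serves requests on the PDC emulator of the source domain.
    $pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $isPdc = ($pdc.Split('.')[0] -ieq $env:COMPUTERNAME)

    # 3. The service installed by Pwdmig.exe is disabled by default and must be
    #    started by hand. Matching on display name is an assumption.
    $svc   = Get-Service -DisplayName '*Password Export*' -ErrorAction SilentlyContinue
    $svcOk = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 4. The empty <domain>$$$ groups must exist in the source domain.
    $groupsOk = $true
    foreach ($g in @(($SourceNetbios + '$$$'), ($TargetNetbios + '$$$'))) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.Filter = '(&(objectClass=group)(sAMAccountName=' + $g + '))'
        if ($null -eq $searcher.FindOne()) {
            Write-Warning "Group $g not found in the source domain"
            $groupsOk = $false
        }
    }

    New-Object PSObject -Property @{
        TcpipClientSupport  = $tcpipOk
        AllowPasswordExport = $exportOk
        IsPdcEmulator       = $isPdc
        PesServiceRunning   = $svcOk
        DollarGroupsPresent = $groupsOk
        Ready               = ($tcpipOk -and $exportOk -and $isPdc -and $svcOk -and $groupsOk)
    }
}

# Example call with constructed names; any $false field is a likely cause of
# "Unable to establish a session with the password export server. Access Denied."
Test-PesPrerequisites -SourceNetbios 'MYDOMAIN' -TargetNetbios 'MYDOMAIN2' | Format-List
```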
ASKER CERTIFIED SOLUTION
ojgarciah