shard26

ADMT version 3.1 Computer Migration

using ADMT version 3.1
source domain: SBS 2003
destination domain: Server 2008 Standard Edition

users and groups migrate fine.
computers = not so much

migration log looks fine, but "agent detail:" has this:
"2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

Any ideas?



advserver

Is the user you are logged in as a domain admin of the SBS domain? You need this to be able to migrate the computers. Furthermore, the user that is migrating needs to be a local administrator on all workstations in the source forest; I am guessing that may be your issue.
shard26

ASKER

I am logged in on the 2008 server where I am a domain admin.  I am running ADMT from the 2008 server.  Are you saying the 2008 server domain admins need to be added to the domain admins group on the sbs 2000 server? I am not sure how to do that.

yep that is it....kind of.....depending on how many workstations you have, which is less than 75 (SBS limit)
all you really need to do is add the 2008 domain admin account (if that is what you are using to do the migration) to the local administrators group on the workstations in the source domain.

this can be done either via script, or through a GPO on the sbs server. If you do it through the gpo, all other local admins are removed...so depending on size is how you would approach it.

Make sense?
shard26

ASKER

I don't think you can do that. What you are saying implies a trust between the 2 domains, which isn't possible with SBS.
http://support.microsoft.com/kb/555073

here is the MS of how to do this.
i am pretty sure i did a one way trust..from sbs to source forest before, but i could be wrong on that one.

sorry sbs to destination
shard26

ASKER

"trust cannot be created because: this operation is not supported on a microsoft small business server"
shard26

ASKER

perhaps i am doing it wrong?
shard26

ASKER

more from my log file:

Local Machine
    Computer:   ******-xp.******.local (******-XP)
        Domain:     ******.local (******)
        OS:         Microsoft Windows XP 5.1 (2600) Service Pack 2
2008-08-18 15:30:14 Starting Security Translator.
2008-08-18 15:30:14 Agent is running in local mode.
2008-08-18 15:30:14 Read 4 accounts from C:\WINDOWS\OnePointDomainAgent\Accounts000012.txt
2008-08-18 15:30:14 SecurityTranslation Files:Yes Shares:Yes LGroups:Yes UserRights:Yes Printers:Yes Profiles:Yes RecycleBin:Yes TranslationMode:Replace ******.local ******-new.local
2008-08-18 15:30:14 Starting
2008-08-18 15:30:14 Translating local machine.
2008-08-18 15:30:15 Skipping A:\, rc=21   The device is not ready.
2008-08-18 15:30:15 Processing C:\
2008-08-18 15:30:18 Processing recycle bin files and folders on C:\.
2008-08-18 15:30:18 Skipping D:\.  D:\ is a CD-ROM drive.
2008-08-18 15:30:18 Processing shares on local machine.
2008-08-18 15:30:18 Processing printer security...
2008-08-18 15:30:18 Translating local groups.
2008-08-18 15:30:18 Translating user rights.
2008-08-18 15:30:18 ADMT only performs user rights translation in Append mode.
2008-08-18 15:30:18 Translating security on registry keys.
2008-08-18 15:30:43 This profile translation automatically switches from replace mode to add mode if the user is currently logged on or if the profile is in use for other reasons.  In order to disable the switching, you need to set the registry HKLM\Software\Microsoft\ADMT\DisallowFallbackToAddInProfileTranslation (REG_DWORD) to 1 on the ADMT machine.
2008-08-18 15:30:43 ------Account Detail---------
2008-08-18 15:30:43 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
2008-08-18 15:30:43 -----------------------------
2008-08-18 15:30:43 3 users, 1 groups
2008-08-18 15:30:43 4 accounts selected.  4 resolved, 0 unresolved.
2008-08-18 15:30:43            Examined        Changed     Unchanged
2008-08-18 15:30:43 Files          11805              0         11805
2008-08-18 15:30:43 Dirs             979              0           979
2008-08-18 15:30:43 Shares             0              0             0
2008-08-18 15:30:43 Members            9              0             9
2008-08-18 15:30:43 User Rights       60              0            60
2008-08-18 15:30:43 Exchange Objects          0              0             0
2008-08-18 15:30:43 Containers         0              0             0
2008-08-18 15:30:43 DACLs         123094              0        123094
2008-08-18 15:30:43 SACLs              2              0             2
2008-08-18 15:30:43            Examined        Changed     No Target   Not Selected     Unknown
2008-08-18 15:30:43 Owners       123094              0        123094              0           0
2008-08-18 15:30:43 Groups       123094              0        123094              0           0
2008-08-18 15:30:43 DACEs       1015051              0       1015051        1015051           0
2008-08-18 15:30:43 SACEs             4              0             4              4           0
2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
2008-08-18 15:30:43 Wrote result file C:\WINDOWS\OnePointDomainAgent\000012_******-XP.result
2008-08-18 15:30:43 Operation completed.
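
Added example (not part of the original thread or of ADMT): a small Python parser that pulls ERR/WRN lines out of an ADMT agent log like the one above and decodes the `hr=` value. The value `800704f1` is Win32 error 1265 (ERROR_DOWNGRADE_DETECTED) wrapped in an HRESULT; the function names and the short error-name table are assumptions made for this illustration.

```python
import re

# Line shape taken from the agent log above: "<date> <time> ERR<level>:<id> <text>".
# Assumption: WRN lines follow the same shape.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sev>ERR|WRN)(?P<level>\d):(?P<msg_id>\d+) (?P<text>.*)$"
)
HR_RE = re.compile(r"\bhr=(?P<hr>[0-9a-fA-F]{8})\b")

FACILITY_WIN32 = 7
# Small lookup of Win32 error codes for illustration; extend as needed.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    1265: "ERROR_DOWNGRADE_DETECTED",
    1355: "ERROR_NO_SUCH_DOMAIN",
}

def decode_hresult(hr):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    return {"failed": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def find_failures(log_text):
    """Return one dict per ERR/WRN line, with any hr= value decoded."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # informational line, no ERR/WRN tag
        entry = {"timestamp": m["ts"], "severity": m["sev"], "msg_id": int(m["msg_id"]),
                 "hresult": None, "win32_code": None, "win32_name": None}
        hr_m = HR_RE.search(m["text"])
        if hr_m:
            hr = int(hr_m["hr"], 16)
            parts = decode_hresult(hr)
            entry["hresult"] = f"0x{hr:08X}"
            if parts["facility"] == FACILITY_WIN32:
                entry["win32_code"] = parts["code"]
                entry["win32_name"] = WIN32_NAMES.get(parts["code"], "UNKNOWN")
        results.append(entry)
    return results

# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""
2008-08-18 15:30:15 Skipping A:\, rc=21   The device is not ready.
2008-08-18 15:30:18 Translating user rights.
2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
2008-08-18 15:30:43 Operation completed.
"""

if __name__ == "__main__":
    for failure in find_failures(SAMPLE_LOG):
        print(failure)
```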
Jeffrey Kane - TechSoEasy
SBS does not support domain trusts.

The proper way to migrate from an SBS 2003 domain to a stand-alone Server 2008 domain would be to buy the Transition Pack (http://sbsurl.com/transition).  This will remove the restriction on trusts, and more importantly, it will provide the best value for converting the SBS CALs to standard CALs.  It will also allow you to move Exchange to another server.  Instructions on how to use the Transition Pack can be found here:  http://sbsurl.com/tphowto

If you don't use the Transition Pack, then you need to join the new Server 2008 to your existing SBS 2003 domain as an additional Domain Controller.  There is a very good overview of how to accomplish this, which you'll find here:
http:Q_23615337.html#22143909

Jeff
TechSoEasy
shard26

ASKER

So is it possible to use ADMT to grab the computer accounts and change their domain memberships if they are currently joined to an SBS domain?  The users and groups migrated fine.
I really don't know for sure with regards to migrating to Server 2008, but normally you can use ADMT to migrate computer accounts without establishing a domain trust as long as the administrator passwords matched.  Since Server 2008 disables the built-in administrator account by default, you may need to re-enable it and set the password to match that of your SBS's built-in administrator account.

You also need to create DNS forwarders on each server for it to work properly.  

The basic instructions can be found in http://sbsurl.com/migrate, but again, this is not written for migrating from SBS 2003 to Server 2008, so I don't know for sure if it will work.

I'm assuming that you aren't migrating Exchange then?

Jeff
TechSoEasy
shard26

ASKER

"I really don't know for sure with regards to migrating to Server 2008, but normally you can use ADMT to migrate computer accounts without establishing a domain trust as long as the administrator passwords matched. "

They do match.

"Since Server 2008 disables the built-in administrator account by default, you may need to re-enable it and set the password to match that of your SBS's built-in administrator account."

The Administrator account is enabled and the passwords match.

"You also need to create DNS forwarders on each server for it to work properly.  "

done.

"The basic instructions can be found in http://sbsurl.com/migrate, but again, this is not written for migrating from SBS 2003 to Server 2008, so I don't know for sure if it will work."

It is actually sbs2000 -> server 2008. I mistyped it originally.

"I'm assuming that you aren't migrating Exchange then?"

No, we are just dumping out to pst and then importing into the 2008 server.
We will then be decommissioning the sbs2000 server.
shard26

ASKER

followed directions and still fails on computer migration.
it creates the computer account on the new domain, but it does not change the domain of the PC
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy

shard26

ASKER

I was reading the doc in your link and it says to "dcpromo down SBS server", is that possible?

I think it was with SBS2000 (it's definitely not a possible action on an SBS 2003), but I never really worked with SBS2000, and don't have any around that I could check with.  That's why I actually stated you need to "SEIZE" the roles and "FORCIBLY" remove it from the domain.

Jeff
TechSoEasy
1. Log on to a Windows Server 2008-based domain controller.
2. Click Start, click Run, type gpmc.msc, and then click OK.
3. In the Group Policy Management console, expand Forest: DomainName , expand DomainName , expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5. In the Properties dialog box, click the Enabled option, and then click OK.

Reference: "When a Windows NT 4.0-based computer tries to use the NETLOGON service to establish a security channel to a Windows Server 2008-based domain controller, the operation may fail" http://support.microsoft.com/kb/942564
b_sander... would you mind explaining what that has to do with this question?  There is no NT 4.0-based computer in this scenario.

Jeff
TechSoEasy
The machines migrate to the new domain like they should. Everything seems to be working fine. The tool says it completed successfully, but the profiles are not being created. Any idea why?
shard26

ASKER

You can't migrate the PCs from SB Server to non SB Server with ADMT. You have to do it manually.
hi shard26,

After the workstation migration fails, a new workstation (the one just migrated) will appear in AD of Server 2008 Standard Edition.

Open the Properties of that workstation and go to the "Member of" tab. Add it to the SBS 2003\administrators group.

Then migrate again (overwriting the previous migration action). Everything will be OK.

In the end, remove the SBS 2003\administrators group from this workstation (in AD of Server 2008 Standard Edition).

Thanks & Best regards.