shard26
ADMT version 3.1 Computer Migration
using ADMT version 3.1
source domain: SBS 2003
destination domain: Server 2008 Standard Edition
Users and groups migrate fine.
Computers = not so much.
Migration log looks fine, but "agent detail:" has this:
"2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1 The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."
Any ideas?
Is the user you are logged in as a domain admin of the SBS domain? You need this to be able to migrate the computers. Furthermore, the user that is migrating needs to be a local administrator on all workstations in the source forest; I am guessing that may be your issue.
ASKER
I am logged in on the 2008 server, where I am a domain admin. I am running ADMT from the 2008 server. Are you saying the 2008 server domain admins need to be added to the domain admins group on the SBS 2000 server? I am not sure how to do that.
Yep, that is it... kind of... depending on how many workstations you have, which is less than 75 (SBS limit).
All you really need to do is add the 2008 domain admin account (if that is what you are using to do the migration) to the local administrators group on the workstations in the source domain.
This can be done either via script or through a GPO on the SBS server. If you do it through the GPO, all other local admins are removed, so how you approach it depends on size.
Make sense?
ASKER
I don't think you can do that. What you are saying implies a trust between the 2 domains, which isn't possible with SBS.
http://support.microsoft.com/kb/555073
Here is the MS of how to do this.
I am pretty sure I did a one-way trust, from SBS to source forest, before, but I could be wrong on that one.
Sorry, SBS to destination.
ASKER
"trust cannot be created because: this operation is not supported on a microsoft small business server"
ASKER
Perhaps I am doing it wrong?
ASKER
More from my log file:
Local Machine
Computer: ******-xp.******.local (******-XP)
Domain: ******.local (******)
OS: Microsoft Windows XP 5.1 (2600) Service Pack 2
2008-08-18 15:30:14 Starting Security Translator.
2008-08-18 15:30:14 Agent is running in local mode.
2008-08-18 15:30:14 Read 4 accounts from C:\WINDOWS\OnePointDomainAgent\Accounts000012.txt
2008-08-18 15:30:14 SecurityTranslation Files:Yes Shares:Yes LGroups:Yes UserRights:Yes Printers:Yes Profiles:Yes RecycleBin:Yes TranslationMode:Replace ******.local ******-new.local
2008-08-18 15:30:14 Starting
2008-08-18 15:30:14 Translating local machine.
2008-08-18 15:30:15 Skipping A:\, rc=21 The device is not ready.
2008-08-18 15:30:15 Processing C:\
2008-08-18 15:30:18 Processing recycle bin files and folders on C:\.
2008-08-18 15:30:18 Skipping D:\. D:\ is a CD-ROM drive.
2008-08-18 15:30:18 Processing shares on local machine.
2008-08-18 15:30:18 Processing printer security...
2008-08-18 15:30:18 Translating local groups.
2008-08-18 15:30:18 Translating user rights.
2008-08-18 15:30:18 ADMT only performs user rights translation in Append mode.
2008-08-18 15:30:18 Translating security on registry keys.
2008-08-18 15:30:43 This profile translation automatically switches from replace mode to add mode if the user is currently logged on or if the profile is in use for other reasons. In order to disable the switching, you need to set the registry HKLM\Software\Microsoft\ADMT\DisallowFallbackToAddInProfileTranslation (REG_DWORD) to 1 on the ADMT machine.
2008-08-18 15:30:43 ------Account Detail---------
2008-08-18 15:30:43 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
2008-08-18 15:30:43 -----------------------------
2008-08-18 15:30:43 3 users, 1 groups
2008-08-18 15:30:43 4 accounts selected. 4 resolved, 0 unresolved.
2008-08-18 15:30:43 Examined Changed Unchanged
2008-08-18 15:30:43 Files 11805 0 11805
2008-08-18 15:30:43 Dirs 979 0 979
2008-08-18 15:30:43 Shares 0 0 0
2008-08-18 15:30:43 Members 9 0 9
2008-08-18 15:30:43 User Rights 60 0 60
2008-08-18 15:30:43 Exchange Objects 0 0 0
2008-08-18 15:30:43 Containers 0 0 0
2008-08-18 15:30:43 DACLs 123094 0 123094
2008-08-18 15:30:43 SACLs 2 0 2
2008-08-18 15:30:43 Examined Changed No Target Not Selected Unknown
2008-08-18 15:30:43 Owners 123094 0 123094 0 0
2008-08-18 15:30:43 Groups 123094 0 123094 0 0
2008-08-18 15:30:43 DACEs 1015051 0 1015051 1015051 0
2008-08-18 15:30:43 SACEs 4 0 4 4 0
2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1 The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
2008-08-18 15:30:43 Wrote result file C:\WINDOWS\OnePointDomainAgent\000012_******-XP.result
2008-08-18 15:30:43 Operation completed.
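The agent log above reports the failure only as a hex hr value. The following is an added example, not part of the original thread or of ADMT: it pulls the ERR lines out of a log in this layout and decodes the HRESULT into its facility and Win32 error code, here 1265, which winerror.h names ERROR_DOWNGRADE_DETECTED. The function names and the line pattern are assumptions made for this illustration.

```python
import re

# Excerpt of the agent log quoted above, embedded so the example runs offline.
SAMPLE_LOG = """\
2008-08-18 15:30:18 Translating security on registry keys.
2008-08-18 15:30:43 4 accounts selected. 4 resolved, 0 unresolved.
2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1 The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
"""

# Assumed line shape: "<date> <time> ERR<level>:<id> <text>, hr=<8 hex digits> <system message>"
ERR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"ERR(?P<level>\d):(?P<msg_id>\d+) "
    r"(?P<text>.*?)(?:, hr=(?P<hr>[0-9a-fA-F]{8})\b(?P<detail>.*))?$"
)

FACILITY_WIN32 = 7
# Only the code seen on this page; extend from winerror.h as needed.
WIN32_NAMES = {1265: "ERROR_DOWNGRADE_DETECTED"}

def decode_hresult(hex_str):
    """Split a 32-bit HRESULT into severity bit, 11-bit facility and 16-bit code."""
    value = int(hex_str, 16)
    return {
        "failure": bool(value >> 31),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
    }

def find_errors(log_text):
    """Return one dict per ERR line, with the HRESULT decoded when present."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_LINE.match(line.strip())
        if not m:
            continue
        entry = {"time": m["ts"], "level": int(m["level"]),
                 "msg_id": int(m["msg_id"]), "text": m["text"]}
        if m["hr"]:
            entry.update(decode_hresult(m["hr"]))
            if entry["facility"] == FACILITY_WIN32:
                entry["win32_name"] = WIN32_NAMES.get(entry["code"], "unknown")
        findings.append(entry)
    return findings

if __name__ == "__main__":
    for finding in find_errors(SAMPLE_LOG):
        print(finding)
```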
SBS does not support domain trusts.
The proper way to migrate from an SBS 2003 domain to a stand-alone Server 2008 domain would be to buy the Transition Pack (http://sbsurl.com/transition). This will remove the restriction on trusts, and more importantly, it will provide the best value for converting the SBS CALs to standard CALs. It will also allow you to move Exchange to another server. Instructions on how to use the Transition Pack can be found here: http://sbsurl.com/tphowto
If you don't use the Transition Pack, then you need to join the new Server 2008 to your existing SBS 2003 domain as an additional Domain Controller. There is a very good overview of how to accomplish this, which you'll find here:
http:Q_23615337.html#22143909
Jeff
TechSoEasy
ASKER
So is it possible to use ADMT to grab the computer accounts and change their domain memberships if they are currently joined to an SBS domain? The users and groups migrated fine.
I really don't know for sure with regards to migrating to Server 2008, but normally you can use ADMT to migrate computer accounts without establishing a domain trust as long as the administrator passwords matched. Since Server 2008 disables the built-in administrator account by default, you may need to re-enable it and set the password to match that of your SBS's built-in administrator account.
You also need to create DNS forwarders on each server for it to work properly.
The basic instructions can be found in http://sbsurl.com/migrate, but again, this is not written for migrating from SBS 2003 to Server 2008, so I don't know for sure if it will work.
I'm assuming that you aren't migrating Exchange then?
Jeff
TechSoEasy
ASKER
"I really don't know for sure with regards to migrating to Server 2008, but normally you can use ADMT to migrate computer accounts without establishing a domain trust as long as the administrator passwords matched. "
They do match.
"Since Server 2008 disables the built-in administrator account by default, you may need to re-enable it and set the password to match that of your SBS's built-in administrator account."
The Administrator account is enabled and the passwords match.
"You also need to create DNS forwarders on each server for it to work properly. "
done.
"The basic instructions can be found in http://sbsurl.com/migrate, but again, this is not written for migrating from SBS 2003 to Server 2008, so I don't know for sure if it will work."
It is actually SBS 2000 -> Server 2008. I mistyped it originally.
"I'm assuming that you aren't migrating Exchange then?"
No, we are just dumping out to PST and then importing into the 2008 server.
We will then be decommissioning the SBS 2000 server.
ASKER
Followed directions and it still fails on computer migration.
It creates the computer account on the new domain, but it does not change the domain of the PC.
ASKER
I was reading the doc in your link and it says to "dcpromo down SBS server", is that possible?
I think it was with SBS2000 (it's definitely not a possible action on an SBS 2003), but I never really worked with SBS2000, and don't have any around that I could check with. That's why I actually stated you need to "SEIZE" the roles and "FORCIBLY" remove it from the domain.
Jeff
TechSoEasy
1. Log on to a Windows Server 2008-based domain controller.
2. Click Start, click Run, type gpmc.msc, and then click OK.
3. In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5. In the Properties dialog box, click the Enabled option, and then click OK.
Reference: "When a Windows NT 4.0-based computer tries to use the NETLOGON service to establish a security channel to a Windows Server 2008-based domain controller, the operation may fail", http://support.microsoft.com/kb/942564
b_sander... would you mind explaining what that has to do with this question? There is no NT 4.0-based computer in this scenario.
Jeff
TechSoEasy
The machines migrate to the new domain like they should. Everything seems to be working fine. The tool says it completed successfully, but the profiles are not being created. Any idea why?
ASKER
You can't migrate the PCs from SB Server to non-SB Server with ADMT. You have to do it manually.
hi shard26,
After the workstation migration fails, a new workstation (the one that has just been migrated) will appear in AD of Server 2008 Standard Edition.
Select Properties of that workstation and move to the "Member of" tab. Add it into the SBS 2003\administrators group.
Then migrate again (overwriting the earlier migrate action). Everything will be OK.
In the end, remove the SBS 2003\administrators group on this workstation (in AD of Server 2008 Standard Edition).
Thanks & Best regards.