ADMT version 3.1 Computer Migration

using ADMT version 3.1
source domain: SBS 2003
destination domain: Server 2008 Standard Edition

users and groups migrate fine.
computers = not so much

migration log looks fine, but "agent detail:" has this:
"2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you."

Any ideas?



shard26 Asked:

advserver Commented:
is the user you are logged in as a domain admin of the sbs domain? you need this to be able to migrate the computers. furthermore the user that is migrating needs to be a local administrator on all workstations in the source forest, i am guessing that may be your issue.
0
shard26 (Author) Commented:
i am logged in on the 2008 server where I am a domain admin.  I am running ADMT from the 2008 server.  are you saying the 2008 server domain admins need to be added to the domain admins group on the sbs 2000 server? I am not sure how to do that.

0
advserver Commented:
yep that is it....kind of.....depending on how many workstations you have which it is less than 75 (SBS limit)
all you really need to do is add the 2008 domain admin account (if that is what you are using to do the migration) to the local administrators group on the workstations in the source domain.

this can be done either via script, or through a GPO on the sbs server. If you do it through the gpo, all other local admins are removed...so depending on size is how you would approach it.

Make sense?
0

shard26 (Author) Commented:
i don't think you can do that. What you are saying implies a Trust between the 2 domains which isn't possible with SBS.
0
advserver Commented:
http://support.microsoft.com/kb/555073

here is the MS of how to do this.
i am pretty sure i did a one way trust..from sbs to source forest before, but i could be wrong on that one.

0
advserver Commented:
sorry sbs to destination
0
shard26 (Author) Commented:
"trust cannot be created because: this operation is not supported on a microsoft small business server"
0
shard26 (Author) Commented:
perhaps i am doing it wrong?
0
shard26 (Author) Commented:
more from my log file:

Local Machine
    Computer:   ******-xp.******.local (******-XP)
        Domain:     ******.local (******)
        OS:         Microsoft Windows XP 5.1 (2600) Service Pack 2
2008-08-18 15:30:14 Starting Security Translator.
2008-08-18 15:30:14 Agent is running in local mode.
2008-08-18 15:30:14 Read 4 accounts from C:\WINDOWS\OnePointDomainAgent\Accounts000012.txt
2008-08-18 15:30:14 SecurityTranslation Files:Yes Shares:Yes LGroups:Yes UserRights:Yes Printers:Yes Profiles:Yes RecycleBin:Yes TranslationMode:Replace ******.local ******-new.local
2008-08-18 15:30:14 Starting
2008-08-18 15:30:14 Translating local machine.
2008-08-18 15:30:15 Skipping A:\, rc=21   The device is not ready.
2008-08-18 15:30:15 Processing C:\
2008-08-18 15:30:18 Processing recycle bin files and folders on C:\.
2008-08-18 15:30:18 Skipping D:\.  D:\ is a CD-ROM drive.
2008-08-18 15:30:18 Processing shares on local machine.
2008-08-18 15:30:18 Processing printer security...
2008-08-18 15:30:18 Translating local groups.
2008-08-18 15:30:18 Translating user rights.
2008-08-18 15:30:18 ADMT only performs user rights translation in Append mode.
2008-08-18 15:30:18 Translating security on registry keys.
2008-08-18 15:30:43 This profile translation automatically switches from replace mode to add mode if the user is currently logged on or if the profile is in use for other reasons.  In order to disable the switching, you need to set the registry HKLM\Software\Microsoft\ADMT\DisallowFallbackToAddInProfileTranslation (REG_DWORD) to 1 on the ADMT machine.
2008-08-18 15:30:43 ------Account Detail---------
2008-08-18 15:30:43 The account detail section uses the following format: AccountName(OwnerChanges, GroupChanges, DaclChanges, SaclChanges).
2008-08-18 15:30:43 -----------------------------
2008-08-18 15:30:43 3 users, 1 groups
2008-08-18 15:30:43 4 accounts selected.  4 resolved, 0 unresolved.
2008-08-18 15:30:43            Examined        Changed     Unchanged
2008-08-18 15:30:43 Files          11805              0         11805
2008-08-18 15:30:43 Dirs             979              0           979
2008-08-18 15:30:43 Shares             0              0             0
2008-08-18 15:30:43 Members            9              0             9
2008-08-18 15:30:43 User Rights       60              0            60
2008-08-18 15:30:43 Exchange Objects          0              0             0
2008-08-18 15:30:43 Containers         0              0             0
2008-08-18 15:30:43 DACLs         123094              0        123094
2008-08-18 15:30:43 SACLs              2              0             2
2008-08-18 15:30:43            Examined        Changed     No Target   Not Selected     Unknown
2008-08-18 15:30:43 Owners       123094              0        123094              0           0
2008-08-18 15:30:43 Groups       123094              0        123094              0           0
2008-08-18 15:30:43 DACEs       1015051              0       1015051        1015051           0
2008-08-18 15:30:43 SACEs             4              0             4              4           0
2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
2008-08-18 15:30:43 Wrote result file C:\WINDOWS\OnePointDomainAgent\000012_******-XP.result
2008-08-18 15:30:43 Operation completed.
0
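Added example, not part of any post in this thread: a small Python triage of the agent log quoted above, pulling out the severity-tagged lines and decoding the `hr=` value. 0x800704f1 splits into facility 7 (Win32) and code 1265, which winerror.h names ERROR_DOWNGRADE_DETECTED; its system message is the text the log prints. The `WRN` tag and the reading of the digit after `ERR` as a level are assumptions, since only `ERR3` appears on this page.

```python
import re

# Win32 codes an admin is likely to meet here; names are from winerror.h.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    1265: "ERROR_DOWNGRADE_DETECTED",
    1326: "ERROR_LOGON_FAILURE",
}
FACILITY_WIN32 = 7

# "<timestamp> ERR3:7075 <text>" as seen in the thread's log.
# Assumption: WRN lines share the shape and the digit is a level.
EVENT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (ERR|WRN)(\d):(\d+) (.*)$")
HR_RE = re.compile(r"\bhr=([0-9a-fA-F]{8})\b")


def decode_hresult(hr_hex):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    hr = int(hr_hex, 16)
    facility = (hr >> 16) & 0x1FFF
    code = hr & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failed": bool(hr >> 31), "facility": facility,
            "code": code, "name": name}


def triage(log_text):
    """Return one record per ERR/WRN line, with any hr= value decoded."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # informational lines carry no severity tag
        ts, sev, level, msg_id, text = m.groups()
        hr = HR_RE.search(text)
        findings.append({
            "time": ts, "severity": sev, "level": int(level),
            "message_id": int(msg_id),
            "hresult": decode_hresult(hr.group(1)) if hr else None,
        })
    return findings


# Three lines copied from the agent log quoted in the thread.
SAMPLE = """\
2008-08-18 15:30:15 Skipping A:\\, rc=21   The device is not ready.
2008-08-18 15:30:18 Translating user rights.
2008-08-18 15:30:43 ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```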
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
SBS does not support domain trusts.

The proper way to migrate from an SBS 2003 domain to a stand-alone Server 2008 domain would be to buy the Transition Pack (http://sbsurl.com/transition).  This will remove the restriction on trusts, and more importantly, it will provide the best value for converting the SBS CALs to standard CALs.  It will also allow you to move Exchange to another server.  Instructions on how to use the Transition Pack can be found here:  http://sbsurl.com/tphowto

If you don't use the Transition Pack, then you need to join the new Server 2008 to your existing SBS 2003 domain as an additional Domain Controller.  There is a very good overview of how to accomplish this, which you'll find here:
http:Q_23615337.html#22143909

Jeff
TechSoEasy
0
shard26 (Author) Commented:
So is it possible to use ADMT to grab the computer accounts and change their domain memberships if they are currently joined to an sbs domain?  the users and groups migrated fine.
0
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
I really don't know for sure with regards to migrating to Server 2008, but normally you can use ADMT to migrate computer accounts without establishing a domain trust as long as the administrator passwords matched.  Since Server 2008 disables the built-in administrator account by default, you may need to re-enable it and set the password to match that of your SBS's built-in administrator account.

You also need to create DNS forwarders on each server for it to work properly.  

The basic instructions can be found in http://sbsurl.com/migrate, but again, this is not written for migrating from SBS 2003 to Server 2008, so I don't know for sure if it will work.

I'm assuming that you aren't migrating Exchange then?

Jeff
TechSoEasy
0
shard26 (Author) Commented:
"I really don't know for sure with regards to migrating to Server 2008, but normally you can use ADMT to migrate computer accounts without establishing a domain trust as long as the administrator passwords matched. "

They do match.

"Since Server 2008 disables the built-in administrator account by default, you may need to re-enable it and set the password to match that of your SBS's built-in administrator account."

The Administrator account is enabled and the passwords match.

"You also need to create DNS forwarders on each server for it to work properly.  "

done.

"The basic instructions can be found in http://sbsurl.com/migrate, but again, this is not written for migrating from SBS 2003 to Server 2008, so I don't know for sure if it will work."

it is actually sbs2000 -> server 2008. i mis-typed it originally

"I'm assuming that you aren't migrating Exchange then?"

no, we are just dumping out to pst and then importing into the 2008 server.
we will then be decommissioning the sbs2000 server.
0
shard26 (Author) Commented:
followed directions and still fails on computer migration.
it creates the computer account on the new domain, but it does not change the domain of the PC
0
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
"it is actually sbs2000 -> server 2008. i mis-typed it originally"

Well, that's a completely different scenario. You can't do it the way you are attempting. You should instead install the Server 2008 into your existing domain, then you would need to seize the FSMO roles from the SBS 2000 and forcibly remove it from the domain. The steps are outlined in this blog post: http://danfrax.wordpress.com/2007/09/12/migrating-microsoft-small-business-server-2000-to-exchange-2007/

(even though it's centered on migrating Exchange, the same process is what's required to migrate the entire domain).
If you want to change the name of your internal domain, then you can do it once you've removed the SBS from the domain.  
Be aware, as well, that you cannot use your SBS CALs in your new environment.

Jeff
TechSoEasy
0

shard26 (Author) Commented:
I was reading the doc in your link and it says to "dcpromo down SBS server", is that possible?

0
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
I think it was with SBS2000 (it's definitely not a possible action on an SBS 2003), but I never really worked with SBS2000, and don't have any around that I could check with.  That's why I actually stated you need to "SEIZE" the roles and "FORCIBLY" remove it from the domain.

Jeff
TechSoEasy
0
b_sander Commented:
1. Log on to a Windows Server 2008-based domain controller.
2. Click Start, click Run, type gpmc.msc, and then click OK.
3. In the Group Policy Management console, expand Forest: DomainName , expand DomainName , expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5. In the Properties dialog box, click the Enabled option, and then click OK.

Reference: "When a Windows NT 4.0-based computer tries to use the NETLOGON service to establish a security channel to a Windows Server 2008-based domain controller, the operation may fail", http://support.microsoft.com/kb/942564
0
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
b_sander... would you mind explaining what that has to do with this question?  There is no NT 4.0-based computer in this scenario.

Jeff
TechSoEasy
0
Wincit Commented:
The machines migrate to the new domain like they should. Everything seems to be working fine. The tool says it completed successfully, but the profiles are not being created. Any idea why?
0
shard26 (Author) Commented:
you can't migrate the PCs from SB Server to non SB Server with ADMT. You have to do it manually.
0
FISSOFT Commented:
hi shard26,

After the workstation migration fails, a new workstation (the one just migrated) will appear in AD of Server 2008 Standard Edition.

Select Properties of that workstation and move to the "Member of" tab. Add into SBS 2003\administrators group.

Then migrate again (overwriting the previous migration action). Everything will be OK.

In the end, remove SBS 2003\administrators group on this workstation (in AD of Server 2008 Standard Edition).

Thanks & Best regards.
0
Windows Server 2008


Question has a verified solution.
