Solved

AD Migration

Posted on 2009-05-19
Last Modified: 2012-05-07
I am migrating a domain into another.  They are both 2003 and I am using ADMT v3.  I am having difficulty getting the groups to migrate.  I keep getting the following error:

2009-05-19 15:10:12 Starting Account Replicator.
2009-05-19 15:10:42 ERR2:7816 Cannot determine if source object 'LDAP://legends.com/CN=MigTestGroup,OU=Migration,DC=legends,DC=com' matches an object in the target forest or domain.  The handle is invalid.
2009-05-19 15:10:42 ERR2:7301 Failed to migrate source object 'CN=MigTestGroup' to domain 'PCH.local'. The target object could not be created. hr=0x80070006  The handle is invalid.
2009-05-19 15:10:42 Operation completed

Can anyone please help me with this issue?
Question by:PC4N6
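The two error lines in the question carry more structure than the text suggests: an ADMT message number and, on the second line, an HRESULT. As an added example (not part of the original thread), this sketch parses such log lines and decodes the `hr=` value; the sample log is the text pasted in the question, the function names are hypothetical, and handling of a `WRN` prefix assumes warnings use the same layout as the `ERR` lines shown.

```python
import re

# Sample input: the ADMT log lines quoted in the question above.
SAMPLE_LOG = """\
2009-05-19 15:10:12 Starting Account Replicator.
2009-05-19 15:10:42 ERR2:7816 Cannot determine if source object 'LDAP://legends.com/CN=MigTestGroup,OU=Migration,DC=legends,DC=com' matches an object in the target forest or domain.  The handle is invalid.
2009-05-19 15:10:42 ERR2:7301 Failed to migrate source object 'CN=MigTestGroup' to domain 'PCH.local'. The target object could not be created. hr=0x80070006  The handle is invalid.
2009-05-19 15:10:42 Operation completed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<sev>ERR|WRN)(?P<level>\d):(?P<code>\d+) )?(?P<msg>.*)$"
)
HR_RE = re.compile(r"\bhr=0x([0-9A-Fa-f]{8})\b")
OBJECT_RE = re.compile(r"'([^']+)'")

FACILITY_WIN32 = 7
# Small subset of Win32 error codes; extend as needed.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 6: "ERROR_INVALID_HANDLE",
               1722: "RPC_S_SERVER_UNAVAILABLE"}

def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    failed = bool((value >> 31) & 1)      # bit 31: severity (1 = failure)
    facility = (value >> 16) & 0x7FF      # bits 16-26: facility
    code = value & 0xFFFF                 # bits 0-15: status code
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failed": failed, "facility": facility, "code": code,
            "win32_name": name}

def parse_admt_log(text):
    """Return one dict per error/warning line, with any hr= value decoded."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("sev"):
            continue                      # informational line, no ERR/WRN tag
        msg = m.group("msg")
        hr = HR_RE.search(msg)
        obj = OBJECT_RE.search(msg)
        events.append({
            "timestamp": m.group("ts"),
            "severity": m.group("sev"),
            "level": int(m.group("level")),
            "admt_code": int(m.group("code")),
            "object": obj.group(1) if obj else None,
            "hresult": decode_hresult(int(hr.group(1), 16)) if hr else None,
        })
    return events
```

Decoded this way, `0x80070006` is a failure in the Win32 facility with code 6 (`ERROR_INVALID_HANDLE`), which is the same "The handle is invalid" text the log already prints, so the HRESULT by itself adds no further detail about the cause.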

Expert Comment

by:debuggerau
ID: 24428146
Have you ensured you have delegate access to MigTestGroup OU?
I'd ensure the destination domain administrators group is added to your local group of your domain.

Excerpt:
I resolved it by adding a target Domain Admin user account to the built-in
Administrators group in the source domain (it's impossible to add an account
to the Domain Admins group from another domain, trusted or not). Then I
logged into the target ADMT server using this Domain Admin account from the
target domain. I migrated a group successfully with ADMT and supplied the
credentials of the source domain admin account when requested.

Also, this registry setting needs to be checked:
Please add the following registry key to the Source Domain Controller
that ADMT was pointed to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
DWORD: TcpipClientSupport = 1

Hope that helps

Author Comment

by:PC4N6
ID: 24430943
Well I don't have a MigTestGroup OU...it is only a security group.  But yes the OU that I am moving it into has delegated control.  I have also added the target administrator account to the builtin administrators group in the source.  I also have that registry key in place.  I still get the same error.  Do you have any other ideas?

Expert Comment

by:debuggerau
ID: 24437649
Are you migrating in this order?

Domain Global Group
Domain Local Group
User Account
Computer Account

There are some recommended settings for each step too:

For group migration set:
[Group Options]
Copy group members Not Checked
Fix membership of group Checked

For user migration set:
[User Options]
Migrate associated user groups Not Checked
Fix users' group memberships Checked

Are you selecting these options?

Author Comment

by:PC4N6
ID: 24437696
Right now I am still trying to get a test group to go through.  I have created the group MigTestGroup.  It fails every time and gives me the error above in the thread.  But yes, that is the order that I am going in.  Still on Domain Global Group.  Any ideas how I can get this test group to go through?

Expert Comment

by:debuggerau
ID: 24437752
Have you checked replication status? Maybe some reps are outstanding...

If you've just made the group, is it possible that not all DCs are stable yet...

It's the sort of project to do in a lab environment; using this on an active system would be dangerous at best...



Author Comment

by:PC4N6
ID: 24437771
Yes the group has been there for 24 hours.  I am using a test pc, and test group, as to not mess with production environment.

Expert Comment

by:debuggerau
ID: 24437885
Have you got the output of the migration log to post?

Author Comment

by:PC4N6
ID: 24441203
Yes, look up at the top of the question; that is pasted from the log file.

Accepted Solution

by:
debuggerau earned 500 total points
ID: 24446701
And the event logs on source and destination domain controllers...

I can't see too much information about this specific issue, and it may be some custom settings that ADMT can't cope with. I suspect we are getting close to the 'if in doubt rip it out...' part of the solution.

But first some AD checks, like Ntdsutil, and ensure nothing is using AD while you're doing the migration.


