Solved

AD Migration

Posted on 2009-05-19
Last Modified: 2012-05-07
I am migrating a domain into another.  They are both 2003 and I am using ADMT v3.  I am having difficulty getting the groups to migrate.  I keep getting the following error:

2009-05-19 15:10:12 Starting Account Replicator.
2009-05-19 15:10:42 ERR2:7816 Cannot determine if source object 'LDAP://legends.com/CN=MigTestGroup,OU=Migration,DC=legends,DC=com' matches an object in the target forest or domain.  The handle is invalid.
2009-05-19 15:10:42 ERR2:7301 Failed to migrate source object 'CN=MigTestGroup' to domain 'PCH.local'. The target object could not be created. hr=0x80070006  The handle is invalid.
2009-05-19 15:10:42 Operation completed

Can anyone please help me with this issue?
Question by:PC4N6
9 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 24428146
Have you ensured you have delegate access to MigTestGroup OU?
I'd ensure the destination domain administrators group is added to your local group of your domain.

Excerpt:
I resolved it by adding a target Domain Admin user account to the built-in
Administrators group in the source domain (it's impossible to add an account
to the Domain Admins group from another domain, trusted or not). Then I
logged into the target ADMT server using this Domain Admin account from the
target domain. I migrated a group successfully with ADMT and supplied the
credentials of the source domain admin account when requested.

Also, this registry setting needs to be checked:
Please add the following registry key to the Source Domain Controller
that ADMT was pointed to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
DWORD: TcpipClientSupport = 1

Hope that helps
0
 

Author Comment

by:PC4N6
ID: 24430943
Well I don't have a MigTestGroup OU...it is only a security group.  But yes the OU that I am moving it into has delegated control.  I have also added the target administrator account to the builtin administrators group in the source.  I also have that registry key in place.  I still get the same error.  Do you have any other ideas?
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 24437649
Are you migrating in this order?

Domain Global Group
Domain Local Group
User Account
Computer Account

There are some recommended settings for each step too:

For group migration set:
[Group Options]
Copy group members: Not Checked
Fix membership of group: Checked

For user migration set:
[User Options]
Migrate associated user groups: Not Checked
Fix users' group memberships: Checked

Are you selecting these options?
0
 

Author Comment

by:PC4N6
ID: 24437696
Right now I am still trying to get a test group to go through.  I have created the group MigTestGroup.  It fails every time and gives me the error above in the thread.  But yes, that is the order that I am going in.  Still on Domain Global Group.  Any ideas how I can get this test group to go through?
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 24437752
Have you checked replication status? Maybe some reps are outstanding..

If you've just made the group, is it possible that all DCs are not stable yet...

It's the sort of project to do in a lab environment; using this on an active system would be dangerous at best...


0
 

Author Comment

by:PC4N6
ID: 24437771
Yes the group has been there for 24 hours.  I am using a test pc, and test group, as to not mess with production environment.
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 24437885
Have you got the output of the migration log to post?
0
 

Author Comment

by:PC4N6
ID: 24441203
Yes, look up at the top of the question; that is pasted from the log file.
0
 
LVL 23

Accepted Solution

by:
debuggerau earned 500 total points
ID: 24446701
And the event logs on source and destination domain controllers...

I can't see too much information about this specific issue, and it may be some custom settings that ADMT can't cope with; I suspect we are getting close to the 'if in doubt rip it out...' part of the solution.

But first some AD checks, like Ntdsutil, and ensure nothing is using AD while you're doing the migration.



0
