
ADMT 3.2 & PES 3.1:  Unable to establish a session with the password export server.  Access is denied.

Posted on 2010-09-20
Last Modified: 2012-05-10
I am trying to migrate my domain and am encountering a problem with the ADMT PES account migration. When I try to migrate a user password it fails with the above listed message. I have the PES server on a different DC than the one I'm targeting for migration, and I have my ADMT server on a different server than the 1 DC in our target domain. Everything is virtualized with ESX 4.0.

When I skip the PES password migration to see if I can migrate without bringing over the password, it gives me a different error on the "Account Transition Options" page saying "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate SIDs. Access is denied."

I can ping FQDNs and host names via each server involved in this process. This is an Inter-Forest migration (between 2 separate forests) and the trust is set up already and is working. I have a user called PES that is a Domain Admin in the source domain and a member of the built-in Administrators group in the target domain. I have an ADMT user that is in the Domain Admins of the target domain and is a member of the built-in Administrators group of the source domain. The trust is working. Auditing has been enabled and is showing up on the servers it should be when I run rsop.msc. The following registry keys have been updated to show the following:

On PES: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport = 1
On Target DC: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 0

Any ideas as to why this might still not be working?
Question by:ChocolateRain
Expert Comment by: geieea
ADMT is free and therefore a major PITA to set up. I've found that if you miss any one of the steps in the ADMT setup, it will fail. Run through the ADMT/PES checklist again and execute them in the exact order as it instructs. Also, use the same server for the PES as the target migration DC.
Author Comment by: ChocolateRain
Thanks for the advice. The book I've finished reading, "Mastering Windows Server 2008 R2" from Sybex, said the same thing: "ADMT is a nightmare".

I've been through the steps so many times I'm blue in the face. I emailed Microsoft and am now working on it with them. If I get an answer specifically as to why it wasn't working, I'll post it here.
Accepted Solution by: ChocolateRain (earned 0 total points)
Below is the log with MS that fixed our problem.

Namrata Saha has joined the support session. (1:02 PM)
Chocolaterain has joined the support session. (1:03 PM)
Chocolaterain is now sharing. (1:04 PM)
Namrata Saha: TcpipClientSupport
Namrata Saha: DWORD value of 1
Namrata Saha: Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
Create a new local group in the source domain called Source Domain $$$.
Namrata Saha: Enable auditing for the success and failure of user and group management on the source domain.
Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.
On the PDC in the source domain, add the
    TcpipClientSupport:REG_DWORD:0x1
(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA)
Namrata Saha: Run the following command on the destination server where we have installed the ADMT:

ADMT KEY /OPT:CREATE /SD:<SOURCE DOMAIN> /KF:<LOCAL PATH>\KEY.PES
Namrata Saha: Copy the KEY.PES file to the source domain or make it available over a network share.
Copy the C:\WINDOWS\ADMT\PES folder from the target domain to the source domain.
On the source domain, run PWDMIG.MSI and follow the wizard.
Namrata Saha: When you run the ADMT Password Migration DLL Installation Wizard, you are prompted for the path of the .pes file that you moved to the Source domain. You must specify a local path for this file. You are also prompted for the password that you used when you created this file.
When you are ready to migrate passwords from the Source domain, change the AllowPasswordExport registry value to 1.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
AllowPasswordExport = 1
Microsoft has requested to share control. (1:47 PM)
Chocolaterain has granted control to Namrata Saha. (1:47 PM)
Microsoft: http://technet.microsoft.com/en-us/library/cc772816(WS.10).aspx
Microsoft: Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No
Microsoft: v-2nams@mssupport.microsoft.com
Microsoft has exited the support session. (2:13 PM)
0
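The question and the accepted solution together amount to a prerequisite checklist: the LSA registry values, the cross-domain Domain Admins membership in each side's Administrators group, account-management auditing, and the trust's SID filtering (quarantine) state. The following PowerShell script is an added example written for this page, not code from the thread or from Microsoft support. It only reads state, never changes it, and is meant to be run in an elevated prompt on the DC being checked, with `-Role` selecting which side of the migration that DC is on. The domain names are placeholders, and the parsing of `net localgroup`, `auditpol` and `netdom` output assumes their English message text.

```powershell
# Added example (editor's, not from the thread or from Microsoft): read-only checker for the
# ADMT/PES prerequisites listed in the accepted solution. Run elevated on the DC being checked.
# Domain names are placeholders; output parsing assumes the English text of the tools.
param(
    [ValidateSet('Source', 'Target')]
    [string]$Role = 'Source',                       # which side of the migration this DC is on
    [string]$SourceDomain       = 'SOURCE',         # placeholder NetBIOS name of the source domain
    [string]$TargetDomain       = 'TARGET',         # placeholder NetBIOS name of the target domain
    [string]$TrustingDomainFqdn = 'target.example', # placeholder, the TrustingDomainName of the netdom line
    [string]$TrustedDomainFqdn  = 'source.example'  # placeholder, the TrustedDomainName of the netdom line
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function New-Check {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    # New-Object instead of [pscustomobject] so this also runs on PowerShell 2.0 (Server 2008 R2).
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-LsaValue {
    param([string]$Name, [int]$Expected)
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return New-Check "Lsa\$Name" $false 'value not present' }
    $actual = [int]$item.$Name
    New-Check "Lsa\$Name" ($actual -eq $Expected) "is $actual, expected $Expected"
}

function Test-AdministratorsMember {
    param([string]$Member)    # e.g. 'SOURCE\Domain Admins'
    # net localgroup prints one member per line; compare trimmed lines case-insensitively.
    $lines = & net.exe localgroup Administrators 2>$null
    $found = @($lines | Where-Object { $_.Trim() -ieq $Member }).Count -gt 0
    New-Check "Administrators contains $Member" $found $(if ($found) { 'present' } else { 'missing' })
}

function Test-AccountManagementAudit {
    # auditpol lists each subcategory with its effective setting, e.g.
    #   User Account Management                 Success and Failure
    $out = & auditpol.exe /get /category:'Account Management' 2>$null
    foreach ($sub in 'User Account Management', 'Security Group Management') {
        $line = @($out | Where-Object { $_ -match [regex]::Escape($sub) })
        $ok = ($line.Count -gt 0) -and ($line[0] -match 'Success and Failure')
        $detail = $(if ($line.Count -gt 0) { $line[0].Trim() } else { 'not reported' })
        New-Check "Audit: $sub" $ok $detail
    }
}

function Get-TrustSidFiltering {
    param([string]$Trusting, [string]$Trusted)
    # Without a yes/no value, /quarantine only reports the current SID filtering state.
    $out = & netdom.exe trust $Trusting /domain:$Trusted /quarantine 2>&1
    $line = @($out | Where-Object { "$_" -match 'SID filtering' })
    $detail = $(if ($line.Count -gt 0) { "$($line[0])".Trim() } else { "netdom: $out" })
    # Reported rather than judged: SID filtering has to be off for sIDHistory migration,
    # but it is a trust-boundary control and belongs back on once the migration is finished.
    New-Check "SID filtering, $Trusting trusts $Trusted" ($line.Count -gt 0) $detail
}

$checks = @()
switch ($Role) {
    'Source' {
        $checks += Test-LsaValue -Name 'TcpipClientSupport'  -Expected 1   # source PDC, needed for SID migration
        $checks += Test-LsaValue -Name 'AllowPasswordExport' -Expected 1   # PES server, only while migrating passwords
        $checks += Test-AdministratorsMember -Member "$TargetDomain\Domain Admins"
    }
    'Target' {
        $checks += Test-AdministratorsMember -Member "$SourceDomain\Domain Admins"
    }
}
$checks += Test-AccountManagementAudit
$checks += Get-TrustSidFiltering -Trusting $TrustingDomainFqdn -Trusted $TrustedDomainFqdn
$checks | Format-Table Check, Ok, Detail -AutoSize
```

Run it once on the source PDC (or the PES DC) with `-Role Source` and once on the target DC with `-Role Target`, passing the real domain names instead of the placeholders. Two of the settings it reports are deliberately temporary: `AllowPasswordExport` is only meant to be 1 for the duration of the password migration, and SID filtering on the trust (the `/quarantine:No` step in the transcript) removes a boundary that keeps a compromised source domain from presenting arbitrary SIDs, so both should be reverted as soon as the migration is complete.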
