
ADMT User Migration error - Source Domain Selection - Access is Denied. (0x80070005)

Hi All,

We are experiencing an error attempting a user account migration. On the Domain Selection screen the Domain Controllers of the Source domain do not show in the Source Domain Controllers drop down and on clicking OK we receive the following error:

ADMT is unable to connect to the domain controller \\{RandomDomainController}.source.com, in source.com. Access is Denied. (0x80070005)

We are using ADMT 3.2.

I have confirmed that the trust is working both ways.

I have confirmed that the target's Domain Administrator (the user we are using for the migration) is in the Source Domain's Administrators group (and just to make sure, we've also done vice versa: Source Domain Admin into Target Domain Administrators group).

I have confirmed that Target\Administrator can access a UNC (c$) path on one of the Source Domain Controllers.

ADMT server was created from scratch using the following website:


Machine OSes are as follows:

ADMT PC = Win 2008 R2

Target DC1 = Win 2012
Target DC2 = Win 2012

Source DC1 = Win 2008 (not R2)
Source DC2 = Win 2008 (not R2)
Source DC3 = Win 2008 R2
Source DC4 = Win 2008 R2

Source Forest Functionality Level: Win 2008
Target Forest Functionality Level: Win 2008R2

Any help would be appreciated.

Thank you in advance.
deepslalli (Author) commented:
Noted this error in the ADMT server's System Event Log every time I attempted the Domain check.

Source: LsaSrv
Event ID: 40960

The Security System detected an authentication error for the server ldap/{DCservername.source.com} The failure code from authentication protocol Kerberos was "The name or SID of the domain specified is inconsistent with the trust information for that domain."
deepslalli (Author) commented:
Hi all,

I have just found that there is a conflict in the trust (in AD Domains and Trusts): under the Routing Name Suffixes tab, our Target's Domain name is marked as Conflict: target.com (conflict).

The source domain has a UPN Suffix added that is the same as our target domain name.

Can anyone advise if this issue would cause the error I'm seeing above with ADMT?

Virastar (UC Tech Consultant) commented:

Check this

Routing name suffixes across forests
http://technet.microsoft.com/en-us/library/cc784334(v=ws.10).aspx (Also applies to Windows Server 2008)

Domain Selection Problem ADMT 0x80070005 Permissions

Hope that helps :)
deepslalli (Author) commented:
Hi virastar

Thank you for your reply.

I was able to resolve this this morning by deleting the target.com domain suffix from UPN Suffixes section in the Source domain (Active Directory Domains and Trusts). I then validated the trust.

This then cleared the trust conflict and I enabled the *.target.com suffix in the Incoming Trust section, Name Suffix Routing tab.

I then was able to reach the source.com DCs through ADMT.

What was happening?

Having the same UPN Suffix of the Target.com domain in the Source.com domain was causing the Source.com domain to attempt to authenticate the target.com domain's administrator (ADMT user) itself without passing it back to the Target.com domain for authentication. The Source.com domain DC would then come back with a fail due to the account either not existing or the SAM codes not matching.
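
A pre-migration check for the collision described in the post above, as an added example that is not part of the original thread or of ADMT. The function names are hypothetical, `source.com` and `target.com` are the thread's placeholder forest names, and the sample lists are constructed.

```powershell
# Added example: checks two forests for overlapping DNS names / UPN suffixes.
function Get-SuffixCollision {
    param([string[]]$SourceNames, [string[]]$TargetNames)
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($s in $SourceNames) {
        foreach ($t in $TargetNames) {
            # A routed suffix *.name covers the name itself and everything below it.
            if ($s.Equals($t, $cmp) -or $s.EndsWith(".$t", $cmp) -or $t.EndsWith(".$s", $cmp)) {
                [pscustomobject]@{ SourceName = $s; TargetName = $t }
            }
        }
    }
}

# Live lookup (needs the RSAT ActiveDirectory module and an account the forest accepts).
function Get-ForestClaimedName {
    param([string]$Forest, [pscredential]$Credential)
    Import-Module ActiveDirectory -ErrorAction Stop
    $p = @{ Identity = $Forest }
    if ($Credential) { $p.Credential = $Credential }
    $f = Get-ADForest @p
    # Every name the forest claims: its domain DNS names plus any extra UPN suffixes.
    @($f.Domains) + @($f.UPNSuffixes) | Where-Object { $_ } | Sort-Object -Unique
}

# Recent event 40960 entries carrying the trust-inconsistency text quoted in the thread.
function Get-TrustAuthFailure {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40960 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'inconsistent with the trust information' } |
        Select-Object TimeCreated, Message
}

# Constructed sample mirroring the thread: the source forest carries an extra
# UPN suffix equal to the target forest's DNS name.
$sourceNames = 'source.com', 'target.com'
$targetNames = 'target.com'
Get-SuffixCollision -SourceNames $sourceNames -TargetNames $targetNames | Format-Table -AutoSize

# Against real forests (run on the ADMT server):
# Get-SuffixCollision -SourceNames (Get-ForestClaimedName 'source.com' (Get-Credential)) `
#                     -TargetNames (Get-ForestClaimedName 'target.com')
# Get-TrustAuthFailure
```

Because the collision itself can break cross-forest authentication, query each forest with a credential from that forest rather than relying on the trust.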
deepslalliAuthor Commented:
It was the correct answer and I came up with the solution of my own accord.