ADMT User Migration error - Source Domain Selection - Access is Denied. (0x80070005)

Hi All,

We are experiencing an error attempting a user account migration. On the Domain Selection screen the Domain Controllers of the Source domain do not show in the Source Domain Controllers drop down and on clicking OK we receive the following error:

ADMT is unable to connect to the domain controller \\{RandomDomainController}.source.com, in source.com. Access is Denied. (0x80070005)

We are using ADMT 3.2.

I have confirmed that the trust is working both ways.

I have confirmed that the target's Domain Administrator (the user we are using for the migrate) is in the Source Domain's Administrators group (and just to make sure we've also done vice versa: Source Domain Admin into Target Domain Administrators group).

I have confirmed that Target\Administrator can access a UNC (c$) path on one of the Source Domain Controllers.

ADMT server was created from scratch using the following website:

http://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html

Machine OSes are as follows:

ADMT PC = Win 2008 R2

Target DC1 = Win 2012
Target DC2 = Win 2012

Source DC1 = Win 2008 (not R2)
Source DC2 = Win 2008 (not R2)
Source DC3 = Win 2008 R2
Source DC4 = Win 2008 R2

Source Forest Functionality Level: Win 2008
Target Forest Functionality Level: Win 2008R2

Any help would be appreciated.

Thank you in advance.
deepslalli Asked:

deepslalli (Author) Commented:
Noted this error in the ADMT server's System Event Log every time I attempted the Domain check.

Source: LsaSvr
Event ID: 40960

The Security System detected an authentication error for the server ldap/{DCservername.source.com) The failure code from authentication protocol Kerberos was "The name or SID of the domain specified is inconsistent with the trust information for that domain.
 (0xc000019b)".
deepslalli (Author) Commented:
Hi all,

I have just found that there is a conflict in the trust (in AD Domains and Trusts): under the Routing Name Suffixes tab our Target's Domain name is marked as Conflict: target.com (conflict).

The source domain has a UPN Suffix added that is the same as our target domain name.

Can anyone advise if this issue would cause the error I'm seeing above with ADMT?

Thanks.
VirastaR (UC Tech Consultant) Commented:
Hi,

Check this

Routing name suffixes across forests
http://technet.microsoft.com/en-us/library/cc784334(v=ws.10).aspx (Also applies to Windows Server 2008)

Domain Selection Problem ADMT 0x80070005 Permissions
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0a7d314d-c155-43c7-a04a-70aa359dc89f/domain-selection-problem-admt-0x80070005-permissions

Hope that helps :)
deepslalli (Author) Commented:
Hi virastar

Thank you for your reply.

I was able to resolve this this morning by deleting the target.com domain suffix from UPN Suffixes section in the Source domain (Active Directory Domains and Trusts). I then validated the trust.

This then cleared the trust conflict and I enabled the *.target.com suffix in the Incoming Trust section, Name Suffix Routing tab.

I was then able to reach the source.com DCs through ADMT.

What was happening?

Having the same UPN Suffix of the Target.com domain in the Source.com domain was causing the Source.com domain to attempt to authenticate the target.com domain's administrator (ADMT user) itself without passing it back to the Target.com domain for authentication. The Source.com domain DC would then come back with a fail due to the account either not existing or the SAM codes not matching.
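The cause described in the comment above (a UPN suffix in the source forest that equals the target forest's DNS name) can be checked for before a trust is validated or ADMT is run. The PowerShell below is an added example, not part of the original thread; the function name `Find-UpnSuffixConflict`, the sample suffix lists, and the choice to also flag subdomains as falling under `*.target.com` routing are assumptions of the example.

```powershell
# Added example; written to run on PowerShell 2.0 and later.
function Find-UpnSuffixConflict {
    param(
        # UPN suffixes defined in the trusting forest (source.com in the thread)
        [string[]]$LocalUpnSuffixes = @(),
        # DNS names claimed by the trusted forest (target.com in the thread)
        [Parameter(Mandatory=$true)][string[]]$TrustedForestNames
    )
    foreach ($suffix in $LocalUpnSuffixes) {
        # Normalise: tolerate nulls, whitespace, trailing dots and mixed case
        $s = "$suffix".Trim().TrimEnd('.').ToLowerInvariant()
        if (-not $s) { continue }
        foreach ($name in $TrustedForestNames) {
            $n = "$name".Trim().TrimEnd('.').ToLowerInvariant()
            if (-not $n) { continue }
            if ($s -eq $n) {
                $kind = 'Exact'          # the situation reported in the thread
            } elseif ($s.EndsWith(".$n")) {
                $kind = 'Subordinate'    # assumption: review, sits under *.<name>
            } else {
                continue
            }
            New-Object PSObject -Property @{
                UpnSuffix   = $suffix
                TrustedName = $name
                Match       = $kind
            }
        }
    }
}

# Constructed sample data mirroring the thread (not taken from a real forest).
$sourceUpnSuffixes = @('target.com', 'mail.target.com', 'corp.example')
$targetForestNames = @('target.com')

Find-UpnSuffixConflict -LocalUpnSuffixes $sourceUpnSuffixes `
                       -TrustedForestNames $targetForestNames |
    Select-Object UpnSuffix, TrustedName, Match

# With the ActiveDirectory module available, the same lists can be read live:
#   (Get-ADForest -Server source.com).UPNSuffixes
#   (Get-ADForest -Server target.com).Domains
```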
deepslalli (Author) Commented:
It was the correct answer and I came up with the solution of my own accord.