Pavel Reuk

asked on

Can't migrate computers using ADMT 3.2 from Windows Server 2012 to Windows Server 2016 *** HELP ***

I'm trying to perform a migration for one of the computers from a Windows Server 2012 to a Windows Server 2016 but for some reason keep getting a pre-check failure message (Unable to access server service on the machine 'WORKSTATION-WIN'. Make sure netlogon and workstation services are running and you can authenticate yourself to the machine).

I have successfully migrated the users, but the computer migration, which should migrate all the folders and files that are being redirected, is not working and I can't understand why.

I also noticed I can't log in to the new Server 2016 any longer, as it shows the message "The trust relationship between this workstation and the primary domain failed."

Please let me know what's going on, as I was able to log in to the new Windows Server 2016 before but just didn't have the folder redirection migrated.

Is it the workstation that is having issues or is it Windows Server 2016, and what can I do to make the migration process work?

Currently using ADMT version 3.2

Thanks.
Rob Williams

Is DNS pointing ONLY to the new server?
Pavel Reuk

ASKER

I checked, and when I ran ipconfig /all on the workstation it showed my new server's DNS information under Windows IP Configuration but also showed my old server's DNS under the LAN adapter that it's using. Is that why I can't log in to the domain any longer?

Thanks.
If the servers are on the same domain, and have a trust between them, you shouldn't have a problem, but if not, DNS will need to point only to the correct server and you will probably need to use domainname\username as the username.
The servers have different domain names and different domain controllers on the same network. The first server is at 10.0.1.15 and the other server is at 10.0.1.16, and both are set up with different domain forests.
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
This might definitely work better than the migration tool, as I have been having a lot of problems with it because they have different domain controllers.

Thanks for letting me know!
Just a reminder; if you disjoin a machine from the domain you will need a local admin account.  None of the domain accounts will work any longer. So, if you don't already have a local admin account, create one first.
Not a problem. Thanks a lot for your help!
Hi,

Looks like the ForensiT user migration tool does not migrate folders that have redirection. Could you please let me know how to get all users' folders that have folder redirection in place migrated to the new server?

Thanks.
I don't imagine you can retain redirection because it is a new domain.  A lot of this is going to be manual.
Redirected folders are controlled by group policy, which is domain dependent.
Was it necessary to create a new domain?  If not, it is very easy. You just add a domain controller, assume FSMO roles, and demote the old server.
The company is moving into 2 different locations and wanted to create a new domain and create a separate domain for the second server to connect using VPN. I believe the only option was to create a separate forest and have a VPN connection enabled. Do you know if that is a good option?
You can easily have two or 100 locations connected by VPN with same forest and domain.  Very common and easy to manage. You don't even need a second server at the second location but it is recommended for performance and redundancy.

You could also have the same forest with 2 domains and a trust between them.  Though I am not familiar with doing so, you may be able to use ADMT in that situation.
How about if there is an internet issue, will it cause issues with the 2 servers having workstations connecting or will the workstations for each workstation still connect to the server?

Will I still need to set up a trust between the 2 servers using VPN, and will it cause any issues if there are any internet issues between the 2 servers?

Thanks.
The reason you want a second domain controller at the second site is just for that reason.  If the VPN or Internet goes down you can still resolve domain names.  Thus you would normally just add a second domain controller, in the same domain, at the second site, in doing so include the set up of DNS, make it a "global catalogue server", configure AD sites and services with the 2 locations, and away you go.  You do not need to set up a trust between the 2 servers in this case because they are in the same domain.  Ideally each site keeps their own files at their site but you can access resources at the other site as well, so long as the VPN is up.  You could also consider DFSR which replicates file shares at the second site.  There are some limitations with multiple users accessing and editing the same file at the same time.

Another totally different option you might want to read up on is Direct Access.
So it will work the way I'm setting it up, 2 different domain controllers for both locations connecting using VPN?

The only reason I would connect using VPN is to access the mapped drives on one of the servers.

Thanks for the information!
It will work, but it is a nuisance, as users at site 2 will have to enter credentials to access site 1, and vice versa.
I think you are making this more complicated than it needs to be.
I wasn't aware it would require entering credentials to access the sites over VPN. Would you happen to have some instructions for the option you referenced before: setting up 2 domain controllers using the same domain, setting up the DNS, and making it a global catalogue server? If the internet is down at both locations, all local users will still be able to connect to their own servers this way, correct?

Thanks!
Yes they would have to do so, though you could save credentials. It's because of the reason I mentioned before.  Servers see  Domain1\JohnSmith as a totally different user than Domain2\JohnSmith.

I trust your VPN is a hardware solution using 2 VPN capable routers?

I am afraid outlining all the steps in detail would be a rather lengthy response for this venue. Briefly though:
You can set up the second server at the primary site, the same as adding a PC, and change the IP later, or do so over the VPN.  If doing so over the VPN see my blog:  https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/  and use the first part referring to site-to-site VPN
Once joined install active directory on the second DC and choose to add to existing AD structure, and install DNS at the same time.
You need to make it a Global Catalogue server in AD Sites and Services (this basically allows it to function on its own if the other server is unavailable)
At this point the server should be moved to the second location if not already as it becomes IP dependent.
Set a static IP on the second server, being a VPN this needs to be in a different subnet
Configure the NIC’s DNS on both servers to point to the other for primary and local as secondary (a lot of people will argue the opposite; I have never found a definitive answer)
In AD Sites and services add the Server, IP, and location  (not overly important as there is only one connection between the two sites but good to do)
Though you can use a router for client DHCP, you may want to install DHCP on the second server.  Regardless have all clients point to the local server for DNS, and remote server as a secondary. DO NOT add a router or ISP as an alternate DNS server.  
All users should now be able to log into their machine and connect to either server using IP or DNS names.

I hope that is of some help.
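
A check for the client DNS rule in the steps above (local DC first, remote DC as secondary, no router or ISP resolver), added here as an example that is not part of the original thread. The function name `Test-ClientDnsOrder` and all addresses are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. All addresses are constructed sample values.
function Test-ClientDnsOrder {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Configured,  # NIC order
        [Parameter(Mandatory)] [string] $LocalDc,
        [Parameter(Mandatory)] [string] $RemoteDc
    )
    $findings = @()
    # Anything that is not one of the two domain controllers (router, ISP, public resolver)
    $foreign  = @($Configured | Where-Object { $_ -notin @($LocalDc, $RemoteDc) })
    if ($foreign.Count -gt 0) {
        $findings += 'Non-DC resolver configured: ' + ($foreign -join ', ')
    }
    if ($Configured.Count -eq 0 -or $Configured[0] -ne $LocalDc) {
        $findings += "Primary DNS is not the local DC ($LocalDc)"
    }
    if ($Configured -notcontains $RemoteDc) {
        $findings += "Remote DC ($RemoteDc) is not listed as a secondary"
    }
    [pscustomobject]@{
        Configured = $Configured -join ', '
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

$siteDc      = '10.0.20.2'   # constructed: DC at this client's site
$otherSiteDc = '10.0.10.2'   # constructed: DC at the other site, reached over the VPN

# Constructed client configurations: correct, reversed, router as alternate, extra ISP resolver
$samples = @(
    @('10.0.20.2', '10.0.10.2'),
    @('10.0.10.2', '10.0.20.2'),
    @('10.0.20.2', '10.0.20.1'),
    @('10.0.20.2', '10.0.10.2', '203.0.113.53')
)
$report = foreach ($s in $samples) {
    Test-ClientDnsOrder -Configured $s -LocalDc $siteDc -RemoteDc $otherSiteDc
}
$report | Format-Table -AutoSize -Wrap

# On a Windows client, run the same check against each adapter's live settings.
if (Get-Command Get-DnsClientServerAddress -ErrorAction SilentlyContinue) {
    foreach ($nic in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
        if ($nic.ServerAddresses) {
            Test-ClientDnsOrder -Configured $nic.ServerAddresses -LocalDc $siteDc -RemoteDc $otherSiteDc |
                Add-Member -NotePropertyName Interface -NotePropertyValue $nic.InterfaceAlias -PassThru
        }
    }
}
```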
Thank you. I will try it this way and see how it goes!
Hi Rob,

I have set up a couple of servers to do some testing on, but they do reside on the same network. I have created the first server AD domain controller called hightop.local with the NIC IP as 10.0.10.2, Subnet 255.255.255.0, Default: 10.0.10.1 and Preferred DNS: 10.0.10.3, Alternate DNS: 10.0.10.2. Second Server NIC IP is 10.0.10.3, subnet 255.255.255.0, Default: 10.0.10.1 and Preferred DNS: 10.0.10.2, Alternate DNS: 10.0.10.3. During the AD DC deployment option on the second server I have selected "Add a domain controller to an existing domain" and the Domain set at hightop.local with specified username and credentials, but for some reason it keeps giving me an error stating "You must supply a user account name", for which I supplied the server's local Administrator account with password. Do you know why it's not letting me join the second server to the first server's domain name?

Thanks.
Sounds like a DNS issue likely automatically using  server2name\administrator as a username by default.  Try as a user name  hightop\Administrator.
Assuming that works, it won't be an issue once domain joined.
That definitely worked!

Thanks.
Should I replicate from any domain controller or from SERVER2016.hightop.local?

Thanks.
If you have multiple, "any" is fine.  That way if one is down it can replicate with another.
Rob,

Currently, after migrating the user profiles from the old Windows server to the new Windows server, when one of our users logs in to the new server it shows messages that the folders are corrupt and cannot be accessed, and it shows the old server's folder redirection URL, such as \\TOP-SERVER-12\Folder Redirection\Nick\Desktop is corrupt. TOP-SERVER-12 is the old server from which all the profiles were migrated, and the new server that it's currently logged in at is FIELD-SERVER-15. After the migration using ForensiT, it should have changed all the profile locations to point to the new location \\FIELD-SERVER-12\Folder Redirection\Nick\Desktop?

I have added a folder redirection policy group which should be redirecting and creating new folders for the user Nick, but even after doing a gpupdate /force and re-logging in it still shows errors. Is there a way to fix this issue for all the users so that I don't have to manually go in for each redirected folder (desktop, documents, pictures, favorites, links) and change the location to the new location?

I have over 50 users and would like this automated prior to logging into the new server with the migrated user profiles.

It should use the new server's group policy, if I'm not mistaken, even if there was a previous old server redirection in place before that.

I hope that explains what I'm trying to fix.

Thanks.
Do you have a new domain or just a new server?
I have a new domain for the new server.
Since you are moving from one domain with one set of group policies to a new domain and a new set of group policies, it creates all sorts of issues.  Once a machine is migrated the old redirected folders will be unreadable as the account used to access them before no longer exists.  I have had to go into the registry of each on occasion and manually change the "pointers".

I highly doubt you can move the profile from one redirected location to another with Profwiz or any other tool.  I would suggest you need to move the profile from the redirected location back to the local user profile and then migrate.  To do so in the original GP for redirected folders, for each redirected folder, under settings, make sure it is set to “Redirect the folder back to the local user profile location when the policy is removed”.  Run GPupdate a couple of times and log off and back in a couple of times (Redirected folders policy usually requires 2 logins to apply).  Remove the policy, then repeat GPupdate, log off, then verify the policy has been updated and the properties of the redirected folder show it as a local file.  Now do your migration with Profwiz.  I think on the new domain you could set up redirected folders first, then use profwiz, but you would have to test.

Changing the domain name really complicates things.  Personally, in that situation, I start fresh, i.e. no migration.  I think for a long time you will find some “things” continue to point to the old domain.  You posted earlier you were going to add the server to the existing domain.
To redirect the folder back to the local user profile location I would have to remove the folder redirection policy from the old server, correct?

Then, once I run gpupdate /force a couple of times on the actual workstation it should configure the folder location back to using the local folder?

Thanks.
Yes, assuming the policy is set to restore to old location and the computer is still joined to that domain.
Thanks for the info!
Just removed the redirect policy from the server and did a gpupdate /force a few times on the server and on the connected workstation, but the Windows 10 workstation is still displaying the remote folder location instead of local files?

Do you know why it didn't work, as I did remove the folder redirection policy from the server?

Thanks.
Is it still connected to the old domain?  Will not work if not the case.
Also was the policy set to restore to old location or leave?

A very common question on EE is why will folder redirection not revert back, or to another server.
As mentioned, I have had to sometimes do it manually in properties or the registry.
It's connected to the new domain. The Target folder location is set as "Create a folder for each user under the root path" and Settings are "Basic - Redirect everyone's folder to the same location", then for the settings portion the Policy Removal area is "Redirect the folder back to the local userprofile location when policy is removed".
If connected to the new domain, changes to the old GP will make no difference at all.  You will likely have to manually change to point to the new domain.
So, I would have to log in to each user profile and change the regedit for the shell folders, correct?

Also, would it be a lot smoother migration if it was the same domain name?

Thanks.
Yes if removed from old domain you would have to log into each profile.   Alternatively delete the profiles and start fresh.

Yes much easier maintaining the same domain name as mentioned earlier.  You just add the new server, no migration of users or computers.  If you want to change the location of the redirected folders, just change GPO while old server still present.
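
A read-only audit of the per-user "pointers" discussed above, added here as an example that is not part of the original thread. It assumes the redirected paths live under the logged-on user's `User Shell Folders` registry key; the function name `Get-StaleRedirection` is hypothetical, the server names are the ones quoted in the thread, and the sample values are constructed.

```powershell
# Added example, not from the thread: report shell folders that still point at the old server.
$OldServer = 'TOP-SERVER-12'     # old file server named in the thread
$NewServer = 'FIELD-SERVER-15'   # new server named in the thread
$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-StaleRedirection {
    param(
        [Parameter(Mandatory)] [hashtable] $ShellFolders,   # value name -> stored path
        [Parameter(Mandatory)] [string]    $OldServer,
        [Parameter(Mandatory)] [string]    $NewServer
    )
    $prefix = '\\' + $OldServer + '\'
    foreach ($name in ($ShellFolders.Keys | Sort-Object)) {
        $path = [string]$ShellFolders[$name]
        # UNC host names are case-insensitive, so compare without regard to case.
        if ($path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                ValueName = $name
                Current   = $path
                Proposed  = '\\' + $NewServer + '\' + $path.Substring($prefix.Length)
            }
        }
    }
}

# Constructed sample: two redirected folders and one that is already local.
$folders = @{
    'Desktop'   = '\\TOP-SERVER-12\Folder Redirection\Nick\Desktop'
    'Personal'  = '\\top-server-12\Folder Redirection\Nick\Documents'
    'Favorites' = '%USERPROFILE%\Favorites'
}

# On a Windows workstation, use the logged-on user's real values instead of the sample.
if (Test-Path $KeyPath) {
    $folders = @{}
    $key  = Get-Item -Path $KeyPath
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($n in $key.GetValueNames()) {
        $folders[$n] = $key.GetValue($n, $null, $noExpand)   # keep %USERPROFILE% unexpanded
    }
}

Get-StaleRedirection -ShellFolders $folders -OldServer $OldServer -NewServer $NewServer |
    Format-Table -AutoSize -Wrap
```

The script only reports; it has to run in each affected user's session because the key is per user.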
I would like to change the location of the redirected folders after adding the new server with the same domain. Would I just change the old server GPO to point to the new server's redirect folder location?

Thanks.
Yes.  Supposed to work, but doesn't always.  Will require a few logins.
This assumes server added to existing domain, not a new server with the same domain name
If I add the server to the same domain and then decommission the old server, will that automatically establish the same domain name on the new server?
It will already have the same domain name.
It is important you do it correctly by seizing the FSMO roles.
To be honest this is all relatively basic, but I appreciate those that manage one site/domain may seldom do any of this.  You might be best to hire an IT firm to do the migration for you and then manage it yourself once done.
Thanks for the information!
I came to a conclusion on what we would like to do with the 2 servers we have, by joining the new server to the same domain name and utilizing the workload to 2 servers rather than just one. Let me know if that is a plausible and efficient option?

Also,

Rob, how would you recommend distributing the workload to 2 servers connected to the same domain? Perhaps having one server running strictly the DHCP, Active Directory and DNS and the other server strictly for file sharing.

Both servers have sufficient amount of space around 4 TB each and could both be implemented as file sharing servers but need to find out what the most efficient and fastest option to take in setting the servers up.

Thanks so much for your info!
Are these going to be at the same site?  i.e. on the same LAN?  I thought there were going to be 2 sites connected by VPN?
Looks like the business is going to stay put and use both servers for the same onsite business, all on the same LAN.
AD, DNS, DHCP, and file and print, do not require a lot of "horsepower", especially with just 50 users.  Thus adding a second server really only increases support costs.  Thus the only reason I could see adding a second server would be for redundancy, which is a good idea.  If one server goes down you have a second.  At a minimum I would have both servers as AD and DNS servers, though you can have redundant DHCP and enable DFSR so files are replicated on the second server.

Have you considered virtualizing these?  Very few servers these days run directly on the hardware. Making them virtual allows a lot more flexibility and makes them "portable".

Regardless, this question was closed quite a while ago and this is a totally new scenario.  You would be best to open a new question and should get more feed back from others as well.
Thanks for the info. I believe the redundancy would be a good idea, sorry if it was off topic.

The last issue I had during the migration testing is when performing the migration from the old server to the new server with different domains using the ForensiT tool it showed an error before the automated remoted it showed the message "Requested registry access is not allowed.". Is that perhaps the regedit was trying to change on the workstation redirect folder location to relate to the new server redirect folder location?
Sorry for the delay, I was out of the office today.

Yes, quite possibly.  Was the machine still connected to the old domain when running ForensiT?  It would have to have been in order to change the registry if redirected folders was still enabled.  Thus better to change the GP and move folders to local directory first.
Thanks for your reply!