Results 1 to 6 of 6

Thread: ADMT V3 migration errors.

  1. #1
    MS Guest

    ADMT V3 migration errors.

    I was trying migrating a group with one user in a test scenerio. The source
    is W2K and target is W2K3. At the end of group migration wizard i get the
    error ' Unable to establish a session with the password export server. the
    RPC server is unavailable' . I tried googling and couldn't find anything
    solid. Any help is appreciated.

  2. #2
    Ada Pan [MSFT] Guest

    RE: ADMT V3 migration errors.

    Based on my experience, this issue may occur if one or more of the
    following conditions are true:

    1. The PES server is not DNS client of the target domain
    2. RPC Port was blocked.

    Suggestions:
    1. The PES server should be dns client of the target domain
    2. Opened the RPC Port at the Firewall end. Installed the Password Export
    Server Service at the Source domain.

    For more information, please reference the following article:

    How to use Active Directory Migration Tool version 2 to migrate from
    Windows 2000 to Windows Server 2003
    http://support.microsoft.com/kb/326480/en-us

    How to Troubleshoot Inter-Forest Password Migration with ADMTv2
    http://support.microsoft.com/kb/322981/en-us

  3. #3
    MS Guest
    I have configured a 2-way trust between source and target. Added source dns
    as secondary zone on target domain and vice versa.
    The source domain DC and target domain DC is directy connected over a
    crossover cable.
    Source domain DC holds all the FSMO roles.

    I am not getting 'PES server should be dns client of the target domain'.
    How do I make this happen.
    My PES server is the source(W2K) domain DC. I am running ADMT V3 on the
    target(W2K3) domain.
    Regarding firewall, I do not have a firewall installed.
    I also tried regsvr32 winnt\system32\pwmig.dll but I get the error
    'pwmig.dll was loaded, butDllRegisterServer entry point was not found'.

    I'll try your suggestion. But, may be, its a dumb question. but still. Do
    i have to run adprep or something.

    My new domain is freshly created windows 2003 R2 domain. So I guess i don
    not have to run the adprep.
    Now, one another issue, once I migrate one test user to the new domain, I do
    not see the exchange alias in the ADUC user properties. Why does this
    happen?

  4. #4
    Vincent Xu [MSFT] Guest
    From your description, I suspect :

    1. You didn't follow the KB 326480 to install PES server before you try to
    migrate the password.

    2. When you try to follow the KB 326480 to install the PES server, you are
    unable to register the DLL file. Am I right?

    For your current situation, we have two workarounds:

    1. Not to migrate the password but you can choose to generate a complex
    password instead. After the user account was migrated, you can ask each
    user to change the password themselves.

    2. For the error message when you try to register the dll, it appears that
    the dll has been altered or damaged. You can choose to download a ADMT
    again and extact this dll from the package.

    Please understand ADMT is used to consolidate Domain structure and transfer
    objects to new domain. Before you use ADMT , you must have a new,
    well-prepared domain. Therefore, adprep should be already performed on the
    target doamin and no need to run on source domain.

  5. #5
    Ada Pan [MSFT] Guest

    Re: ADMT V3 migration errors.

    I would like to suggest we check the procedure of PES setup and check how
    things are working:

    Part 1: PES setup.
    ================
    When performing inter-forest migrations using ADMT v.3, we need to setup
    Password Export Server (PES) service in the source domain DC and install
    ADMT in the target domain DC. The two DCs share the same key to ensure the
    passwords are migrated in a secure way.

    The PES service can be installed on any domain controller in the source
    domain that supports 128-bit encryption. ADMT v.3 provides the option to
    run the PES service under the Local System account or by providing the
    credentials of an authenticated user in the target domain.

    Note: To improve security, run the PES service as an authenticated user in
    the target domain rather than under the Local System account.

    If you choose to run the PES service under the Local System account, you
    must ensure that the built-in Pre-Windows 2000 Compatible Access group
    contains the Everyone group in the target domain. The Everyone group will
    not be in the Windows 2000 Compatible Access group if you selected
    Permissions compatible only with Windows 2000 or Windows Server 2003
    operating systems when you installed Active Directory in the target domain.

    If the Everyone group is not in the Windows 2000 Compatible Access group,
    you will receive an Access Denied error message. You must then manually add
    the Everyone group to the Windows 2000 Compatible Access group to enable
    support for password migration. To do this, type the following at the
    command line on a target domain controller:

    NET LOCALGROUP"Pre-Windows 2000 Compatible Access" Everyone /ADD

    If your target domain is a Windows Server 2003 domain, you must also add
    the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group.
    To do this, type the following at the command line on a target domain
    controller:

    NET LOCALGROUP"Pre-Windows 2000 Compatible Access""ANONYMOUS LOGON" /ADD.

    After this update to the Pre-Windows 2000 Compatible Access group
    replicates, restart the Server service on all domain controllers in the
    target domain.

    The PES service installation requires an encryption key created on the
    computer running ADMT in the target domain. The key must be available on a
    local drive. This can be a floppy drive or a folder on the local hard disk,
    but not a network mapped drive or shared folder. For security reasons, it
    is best to use a floppy disk so that the key can be stored in a secure
    location or reformatted after the migration is complete.

    The encryption key is created by using admt key from a command line.

    TASK1: To create an encryption key.

    1. Log onto the computer in the target domain on which you installed ADMT
    by using your ADMT migration account.

    2. Open a command window and navigate to the drive on which ADMT is
    installed, and at the command line, type:

    ADMT KEY /option:create /sourcedomain:"source domain" /keyfile:"key file
    path" /keypassword:{password|*}

    The source domain can be specified as either the DNS or NetBIOS name. A
    password, which provides key encryption, is optional. To protect the shared
    key, type either the password or an asterisk on the command line. The
    asterisk causes you to be prompted for a password that is not displayed on
    the screen.

    Note: To ensure maximum security, providing a password is strongly
    recommended.

    After you create the encryption key, configure the PES service on a domain
    controller in the source domain.

    TASK 2: To enable password migration on the source domain.

    1. On the PES in the source domain, insert the encryption key disk.

    2. In the Pwdmig directory, run Pwdmig.msi. If you set a password during
    the key generation process on the domain controller in the target domain,
    the Key Password Required dialog box appears. Provide the password that was
    given when the key was created. Click Next.

    3. Specify the account to run the PES service.

    Note: To improve security, run the PES service as an authenticated user in
    the target domain rather than under the Local System account.

    4. After the installation completes, restart the domain controller.

    5. After the domain controller restarts, start the PES service by clicking
    Start, Administrative Tools, and then Services. In the details pane,
    right-click Password Export Server Service and select Start.

    Note: Only run the PES service when migrating passwords. Stop the PES
    service after completing password migrations for maximum security.

    Part 2: ADMT Side issues.

    From your post, the error message occurs when performing group migration, I
    would like to suggest that we:

    1. Run ADMT 3.0. Choose the two DCs you used when setting up PES.
    2. Migrate the groups and users separately (do not migrate the associated
    members when migrating groups).

    During the group migration, please use the following configurations

    [Group Options]

    Copy group members * Not Checked
    Fix membership of group * Checked

    During the user migration, please use the following configurations:

    [User Options]

    Migrate associated user groups * Not Checked
    Fix users' group memberships * Checked

    Regarding the additional Exchange issue, I would like to suggest that we
    migrate the user accounts using ADMT first. After that, you can use
    Exchange side tool to migrate the Exchange related information. If you
    want, you can submit questions in our Exchange newsgroups such as:

    microsoft.public.exchange.admin

    There is more qualified pool of respondents who can give you suggestions on
    the Exchange side. Meanwhile, other users who visit the newsgroups
    regularly can either share their knowledge or learn from your interaction
    with us.

  6. #6
    Join Date
    May 2010
    Posts
    1
    I was trying to migrate from 2003 to 2003 in different forest.. with admt v3 tool … there was an error Password Export Service is not running.. and there is no service installed in services.msc..
    I install new Password Export Service 3 from microsoft rather using windows CD2003 .. It resolve the issue while migrating passwords, SID

Similar Threads

  1. ADMT PC will not restart after migration
    By Spuddly77 in forum Windows Server Help
    Replies: 1
    Last Post: 03-02-2012, 07:34 PM
  2. Replies: 13
    Last Post: 26-01-2012, 09:58 PM
  3. More ADMT errprs during SID migration
    By Mark in forum Windows Server Help
    Replies: 8
    Last Post: 13-01-2012, 02:29 AM
  4. ADMT-security translation and user migration
    By suganthik in forum Active Directory
    Replies: 1
    Last Post: 22-05-2011, 01:30 AM
  5. Computer Migration, w2003-w2003, ADMT v3
    By Francisco Vaz in forum Windows Server Help
    Replies: 4
    Last Post: 23-01-2008, 09:05 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,711,709,824.48205 seconds with 17 queries