
Thread: ADMT Errors ERR2:7816 and ERR2:7301

  1. #1
    Alan Guest

    ADMT Errors ERR2:7816 and ERR2:7301

    I am trying to use ADMT3 to pull an NT4 domain into our 2K3 based AD. I
    have created a trust between the domains and set up the required prerequisites on
    the source domain (i.e. the $$$ account, Auditing and the TcpipClientSupport
    registry key). ADMT is running on a server that is a member of the Target
    W2K3 domain but logged on as a user who is a Domain Admin in the Source NT4
    domain. This user is also a local admin on the server running ADMT. The
    account has also been given Full Delegate Permissions over the destination OU
    in the Target Domain as well as the Migrate SID History permission. When I
    run the initial Global Group migration however I get the following errors

    [Object Migration Section]
    2008-03-03 16:47:47 Starting Account Replicator.
    2008-03-03 16:47:50 ERR2:7816 Cannot determine if source object
    'WinNT://NT4DOM/NT4Group' matches an object in the target forest or domain.
    The handle is invalid.
    2008-03-03 16:47:50 ERR2:7301 Failed to migrate source object 'NT4Group' to
    domain 'w2k3.com'. The target object could not be created. hr=0x80070006 The
    handle is invalid.
    2008-03-03 16:47:50 Operation completed.

    If I instead try to run the migration logged on to the ADMT box as an
    Administrator of the Target Domain I get an error stating that the Auditing
    and TcpipClientSupport settings can't be confirmed in both domains and SID
    history won't be migrated. In this case the group is migrated (but it isn't
    much use to me without its SID history).

    It looks like I'm missing permissions in 1 or both domains but I'm not sure
    how to rectify this.

    Any suggestions on where I am going wrong would be a great help!

    Thanks

    Alan



  2. #2
    David Shen [MSFT] Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Hello Alan,

    Thanks for posting here. Based on the issue, this seems to be related to
    the domain administrator credentials.

    We recommend that the ADMT should be installed on the target domain
    controller and it's better to use administrator credential of source domain
    to log on to the target domain from the source domain controller.

    Suggestion Step:
    ==================

    1. As always, domain migrations are complicated tasks. Please perform
    complete backup first for recovery purposes.

    2. We are able to establish a trust relationship between the two root
    domains in different forests, and then use ADMT with the following three
    wizards to migrate the group accounts, user accounts, client computers and
    file permissions:

    Group Account Migration Wizard
    User Account Migration Wizard
    Computer Migration Wizard
    Security Translation Wizard

    3. It is recommended that we install ADMT on target domain's PDC Emulator.
    And it is recommended that we use administrator credential of source domain
    to log on to the target domain from the source domain controller.

    4. ADMT checks its database file for information regarding the previously
    migrated user objects and then determines how to migrate user profiles and
    NTFS folders permissions when migrating computers. Therefore, it is better
    to only install one ADMT host machine.

    5. The account that runs ADMT must have administrator privileges on both
    domains, and also needs to be a member of the local administrators group
    when migrating computer objects.

    6. It is recommended to perform the migration in the following order:

    Domain Global Group
    Domain Local Group
    User Account
    Computer Account

    7. Please migrate the groups and users separately (do not migrate the
    associated group members when migrating the groups).

    During the group migration, please use the following configurations

    [Group Options]
    Copy group members Not Checked
    Fix membership of group Checked

    During the user migration, please use the following configurations:

    [User Options]
    Migrate associated user groups Not Checked
    Fix users' group memberships Checked

    8. You may use the Microsoft File Server Migration Toolkit to migrate the
    file server.

    For more references, please refer to:

    Microsoft File Server Migration Toolkit
    http://www.microsoft.com/windowsserv...ocs/msfsc.mspx

    How to establish trusts with a Windows NT-based domain in Windows Server
    2003
    http://support.microsoft.com/kb/325874

    Hope it helps. Thanks.

    David Shen
    Microsoft Online Partner Support


  3. #3
    Alan Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Thanks for the feedback David. Please excuse the ignorance of the following
    question but I'm used to dealing with a single domain/forest...

    Point 5 states 5. The account that runs ADMT must have administrator
    privileges on both domains, and also need to be a member of the local
    administrators group when migrating computer objects.

    How do I create an account that is a member of both domains? Is it enough to
    create an account with the same name and password in each domain and add it
    to the Domain Admins group? I was under the impression that the Domain
    Admins group was global and that I could only add members from the local
    domain to it.

    Cheers

    Alan




  4. #4
    David Shen [MSFT] Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Hello Alan,

    Thanks for your reply. For your concern about the administrator credential
    when you perform AD migration, here is some information which will be
    helpful for you.

    Analysis and Suggestion:
    ======================

    Before you migrate a Windows NT 4.0 domain to a Windows Server 2003-based
    domain, the following domain and security configurations are required.

    Please note:
    Windows NT 4.0 Service Pack 4 or later should be installed, and that the
    target domain is a Windows Server 2003-based domain in native mode.

    Trusts
    1. Configure the source domain to trust the target domain.
    2. Configure the target domain to trust the source domain.

    Groups
    1. Add the Domain Admins global group from the source domain to the
    Administrators local group in the target domain.
    2. Add the Domain Admins global group from the target domain to the
    Administrators local group in the source domain.
    3. Create a new local group in the source domain called Source Domain $$$.
    Please note: There must be no members in this group.
    4. There is no need to create an account with the same name and password
    in each domain.

    I would like to suggest you use administrator credential of source domain
    to log on to the target domain from the source domain controller.

    Auditing
    1. Enable auditing for the success and failure of user and group
    management on the source domain.
    2. Enable auditing for the success and failure of Audit account management
    on the target domain in the Default Domain Controllers policy.

    Registry
    On the PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1
    value to the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

    Administrative Shares
    Administrative shares should exist on the domain controller in the target
    domain on which you run ADMT, and on any computers on which an agent must
    be dispatched.

    User Rights
    We need to log on to the computer on which you run ADMT with an account
    that has the following permissions:
    1. Domain Administrator rights in the target domain.
    2. A member of the Administrators group in the source domain.
    3. Administrator rights on each computer that you migrate.
    4. Administrator rights on each computer on which you translate security.

    You will have the appropriate rights when you log on to the PDC that is the
    FSMO role holder in the target domain with the "Source Domain
    \Administrator" account, assuming that the "Source Domain\Domain
    Administrators" group is a member of the Administrators group on each
    computer.

    Reference:
    ==============

    How to configure the Active Directory Migration Tool to migrate user
    passwords from a Windows NT 4.0 domain to a Windows Server 2003 domain
    http://support.microsoft.com/kb/832221

    Hope it helps. Thanks.

    David Shen
    Microsoft Online Partner Support
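
    An added example, not part of David Shen's post and not shipped with ADMT: a read-only PowerShell check of three prerequisites listed above (the TcpipClientSupport value, the empty $$$ local group, and the ADMIN$ share on the ADMT host). It assumes the placeholder host names NT4PDC and W2K3DC, reads the group name as the source NetBIOS domain name followed by $$$, and does not check the auditing settings.

```powershell
# Added example: read-only checks for three prerequisites from the post above.
# NT4PDC and W2K3DC are placeholder host names, not values from the thread.
param(
    [string]$SourceDomain = 'NT4DOM',   # NetBIOS name shown in the ADMT log
    [string]$SourcePdc    = 'NT4PDC',   # hypothetical source PDC
    [string]$AdmtHost     = 'W2K3DC'    # hypothetical target DC running ADMT
)

function Test-TcpipClientSupport([string]$Computer) {
    # True only when the LSA value exists as REG_DWORD 1 (needs Remote Registry).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($null -eq $lsa) { return $false }
        $value = $lsa.GetValue('TcpipClientSupport', $null)
        $lsa.Close()
        return ($value -is [int] -and $value -eq 1)
    } finally { $hklm.Close() }
}

function Get-SourceLocalGroupState([string]$Domain, [string]$Server) {
    # The $$$ local group must exist and must have no members.
    # Assumption: its name is the source NetBIOS domain name followed by $$$.
    $path = 'WinNT://' + $Domain + '/' + $Server + '/' + $Domain + '$$$,group'
    try {
        $members = @(([ADSI]$path).psbase.Invoke('Members'))
        return [pscustomobject]@{ Exists = $true; MemberCount = $members.Count }
    } catch {
        # Any bind failure, including access denied, is reported as not found.
        return [pscustomobject]@{ Exists = $false; MemberCount = $null }
    }
}

$group = Get-SourceLocalGroupState $SourceDomain $SourcePdc
[pscustomobject]@{
    TcpipClientSupport = Test-TcpipClientSupport $SourcePdc
    LocalGroupExists   = $group.Exists
    LocalGroupEmpty    = ($group.Exists -and $group.MemberCount -eq 0)
    AdminShareOnAdmt   = Test-Path ('\\' + $AdmtHost + '\ADMIN$')
}
```

    Run it from the ADMT host under the same account that will perform the migration, so a failed check reflects what ADMT itself would encounter.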


  5. #5
    David Shen [MSFT] Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Hello Alan,

    How's everything going?

    I'm wondering if the suggestion has helped or if you have any further
    questions. Please feel free to respond to the newsgroups if I can assist
    further.

    David Shen
    Microsoft Online Partner Support


  6. #6
    Alan Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Thanks for the feedback David. I was off with tonsillitis at the back end of
    last week but hope to give your suggestions a try today.

    Cheers

    Alan

    >


  7. #7
    Alan Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Hi David

    The group admin changes you suggested allowed me to perform the migration
    but only if I logged on as an Admin of the Target domain. I still received
    the original error when logging on as an admin in the Source domain.

    Thanks for your help

    Alan

    >


  8. #8
    David Shen [MSFT] Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Hello Alan,

    Thanks for your feedback.

    For this AD migration issue, I would like to confirm with you whether the
    original error message is as follows when you log on as an admin in the source
    domain to perform group migration.

    [Object Migration Section]

    2008-03-03 16:47:47 Starting Account Replicator.
    2008-03-03 16:47:50 ERR2:7816 Cannot determine if source object
    'WinNT://NT4DOM/NT4Group' matches an object in the target forest or domain.
    The handle is invalid.
    2008-03-03 16:47:50 ERR2:7301 Failed to migrate source object 'NT4Group' to
    domain 'w2k3.com'. The target object could not be created. hr=0x80070006
    The handle is invalid.
    2008-03-03 16:47:50 Operation completed.

    If so, here is some information for your reference.

    Suggestion:
    ============

    1. Please perform the AD migration on the PDC of Windows NT4 domain, that
    means you log on as the domain admin in the source domain.

    2. Add the following registry key to the Source Domain Controller that ADMT
    was pointed to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

    DWORD: TCIPClientSupport = 1

    3. Reboot the Domain Controller.

    4. Restart the ADMT migration process as my previous post suggests.

    After that, please check whether the error message will reoccur.

    I look forward to your reply and thank you for your time.

    David Shen
    Microsoft Online Partner Support


  9. #9
    David Shen [MSFT] Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    Hello Alan,

    How's everything going?

    I'm wondering if the suggestion has helped or if you have any further
    questions. Please feel free to respond to the newsgroups if I can assist
    further.

    David Shen
    Microsoft Online Partner Support


  10. #10
    Milomir Guest

    RE: ADMT Errors ERR2:7816 and ERR2:7301

    I had exactly the same problem. It was solved when I installed another ADMT tool
    on the target DC. The tool is using SQL Server on another computer. Then I
    logged on to this DC with domain admin account from the source domain and I
    was able to migrate users, groups, computers and translate profiles with no
    errors.

    Milomir

