More ADMT errprs during SID migration

[Mark]

This is what I've done:
I've established and verified two way trust
I'm logged in as Administrator on Target Domain (2003)
I've added Target domain admin group to local admin group on Source domain
(NT)
I've enabled auditing on both domains
I've created a Registry Dword for TcpipClientSupport
I've delegated to Administrator on 2003 permission to crate user and group
objects on the container I'm migrating to

When I try to run test migration I'm getting the following error on the
screen after I select SID migration :

Could not verify auditing and TcpipClientSupport on domains. Will not be
able to migrate SID's. Access is denied.

According to KB #322970 this indicated that the user doesn't have enough
permissions in one or both domains.
I'm using Administrator account which has Full Admin permissions in both
Domains?

What am I missing? - Mark

[Bob Qin [MSFT]]

Hi Mark,

Thanks for your posting here.

What is the result if you logon target domain DC as the source domain
administrator?

Are there any members in the <Source Domain>$$$ group on the NT domains?

Did you restart DCs after you modified the registry?

I would like to suggest that you open the registry on the WinNT PDC and
make sure that the LOCAL SERVICE group have Read - Allow permissions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Note: you need to run regedt32.exe on Windows NT computer to modify
registry permission.

Then try to perform migration again.

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "Mark" <markschindler@mitchellgold.com>
Subject: More ADMT errprs during SID migration
Date: Tue, 9 Nov 2004 11:22:57 -0500
Newsgroups: microsoft.public.windows.server.migration


This is what I've done:
I've established and verified two way trust
I'm logged in as Administrator on Target Domain (2003)
I've added Target domain admin group to local admin group on Source
domain
(NT)
I've enabled auditing on both domains
I've created a Registry Dword for TcpipClientSupport
I've delegated to Administrator on 2003 permission to crate user and
group
objects on the container I'm migrating to

When I try to run test migration I'm getting the following error on
the
screen after I select SID migration :

Could not verify auditing and TcpipClientSupport on domains. Will not
be
able to migrate SID's. Access is denied.

According to KB #322970 this indicated that the user doesn't have
enough
permissions in one or both domains.
I'm using Administrator account which has Full Admin permissions in
both
Domains?

What am I missing? - Mark

[Mark]

Bob - thanks for your reply. Here are the answers:
> What is the result if you logon target domain DC as the source domain
> administrator?

I get the same tools and access as AD Domain admin (target admin)

> Are there any members in the <Source Domain>$$$ group on the NT domains?
There are no members - group is empty

> Did you restart DCs after you modified the registry?
Yes I did
I'll follow your other suggestion -
Here are few more observations:
ADMT should create (domainname$$$) group if one doesn't exist as well as it
should modify registry for TcpipClientSupport - since my original setup
didn't work I've deleted the Group and Registry entry - restarted and try to
run ADMT again to see if it will crete those entries - it didn't. I got the
same error as before which according to MS KB 322970 indicates that Account
which I'm using doesn't have all permissions needed. I did check and
rechecked the permissions and looks to me like all are correct.
I'm going to create a new user called Migrator add him to Admin Group on
Target Domain than add him to Admin Group on source domain - log in as him
to target DC and try to run ADMT again.
If you see anyhting else I'm missing please advise - Mark

"Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
news:cBgAdwxxEHA.2544@cpmsftngxa10.phx.gbl...
> Hi Mark,
>
> Thanks for your posting here.
>
> What is the result if you logon target domain DC as the source domain
> administrator?
>
> Are there any members in the <Source Domain>$$$ group on the NT domains?
>
> Did you restart DCs after you modified the registry?
>
> I would like to suggest that you open the registry on the WinNT PDC and
> make sure that the LOCAL SERVICE group have Read - Allow permissions
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
>
> Note: you need to run regedt32.exe on Windows NT computer to modify
> registry permission.
>
> Then try to perform migration again.
>
> Have a nice day!
>
> Regards,
> Bob Qin
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> From: "Mark" <markschindler@mitchellgold.com>
> Subject: More ADMT errprs during SID migration
> Date: Tue, 9 Nov 2004 11:22:57 -0500
> Newsgroups: microsoft.public.windows.server.migration
>
>
> This is what I've done:
> I've established and verified two way trust
> I'm logged in as Administrator on Target Domain (2003)
> I've added Target domain admin group to local admin group on Source
> domain
> (NT)
> I've enabled auditing on both domains
> I've created a Registry Dword for TcpipClientSupport
> I've delegated to Administrator on 2003 permission to crate user and
> group
> objects on the container I'm migrating to
>
> When I try to run test migration I'm getting the following error on
> the
> screen after I select SID migration :
>
> Could not verify auditing and TcpipClientSupport on domains. Will not
> be
> able to migrate SID's. Access is denied.
>
> According to KB #322970 this indicated that the user doesn't have
> enough
> permissions in one or both domains.
> I'm using Administrator account which has Full Admin permissions in
> both
> Domains?
>
> What am I missing? - Mark
>
>
>
>

[Mark]

Bob
When you say Local Service needs to have Read permission - do you mean Local
System - if that's the case my System account has Full Controll -

Mark

"Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
news:cBgAdwxxEHA.2544@cpmsftngxa10.phx.gbl...
> Hi Mark,
>
> Thanks for your posting here.
>
> What is the result if you logon target domain DC as the source domain
> administrator?
>
> Are there any members in the <Source Domain>$$$ group on the NT domains?
>
> Did you restart DCs after you modified the registry?
>
> I would like to suggest that you open the registry on the WinNT PDC and
> make sure that the LOCAL SERVICE group have Read - Allow permissions
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
>
> Note: you need to run regedt32.exe on Windows NT computer to modify
> registry permission.
>
> Then try to perform migration again.
>
> Have a nice day!
>
> Regards,
> Bob Qin
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> From: "Mark" <markschindler@mitchellgold.com>
> Subject: More ADMT errprs during SID migration
> Date: Tue, 9 Nov 2004 11:22:57 -0500
> Newsgroups: microsoft.public.windows.server.migration
>
>
> This is what I've done:
> I've established and verified two way trust
> I'm logged in as Administrator on Target Domain (2003)
> I've added Target domain admin group to local admin group on Source
> domain
> (NT)
> I've enabled auditing on both domains
> I've created a Registry Dword for TcpipClientSupport
> I've delegated to Administrator on 2003 permission to crate user and
> group
> objects on the container I'm migrating to
>
> When I try to run test migration I'm getting the following error on
> the
> screen after I select SID migration :
>
> Could not verify auditing and TcpipClientSupport on domains. Will not
> be
> able to migrate SID's. Access is denied.
>
> According to KB #322970 this indicated that the user doesn't have
> enough
> permissions in one or both domains.
> I'm using Administrator account which has Full Admin permissions in
> both
> Domains?
>
> What am I missing? - Mark
>
>
>
>

[Mark]

I've created new user on Target Domain added him to Domain Admin group -
then added him to Local Admin group on Source domain - logged in as him in
Target domain started ADMT and got the same message as before:
Could not verify auditing and TcpipClientSupport on domains. Will not be
able to migrate Sid's. Access is denied.

I'm trying to migrate just one user - if that's how the rest of my migration
and upgrade to Exchange 2003 will go I may as well kill myself now (just
kidding) - Mark

"Mark" <markschindler@mitchellgold.com> wrote in message
news:O66ChhnxEHA.2580@TK2MSFTNGP10.phx.gbl...
> This is what I've done:
> I've established and verified two way trust
> I'm logged in as Administrator on Target Domain (2003)
> I've added Target domain admin group to local admin group on Source domain
> (NT)
> I've enabled auditing on both domains
> I've created a Registry Dword for TcpipClientSupport
> I've delegated to Administrator on 2003 permission to crate user and group
> objects on the container I'm migrating to
>
> When I try to run test migration I'm getting the following error on the
> screen after I select SID migration :
>
> Could not verify auditing and TcpipClientSupport on domains. Will not be
> able to migrate SID's. Access is denied.
>
> According to KB #322970 this indicated that the user doesn't have enough
> permissions in one or both domains.
> I'm using Administrator account which has Full Admin permissions in both
> Domains?
>
> What am I missing? - Mark
>

[Bob Qin [MSFT]]

Hi Mark,

Please check the RestrictAnonymous setting on the Windows 2003 Domain
Controller under the following registry key:

HKLM\system\CurrentControlSet\Control\Lsa

Please make sure that the RestrictAnonymous registry value is set to 0.

If the problem still persists, please install ADMT on another DC in Windows
2003 domain and try to migrate again.

What is the result?

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

[Mark]

Bob

The registry setting you mentioned is set correctly.
I've been workin on this with MS and they can't figure it out either. What
we did find out is that if I login to 2003 Domain with NT Admin account
migration tool is working fine. I'm using that login and hope for the best.
Appreciate your input - Mark


"Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
news:nWR%23Ci%23xEHA.1884@cpmsftngxa10.phx.gbl...
> Hi Mark,
>
> Please check the RestrictAnonymous setting on the Windows 2003 Domain
> Controller under the following registry key:
>
> HKLM\system\CurrentControlSet\Control\Lsa
>
> Please make sure that the RestrictAnonymous registry value is set to 0.
>
> If the problem still persists, please install ADMT on another DC in
> Windows
> 2003 domain and try to migrate again.
>
> What is the result?
>
> Regards,
> Bob Qin
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
>
>

[Bob Qin [MSFT]]

Hi Mark,

Thanks for your update.

In fact, it is recommended to logon the target domain DC as the source
domain administrator account and perform migration. It will avoid some
unexpected issue.

Here are some documents that may be helpful.

HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
http://support.microsoft.com/?id=325851

Domain Migration Cookbook
<http://www.microsoft.com/technet/pro...deploy/cookboo
k/cookintr.asp>

Restructuring Windows NT 4.0 Domains to an Active Directory Forest
http://www.microsoft.com/resources/d...003/all/deploy
guide/en-us/dssbg_rent_overview.asp

Planning Migration from Windows NT to Windows 2000
<http://www.microsoft.com/technet/tre...chnet/prodtech
nol/ad/windows2000/plan/migntw2k.asp>

Thank you again for using our newsgroup!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "Mark" <markschindler@mitchellgold.com>
Subject: Re: More ADMT errprs during SID migration
Date: Thu, 11 Nov 2004 09:57:56 -0500
Newsgroups: microsoft.public.windows.server.migration


Bob

The registry setting you mentioned is set correctly.
I've been workin on this with MS and they can't figure it out either.
What
we did find out is that if I login to 2003 Domain with NT Admin
account
migration tool is working fine. I'm using that login and hope for the
best.
Appreciate your input - Mark


"Bob Qin [MSFT]" <bobqin@online.microsoft.com> wrote in message
news:nWR%23Ci%23xEHA.1884@cpmsftngxa10.phx.gbl...
> Hi Mark,
>
> Please check the RestrictAnonymous setting on the Windows 2003
Domain
> Controller under the following registry key:
>
> HKLM\system\CurrentControlSet\Control\Lsa
>
> Please make sure that the RestrictAnonymous registry value is set
to 0.
>
> If the problem still persists, please install ADMT on another DC in
> Windows
> 2003 domain and try to migrate again.
>
> What is the result?
>
> Regards,
> Bob Qin
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your
newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
>
>

[JeffG2583]

I realize this is a very old post, but it's the first one to come up on a google search of this error so I thought I'd give my $0.02 on it. Here's what I did to fix this error, between 2 Server 2008 forests...

First, install SQL Express 2008 SP1 using the account you intend to use for migration, and make sure you add the account when the time comes during the SQL setup. I use Administrator because I'm using remote desktop and it was a huge pain to get a non-administrator account to work.

Now, go to ADUC on your target server and add the local Administrator account to the Domain Admins group.

Go to ADUC on your source server and browse to Builtin\Administrators group. Add a member to this group and change the location to point to your target domain so you can see those accounts. Choose Domain Admins from that forest and add. I restarted both servers just to make sure there was nothing crazy and also checked the forest trust and the time on both machines. When I tried changing both groups from one server, I would get a weird Access Denied message.

Now, when you go to migrate (in my case) a test security group, you should get past this error. You just need to log on to the target server with that domain's administrator account to run ADMT. Also one other thing to note is I disabled UAC on both servers but am not sure if this was required or not. I had read in several other places this was needed but didn't test it both ways.

I hope this helps someone else having a similar issue...