Results 1 to 14 of 14

Thread: ADMT password migration between 2 2003 servers using Version 3.0

  1. #1
    Craig B Guest

    ADMT password migration between 2 2003 servers using Version 3.0

    All the help I have been finding is on ADMT v2 which doesn't seem to match up
    well. Ran the PWDmig.msi install file on the source server and rebooted also
    started the PES servcie with user account not local system. Created and
    installed pes key as well. I changed the reg key allowpassword export as
    well and rebooted the server.

    Looking at Version 2 page KB 322981 I see a much different setup procedure.
    This migration is for 2 2003 Forests already connected via trust.

    I can sucessfully migrate accounts and groups but not when i try to use the
    Password export service.
    Constantly get "Unable to establish a session with the password export
    server. Access is denied"

    I haven't been able to find much in the way of articles on V3 of the ADMT
    tool and the help in the tool itself is much different than what i am finding
    for v2.

    Anyone know articles or tips?

    Thanks

  2. #2
    Vincent Xu [MSFT] Guest

    RE: ADMT password migration between 2 2003 servers using Version 3.0

    Hi ,

    Some thoughts:

    1. Turn off all network firewall.
    2. Enable SID history by running :
    netdom trust trusted_domain /domain:trusting_domain /enablesidhistory:yes

    Check the results.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================



    --------------------
    >>Thread-Topic: ADMT password migration between 2 2003 servers using

    Version 3.0
    >>thread-index: AccBxNwBdlpKplkiQkKCw6pfJhzeHw==
    >>X-WBNR-Posting-Host: 12.149.99.25
    >>From: =?Utf-8?B?Q3JhaWcgQg==?= <CraigB@discussions.microsoft.com>
    >>Subject: ADMT password migration between 2 2003 servers using Version 3.0
    >>Date: Mon, 6 Nov 2006 08:59:01 -0800
    >>Lines: 21
    >>Message-ID: <9F1ADFF3-F37E-4FBD-89AC-E0213E300B44@microsoft.com>
    >>MIME-Version: 1.0
    >>Content-Type: text/plain;
    >> charset="Utf-8"
    >>Content-Transfer-Encoding: 7bit
    >>X-Newsreader: Microsoft CDO for Windows 2000
    >>Content-Class: urn:content-classes:message
    >>Importance: normal
    >>Priority: normal
    >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    >>Newsgroups: microsoft.public.windows.server.migration
    >>Path: TK2MSFTNGXA01.phx.gbl
    >>Xref: TK2MSFTNGXA01.phx.gbl

    microsoft.public.windows.server.migration:25389
    >>NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
    >>X-Tomcat-NG: microsoft.public.windows.server.migration
    >>
    >>All the help I have been finding is on ADMT v2 which doesn't seem to

    match up
    >>well. Ran the PWDmig.msi install file on the source server and rebooted

    also
    >>started the PES servcie with user account not local system. Created and
    >>installed pes key as well. I changed the reg key allowpassword export

    as
    >>well and rebooted the server.
    >>
    >>Looking at Version 2 page KB 322981 I see a much different setup

    procedure.
    >>This migration is for 2 2003 Forests already connected via trust.
    >>
    >>I can sucessfully migrate accounts and groups but not when i try to use

    the
    >>Password export service.
    >>Constantly get "Unable to establish a session with the password export
    >>server. Access is denied"
    >>
    >>I haven't been able to find much in the way of articles on V3 of the ADMT
    >>tool and the help in the tool itself is much different than what i am

    finding
    >>for v2.
    >>
    >>Anyone know articles or tips?
    >>
    >>Thanks
    >>



  3. #3
    Craig B Guest

    RE: ADMT password migration between 2 2003 servers using Version 3.0

    I had already turned off the Windows firewall as a troubleshooting test but I
    did enable Sid History still get same error. Would I need to reboot the
    source server after enabling sid history??

    "Craig B" wrote:

    > All the help I have been finding is on ADMT v2 which doesn't seem to match up
    > well. Ran the PWDmig.msi install file on the source server and rebooted also
    > started the PES servcie with user account not local system. Created and
    > installed pes key as well. I changed the reg key allowpassword export as
    > well and rebooted the server.
    >
    > Looking at Version 2 page KB 322981 I see a much different setup procedure.
    > This migration is for 2 2003 Forests already connected via trust.
    >
    > I can sucessfully migrate accounts and groups but not when i try to use the
    > Password export service.
    > Constantly get "Unable to establish a session with the password export
    > server. Access is denied"
    >
    > I haven't been able to find much in the way of articles on V3 of the ADMT
    > tool and the help in the tool itself is much different than what i am finding
    > for v2.
    >
    > Anyone know articles or tips?
    >
    > Thanks


  4. #4
    Vincent Xu [MSFT] Guest

    RE: ADMT password migration between 2 2003 servers using Version 3.0

    Hi,

    Please paste the entire ADMT log.

    thanks.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================



    --------------------
    >>Thread-Topic: ADMT password migration between 2 2003 servers using

    Version 3.0
    >>thread-index: AccCfvCf1kcEpD7BSqCS4Jen7JmLoA==
    >>X-WBNR-Posting-Host: 12.149.99.25
    >>From: =?Utf-8?B?Q3JhaWcgQg==?= <CraigB@discussions.microsoft.com>
    >>References: <9F1ADFF3-F37E-4FBD-89AC-E0213E300B44@microsoft.com>
    >>Subject: RE: ADMT password migration between 2 2003 servers using Version

    3.0
    >>Date: Tue, 7 Nov 2006 07:11:02 -0800
    >>Lines: 27
    >>Message-ID: <C43C884E-0DCB-4C7C-A219-22324086B37B@microsoft.com>
    >>MIME-Version: 1.0
    >>Content-Type: text/plain;
    >> charset="Utf-8"
    >>Content-Transfer-Encoding: 7bit
    >>X-Newsreader: Microsoft CDO for Windows 2000
    >>Content-Class: urn:content-classes:message
    >>Importance: normal
    >>Priority: normal
    >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    >>Newsgroups: microsoft.public.windows.server.migration
    >>Path: TK2MSFTNGXA01.phx.gbl
    >>Xref: TK2MSFTNGXA01.phx.gbl

    microsoft.public.windows.server.migration:25393
    >>NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
    >>X-Tomcat-NG: microsoft.public.windows.server.migration
    >>
    >>I had already turned off the Windows firewall as a troubleshooting test

    but I
    >>did enable Sid History still get same error. Would I need to reboot the
    >>source server after enabling sid history??
    >>
    >>"Craig B" wrote:
    >>
    >>> All the help I have been finding is on ADMT v2 which doesn't seem to

    match up
    >>> well. Ran the PWDmig.msi install file on the source server and

    rebooted also
    >>> started the PES servcie with user account not local system. Created and
    >>> installed pes key as well. I changed the reg key allowpassword export

    as
    >>> well and rebooted the server.
    >>>
    >>> Looking at Version 2 page KB 322981 I see a much different setup

    procedure.
    >>> This migration is for 2 2003 Forests already connected via trust.
    >>>
    >>> I can sucessfully migrate accounts and groups but not when i try to use

    the
    >>> Password export service.
    >>> Constantly get "Unable to establish a session with the password export
    >>> server. Access is denied"
    >>>
    >>> I haven't been able to find much in the way of articles on V3 of the

    ADMT
    >>> tool and the help in the tool itself is much different than what i am

    finding
    >>> for v2.
    >>>
    >>> Anyone know articles or tips?
    >>>
    >>> Thanks

    >>



  5. #5
    Craig B Guest

    RE: ADMT password migration between 2 2003 servers using Version 3

    I will paste the log but I don't believe it will be much help. They don't
    appear to update unless I get all the way through the migration process. They
    are dated 11-1 which is when i first tested sucessfully moving a user account
    but did not try to migrate passwords. They haven't been updated since I have
    been trying to migrate passwords



    2006-11-01 14:36:01 Unable to store default excluded system properties in
    database. Unspecified error (0x80004005)
    2006-11-01 14:36:01 The following system properties will be excluded:
    2006-11-01 14:36:01
    mail,proxyAddresses,altRecipient,altRecipientBL,attributeCertificate,
    2006-11-01 14:36:01
    attributeCertificateAttribute,audio,authOrig,authOrigBL,autoReply,
    2006-11-01 14:36:01
    autoReplyMessage,businessRoles,carLicense,dLMemDefault,dLMemRejectPerms,
    2006-11-01 14:36:01
    dLMemRejectPermsBL,dLMemSubmitPerms,dLMemSubmitPermsBL,dLMemberRule,
    2006-11-01 14:36:01
    deletedItemFlags,delivContLength,delivExtContTypes,deliverAndRedirect,
    2006-11-01 14:36:01
    deliveryMechanism,departmentNumber,dnQualifier,employeeNumber,employeeType,
    2006-11-01 14:36:01
    enabledProtocols,expirationTime,extensionAttribute1,extensionAttribute10,
    2006-11-01 14:36:01
    extensionAttribute11,extensionAttribute12,extensionAttribute13,
    2006-11-01 14:36:01
    extensionAttribute14,extensionAttribute15,extensionAttribute2,
    2006-11-01 14:36:01
    extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribute6,
    2006-11-01 14:36:01
    extensionAttribute7,extensionAttribute8,extensionAttribute9,extensionData,
    2006-11-01 14:36:01
    fen-UM-AllowChargecodeOverride,fen-UM-AllowCoversheetOverride,
    2006-11-01 14:36:01 fen-UM-AllowSMSTemplateOverride,fen-UM-AllowedToSendFax,
    2006-11-01 14:36:01
    fen-UM-AllowedToSendFaxInt,fen-UM-AllowedToSendSms,fen-UM-AllowedToSendSmsInt,
    2006-11-01 14:36:01
    fen-UM-AllowedToSendStx,fen-UM-AllowedToSendTlx,fen-UM-Chargecode,
    2006-11-01 14:36:01
    fen-UM-Coversheet,fen-UM-Fileformat,fen-UM-MaxSplittedSms,fen-UM-MessageLimit,
    2006-11-01 14:36:01
    fen-UM-MessageLimitPeriod,fen-UM-SMSTemplate,fen-UM-SystemAddress,folderPathname,
    2006-11-01 14:36:01
    formData,forwardingAddress,gecos,gidNumber,heuristics,hideDLMembership,homeMDB,
    2006-11-01 14:36:01
    homeMTA,homePostalAddress,houseIdentifier,importedFrom,internetEncoding,
    2006-11-01 14:36:01
    ipHostNumber,jpegPhoto,kMServer,labeledURI,language,languageCode,
    2006-11-01 14:36:01
    logRolloverInterval,loginShell,mAPIRecipient,mDBOverHardQuotaLimit,
    2006-11-01 14:36:01
    mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,mailNickname,memberUid,
    2006-11-01 14:36:01
    monitoredConfigurations,monitoredServices,monitoringAvailabilityStyle,
    2006-11-01 14:36:01
    monitoringAvailabilityWindow,monitoringCachedViaMail,monitoringCachedViaRPC,
    2006-11-01 14:36:01 monitoringMailUpdateInterval,monitoringMailUpdateUnits,
    2006-11-01 14:36:01
    monitoringRPCUpdateInterval,monitoringRPCUpdateUnits,msDFSR-ComputerReferenceBL,
    2006-11-01 14:36:01
    msDFSR-MemberReferenceBL,msDS-ObjectReferenceBL,msDS-SourceObjectDN,
    2006-11-01 14:36:01
    msExchADCGlobalNames,msExchALObjectVersion,msExchAssistantName,
    2006-11-01 14:36:01
    msExchConferenceMailboxBL,msExchControllingZone,msExchCustomProxyAddresses,
    2006-11-01 14:36:01
    msExchExchangeServerLink,msExchExpansionServerName,msExchFBURL,
    2006-11-01 14:36:01
    msExchHideFromAddressLists,msExchHomeServerName,msExchHouseIdentifier,
    2006-11-01 14:36:01
    msExchIMACL,msExchIMAPOWAURLPrefixOverride,msExchIMAddress,
    2006-11-01 14:36:01
    msExchIMMetaPhysicalURL,msExchIMPhysicalURL,msExchIMVirtualServer,
    2006-11-01 14:36:01
    msExchInconsistentState,msExchLabeledURI,msExchMailboxFolderSet,
    2006-11-01 14:36:01
    msExchMailboxGuid,msExchMailboxSecurityDescriptor,msExchMailboxUrl,
    2006-11-01 14:36:01 msExchMasterAccountSid,msExchOmaAdminExtendedSettings,
    2006-11-01 14:36:01
    msExchOmaAdminWirelessEnable,msExchOriginatingForest,msExchPfRootUrl,
    2006-11-01 14:36:01
    msExchPoliciesExcluded,msExchPoliciesIncluded,msExchPolicyEnabled,
    2006-11-01 14:36:02
    msExchPolicyList,msExchPolicyOptionList,msExchPreviousAccountSid,
    2006-11-01 14:36:02
    msExchProxyCustomProxy,msExchQueryBaseDN,msExchRecipLimit,
    2006-11-01 14:36:02
    msExchRequireAuthToSendTo,msExchResourceGUID,msExchResourceProperties,
    2006-11-01 14:36:02
    msExchTUIPassword,msExchTUISpeed,msExchTUIVolume,msExchUnmergedAttsPt,
    2006-11-01 14:36:02
    msExchUseOAB,msExchUserAccountControl,msExchVoiceMailboxID,
    2006-11-01 14:36:02
    msRTCSIP-ArchivingEnabled,msRTCSIP-FederationEnabled,msRTCSIP-HomeServer,
    2006-11-01 14:36:02
    msRTCSIP-HomeServerString,msRTCSIP-InternetAccessEnabled,msRTCSIP-IsMaster,
    2006-11-01 14:36:02
    msRTCSIP-OriginatorSid,msRTCSIP-PrimaryHomeServer,msRTCSIP-PrimaryUserAddress,
    2006-11-01 14:36:02
    msRTCSIP-TargetHomeServer,msRTCSIP-UserEnabled,msRTCSIP-UserExtension,
    2006-11-01 14:36:02
    msSFU30Aliases,msSFU30Name,msSFU30NisDomain,msSFU30PosixMember,
    2006-11-01 14:36:02
    msSFU30PosixMemberOf,networkAddress,nisMapName,oOFReplyToOriginator,otherMailbox,
    2006-11-01 14:36:02
    pOPCharacterSet,pOPContentFormat,personalPager,photo,preferredLanguage,
    2006-11-01 14:36:02
    promoExpiration,protocolSettings,publicDelegates,publicDelegatesBL,
    2006-11-01 14:36:02
    registeredAddress,replicatedObjectVersion,replicationSensitivity,
    2006-11-01 14:36:02
    replicationSignature,reportToOriginator,reportToOwner,roomNumber,secretary,
    2006-11-01 14:36:02
    securityProtocol,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,
    2006-11-01 14:36:02
    shadowMax,shadowMin,shadowWarning,submissionContLength,supportedAlgorithms,
    2006-11-01 14:36:02
    targetAddress,telephoneAssistant,textEncodedORAddress,trackingLogPathName,type,
    2006-11-01 14:36:02
    uid,uidNumber,unauthOrig,unauthOrigBL,unixHomeDirectory,unixUserPassword,
    2006-11-01 14:36:02 unmergedAtts,userPKCS12,userSMIMECertificate,
    2006-11-01 14:36:02 x500uniqueIdentifier

    [Settings Section]
    Task: User Migration (2)
    ADMT Console
    User: **********
    Computer: 1forestroot.c****.local (1FORESTROOT)
    Domain: conferon.local (*****)
    OS: Microsoft Windows Server 2003 5.2 (3790) Service Pack 1
    Source Domain
    Name: e******.com (*****GE)
    DC: bruno.e*******.com (BRUNO)
    OS: Windows Server 2003 5.2 (3790) Service Pack 1
    OU:
    Target Domain
    Name: c*****.local (*******)
    DC: 1forestroot.c*****n.local (1FORESTROOT)
    OS: Windows Server 2003 5.2 (3790) Service Pack 1
    OU: LDAP://***.local/OU=Restrict Software Test,DC=c***n,DC=local
    Intra-Forest: No
    Password Option: Generate passwords, only for new objects = No
    Password File: 'C:\WINNT\ADMT\Logs\passwords.txt'
    Migrate Security Identifiers: No
    Update Rights: Yes
    Translate Roaming Profiles: No
    Fix group membership: Yes
    Conflict Option: Ignore
    Source Disable Option: Leave source account
    Source Expiration: Do not expire source account
    Target Disable Option: Set target same as source
    Migrate groups: Yes
    Update Migrated Objects: No
    Migrate service accounts: Yes

    [Object Migration Section]
    2006-11-01 14:36:03 Starting Account Replicator.
    2006-11-01 14:36:14 CN=test\, craig - Created
    2006-11-01 14:36:15 WRN1:7857 Could not copy following properties for
    'CN=test\, craig'.
    2006-11-01 14:36:15 showInAddressBook = CN=Default Global Address
    List,CN=All Global Address Lists,CN=Address Lists
    Container,CN=expocard,CN=Microsoft
    Exchange,CN=Services,CN=Configuration,DC=e*****ge,DC=com, ... A constraint
    violation occurred.
    2006-11-01 14:36:15 lastLogonTimestamp = 128067954806684595 The server is
    unwilling to process the request.
    2006-11-01 14:36:16 CN=test\, craig - Strong password generated.
    2006-11-01 14:36:18 CN=Test Global Group - Created
    2006-11-01 14:36:22 Processing group membership for CN=Test Global Group.
    2006-11-01 14:36:23 LDAP://1forestroot.****.local/CN=test\,
    craig,OU=Restrict Software Test,DC=****n,DC=local added.
    2006-11-01 14:36:27 Updated user rights for CN=test\, craig
    2006-11-01 14:36:27 Updated user rights for CN=Test Global Group
    2006-11-01 14:36:27 Operation completed.

    This is the log showing a sucessful user and group migration without
    migrating passwords. I put *** in the domain names myself



    "Vincent Xu [MSFT]" wrote:

    > Hi,
    >
    > Please paste the entire ADMT log.
    >
    > thanks.
    >
    >
    > Best regards,
    >
    > Vincent Xu
    > Microsoft Online Partner Support
    >
    > ======================================================
    > Get Secure! - www.microsoft.com/security
    > ======================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others
    > may learn and benefit from this issue.
    > ======================================================
    > This posting is provided "AS IS" with no warranties,and confers no rights.
    > ======================================================
    >
    >
    >
    > --------------------
    > >>Thread-Topic: ADMT password migration between 2 2003 servers using

    > Version 3.0
    > >>thread-index: AccCfvCf1kcEpD7BSqCS4Jen7JmLoA==
    > >>X-WBNR-Posting-Host: 12.149.99.25
    > >>From: =?Utf-8?B?Q3JhaWcgQg==?= <CraigB@discussions.microsoft.com>
    > >>References: <9F1ADFF3-F37E-4FBD-89AC-E0213E300B44@microsoft.com>
    > >>Subject: RE: ADMT password migration between 2 2003 servers using Version

    > 3.0
    > >>Date: Tue, 7 Nov 2006 07:11:02 -0800
    > >>Lines: 27
    > >>Message-ID: <C43C884E-0DCB-4C7C-A219-22324086B37B@microsoft.com>
    > >>MIME-Version: 1.0
    > >>Content-Type: text/plain;
    > >> charset="Utf-8"
    > >>Content-Transfer-Encoding: 7bit
    > >>X-Newsreader: Microsoft CDO for Windows 2000
    > >>Content-Class: urn:content-classes:message
    > >>Importance: normal
    > >>Priority: normal
    > >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    > >>Newsgroups: microsoft.public.windows.server.migration
    > >>Path: TK2MSFTNGXA01.phx.gbl
    > >>Xref: TK2MSFTNGXA01.phx.gbl

    > microsoft.public.windows.server.migration:25393
    > >>NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
    > >>X-Tomcat-NG: microsoft.public.windows.server.migration
    > >>
    > >>I had already turned off the Windows firewall as a troubleshooting test

    > but I
    > >>did enable Sid History still get same error. Would I need to reboot the
    > >>source server after enabling sid history??
    > >>
    > >>"Craig B" wrote:
    > >>
    > >>> All the help I have been finding is on ADMT v2 which doesn't seem to

    > match up
    > >>> well. Ran the PWDmig.msi install file on the source server and

    > rebooted also
    > >>> started the PES servcie with user account not local system. Created and
    > >>> installed pes key as well. I changed the reg key allowpassword export

    > as
    > >>> well and rebooted the server.
    > >>>
    > >>> Looking at Version 2 page KB 322981 I see a much different setup

    > procedure.
    > >>> This migration is for 2 2003 Forests already connected via trust.
    > >>>
    > >>> I can sucessfully migrate accounts and groups but not when i try to use

    > the
    > >>> Password export service.
    > >>> Constantly get "Unable to establish a session with the password export
    > >>> server. Access is denied"
    > >>>
    > >>> I haven't been able to find much in the way of articles on V3 of the

    > ADMT
    > >>> tool and the help in the tool itself is much different than what i am

    > finding
    > >>> for v2.
    > >>>
    > >>> Anyone know articles or tips?
    > >>>
    > >>> Thanks
    > >>

    >
    >


  6. #6
    Vincent Xu [MSFT] Guest

    RE: ADMT password migration between 2 2003 servers using Version 3

    Hi,

    This is a quick note to let you know that I am researching your issue and
    will get back to you as soon as possible. I appreciate your patience.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================



    --------------------
    >>Thread-Topic: ADMT password migration between 2 2003 servers using

    Version 3
    >>thread-index: AccDPO3MyJVGyt2fTJWxB8KH3IL30w==
    >>X-WBNR-Posting-Host: 12.149.99.21
    >>From: =?Utf-8?B?Q3JhaWcgQg==?= <CraigB@discussions.microsoft.com>
    >>References: <9F1ADFF3-F37E-4FBD-89AC-E0213E300B44@microsoft.com>

    <C43C884E-0DCB-4C7C-A219-22324086B37B@microsoft.com>
    <45$sdMwAHHA.3912@TK2MSFTNGXA01.phx.gbl>
    >>Subject: RE: ADMT password migration between 2 2003 servers using Version

    3
    >>Date: Wed, 8 Nov 2006 05:51:02 -0800
    >>Lines: 275
    >>Message-ID: <136DB77F-1C10-4149-8BC8-316D3B6DB3E0@microsoft.com>
    >>MIME-Version: 1.0
    >>Content-Type: text/plain;
    >> charset="Utf-8"
    >>Content-Transfer-Encoding: 7bit
    >>X-Newsreader: Microsoft CDO for Windows 2000
    >>Content-Class: urn:content-classes:message
    >>Importance: normal
    >>Priority: normal
    >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    >>Newsgroups: microsoft.public.windows.server.migration
    >>Path: TK2MSFTNGXA01.phx.gbl
    >>Xref: TK2MSFTNGXA01.phx.gbl

    microsoft.public.windows.server.migration:25402
    >>NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
    >>X-Tomcat-NG: microsoft.public.windows.server.migration
    >>
    >>I will paste the log but I don't believe it will be much help. They don't
    >>appear to update unless I get all the way through the migration process.

    They
    >>are dated 11-1 which is when i first tested sucessfully moving a user

    account
    >>but did not try to migrate passwords. They haven't been updated since I

    have
    >>been trying to migrate passwords
    >>
    >>
    >>
    >>2006-11-01 14:36:01 Unable to store default excluded system properties in
    >>database. Unspecified error (0x80004005)
    >>2006-11-01 14:36:01 The following system properties will be excluded:
    >>2006-11-01 14:36:01
    >> mail,proxyAddresses,altRecipient,altRecipientBL,attributeCertificate,
    >>2006-11-01 14:36:01
    >> attributeCertificateAttribute,audio,authOrig,authOrigBL,autoReply,
    >>2006-11-01 14:36:01
    >> autoReplyMessage,businessRoles,carLicense,dLMemDefault,dLMemRejectPerms,
    >>2006-11-01 14:36:01
    >> dLMemRejectPermsBL,dLMemSubmitPerms,dLMemSubmitPermsBL,dLMemberRule,
    >>2006-11-01 14:36:01
    >> deletedItemFlags,delivContLength,delivExtContTypes,deliverAndRedirect,
    >>2006-11-01 14:36:01
    >>

    deliveryMechanism,departmentNumber,dnQualifier,employeeNumber,employeeType,
    >>2006-11-01 14:36:01
    >> enabledProtocols,expirationTime,extensionAttribute1,extensionAttribute10,
    >>2006-11-01 14:36:01
    >> extensionAttribute11,extensionAttribute12,extensionAttribute13,
    >>2006-11-01 14:36:01
    >> extensionAttribute14,extensionAttribute15,extensionAttribute2,
    >>2006-11-01 14:36:01
    >>

    extensionAttribute3,extensionAttribute4,extensionAttribute5,extensionAttribu
    te6,
    >>2006-11-01 14:36:01
    >>

    extensionAttribute7,extensionAttribute8,extensionAttribute9,extensionData,
    >>2006-11-01 14:36:01
    >> fen-UM-AllowChargecodeOverride,fen-UM-AllowCoversheetOverride,
    >>2006-11-01 14:36:01

    fen-UM-AllowSMSTemplateOverride,fen-UM-AllowedToSendFax,
    >>2006-11-01 14:36:01
    >>

    fen-UM-AllowedToSendFaxInt,fen-UM-AllowedToSendSms,fen-UM-AllowedToSendSmsIn
    t,
    >>2006-11-01 14:36:01
    >> fen-UM-AllowedToSendStx,fen-UM-AllowedToSendTlx,fen-UM-Chargecode,
    >>2006-11-01 14:36:01
    >>

    fen-UM-Coversheet,fen-UM-Fileformat,fen-UM-MaxSplittedSms,fen-UM-MessageLimi
    t,
    >>2006-11-01 14:36:01
    >>

    fen-UM-MessageLimitPeriod,fen-UM-SMSTemplate,fen-UM-SystemAddress,folderPath
    name,
    >>2006-11-01 14:36:01
    >>

    formData,forwardingAddress,gecos,gidNumber,heuristics,hideDLMembership,homeM
    DB,
    >>2006-11-01 14:36:01
    >> homeMTA,homePostalAddress,houseIdentifier,importedFrom,internetEncoding,
    >>2006-11-01 14:36:01
    >> ipHostNumber,jpegPhoto,kMServer,labeledURI,language,languageCode,
    >>2006-11-01 14:36:01
    >> logRolloverInterval,loginShell,mAPIRecipient,mDBOverHardQuotaLimit,
    >>2006-11-01 14:36:01
    >> mDBOverQuotaLimit,mDBStorageQuota,mDBUseDefaults,mailNickname,memberUid,
    >>2006-11-01 14:36:01
    >> monitoredConfigurations,monitoredServices,monitoringAvailabilityStyle,
    >>2006-11-01 14:36:01
    >>

    monitoringAvailabilityWindow,monitoringCachedViaMail,monitoringCachedViaRPC,
    >>2006-11-01 14:36:01

    monitoringMailUpdateInterval,monitoringMailUpdateUnits,
    >>2006-11-01 14:36:01
    >>

    monitoringRPCUpdateInterval,monitoringRPCUpdateUnits,msDFSR-ComputerReferenc
    eBL,
    >>2006-11-01 14:36:01
    >> msDFSR-MemberReferenceBL,msDS-ObjectReferenceBL,msDS-SourceObjectDN,
    >>2006-11-01 14:36:01
    >> msExchADCGlobalNames,msExchALObjectVersion,msExchAssistantName,
    >>2006-11-01 14:36:01
    >>

    msExchConferenceMailboxBL,msExchControllingZone,msExchCustomProxyAddresses,
    >>2006-11-01 14:36:01
    >> msExchExchangeServerLink,msExchExpansionServerName,msExchFBURL,
    >>2006-11-01 14:36:01
    >> msExchHideFromAddressLists,msExchHomeServerName,msExchHouseIdentifier,
    >>2006-11-01 14:36:01
    >> msExchIMACL,msExchIMAPOWAURLPrefixOverride,msExchIMAddress,
    >>2006-11-01 14:36:01
    >> msExchIMMetaPhysicalURL,msExchIMPhysicalURL,msExchIMVirtualServer,
    >>2006-11-01 14:36:01
    >> msExchInconsistentState,msExchLabeledURI,msExchMailboxFolderSet,
    >>2006-11-01 14:36:01
    >> msExchMailboxGuid,msExchMailboxSecurityDescriptor,msExchMailboxUrl,
    >>2006-11-01 14:36:01

    msExchMasterAccountSid,msExchOmaAdminExtendedSettings,
    >>2006-11-01 14:36:01
    >> msExchOmaAdminWirelessEnable,msExchOriginatingForest,msExchPfRootUrl,
    >>2006-11-01 14:36:01
    >> msExchPoliciesExcluded,msExchPoliciesIncluded,msExchPolicyEnabled,
    >>2006-11-01 14:36:02
    >> msExchPolicyList,msExchPolicyOptionList,msExchPreviousAccountSid,
    >>2006-11-01 14:36:02
    >> msExchProxyCustomProxy,msExchQueryBaseDN,msExchRecipLimit,
    >>2006-11-01 14:36:02
    >> msExchRequireAuthToSendTo,msExchResourceGUID,msExchResourceProperties,
    >>2006-11-01 14:36:02
    >> msExchTUIPassword,msExchTUISpeed,msExchTUIVolume,msExchUnmergedAttsPt,
    >>2006-11-01 14:36:02
    >> msExchUseOAB,msExchUserAccountControl,msExchVoiceMailboxID,
    >>2006-11-01 14:36:02
    >> msRTCSIP-ArchivingEnabled,msRTCSIP-FederationEnabled,msRTCSIP-HomeServer,
    >>2006-11-01 14:36:02
    >>

    msRTCSIP-HomeServerString,msRTCSIP-InternetAccessEnabled,msRTCSIP-IsMaster,
    >>2006-11-01 14:36:02
    >>

    msRTCSIP-OriginatorSid,msRTCSIP-PrimaryHomeServer,msRTCSIP-PrimaryUserAddres
    s,
    >>2006-11-01 14:36:02
    >> msRTCSIP-TargetHomeServer,msRTCSIP-UserEnabled,msRTCSIP-UserExtension,
    >>2006-11-01 14:36:02
    >> msSFU30Aliases,msSFU30Name,msSFU30NisDomain,msSFU30PosixMember,
    >>2006-11-01 14:36:02
    >>

    msSFU30PosixMemberOf,networkAddress,nisMapName,oOFReplyToOriginator,otherMai
    lbox,
    >>2006-11-01 14:36:02
    >> pOPCharacterSet,pOPContentFormat,personalPager,photo,preferredLanguage,
    >>2006-11-01 14:36:02
    >> promoExpiration,protocolSettings,publicDelegates,publicDelegatesBL,
    >>2006-11-01 14:36:02
    >> registeredAddress,replicatedObjectVersion,replicationSensitivity,
    >>2006-11-01 14:36:02
    >>

    replicationSignature,reportToOriginator,reportToOwner,roomNumber,secretary,
    >>2006-11-01 14:36:02
    >> securityProtocol,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,
    >>2006-11-01 14:36:02
    >>

    shadowMax,shadowMin,shadowWarning,submissionContLength,supportedAlgorithms,
    >>2006-11-01 14:36:02
    >>

    targetAddress,telephoneAssistant,textEncodedORAddress,trackingLogPathName,ty
    pe,
    >>2006-11-01 14:36:02
    >> uid,uidNumber,unauthOrig,unauthOrigBL,unixHomeDirectory,unixUserPassword,
    >>2006-11-01 14:36:02 unmergedAtts,userPKCS12,userSMIMECertificate,
    >>2006-11-01 14:36:02 x500uniqueIdentifier
    >>
    >>[Settings Section]
    >>Task: User Migration (2)
    >>ADMT Console
    >> User: **********
    >> Computer: 1forestroot.c****.local (1FORESTROOT)
    >> Domain: conferon.local (*****)
    >> OS: Microsoft Windows Server 2003 5.2 (3790) Service Pack

    1
    >>Source Domain
    >> Name: e******.com (*****GE)
    >> DC: bruno.e*******.com (BRUNO)
    >> OS: Windows Server 2003 5.2 (3790) Service Pack 1
    >> OU:
    >>Target Domain
    >> Name: c*****.local (*******)
    >> DC: 1forestroot.c*****n.local (1FORESTROOT)
    >> OS: Windows Server 2003 5.2 (3790) Service Pack 1
    >> OU: LDAP://***.local/OU=Restrict Software Test,DC=c***n,DC=local
    >>Intra-Forest: No
    >>Password Option: Generate passwords, only for new objects = No
    >>Password File: 'C:\WINNT\ADMT\Logs\passwords.txt'
    >>Migrate Security Identifiers: No
    >>Update Rights: Yes
    >>Translate Roaming Profiles: No
    >>Fix group membership: Yes
    >>Conflict Option: Ignore
    >>Source Disable Option: Leave source account
    >>Source Expiration: Do not expire source account
    >>Target Disable Option: Set target same as source
    >>Migrate groups: Yes
    >>Update Migrated Objects: No
    >>Migrate service accounts: Yes
    >>
    >>[Object Migration Section]
    >>2006-11-01 14:36:03 Starting Account Replicator.
    >>2006-11-01 14:36:14 CN=test\, craig - Created
    >>2006-11-01 14:36:15 WRN1:7857 Could not copy following properties for
    >>'CN=test\, craig'.
    >>2006-11-01 14:36:15 showInAddressBook = CN=Default Global Address
    >>List,CN=All Global Address Lists,CN=Address Lists
    >>Container,CN=expocard,CN=Microsoft
    >>Exchange,CN=Services,CN=Configuration,DC=e*****ge,DC=com, ... A

    constraint
    >>violation occurred.
    >>2006-11-01 14:36:15 lastLogonTimestamp = 128067954806684595 The server

    is
    >>unwilling to process the request.
    >>2006-11-01 14:36:16 CN=test\, craig - Strong password generated.
    >>2006-11-01 14:36:18 CN=Test Global Group - Created
    >>2006-11-01 14:36:22 Processing group membership for CN=Test Global Group.
    >>2006-11-01 14:36:23 LDAP://1forestroot.****.local/CN=test\,
    >>craig,OU=Restrict Software Test,DC=****n,DC=local added.
    >>2006-11-01 14:36:27 Updated user rights for CN=test\, craig
    >>2006-11-01 14:36:27 Updated user rights for CN=Test Global Group
    >>2006-11-01 14:36:27 Operation completed.
    >>
    >>This is the log showing a sucessful user and group migration without
    >>migrating passwords. I put *** in the domain names myself
    >>
    >>
    >>
    >>"Vincent Xu [MSFT]" wrote:
    >>
    >>> Hi,
    >>>
    >>> Please paste the entire ADMT log.
    >>>
    >>> thanks.
    >>>
    >>>
    >>> Best regards,
    >>>
    >>> Vincent Xu
    >>> Microsoft Online Partner Support
    >>>
    >>> ======================================================
    >>> Get Secure! - www.microsoft.com/security
    >>> ======================================================
    >>> When responding to posts, please "Reply to Group" via your newsreader

    so
    >>> that others
    >>> may learn and benefit from this issue.
    >>> ======================================================
    >>> This posting is provided "AS IS" with no warranties,and confers no

    rights.
    >>> ======================================================
    >>>
    >>>
    >>>
    >>> --------------------
    >>> >>Thread-Topic: ADMT password migration between 2 2003 servers using
    >>> Version 3.0
    >>> >>thread-index: AccCfvCf1kcEpD7BSqCS4Jen7JmLoA==
    >>> >>X-WBNR-Posting-Host: 12.149.99.25
    >>> >>From: =?Utf-8?B?Q3JhaWcgQg==?= <CraigB@discussions.microsoft.com>
    >>> >>References: <9F1ADFF3-F37E-4FBD-89AC-E0213E300B44@microsoft.com>
    >>> >>Subject: RE: ADMT password migration between 2 2003 servers using

    Version
    >>> 3.0
    >>> >>Date: Tue, 7 Nov 2006 07:11:02 -0800
    >>> >>Lines: 27
    >>> >>Message-ID: <C43C884E-0DCB-4C7C-A219-22324086B37B@microsoft.com>
    >>> >>MIME-Version: 1.0
    >>> >>Content-Type: text/plain;
    >>> >> charset="Utf-8"
    >>> >>Content-Transfer-Encoding: 7bit
    >>> >>X-Newsreader: Microsoft CDO for Windows 2000
    >>> >>Content-Class: urn:content-classes:message
    >>> >>Importance: normal
    >>> >>Priority: normal
    >>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    >>> >>Newsgroups: microsoft.public.windows.server.migration
    >>> >>Path: TK2MSFTNGXA01.phx.gbl
    >>> >>Xref: TK2MSFTNGXA01.phx.gbl
    >>> microsoft.public.windows.server.migration:25393
    >>> >>NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
    >>> >>X-Tomcat-NG: microsoft.public.windows.server.migration
    >>> >>
    >>> >>I had already turned off the Windows firewall as a troubleshooting

    test
    >>> but I
    >>> >>did enable Sid History still get same error. Would I need to reboot

    the
    >>> >>source server after enabling sid history??
    >>> >>
    >>> >>"Craig B" wrote:
    >>> >>
    >>> >>> All the help I have been finding is on ADMT v2 which doesn't seem

    to
    >>> match up
    >>> >>> well. Ran the PWDmig.msi install file on the source server and
    >>> rebooted also
    >>> >>> started the PES servcie with user account not local system. Created

    and
    >>> >>> installed pes key as well. I changed the reg key allowpassword

    export
    >>> as
    >>> >>> well and rebooted the server.
    >>> >>>
    >>> >>> Looking at Version 2 page KB 322981 I see a much different setup
    >>> procedure.
    >>> >>> This migration is for 2 2003 Forests already connected via trust.
    >>> >>>
    >>> >>> I can sucessfully migrate accounts and groups but not when i try to

    use
    >>> the
    >>> >>> Password export service.
    >>> >>> Constantly get "Unable to establish a session with the password

    export
    >>> >>> server. Access is denied"
    >>> >>>
    >>> >>> I haven't been able to find much in the way of articles on V3 of

    the
    >>> ADMT
    >>> >>> tool and the help in the tool itself is much different than what i

    am
    >>> finding
    >>> >>> for v2.
    >>> >>>
    >>> >>> Anyone know articles or tips?
    >>> >>>
    >>> >>> Thanks
    >>> >>
    >>>
    >>>

    >>



  7. #7
    Sean Murphy Guest

    Re: ADMT password migration between 2 2003 servers using Version 3.0

    Hi Craig,

    I do a lot of migrations and have experienced the same problem.
    Everytime it's been because I missed some simple detail.

    First, just to make sure it doesn't cause an issue, I always add
    Everyone and Authenticated Users to the Pre-Windows 2000 Compatible
    Access Group. You can remove these when you are finished with your
    migration.

    Then, install ADMT on a server in the TARGET domain.

    At the command line use the ADMT command to create the key:
    admt key /option:create /sourcedomain: SourceDomain
    /keyfile:KeyFilePath /keypassword:{password|*}

    I always save the key in the PES directory, then share that directory.

    Now, on your SOURCE DC map a drive to the \\TARGET_ADMT_Server\PES
    directory
    Run PWDMig.MSI and enter your keypassword (if you created one)
    After the installation, reboot and start the PES Service

    When you migrate a user using ADMT, select "Migrate Password" and it
    should ask for the "Password migration source DC"
    Be sure to select the DC where you installed PES

    Hope this helps.

    Regards,

    Sean Murphy
    Technical Architect
    Ensynch, Inc
    Whatever IT Takes


  8. #8
    Craig B Guest

    Re: ADMT password migration between 2 2003 servers using Version 3

    I did most of this except the Pre Windows 2000 group part you mentioned so I
    will try that and test again

    "Sean Murphy" wrote:

    > Hi Craig,
    >
    > I do a lot of migrations and have experienced the same problem.
    > Everytime it's been because I missed some simple detail.
    >
    > First, just to make sure it doesn't cause an issue, I always add
    > Everyone and Authenticated Users to the Pre-Windows 2000 Compatible
    > Access Group. You can remove these when you are finished with your
    > migration.
    >
    > Then, install ADMT on a server in the TARGET domain.
    >
    > At the command line use the ADMT command to create the key:
    > admt key /option:create /sourcedomain: SourceDomain
    > /keyfile:KeyFilePath /keypassword:{password|*}
    >
    > I always save the key in the PES directory, then share that directory.
    >
    > Now, on your SOURCE DC map a drive to the \\TARGET_ADMT_Server\PES
    > directory
    > Run PWDMig.MSI and enter your keypassword (if you created one)
    > After the installation, reboot and start the PES Service
    >
    > When you migrate a user using ADMT, select "Migrate Password" and it
    > should ask for the "Password migration source DC"
    > Be sure to select the DC where you installed PES
    >
    > Hope this helps.
    >
    > Regards,
    >
    > Sean Murphy
    > Technical Architect
    > Ensynch, Inc
    > Whatever IT Takes
    >
    >


  9. #9
    Craig B Guest

    RE: ADMT password migration between 2 2003 servers using Version 3.0

    Finally able to work on this again. I confirmed that Everyone and
    Authenticated users were part of the Pre Windows 2000 Group. Still getting
    the same error.

    2 things i did different, i didn't bother to put a password on the PES file
    but i dont' think that should matter. Also for the PES service I am using a
    account in the TARGET domain wasn't sure if maybe that should be the Source
    Domain.

    "Craig B" wrote:

    > All the help I have been finding is on ADMT v2 which doesn't seem to match up
    > well. Ran the PWDmig.msi install file on the source server and rebooted also
    > started the PES servcie with user account not local system. Created and
    > installed pes key as well. I changed the reg key allowpassword export as
    > well and rebooted the server.
    >
    > Looking at Version 2 page KB 322981 I see a much different setup procedure.
    > This migration is for 2 2003 Forests already connected via trust.
    >
    > I can sucessfully migrate accounts and groups but not when i try to use the
    > Password export service.
    > Constantly get "Unable to establish a session with the password export
    > server. Access is denied"
    >
    > I haven't been able to find much in the way of articles on V3 of the ADMT
    > tool and the help in the tool itself is much different than what i am finding
    > for v2.
    >
    > Anyone know articles or tips?
    >
    > Thanks


  10. #10
    Vincent Xu [MSFT] Guest

    RE: ADMT password migration between 2 2003 servers using Version 3.0

    Hi,

    Thanks for the knowledge sharing.

    Have a good day!


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others
    may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties,and confers no rights.
    ======================================================

  11. #11
    Sean Murphy Guest

    Re: ADMT password migration between 2 2003 servers using Version 3.0

    Hi Craig,

    The PES Service is running on your SOURCE domain controller and the
    service account should be in the same domain. Also, you don't need a
    password on you .pes file..

    Sorry for the delay, I misread your original post and the subsequent
    reply that made it look as though you had this working now.

    Regards,
    Sean Murphy
    Ensynch, Inc
    Whatever IT Takes

  12. #12
    Craig B Guest

    RE: ADMT password migration between 2 2003 servers using Version 3.0

    Blast I was really hoping that was it. I changed the service account to the
    to an account in the Source domain ( a domain admin just to remove any
    permission problems) restarted the sevice and tried again same exact error.

    I have made sure the pre windows 2000 security group has the everyone and
    authenticated users, turned off the local firewall and all the other tips in
    here.

  13. #13
    Join Date
    Jul 2011
    Posts
    2

    Re: ADMT password migration between 2 2003 servers using Version 3.0

    May I be so bold as to suggest that this tool just simply does not work for a great many people? Have you done a google search for admt problems? Have you read through their 128 page word doc on how to do this? Have you read the readme, most of which is all the crap that can go wrong?? Really Microsoft???

    This authentication issue is widespread, and unresolved on virtually every tech forum and blog I have come across. Even with everything set up exactly as MS tells you, AND after changing all the extra stuff you find on the forums that Microsoft did NOT tell you, the SID migration still will not work. Access is denied. How can two servers that trust each other deny access?? Why? What is the point to a trust if that doesn't fix it?

    On both servers I can log in with an account from the other. Trusts work? Damn right they do! Access still denied? Damn right it is. Do you want to know what the real problem with ADMT is? Microsoft screwed it up when they wrote it and they are not all that inclined to fix it. If it works for some they are perfectly happy. If I could get away from all things Microsoft and still have centralized logon management, I would jump on it yesterday.

  14. #14
    Join Date
    Jan 2012
    Posts
    1

    Re: ADMT password migration between 2 2003 servers using Version 3.0

    I has the same problem using admt 3.2 for migrating users from Windows 2003 R2 to Windows 2008 R2.

    To resolve the issue I used a domain admin user from the target domain to run the PES service in the source domain. And the happy new...
    It worked fine!

Similar Threads

  1. ADMT PC will not restart after migration
    By Spuddly77 in forum Windows Server Help
    Replies: 1
    Last Post: 03-02-2012, 07:04 PM
  2. More ADMT errprs during SID migration
    By Mark in forum Windows Server Help
    Replies: 8
    Last Post: 13-01-2012, 01:59 AM
  3. ADMT-security translation and user migration
    By suganthik in forum Active Directory
    Replies: 1
    Last Post: 22-05-2011, 01:00 AM
  4. ADMT V3 migration errors.
    By MS in forum Windows Server Help
    Replies: 5
    Last Post: 18-05-2010, 11:39 AM
  5. Computer Migration, w2003-w2003, ADMT v3
    By Francisco Vaz in forum Windows Server Help
    Replies: 4
    Last Post: 23-01-2008, 08:35 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,638,766,049.87530 seconds with 17 queries