Announcement

Collapse
No announcement yet.

Local profile migration problem with ADMT

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Local profile migration problem with ADMT

    I'm having a problem with migrating local user profiles on a winxp pro machine. I have sucessfully migrated a test user and groups from my NT4 domain to AD , and the next step as I understand the process is to migrate the profiles (local not roaming).
    I run the security translation wizard and follow the settings here: http://technet.microsoft.com/en-us/l.../cc773340.aspx

    When I start the migration it passes the pre migration check and starts the migration proper but then seem to hang. After a few minutes if I select the winxp box in the wizard and click on agent detail it reports that the Agent Progress "Completed with Errors". But the agent is showing as "running" in the main admt window. There seems to be no way to stop the agent from here without ending the task.

    If I logon to the winxp box I find that the machine has been renamed to "no." but this account is not a member of either source or destination domains.(I have not migrated the machine account to the destination domain yet).
    I then have to logon as the local admin and rejoin the machine to the source domain (having deleted the account from the source domain first).

    If I then reboot and logon as my source domain test account I find that the account has not migrated ie it is still associated with 'source domain\test user'.

    I've been though this loop about half a dozen times now and I have no clue why this is going on. No errors are reported in the event log on the xp box. The admt service logs 12 events the last of which is :

    Started job: {5D5D16AE-0863-4351-9EC6-F3399E98E499}

    I can connect to remote registry on the xp box using the account (dest domain domain admin) I'm running admt as , proving that the account is a local admin of the xp box.

    The big picture is that I'm trying to move users from an NT4 domain to join an existing AD domain which already has another group of users from a daughter company.

    Any help greatly appreciated.

    Mike

  • #2
    Re: Local profile migration problem with ADMT

    two things.
    1) you could always look at the log files generated on the ADMT folder on the server that is running the ADMT.
    2) security translation has to be done after successfully migrating the user and after you Migrate the machine/PC, only then you run the security migration wizard.
    now as you mentioned (not sure if that is the case) you have duplicate account names on both of the domains?
    if so the account was not migrated, hence Security translation would fail.

    Comment


    • #3
      Re: Local profile migration problem with ADMT

      Thanks for the reply, there's nothing useful on the server where I'm running the admt , the last thing in the log is :
      2008-11-25 09:55:57 Started job: PC0102 000027_PC0102 {5D5D16AE-0863-4351-9EC6-F3399E98E499}
      as per the event log on the target machine.

      Following this technet article http://technet.microsoft.com/en-us/l.../cc781932.aspx I should be doing user/groups then profiles then machine accounts....is there are consenus that machines are better migrated before profiles?

      In answer to your last parahraph, once I have done the user account migration I have duplicate users on both domains,and I can log in as either on workstations.

      Has anyone got any info on the services that are required for the admt agent to run?

      Mike

      Comment


      • #4
        Re: Local profile migration problem with ADMT

        Originally posted by 4262mikeb View Post
        is there are consenus that machines are better migrated before profiles?
        Are we talking about local user profiles or roaming profiles?

        Originally posted by 4262mikeb View Post
        In answer to your last parahraph, once I have done the user account migration I have duplicate users on both domains,and I can log in as either on workstations.
        I wasn't referring to duplicates after migration, I was referring that if you had a User account under the name of "user01" in the old domain and you have the same user account name "user01" on the new domain even b4 you tried the migration, then you try migrating the user, that would fail/or not - depends on what you picked.

        Originally posted by 4262mikeb View Post
        Has anyone got any info on the services that are required for the admt agent to run?
        please elaborate

        Comment


        • #5
          Re: Local profile migration problem with ADMT

          Originally posted by Akila View Post
          Are we talking about local user profiles or roaming profiles?
          Local profiles

          Originally posted by Akila View Post
          I wasn't referring to duplicates after migration, I was referring that if you had a User account under the name of "user01" in the old domain and you have the same user account name "user01" on the new domain even b4 you tried the migration, then you try migrating the user, that would fail/or not - depends on what you picked.
          No there are no duplicate names before the migration

          Originally posted by Akila View Post
          please elaborate
          I discovered I needed the remote registry service enabled (it wasn't) and thought there might be others that aren't being flagged up in the event log.

          Might moveuser.exe be a better way to do what I need to do?

          Mike

          Comment


          • #6
            Re: Local profile migration problem with ADMT

            in your case you must migrate the Machine before you run a security translation for migration User Profiles.

            Comment


            • #7
              Re: Local profile migration problem with ADMT

              ok will try that method

              Mike

              Comment


              • #8
                Re: Local profile migration problem with ADMT

                Originally posted by Akila View Post
                in your case you must migrate the Machine before you run a security translation for migration User Profiles.
                Ok so I tried migrating the machine account then followed up with migrating the local profile using the security migration wizard and I got the same result as per the OP except that now the machine is trying to rename itself to no.target domain .

                (This time I tried running the wizard with credentials of the domain admin for the source domain.)

                Feel like I'm getting some sort of special treatment here

                Mike

                Comment


                • #9
                  Re: Local profile migration problem with ADMT

                  please follow the procedure I wrote
                  http://forums.petri.com/showthread.php?t=26101
                  after that tell me exactly step by step what you trying to do (tell me everything including user logon to the ADMT , where it is installed , etc).

                  Comment


                  • #10
                    Re: Local profile migration problem with ADMT

                    First off the proceedure doen't quite apply because the source domain is NT4 but in light of the proceedure here is what I've done:
                    for info:
                    On source domain there is only a PDC
                    On the target domain there are 2 DC, w2k and w2k3

                    1. The target DC has DNS installed and working.
                    2. The target DC has a secondary zone for the source domain DNS.
                    3. Can't be done on NT4 (DC isn't running DNS anyway)
                    4. I have verified using nslookup that I can get the IP of the source domain DC (and other hosts) on the target domain DC.
                    5. There is a 2 way trust between target and source domains. This has been in place for years and works fine.
                    6. I have checked that SID filtering is disabled on the target DC. Don't know if I need to do this on the source domain..?
                    7. registry key “AllowPasswordExport” to DWORD 1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\LSA on the Source Domain DC is set
                    8. Not applicable - NT4
                    9. Going to run ADMT as target domain "admin" account on target DC (w2k3)
                    10. target domain "admin" is a domain administrator
                    11. ADMT installed on target domain DC (w2k3)
                    12. target "domain admins" and target "admin" and source "domain admins" and source "administrator" added to built in administrators group on target DC (w2k3)
                    13. target "domain admins" and target "admin" added to local administrators group on source DC
                    14. target "admin" user is admin for domain and built in administrators group. Couldn't find a "migrate SID history" permission to set? target "admin" has full control of domain and all OU's
                    15. "Audit Account Management" is set to Audit both Success & Failure
                    16. group sourcedomain$$$ created on source domain
                    17. created PD key
                    18. moved pes key to source DC
                    19. installed PES on source DC

                    Not quite as per your instructions but pretty close and I can migrate users and groups without problems so I don't think much if anything is wrong with the steps above.

                    Then I migrated my test user account and all the groups that the user is a member of to the target domain without any problems.

                    Then I tried to migrate the local profile of the test user on a winxp machine and thats where I'm stuck as per the original post.

                    I've subsequently run admt on the target domain DC as the source domain "administrator" account and tried to migrate the profile, this has the same effect as the OP.

                    I'm wondering if this has more to do with the xp box than admt and server/domain setup.

                    Mike

                    Comment


                    • #11
                      Re: Local profile migration problem with ADMT

                      I am not quite sure about migration from NT4 , since I did not read the Procedure document on that , neither I tried it before.
                      Since NT4 is not based on DNS , then the DNS swapping is not really helpful.

                      What error do you get?

                      what you should try and doing is work your way with WINS.
                      on the ADMT server configure both the wins server of the source domain and target domain in it's TCP/IP settings.
                      The question is are those clients from the NT4 domain have in their TCP/IP settings a DNS server configured to be using? and if so what DNS server it uses?
                      what you could try are few things.
                      1) configure a client to be using the DNS server of the target domain
                      and see if it regersters it's record there, then try migrating it.
                      2) if that doesn't work, try and enter in the Target domain WINS the client WINS entry manually (static record) and see if you could migrate it.
                      3) those XPs that are on the Source domain , what is their DNS suffix? you could see it in IPCONFIG or in the propeties of my computer -> computer name.
                      if it is other then your target domain zone then what you could do is create that zone in your DNS and see if the client regesters there.
                      4) the last thing to eliminate a DNS resolving problem between the ADMT server/Client is by adding in the hosts file on both machines the IPs of both client and the ADMT server.

                      the last thing you should notice is, that when you run the program (ADMT) you should run it with a target Admin User and not the Source Admin user, during the computer/security wizard you would be asked to enter the Source Admin User, only do it that way , not the other way around.
                      Last edited by Akila; 4th December 2008, 14:00.

                      Comment


                      • #12
                        Re: Local profile migration problem with ADMT

                        Originally posted by Akila View Post
                        during the computer/security wizard you would be asked to enter the Source Admin User, only do it that way , not the other way around.
                        Should you be asked for the source admin user each and every time you run the security wizard or do the credentials get cached once you've run the wizard once? I haven't been asked for the credentials on my recent attempts...

                        Mike

                        Comment


                        • #13
                          Re: Local profile migration problem with ADMT

                          every time, no caching.

                          Comment


                          • #14
                            Re: Local profile migration problem with ADMT

                            I'm pretty sure I've got this cracked, possibly inevitably is was a DNS problem. I'll elaborate just in case there is anyone else left on the planet migrating an NT4 domain..

                            I have 2 target DCs , one in the US and one local to my office in the UK. I was forcing ADMT to use the local one for obvious reasons. When I removed this restriction and let admt use which ever dc it wanted I got some error messages which got me moving in the right direction.

                            Firstly:
                            ERR2:7711 Unable to retrieve the DNS hostname for the migrated computer 'PC0102'. The ADSI property cannot be found in the property cache.

                            Fixed by changing DHCP to use local AD DC as first dns server. DHCP was handing out DNS servers which were working fine for the NT4 domain but of course they're not much use for dynamic DNS needed for AD. I also changed the reverse IP secondary zone for the local IP network to be AD integrated.
                            This change also got ADMT working correctly against the local DC because I think the reverse DNS for the local DC had been broken.

                            Then I got:
                            ERR3:7194 Could not open input file C:\Program Files\OnePointDomainAgent\Accounts000037.txt

                            Fixed by deleting HKLM\Software\Microsoft\ADMT on the machine I was trying migrate profiles on.

                            Then it worked.

                            except for 1 error per profile like:

                            WRN1:7644 Unable to translate Microsoft Installer related registry keys

                            It would be nice to fix this so I have a completely clean migration, but this issue doesn't seem to be affecting the usablility of the migrated profile...so far.

                            Mike

                            Comment


                            • #15
                              Re: Local profile migration problem with ADMT

                              thanks for sharing

                              Comment

                              Working...
                              X