Active Directory Migration Tool : Password Service Error

  • Active Directory Migration Tool : Password Service Error

    New Environment:

    Forest 01 with 1 domain: dev.x.tld

    Forest 02 with 3 domains: x.tld, prod.x.tld, and office.x.tld

    All domain controllers are Windows 2008 R2, but office is at functional level Windows 2003 (because we'll be importing some Windows 2003 servers in the near future).

    An inter-forest 2-way trust relationship exists between dev and office. The original plan was to join dev.x.tld to the x.tld forest last night, but then I discovered that wasn't going to be as trivial as I thought, and migrating user accounts to office is more important right now.

    I am trying to migrate accounts from dev to office using Active Directory Migration Tool (ADMT) 3.2. ADMT Database is SQL Server Express 2008 SP2.

    Password Export Server (PES) service is installed on , using a PES key generated on

    PES service logs on with office\admt credentials, a service account I created for ADMT.

    office\admt is a member of Domain Admins in office.x.tld, and (Built In) Administrators in dev.x.tld

    When I try to migrate a user account and password from dev to office (explicitly setting dcd01 as source DC and dco01 as target DC, and not just using the "any domain controller" options), I get the following error:
    Unable to establish a session with the password export server.
    The source password export server and the target server do not have the same encryption key for the source domain.
    The account I am using is a Domain Admin in dev, and member of (Built In) Administrators in office.

    I am at wit's end, as it took me all afternoon just to figure out some "bad password" errors when trying to install PES (for some strange reason, using the NETBIOS domain name instead of the DNS domain name to generate the key worked. It must be an undocumented feature), and resolve all sorts of other issues to get this far.

    I created another server in dev to run ADMT on, so I could make office\admt a local administrator on that server and log in with the office\admt account. However, even as a local administrator, office\admt cannot open Active Directory Migration Tools (see screen shot below):
    Active Directory Migration Tool
    Unable to check for failed actions. DBManager.IManageDB.1 :
    Cannot open database "ADMT" requested by the login. The login failed.
    Yet it works fine when I log in as myself.

    I have no idea what else to try at this point.

    That I'm here at 8:00 pm on Saturday night, after working on this for the past 8 hours, gives you an idea of how desperate I have become.
    Last edited by Robert R.; 17th April 2011, 03:35.

  • #2
    Re: Active Directory Migration Tool : Password Service Error

    After stepping back for a day and starting with a (somewhat) clear head, I found something useful (emphasis in original):
    9. This is the step that’s not in the instructions – even though the password encryption file was supplied during the installation of the ADMT Password Migration DLL, it still needs to be imported manually on the PDC Emulator, by shelling out to a command prompt and entering the following commands:

    cd %systemroot%\ADMT
    admt key /option:import /sourcedomain:domainname /keyfile:filename.pes
    Sure enough, it's not in the instructions. And for some reason, Mark Wilson's blog was the first result from Google this afternoon, but wasn't even in the top 20 last night. Or maybe I'm just getting old and forgetful.

    Unfortunately, I get the following error
    c:\admt>admt key /option:import /sourcedomain:dev /keyfile:admtkeyx.pes

    Unable to import key. The specified network password is not correct. (0x80070056)
    Last edited by Robert R.; 18th April 2011, 05:13.


    • #3
      Re: Active Directory Migration Tool : Password Service Error

      Hi Robert,

      I was scratching my head for hours over the same problem!! Finally able to fix it..

      This is what I did...

      I installed
      -ADMT 3.1 on a "Target Domain Controller"
      -ADMT Password Migration DLL 3.1 on a Target Domain Controller

      On the Target Domain Controller I created a .pes file with a password included

      example (DomainA is a source domain and DomainB is a target domain)

      in this case I created the key file on path C:\

      >admt key /opt:create /kf:c:\domaina.pes /pwd:Pa$$w0rd

      Next Step...

      ***Copy the key file which was just created to the Source Domain Controller

      Install ADMT Password Migration DLL 3.1 on a SOURCE DOMAIN Controller

      While installing Password Migration DLL 3.1 it will ask for the .pes file --> just point to the path that stores the domainA.pes file

      + Specify Target Domain's Administrator account to run Password Export Server Service instead of a Local System Account (Trust relationship between the two domains is required, Hope you're aware of this otherwise you won't see Administrator account of the target domain)

      Nevertheless, you still need to IMPORT the key file to the Password Migration Server. Don't ask me why...

      so go back to %systemdrive%/admt of the Source Domain Controller...and

      admt key /opt:import / /kf:c:\domainA.pes pwd:Pa$$word

      and that's it....

      please let me know if this helps..
      Last edited by Kevin_BKK; 24th April 2011, 09:53.


      • #4
        Re: Active Directory Migration Tool : Password Service Error

        Sorry, the page is just giving the smile icon. It should read:

        >admt key /opt:create /kf:c:\domaina.pes /pwd:Pa$$w0rd


        >admt key /opt:import / /kf:c:\domainA.pes /pwd:Pa$$w0rd