Domain Migrations between Windows 2003 and Windows 2008R2 forest to forest
Hello,
see the following blog from Santhosh about using ADMT:
http://www.sivarajan.com/admt.htmlBest regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
July 17th, 2011 10:14am
I am preforming a domain migration from Windows 2003 to Windows 2008R2. I have setup and configured the domain trust. I have setup and configured ADMT 3.2 and password migrator. I have sid history enabled and sid filtering disabled.
However here are the issues that I am encountering!
1. When I migrate the users to the target domain it forces a password change and also will not allow for access to the old domain.
2. No matter what I do the Windows 7 machines will not migrate. I get random failures from can find the admin$ share to errors around the the netlogon and workstation services not running. The firewall services is not running and there
are not other firewall services on the machine. If I just connect to the machine with
\\machinename\admin$ it works just fine. I am at a loss.
Any helpPreston Thornhill
Free Windows Admin Tool Kit Click here and download it now
July 17th, 2011 12:01pm
Already looked at this and preformed these functions but it did not resolve the issue.Preston Thornhill
July 17th, 2011 9:19pm
Hi,
Please make sure that the migration account has the required privileges on both domains and check the following list.
Checklist: Performing an Intraforest Migration
http://technet.microsoft.com/en-us/library/cc974337(WS.10).aspx
Regards,
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
tnmff@microsoft.com .Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 18th, 2011 12:17am
Did this did not resolve the issue/Preston Thornhill
July 18th, 2011 2:21pm
>>> will not allow for access to the old domain.
What do you mean by that?
Did you verify the SID History? Are you getting any error message when you access the resources in the source domain?>
>>> the Windows 7 machines will not migrate
Please post the error message from ADMT log file here.
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties,and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
July 18th, 2011 3:17pm
Here are the logs
Settings Section]
Task: User Migration (28)
ADMT Console
User: FENTON\administrator
Computer: FENTON-AD-02.fenton.ad (FENTON-AD-02)
Domain: fenton.ad (FENTON)
OS: Windows Server 2008 R2 Datacenter 6.1 (7601) Service Pack 1
Source Domain
Name: aeis.com (AEIS)
DC: stlad01.aeis.com (STLAD01)
OS: Windows Server 2003 5.2 (3790) Service Pack 2
OU:
Target Domain
Name: fenton.ad (FENTON)
DC: FENTON-AD-02.fenton.ad (FENTON-AD-02)
OS: Windows Server 2008 R2 Datacenter 6.1 (7601) Service Pack 1
OU: LDAP://fenton.ad/OU=Users,OU=Information Technology,OU=Fenton,DC=fenton,DC=ad
Intra-Forest: No
Password Option: Copy passwords, only for new objects = No
Password Export Server: stlad01.aeis.com
Migrate Security Identifiers: Yes
Update Rights: Yes
Translate Roaming Profiles: Yes
Fix group membership: Yes
Conflict Option: Merge, rights = No, members = No, move objects = Yes
Source Disable Option: Leave source account
Source Expiration: Do not expire source account
Target Disable Option: Set target same as source
Migrate groups: Yes
Update Migrated Objects: Yes
Migrate service accounts: Yes
[Object Migration Section]
2011-07-20 18:35:43 Starting Account Replicator.
2011-07-20 18:35:43 WRN1:7372 ADMT does not process BUILTIN accounts or change the membership of BUILTIN groups (Administrators, etc.). Skipping
LDAP://aeis.com/CN=Schema Admins,CN=Users,DC=aeis,DC=com
2011-07-20 18:35:43 WRN1:7372 ADMT does not process BUILTIN accounts or change the membership of BUILTIN groups (Administrators, etc.). Skipping
LDAP://aeis.com/CN=Enterprise Admins,CN=Users,DC=aeis,DC=com
2011-07-20 18:35:43 CN=Thornhill\, Preston - Created
2011-07-20 18:35:43 SID for AEIS\pthornhi added to the SID History of FENTON\pthornhi
2011-07-20 18:35:44 WRN1:7561 ADMT could not migrate some properties for this object type (user) due to schema mismatches. Please refer to the Schema Section in the migration log for a complete listing. The Schema Section will be available once
object migration is complete.
2011-07-20 18:35:44 WRN1:7857 Could not copy following properties for 'CN=Thornhill\, Preston'.
2011-07-20 18:35:44 showInAddressBook = CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=AEIS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=aeis,DC=com, ... A constraint violation occurred.
2011-07-20 18:35:44 CN=Thornhill\, Preston - Password Copied.
2011-07-20 18:35:45 ERR2:7566 Unable to move object CN=Domain Admins,CN=Users,DC=fenton,DC=ad to OU=Users,OU=Information Technology,OU=Fenton,DC=fenton,DC=ad. This is most likely due to a conflicting relative distinguished name (RDN). There is a naming
violation.
2011-07-20 18:35:45 ERR2:7301 Failed to migrate source object 'Domain Admins' to domain 'fenton.ad'. The target object could not be created. hr=0x80072037 There is a naming violation.
2011-07-20 18:35:45 WRN1:7372 ADMT does not process BUILTIN accounts or change the membership of BUILTIN groups (Administrators, etc.). Skipping
LDAP://aeis.com/CN=Schema Admins,CN=Users,DC=aeis,DC=com
2011-07-20 18:35:45 WRN1:7372 ADMT does not process BUILTIN accounts or change the membership of BUILTIN groups (Administrators, etc.). Skipping
LDAP://aeis.com/CN=Enterprise Admins,CN=Users,DC=aeis,DC=com
2011-07-20 18:35:45 WRN1:7372 ADMT does not process BUILTIN accounts or change the membership of BUILTIN groups (Administrators, etc.). Skipping
LDAP://aeis.com/CN=Administrators,CN=Builtin,DC=aeis,DC=com
2011-07-20 18:35:45 Granting privilege SeServiceLogonRight to pthornhi
2011-07-20 18:35:45 Updated user rights for CN=Thornhill\, Preston
2011-07-20 18:35:45 Operation completed.
Preston Thornhill
July 20th, 2011 7:45pm
>>2011-07-20 18:35:43 WRN1:7372 ADMT does not process BUILTIN
accounts or change the membership of BUILTIN groups (Administrators, etc.). Skipping
You can’t migrate built-in groups using ADMT.
>>2011-07-20 18:35:44 WRN1:7561 ADMT could not migrate some properties
for this object type (user) due to schema mismatches. Please refer to the Schema Section in the migration log for a complete listing. The Schema Section will be available once object migration is complete.
You have some types of Schema mismatch,
you need to exclude those attributes. Refer ADMT guide for info
>>2011-07-20 18:35:45 ERR2:7566 Unable to move object CN=Domain
Admins,CN=Users,DC=fenton,DC=ad to OU=Users,OU=Information Technology,OU=Fenton,DC=fenton,DC=ad
You can’t migrate Domain Admins.
Why are you trying to migrate Domain Admins?
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties,and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
July 20th, 2011 8:20pm
Thats fine I will reduce amount of groups I migrate. But this would not cause the issue that I am having?Preston Thornhill
July 20th, 2011 10:28pm
Hi,
I would like to confirm what is the current situation after reducing amount of groups? If there is anything that I can do for you, please
do not hesitate to let me know, and I will be happy to help.
Regards,
Arthur Li
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
tnmff@microsoft.com.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
July 28th, 2011 3:15am