| Author | Messages | |
AD000001431
Posts:0
 | | 12/16/2005 12:59 PM |
| I am using ADMT v3.0 to migrate users from one
2000/2003 forest to another 2003 forest. I have no trouble migrating users
however I cannot migrate passwords. I have the password migration service
installed on the PDC of the source domain. I have generated a key in the target
domain, then used it in the source domain during the installation of the
Password Migration Service. When I use ADMT to migrate the password I get
"unable to establish a session with the password export server. Access is
denied"
I have the password export service on the source machine running as the administrator on the target machine.
The trusts seem to verify OK, anyone have any idea?
Thanks
Lloyd | | | |
| bdesmond
Posts:368
 | | 12/16/2005 1:37 AM |
| Is there a firewall between the target DC and the PDC with the PES on it?
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
| | | |
| AD000001431
Posts:0
 | | 12/16/2005 2:08 AM |
| No, there was a local firewall on both, but I disabled them as part of the troubleshooting process.
| | | |
| AD000001431
Posts:0
 | | 12/16/2005 3:55 AM |
| Thanks for the reply. Yes, this is the document that I am using as my guide to do this.
The only part I am not sure about is the part that says the "users must have administrator rights in both domains."
As far as I can see it is not possible to add the Domain Admin from one domain to the Domain Administrators group in the other domain.
If you go into Active Directory Users and Computers to add accounts to Domain Admins, the only location you are given is that domain.
So I am assuming that the necessary rights come from creating the trust relationship. When I created this I used the Domain wide authentication option.
Can I assume that this gives Domain Admins in Domain1 appropriate rights to Domain 2?
Thanks
Lloyd

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, December 16, 2005 4:40 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Interforest Password Migration

Is everything configured as mentioned in http://support.microsoft.com/kb/326480
Cheers,
Jorge
This e-mail and any
attachment is for authorised use by the intended recipient(s) only. It may
contain proprietary material, confidential information and/or be subject to
legal privilege. It should not be copied, disclosed to, retained or used by, any
other party. If you are not an intended recipient then please promptly delete
this e-mail and any attachment and all copies and inform the sender. Thank
you. | | | |
| AD000001431
Posts:0
 | | 12/16/2005 4:26 AM |
| Another possible place where I may be messing up is that for my domain I have a domain policy that disables "Network Server Digitally sign communications" and disables "digitally encrypt secure data channels". As I have many different clients on the network (NT, Mac, 2000, etc.) it seems these digitally sign/encrypt settings can block communications. As the password migration requires encryption, do I need to re-enable these features?
Lloyd
| | | |
| ZJORZ
Posts:100
 | | 12/16/2005 7:05 AM |
| No. That domain wide authentication thing you mention is called selective authentication. Although the selection you made is OK, that is not what you need in this case to get admin permissions on the source domain. To read more about selective authentication see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/9266b197-7fc9-4bd8-8864-4c119ceecc00.mspx
Another thing...
On the outgoing trust (source --> target) SID filtering is enabled by default if the trust was created on a W2KSP4 DC or higher (it is disabled by default if the trust was created on a W2KSP3 DC or earlier).
For more info see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/31915de7-ff58-4f26-a8ec-450ffca75912.mspx
If you want to use sidhistory then SID filtering will have an impact on that. Disable it for the moment you use sidhistory if it is enabled.
To use an account that has full admin rights on both source and target environment (to migrate users, groups, computers, etc.) you can:
(1) add target domain admins to source domain administrators and add the SID of source domain admins to the sidhistory of target domain admins
(2) create a domain local group in the source domain. With restricted groups add that domain local group to the local administrators group of all computers where you need admin permissions. Add target domain admins to source domain administrators and the previously created domain local group
NOTE: to be able to create domain local groups in the source env. that source domain must at least be at Windows 2000 native
To use an account that has full admin rights on both source and target environment (to migrate only users and groups and passwords) you can:
(1) add target domain admins to source domain administrators
For the rest just follow: http://support.microsoft.com/kb/326480
Cheers,
Jorge
| | | |
| GuidoG
Posts:58
 | | 12/16/2005 8:02 AM |
| The account used by the PES does NOT have to have administrative credentials in the target domain! It can be a simple domain user from the source domain. The difference with the previous PES version is that now you don't need to have "Everyone" added to your "Pre-Windows 2000 compatible access" group, since that version of the PES was always executed in the Local System security context on the source DC. Now that you're using a service account it will be an "Authenticated User" even in the target domain via the trust. Naturally, you need to have an account with administrative rights on the source domain to install the PES service on a DC.
The account performing the migration via ADMT must only have administrative creds on the source domain's OU and on the target domain's OU where you create the accounts (so he doesn't need to be a domain admin) - if you want to use sidHistory along with this, then grant the account (obviously via a group) the permission to "Migrate-SID-History" at the domain level.
/Guido
| | | |
| GuidoG
Posts:58
 | | 12/16/2005 8:10 AM |
| Some minor corrections/comments:
- if you've created a forest trust (requires that source and target forest are running at Win2003 forest functional level), then SID filtering is not enabled by default
- pls. don't add any SIDs to the SIDhistory of the target domain admins group to gain rights in the source - this is not supported (at least not via ADMT) and considered bad practice (although it can be done technically). It is not a problem to grant appropriate rights to the account performing the migration, without requiring domain admin rights in the target (see my previous post).
- you can't add users from one domain to the domain admins group of another domain.
/Guido
| | | |
| GuidoG
Posts:58
 | | 12/16/2005 8:16 AM |
| Oh, forgot to add - if you are using SID-History, you do have to have admin rights in the source domain (either via membership of your migration user from the target domain in the local admin group of the source domain, or by entering a source domain admin's creds when prompted to do so in ADMT).
/Guido
| | | |
| Mylo
Posts:0
 | | 12/16/2005 8:21 AM |
| One other thing beyond what Jorge mentioned.... if you've Enabled "Disable [oxymoron :-)] anonymous SAM enumeration" via Group Policy you're also likely to end up with problems accessing resources.
Regards,
Mylo
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001431
Posts:0
 | | 12/16/2005 8:59 AM |
| I guess some progress now.
I get
Unable to establish a session with the password export server. The
source password server and the target password server do not have the
same encryption key
Now I run ADMT on the source server to do the migration.
I created the key by running
Admt key /opt:create /sd:"NETBIOSNAMESOURCEDOMAIN" /kf:c: /pwd:*
on the target server,
then moving the key to the source server when I install the pwdmig.exe
file.
Then do the migration using administrator on the source domain PDC.
Is there some other step?
Do I need to run the password migration service on the target server too?
Lloyd
| | | |
| GuidoG
Posts:58
 | | 12/16/2005 9:05 AM |
| Nope, PES is only required on the source.
Your install procedure sounds correct.
| | | |
| ZJORZ
Posts:100
 | | 12/16/2005 9:43 AM |
| Is everything configured as
mentioned in http://support.microsoft.com/kb/326480
Cheers,
Jorge | | | |
| ZJORZ
Posts:100
 | | 12/16/2005 11:54 AM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Mylo
Sent: Fri 12/16/2005 9:09 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Interforest Password Migration
One other thing beyond what Jorge mentioned.... if you've Enabled
Disable [oxymoron :-)] anonymous SAM enumeration via Group Policy you're
also likely to end up with problems accessing resources.
Regards,
Mylo
Almeida Pinto, Jorge de wrote:
> No. That domain wide authentication thing you mention is called
> selective authentication. Although the selection you made is OK, that
> is not what you need in this case to get admin permissions on the
> source domain. To read more about selective authentication see:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/9266b197-7fc9-4bd8-8864-4c119ceecc00.mspx
>
> Another thing...
> On the outgoing trust (source --> target) SID filtering is enabled by
> default if the trust was created on a W2K SP4 DC or higher (it is
> disabled by default if the trust was created on a W2K SP3 DC or earlier).
> For more info see:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/31915de7-ff58-4f26-a8ec-450ffca75912.mspx
>
> If you want to use sidHistory then SID filtering will have impact on
> that. Disable it for the moment you use sidHistory if it is enabled.
>
> To use an account that has full admin rights on both source and target
> environment (to migrate users, groups, computers, etc.) you can:
> (1) add target domain admins to source domain administrators and add
> SID of source domain admins to sidHistory of target domain admins
> (2) Create a domain local group in the source domain. With restricted
> groups add that domain local group to the local administrators group
> of all computers where you need admin permissions. Add target domain
> admins to source domain administrators and the previously created
> domain local group
>
> NOTE: to be able to create domain local groups in the source env.
> that source domain must at least be Windows 2000 native
>
> To use an account that has full admin rights on both source and target
> environment (to migrate only users and groups and passwords) you can:
> (1) add target domain admins to source domain administrators
>
> for the rest just follow: http://support.microsoft.com/kb/326480
>
> Cheers,
> Jorge
> ------------------------------------------------------------------------
> *From:* ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] *On Behalf Of *Lloyd Williams
> *Sent:* Friday, December 16, 2005 16:50
> *To:* ActiveDir@xxxxxxxxxxxxxxxxxx
> *Subject:* RE: [ActiveDir] Interforest Password Migration
>
> Thanks for the reply. Yes this is the document that I am using as my
> guide to do this.
>
> The only part I am not sure about is the part that says the "users
> must have administrator rights in both domains."
> As far as I can see it is not possible to add the Domain Admin from
> one domain to the Domain Administrators group in the other domain.
> If you go into Active Directory Users and Computers to add accounts to
> Domain Admins the only location you are given is that domain.
> So I am assuming that the necessary rights come from creating the trust
> relationship. When I created this I used the Domain wide
> authentication option.
> Can I assume that this gives Domain Admins in Domain1 appropriate
> rights to Domain 2?
>
> Thanks
> Lloyd
| | | |
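As an added, read-only check (not from the thread, ADMT or Microsoft's KB), the two trust settings Jorge's reply turns on, selective authentication and SID filtering, can be listed for the trust to the source domain before running ADMT. It assumes the ActiveDirectory PowerShell module from RSAT (Windows Server 2008 R2 or later, which postdates this thread); the domain name is a placeholder.

```powershell
# Added example: report the trust settings that matter for an ADMT migration
# that relies on sidHistory. It only reads; it changes nothing on the trust.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-MigrationTrustReport {
    param(
        # Name of the source (trusted) domain as it appears on the trust object
        [Parameter(Mandatory)] [string] $SourceDomain,
        # Optional target-domain DC to query
        [string] $Server
    )
    $query = @{ Filter = "Name -eq '$SourceDomain'" }
    if ($Server) { $query.Server = $Server }

    foreach ($t in Get-ADTrust @query) {
        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = $t.Direction            # Inbound, Outbound or BiDirectional
            TrustType               = $t.TrustType
            # Selective authentication: limits which target principals may
            # authenticate across the trust; it does not grant admin rights.
            SelectiveAuthentication = $t.SelectiveAuthentication
            # Quarantine is the SID-filtering flag: while it is on, SIDs carried
            # in sidHistory from the source domain are dropped at the trust.
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            SidHistoryFilteredNow   = [bool] $t.SIDFilteringQuarantined
        }
    }
}

# Run from the target domain; 'SOURCEDOM.example' is a placeholder.
Get-MigrationTrustReport -SourceDomain 'SOURCEDOM.example' | Format-List
```

If SidHistoryFilteredNow is True during a sidHistory-based migration, that matches the situation Jorge describes; SID filtering should be restored as soon as sidHistory is no longer needed.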