Discussion:
More ADMT errors during SID migration
Mark
2004-11-09 16:22:57 UTC
This is what I've done:
I've established and verified two way trust
I'm logged in as Administrator on Target Domain (2003)
I've added Target domain admin group to local admin group on Source domain (NT)
I've enabled auditing on both domains
I've created a Registry Dword for TcpipClientSupport
I've delegated to Administrator on 2003 permission to create user and group
objects on the container I'm migrating to

When I try to run test migration I'm getting the following error on the
screen after I select SID migration :

Could not verify auditing and TcpipClientSupport on domains. Will not be
able to migrate SID's. Access is denied.

According to KB #322970 this indicated that the user doesn't have enough
permissions in one or both domains.
I'm using Administrator account which has Full Admin permissions in both
Domains?

What am I missing? - Mark
Bob Qin [MSFT]
2004-11-10 11:55:07 UTC
Hi Mark,

Thanks for your posting here.

What is the result if you log on to the target domain DC as the source domain
administrator?

Are there any members in the <Source Domain>$$$ group on the NT domains?

Did you restart DCs after you modified the registry?

I would like to suggest that you open the registry on the WinNT PDC and
make sure that the LOCAL SERVICE group has Read - Allow permissions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Note: you need to run regedt32.exe on Windows NT computer to modify
registry permission.

Then try to perform migration again.

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "Mark" <***@mitchellgold.com>
Subject: More ADMT errprs during SID migration
Date: Tue, 9 Nov 2004 11:22:57 -0500
Newsgroups: microsoft.public.windows.server.migration
Mark
2004-11-10 14:05:48 UTC
Post by Bob Qin [MSFT]
What is the result if you log on to the target domain DC as the source domain
administrator?

I get the same tools and access as AD Domain admin (target admin)

Post by Bob Qin [MSFT]
Are there any members in the <Source Domain>$$$ group on the NT domains?

There are no members - group is empty

Post by Bob Qin [MSFT]
Did you restart DCs after you modified the registry?

Yes I did
I'll follow your other suggestion -

Here are a few more observations:
ADMT should create (domainname$$$) group if one doesn't exist as well as it
should modify registry for TcpipClientSupport - since my original setup
didn't work I've deleted the Group and Registry entry - restarted and tried to
run ADMT again to see if it will create those entries - it didn't. I got the
same error as before which according to MS KB 322970 indicates that Account
which I'm using doesn't have all permissions needed. I did check and
rechecked the permissions and looks to me like all are correct.
I'm going to create a new user called Migrator add him to Admin Group on
Target Domain then add him to Admin Group on source domain - log in as him
to target DC and try to run ADMT again.
If you see anything else I'm missing please advise - Mark
Mark
2004-11-10 15:17:21 UTC
Bob
When you say Local Service needs to have Read permission - do you mean Local
System - if that's the case my System account has Full Control -

Mark
Bob Qin [MSFT]
2004-11-11 12:18:08 UTC
Hi Mark,

Please check the RestrictAnonymous setting on the Windows 2003 Domain
Controller under the following registry key:

HKLM\system\CurrentControlSet\Control\Lsa

Please make sure that the RestrictAnonymous registry value is set to 0.

If the problem still persists, please install ADMT on another DC in Windows
2003 domain and try to migrate again.

What is the result?

Regards,
Bob Qin
Microsoft Online Partner Support
Mark
2004-11-11 14:57:56 UTC
Bob

The registry setting you mentioned is set correctly.
I've been working on this with MS and they can't figure it out either. What
we did find out is that if I login to 2003 Domain with NT Admin account
migration tool is working fine. I'm using that login and hope for the best.
Appreciate your input - Mark
Bob Qin [MSFT]
2004-11-12 00:59:51 UTC
Hi Mark,

Thanks for your update.

In fact, it is recommended to log on to the target domain DC as the source
domain administrator account and perform migration. It will avoid some
unexpected issues.

Here are some documents that may be helpful.

HOW TO: Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
http://support.microsoft.com/?id=325851

Domain Migration Cookbook
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp>

Restructuring Windows NT 4.0 Domains to an Active Directory Forest
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbg_rent_overview.asp

Planning Migration from Windows NT to Windows 2000
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/migntw2k.asp>

Thank you again for using our newsgroup!

Regards,
Bob Qin
Microsoft Online Partner Support
Mark
2004-11-10 15:30:33 UTC
I've created new user on Target Domain added him to Domain Admin group -
then added him to Local Admin group on Source domain - logged in as him in
Target domain started ADMT and got the same message as before:
Could not verify auditing and TcpipClientSupport on domains. Will not be
able to migrate Sid's. Access is denied.

I'm trying to migrate just one user - if that's how the rest of my migration
and upgrade to Exchange 2003 will go I may as well kill myself now (just
kidding) - Mark
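
Added example, not part of the thread and not Microsoft's tooling: Python that evaluates captured `reg query` and `net localgroup` output against the three settings the replies ask about (TcpipClientSupport on the source PDC, RestrictAnonymous on the target DC, and an empty `<Source Domain>$$$` group). The sample output and the domain name SRC are constructed, and the expected TcpipClientSupport value of 1 is an assumption taken from Microsoft's ADMT setup guidance, since the thread only names the value.

```python
import re
# Constructed sample output, not from the thread; "SRC" is a made-up source domain name.
REG_SOURCE_PDC = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    TcpipClientSupport    REG_DWORD    0x1
"""
REG_TARGET_DC = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LimitBlankPasswordUse    REG_DWORD    0x1
    restrictanonymous    REG_DWORD    0x1
"""
NET_LOCALGROUP = """Alias name     SRC$$$
Comment

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
"""
DWORD_LINE = re.compile(r"^\s+(.+?)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_dwords(reg_query_text):
    """Map lower-cased value name -> int for each REG_DWORD line of `reg query` output."""
    hits = (DWORD_LINE.match(line) for line in reg_query_text.splitlines())
    # Registry value names are case-insensitive, so keys are lower-cased.
    return {m.group(1).lower(): int(m.group(2), 16) for m in hits if m}

def group_members(net_localgroup_text):
    """Members listed after the dashed rule of `net localgroup <name>`, or None if no rule."""
    lines = [l.strip() for l in net_localgroup_text.splitlines()]
    rule = next((i for i, l in enumerate(lines) if l and set(l) == {"-"}), None)
    if rule is None:
        return None
    return [l for l in lines[rule + 1:] if l and not l.startswith("The command completed")]

def check(source_reg, target_reg, group_text):
    """Return findings; an empty list means all three checks pass."""
    findings = []
    # RestrictAnonymous = 0 is from the thread; TcpipClientSupport = 1 is assumed (see lead-in).
    for role, text, name, want in (("source PDC", source_reg, "TcpipClientSupport", 1),
                                   ("target DC", target_reg, "RestrictAnonymous", 0)):
        got = parse_dwords(text).get(name.lower())
        if got != want:
            findings.append(f"{role}: {name} is {'missing' if got is None else got}, expected {want}")
    members = group_members(group_text)
    if members is None:
        findings.append("source PDC: $$$ group output not recognised")
    elif members:
        findings.append("source PDC: $$$ group has members: " + ", ".join(members))
    return findings
```
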