ADMT local user profile migration

Discussion in 'Server Migration' started by Dipti, Aug 18, 2005.

  1. Dipti

    Dipti Guest

    I am looking for guidance to migrate local user profiles.

    After a couple of unsuccessful attempts to translate the user
    profile via the security translation wizard, I finally used the computer migration
    wizard to migrate the local user profile. My clients are mostly Windows XP with
    some Windows 2000 Pro. After the profile migration, when I logged into the
    target domain with my XP machine, I had an error message: "windows can not
    load your profile because it may be corrupted. You may be logged in using a
    temporary user profile". I looked into the Documents and Settings folder. There
    are two profile folders: one is username.olddomainname, the other is
    username.newdomainname. I compared both; desktop icons did not show up in
    username.newdomainname. So it is not a successful profile migration.

    What is the best way to migrate 500 user profiles? At this time I am working
    in a test environment. I need to resolve this issue for the production domain
    migration soon.

    Thank you.
     
    Dipti, Aug 18, 2005
    #1

  2. Hi Dipti,

    To migrate a Local User Account, you need to use the Computer Account Migration
    Wizard.

    For the detailed steps, please refer to:

    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/78c31b1c-ccdb-4957-bac6-0aa7cd59909e.mspx>

    Note: When you perform Computer Selection or Translate Objects in the
    article above, please add computers or translate objects one by one. These
    methods are tested to work fine.

    Hope it helps.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Aug 19, 2005
    #2

  3. Dipti

    mote Guest

    Were the computers on the old domain already being used by the accounts in
    the new domain?
     
    mote, Aug 20, 2005
    #3
  4. Dipti

    Dipti Guest

    Perhaps I used the wrong terminology before. What I wanted to say is that the profile
    used by the domain users is a "local profile", not a roaming profile. I seem to
    have a problem with profile migration using the security translation wizard, even
    though I am logging in with domain admin credentials. I will run a few more tests
    to make sure I am not missing something. I will keep you posted.
     
    Dipti, Aug 23, 2005
    #4
  5. Dipti

    Dipti Guest

    I have retried the security translation wizard after migrating some computers and
    users but I did not have any luck with this wizard. I am pasting the error
    message for your review.

    2005-08-24 15:16:52 Created account input file for remote agents: DCTCache.045
    2005-08-24 15:16:52 Installing agent on 1 servers
    2005-08-24 15:16:52 The Active Directory Migration Tool Agent will be
    installed on \\sbmi-xpwrkstn2.testsbmi.local
    2005-08-24 15:16:52 ERR2:7625 Unable to connect to
    \\sbmi-xpwrkstn2.testsbmi.local\ADMIN$. The machine might be down or its
    Server, Netlogon service might not be started. rc=1722 The RPC server is
    unavailable.
    2005-08-24 15:16:52 ERR2:7014 The Active Directory Migration Tool Agent
    Service on \\sbmi-xpwrkstn2.testsbmi.local did not start. See the
    application log on \\sbmi-xpwrkstn2.testsbmi.local for details.
    2005-08-24 15:16:53 All agents are installed. The dispatcher is finished.


    DCTCache :045 input file content:

    jray jray user 0 459 475
    nray nray user 0 45a 470
    test1 test1 group 0 45b 46e
    test5 test5 group 0 46b 46f
    cbell cbell user 0 46d 476
    jpop jpop user 0 46e 477



    To test the RPC connection from the 2003 DC to the remote workstation I ran psexec
    and was able to connect to that PC, so the RPC connection is working. The Netlogon and
    RPC services are running on the workstation, 2003 DC and 2000 DC. Since these are XP
    machines, I also made sure the firewall is turned off.

    I am out of ideas now. I hope MS will look into this issue ASAP.

    Thanks.
     
    Dipti, Aug 24, 2005
    #5
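Added example, not part of the original posts: a small triage script for an ADMT dispatcher log like the one pasted in post #5. It rejoins the hard-wrapped lines, pulls out each ERR record with its target host and Win32 return code, and judges the run from those records rather than from the closing status line. The function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: ADMT dispatcher log excerpt shaped like the one posted
# above, with the same hard line wraps the forum introduced.
SAMPLE_LOG = r"""2005-08-24 15:16:52 Installing agent on 1 servers
2005-08-24 15:16:52 ERR2:7625 Unable to connect to
\\sbmi-xpwrkstn2.testsbmi.local\ADMIN$. The machine might be down or its
Server, Netlogon service might not be started. rc=1722 The RPC server is
unavailable.
2005-08-24 15:16:52 ERR2:7014 The Active Directory Migration Tool Agent
Service on \\sbmi-xpwrkstn2.testsbmi.local did not start. See the
application log on \\sbmi-xpwrkstn2.testsbmi.local for details.
2005-08-24 15:16:53 All agents are installed. The dispatcher is finished.
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
ERROR = re.compile(r"^(ERR\d*):(\d+) (.*)$")
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9._-]+)")
WIN32_RC = re.compile(r"\brc=(\d+)")

def records(text):
    """Rejoin wrapped continuation lines into one record per timestamp."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return out

def failures(text):
    """Return one dict per ERR record: time, code, target hosts, Win32 rc."""
    found = []
    for stamp, msg in records(text):
        m = ERROR.match(msg)
        if not m:
            continue
        rc = WIN32_RC.search(msg)
        hosts = sorted({h.rstrip(".").lower() for h in UNC_HOST.findall(msg)})
        found.append({"time": stamp, "code": m.group(1) + ":" + m.group(2),
                      "hosts": hosts, "rc": int(rc.group(1)) if rc else None})
    return found

def dispatch_succeeded(text):
    """True only if no ERR record exists; the final status line is ignored."""
    return not failures(text)
```

On the sample, the last line still reports "All agents are installed" although two ERR records name the same workstation, which is why the check keys on the ERR records.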
  6. Dipti

    Dipti Guest

    No. Please review my latest post. I now think the problem is with the translation
    wizard.
     
    Dipti, Aug 24, 2005
    #6
  7. Hi Dipti,

    Regarding the error message, I'd like to provide some articles as below:

    837366 The Active Directory Migration Tool displays a "RPC server is
    http://support.microsoft.com/?id=837366

    823735 Active Directory Migration Tool Version 2 Uses the DNS Name to Resolve
    http://support.microsoft.com/?id=823735

    Regarding the problem you describe in the first post, I think it is a
    SID-related issue. Such an issue may occur if the SID doesn't match after
    migration. You cannot use the Active Directory Migration Tool (ADMT)
    version 2.0 to migrate SID History for built-in groups such as the
    Administrators group, the Users group, or the Power Users group. This
    behavior occurs because the built-in account security IDs (SIDs) are the
    same in every domain. Therefore, if you migrate these accounts to a
    destination domain, duplicate SIDs exist in the destination domain.

    However, while you cannot use ADMT version 2.0 to migrate an SID history
    for built-in groups, you can migrate an SID history by using either of the
    following methods:

    - Use a third-party tool such as NetIQ.
    - Use the Sidhist.vbs Visual Basic script that is included with the
      ClonePrincipal Windows Server 2003 Support Tool.

    Hope it helps

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Aug 25, 2005
    #7
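Added example, not part of the original posts and not ADMT's own logic: it decodes binary SIDs as stored in the objectSid and sIDHistory attributes and separates BUILTIN aliases, whose SID is identical in every domain as post #7 describes, from domain-relative SIDs that are unique to the source domain. The sample SIDs, the function names and the decision strings are constructed for illustration.

```python
import struct

# BUILTIN-domain aliases named in the reply above (well-known RIDs).
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 547: "Power Users"}

def sid_to_str(raw):
    """Decode a binary SID: revision, count, 48-bit authority, 32-bit subs."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")      # big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # little-endian
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def classify(sid):
    """Return (kind, domain_part, rid) for a string SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    auth, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if auth == 5 and subs[0] == 32 and len(subs) == 2:
        return ("builtin", "S-1-5-32", subs[1])      # no per-domain component
    if auth == 5 and subs[0] == 21 and len(subs) == 5:
        return ("domain", "-".join(parts[:-1]), subs[-1])
    return ("other", None, None)

def sid_history_plan(raw_sids):
    """Map each source SID to a decision string (illustrative wording)."""
    plan = {}
    for raw in raw_sids:
        sid = sid_to_str(raw)
        kind, _, rid = classify(sid)
        if kind == "builtin":
            name = BUILTIN_ALIASES.get(rid, "BUILTIN alias")
            plan[sid] = "skip: %s has this SID in every domain" % name
        elif kind == "domain":
            plan[sid] = "eligible: SID is unique to the source domain"
        else:
            plan[sid] = "review manually"
    return plan

# Constructed samples: BUILTIN\Administrators and a made-up domain account.
SAMPLE_BUILTIN_ADMINS = bytes.fromhex("01020000000000052000000020020000")
SAMPLE_DOMAIN_USER = bytes.fromhex(
    "010500000000000515000000E8030000D0070000B80B000059040000")
```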
  8. Dipti

    Dipti Guest

    Thanks for your reply. Now I know we do need to get that Hotfix described in
    837366.
     
    Dipti, Aug 25, 2005
    #8
  9. Vincent Xu [MSFT], Aug 26, 2005
    #9
  10. Dipti

    Dipti Guest

    Sorry it took me so long to reply. I was on vacation last week.
    Yes, you are right. I will download SP1 today.

    I have a concern about file server permission issues. I believe I can use
    FSMT and/or ADMT computer migration for this purpose. What I am wondering is:

    If I want to migrate users, computers and user profiles in batches over the next few
    weeks to the new domain (2003) and my file servers and Exchange servers are
    still in the old domain (Windows 2000), is that going to pose a problem for file
    permissions and e-mail? I am going to migrate user accounts with SID history.
    We have a two-way trust set up between the domains.


    Dipti
     
    Dipti, Sep 6, 2005
    #10
  11. Hi Dipti,

    From your description, I suspect you have migrated all user accounts and
    some clients or member servers to the new domain but left the file server
    and Exchange server in the old domain.

    Please understand that in such a situation, you need to grant the user accounts in
    the new domain some necessary permissions in the old domain to make them
    available in the old domain. Treat them as 2 different, separate domains.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Sep 8, 2005
    #11
  12. Dipti

    Dipti Guest

    What I want to do in my production domain is migrate accounts with SID
    History (MS deployment guide, chapter 11, page 517 and onward). I believe I
    can migrate users in small groups instead of the whole company (500 users) at
    one time. Is there a step-by-step guide available for migration in small
    groups? There are so many unresolved issues in my test environment that I
    really worry about this production domain migration.

    I want to migrate users/computers/profiles etc. by department. For example, I will
    move the people who work in IT from the 2000 to the 2003 domain first, then people in
    engineering, project, etc. The purpose is to test migration success. This will
    give us the opportunity to correct any problem that arises with migration.

    My question is: when I migrate the users from the IT department to the Windows
    2003 domain, how will file access/e-mail access work for these migrated
    users? The file server and e-mail server are going to still be in the 2000 domain,
    which we will migrate to the 2003 domain after all users are migrated to the 2003
    domain.

    As I mentioned before, we have a two-way trust set up between the domains. We are
    planning to use FSMT for file server migration, and ADMT and the Exchange migration
    wizard for Exchange 2000 server migration.

    What is the recommended method for migration? Should I migrate the file
    server/Exchange server before user/computer migration? The Active Directory
    cookbook has a snapshot (figure 2.5) which shows the following order:


    global group migration
    user migration
    identify service account
    migrate workstation/member server ***
    migrate local profile
    migrate local group
    migrate service account
    update user right



    *** Is this where we need to do file server migration and Exchange server
    migration?
     
    Dipti, Sep 8, 2005
    #12
  13. Dipti

    Dipti Guest

    I applied SP1 on 2003 server. Tried to migrate user local profile again, I am
    still getting the "RPC server unavailable" message. What is next? Account I
    am using for migration has domain admin rights.
     
    Dipti, Sep 8, 2005
    #13
  14. Hi,

    On the Source domain DC :

    1. Make sure the DHCP server service is disabled.
    2. In DNS make sure the only forwarder listed is the internal IP address
    of the Target Domain DC. To check this follow these steps:

    a. Go to Start, Programs, Administrative Tools, DNS.
    b. Right click on the servername and choose Properties.
    c. Click on the forwarders tab. The only IP listed should be the internal
    IP of the Target Domain DC.

    3. Make sure the Remote Procedure Call (RPC service) is running. The
    default settings for RPC and RPC locator services are: Automatic and
    Started.


    On the Target domain DC:

    1. Make sure the DHCP server service is running.
    2. Make sure the Remote Procedure Call (RPC) service is set to Automatic
    and running. The RPC Locator service should be set to Manual and not
    running.
    3. In DNS make sure the only IP listed in the Forwarders is the Internal
    IP address of the source domain side.
    4. Check to see if the client machines have A (host) records in DNS. If
    not, manually create host records and check the box to create the
    associated PTR record. If the host records are there check for a PTR
    record. If it is missing create it manually.

    On the Clients:

    1. Make sure the Remote Procedure Call (RPC) service is running.
    2. Make sure that File and Print Sharing is checked on the properties of
    the Local Area Connection.
    3. Make sure there is an IPC$ and Admin$ share.
    4. At a command prompt run IPConfig /release then IPConfig /renew.
    Verify that the IP address is in the same range as the Target domain DC.

    Hope it helps.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Sep 9, 2005
    #14
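Added example, not part of the original posts: a pre-check for two items from the checklist in post #14, namely that each client has an A record with a PTR record pointing back to it, and that the RPC endpoint mapper (TCP 135) and SMB (TCP 445, which carries ADMIN$ and IPC$) answer on the client. The function names are constructed; the resolver and connect functions are parameters so the logic can be exercised without a network.

```python
import socket

def dns_findings(host, forward=socket.gethostbyname_ex,
                 reverse=socket.gethostbyaddr):
    """Report a missing A record, missing PTR, or PTR that names another host."""
    findings = []
    try:
        _, _, addrs = forward(host)
    except OSError as exc:          # gaierror and herror derive from OSError
        return ["no A record for %s (%s)" % (host, exc)]
    wanted = host.lower().rstrip(".")
    for ip in addrs:
        try:
            name, aliases, _ = reverse(ip)
        except OSError:
            findings.append("no PTR record for %s" % ip)
            continue
        names = {n.lower().rstrip(".") for n in [name] + list(aliases)}
        if wanted not in names:
            findings.append("PTR for %s is %s, not %s" % (ip, name, host))
    return findings

def port_findings(ip, ports=(135, 445), timeout=2.0,
                  connect=socket.create_connection):
    """Report which of the RPC/SMB ports do not accept a TCP connection."""
    findings = []
    for port in ports:
        try:
            connect((ip, port), timeout).close()
        except OSError:
            findings.append("TCP %d on %s not reachable" % (port, ip))
    return findings

def precheck(host, ip):
    """Combined findings for one client; an empty list means both checks passed."""
    return dns_findings(host) + port_findings(ip)
```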
  15. Dipti

    Dipti Guest

    Thank you Vincent. I will let you know the result as soon as I get the chance
    to test.

    I have another post dated 9/8/05 in response to your answer on 9/7/05, in
    the same thread. Would you please review that post and tell me what needs to
    be done differently if migration of users/computers etc. does happen in
    small batches? How will file/Exchange permissions be affected? I sincerely
    appreciate your help.
     
    Dipti, Sep 9, 2005
    #15
  16. Hi,

    My understanding of your concern is: after you migrated part
    of the users to the new domain, whether they can access the resources in the old
    domain such as shared folders and Exchange.

    Of course the users in the new domain can access the resources in the old domain
    since you have built a 2-way trust between them.

    Regarding the shared folder, you need to grant the permission to the user
    account in new domain.

    Regarding the exchange, you need to associate the external user account
    with the exchange server. Please refer to following article:

    322890 How to associate an external account with an existing Exchange 2000
    http://support.microsoft.com/?id=322890

    Hope it helps.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Sep 12, 2005
    #16
  17. Dipti

    Dipti Guest

    Sorry it took me so long to get back to you. After a long try with ADMT 2, I
    finally downloaded ADMT V3. I have a few observations which I want to share
    with you and get some feedback.

    Here are the details:



    Questions regarding ADMT V3.

    When migrating user accounts from the source to the target domain using the “user
    migration wizard”, I initially chose to keep the migrated accounts disabled
    in the target domain, and kept them enabled in the source domain.

    I also tried to “migrate password”, but kept getting the error message
    “could not connect to PES server”, even though I can ping the PES server in
    the source domain from the target domain DC where I am running ADMT. I chose to
    select “create complex password”.


    I migrated the local and global groups, migrated computer, user profile etc.
    using the group migration wizard and the computer migration wizard.

    I reran user migration once again on the same users, this time asking to
    enable accounts in the target domain and disable after 30 days in the source domain.


    Here are my problems:

    When I look at AD Users and Computers, I see the accounts are still disabled.
    I manually enable the accounts. When I try to log on to the target domain
    with the password generated by ADMT, I get the error message “access
    denied”. I have to reset the password manually. (This is OK in the test domain but
    for the production domain it is a big inconvenience.)

    After migration, I checked the local profile (we do not use roaming
    profiles). I see profiles are copied but drive mappings are not there. Also
    the Outlook profile did not transfer. I compared the username.newdomain folder
    with the username.olddomain folder. Seems OK.


    Now here is my test domain situation:

    I have two-way trusts between domains in two forests. My file server and
    Exchange servers are still in the source domain and preferably will be in
    this state for a while until I am able to migrate all users. Given the
    situation, my question is: do I need to migrate the file server and Exchange
    server to the target domain for everything to work?

    Thanks for any feedback you can provide me.
     
    Dipti, Oct 5, 2005
    #17
  18. Hi Dipti,

    Let's make the situation clearer before we go any further.

    From your post, I noticed that you are using ADMT V3 now. How about ADMT
    V2? Did you use it successfully? As you said, you reran user migration once again
    on the same users and enabled these accounts in the target domain, and after
    migration you found these accounts still disabled. Am I right? After you
    changed the password, the user account can be logged in, am I right?

    Regarding your second question, I think you need to migrate the member server
    after the user profile migration is done.

    Let me know about the questions above. Thanks.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Oct 7, 2005
    #18
  19. Hi Dipti,

    In addition, please open a new post for this issue and please don't forget
    the information I asked for.

    Thanks for your cooperation.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security


    --------------------
     
    Vincent Xu [MSFT], Oct 7, 2005
    #19
  20. Dipti

    Dipti Guest

    ADMT V2 did not let me transfer the local profile. That is why I downloaded
    V3. I am opening a new post with the subject line: ADMTV3 Questions

    Yes, with version 3, I was able to migrate user, computer, local profile.
     
    Dipti, Oct 7, 2005
    #20