ADMT2 migrating passwords problem

Discussion in 'Server Migration' started by Rocky, Aug 4, 2004.

  1. Rocky

    Rocky Guest

    Hello,

    I am trying to move user accounts from an nt4 domain to a pristine windows
    2003 domain.
    Admt2 is installed on the 2003 domain controller (the only 2003 DC in the
    domain).

    I have installed the Password Migration DLL onto the NT4 server

    I have followed MS instructions on configuring the various trust, group
    membership, registry , group policy and auditing settings on the source and
    target DCs.

    However when I try to migrate the NT4 user accounts along with their
    passwords, I run into an error immediately at the step where you specify the
    password export server and click next. I get an error box with the message
    "Unable to establish a session with the password export server. The
    authentication service is unknown.

    (I can migrate the user accounts without their original passwords but I want
    to migrate their respective passwords to simplify things).

    Before I attempted this migration, I set up a similar domain structure at
    home and the password migration worked flawlessly.

    I would greately appreciate any assistance in resolving this problem.

    Many thanks ,

    Rocky
     
    Rocky, Aug 4, 2004
    #1
    1. Advertisements

  2. Rocky

    Feng Mao Guest

    Hi Rocky,

    Thank you for posting!

    Generally speaking, such error message can be caused by one of the below
    configuration problems:

    The Password Export Server has not been configured with the Password
    Migration DLL and an encryption key for the target server.

    -or-

    The encryption key was created and installed, but ADMT is running on a
    different computer than the computer that created the encryption key.
    Password Migration encryption keys are valid per-computer instead of
    per-domain.

    As I know, you have configured the Password Migration DLL on the Password
    Export Server, please take a look at the remained configuration.

    For additional information about how to troubleshoot the password migration
    with ADMT v2, please visit the below article in Microsoft knowledge base:

    322981 How to Troubleshoot Inter-Forest Password Migration with ADMTv2
    http://support.microsoft.com/?id=322981

    Have a nice day!

    Thanks & Regards,

    Feng Mao [MSFT], MCSE
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    --------------------
    | From: "Rocky" <>
    | Subject: ADMT2 migrating passwords problem
    | Date: Wed, 4 Aug 2004 23:08:59 +1000
    | Lines: 32
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    | Message-ID: <>
    | Newsgroups: microsoft.public.windows.server.migration
    | NNTP-Posting-Host: dialup-243.144.221.203.acc02-geor-mor.comindico.com.au
    203.221.144.243
    | Path:
    cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10
    .phx.gbl
    | Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.migration:12637
    | X-Tomcat-NG: microsoft.public.windows.server.migration
    |
    | Hello,
    |
    | I am trying to move user accounts from an nt4 domain to a pristine windows
    | 2003 domain.
    | Admt2 is installed on the 2003 domain controller (the only 2003 DC in the
    | domain).
    |
    | I have installed the Password Migration DLL onto the NT4 server
    |
    | I have followed MS instructions on configuring the various trust, group
    | membership, registry , group policy and auditing settings on the source
    and
    | target DCs.
    |
    | However when I try to migrate the NT4 user accounts along with their
    | passwords, I run into an error immediately at the step where you specify
    the
    | password export server and click next. I get an error box with the
    message
    | "Unable to establish a session with the password export server. The
    | authentication service is unknown.
    |
    | (I can migrate the user accounts without their original passwords but I
    want
    | to migrate their respective passwords to simplify things).
    |
    | Before I attempted this migration, I set up a similar domain structure at
    | home and the password migration worked flawlessly.
    |
    | I would greately appreciate any assistance in resolving this problem.
    |
    | Many thanks ,
    |
    | Rocky
    |
    |
    |
     
    Feng Mao, Aug 5, 2004
    #2
    1. Advertisements

  3. Rocky

    Karl Weber Guest

    Hi Feng and others,

    I have the same problem as described by rocky. There occurs the same error
    message when I specify the PES. I also have followed the MS instructions.

    My Question:
    How can I determine wether the Password Migration DLL has been startet on
    the PES? Which process must have been startet and where in the registry is
    the key for that start?

    Many thanks

    Karl Weber
     
    Karl Weber, Aug 10, 2004
    #3
  4. Rocky

    Feng Mao Guest

    Hi Karl,

    As I know, the below process must be proceed on the PES.

    To install the password migration DLL:


    1. Log on as an administrator or equivalent to the computer on which ADMTv2
    is installed.

    2. At a command prompt, run the "ADMT KEY <sourcedomain><path> [* |
    password]" (without the quotation marks) command to create the password
    export key file (.pes). In this example, <sourcedomain> is the NetBIOS name
    of the source domain and <path> is the file path where the key will be
    created. The path must be local, but can point to removable media such as a
    floppy disk drive, ZIP drive, or writable CD media. If you type the
    optional password at the end of the command, ADMT protects the .pes file
    with the password. If you type the asterisk (*), ADMT prompts for a
    password, and the system will not echo it as it is typed.

    3. Move the .pes file you created in step 2 to the designated Password
    Export Server in the source domain. This can be any domain controller, but
    make sure it has a fast, reliable link to the computer that is running ADMT.

    4. Install the Password Migration DLL on the Password Export Server by
    running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on
    the Windows Server 2003 installation media, or the folder to which you
    downloaded ADMTv2 from the Internet.

    5. When you are prompted to do so, specify the path to the .pes file that
    you created in step 2. This must be a local file path.

    6. After the installation completes, you must restart the server.

    7. If you are ready to migrate passwords, modify the following registry key
    to have a DWORD value of 1. For maximum security, do not complete this step
    until you are ready to migrate.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport

    For detailed information, please visit the below articles in Microsoft
    knowledge base:

    832221 How to configure the Active Directory Migration Tool to migrate user
    http://support.microsoft.com/?id=832221

    326480 How to Use Active Directory Migration Tool Version 2 to Migrate from
    http://support.microsoft.com/?id=326480

    I hope the above information is helpful.

    Have a niee day!

    Thanks & Regards,

    Feng Mao [MSFT], MCSE
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    --------------------
    | From: "Karl Weber" <>
    | References: <>
    <>
    | Subject: Re: ADMT2 migrating passwords problem
    | Date: Tue, 10 Aug 2004 23:41:20 +0200
    | Lines: 16
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    | Message-ID: <>
    | Newsgroups: microsoft.public.windows.server.migration
    | NNTP-Posting-Host: pD9E5CE4F.dip.t-dialin.net 217.229.206.79
    | Path:
    cpmsftngxa06.phx.gbl!TK2MSFTNGXA03.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP0
    8.phx.gbl!tk2msftngp13.phx.gbl
    | Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.migration:12927
    | X-Tomcat-NG: microsoft.public.windows.server.migration
    |
    | Hi Feng and others,
    |
    | I have the same problem as described by rocky. There occurs the same error
    | message when I specify the PES. I also have followed the MS instructions.
    |
    | My Question:
    | How can I determine wether the Password Migration DLL has been startet on
    | the PES? Which process must have been startet and where in the registry is
    | the key for that start?
    |
    | Many thanks
    |
    | Karl Weber
    |
    |
    |
    |
     
    Feng Mao, Aug 11, 2004
    #4
  5. Rocky

    Karl Weber Guest

    Hi,

    but how can I check if the Password Migration DLL is running?


    Thanks

    K. Weber

     
    Karl Weber, Aug 11, 2004
    #5
  6. Rocky

    Feng Mao Guest

    Hi Karl,

    According to my understanding, Password Migration DLL is not an application
    or service. It just replaced some system files and registry key, so that it
    enable the system to export password.

    If you experience problems on this, you may run PWDMIG.EXE under
    <W2K3SetupCD>:\I386\ADMT\PWDMIG. It will promopt you reinstall/repair and
    some other options.

    Hope it helps.

    Have a good day!

    Thanks & Regards,

    Feng Mao [MSFT], MCSE
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    --------------------
    | From: "Karl Weber" <>
    | References: <>
    <>
    <>
    <>
    | Subject: Re: ADMT2 migrating passwords problem
    | Date: Wed, 11 Aug 2004 11:21:49 +0200
    | Lines: 136
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    | Message-ID: <OjV#>
    | Newsgroups: microsoft.public.windows.server.migration
    | NNTP-Posting-Host: pD9548845.dip.t-dialin.net 217.84.136.69
    | Path:
    cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11
    .phx.gbl
    | Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.migration:12958
    | X-Tomcat-NG: microsoft.public.windows.server.migration
    |
    | Hi,
    |
    | but how can I check if the Password Migration DLL is running?
    |
    |
    | Thanks
    |
    | K. Weber
    |
    | | > Hi Karl,
    | >
    | > As I know, the below process must be proceed on the PES.
    | >
    | > To install the password migration DLL:
    | >
    | >
    | > 1. Log on as an administrator or equivalent to the computer on which
    | ADMTv2
    | > is installed.
    | >
    | > 2. At a command prompt, run the "ADMT KEY <sourcedomain><path> [* |
    | > password]" (without the quotation marks) command to create the password
    | > export key file (.pes). In this example, <sourcedomain> is the NetBIOS
    | name
    | > of the source domain and <path> is the file path where the key will be
    | > created. The path must be local, but can point to removable media such
    as
    | a
    | > floppy disk drive, ZIP drive, or writable CD media. If you type the
    | > optional password at the end of the command, ADMT protects the .pes file
    | > with the password. If you type the asterisk (*), ADMT prompts for a
    | > password, and the system will not echo it as it is typed.
    | >
    | > 3. Move the .pes file you created in step 2 to the designated Password
    | > Export Server in the source domain. This can be any domain controller,
    but
    | > make sure it has a fast, reliable link to the computer that is running
    | ADMT.
    | >
    | > 4. Install the Password Migration DLL on the Password Export Server by
    | > running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder
    | on
    | > the Windows Server 2003 installation media, or the folder to which you
    | > downloaded ADMTv2 from the Internet.
    | >
    | > 5. When you are prompted to do so, specify the path to the .pes file
    that
    | > you created in step 2. This must be a local file path.
    | >
    | > 6. After the installation completes, you must restart the server.
    | >
    | > 7. If you are ready to migrate passwords, modify the following registry
    | key
    | > to have a DWORD value of 1. For maximum security, do not complete this
    | step
    | > until you are ready to migrate.
    | >
    | >
    |
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport
    | >
    | > For detailed information, please visit the below articles in Microsoft
    | > knowledge base:
    | >
    | > 832221 How to configure the Active Directory Migration Tool to migrate
    | user
    | > http://support.microsoft.com/?id=832221
    | >
    | > 326480 How to Use Active Directory Migration Tool Version 2 to Migrate
    | from
    | > http://support.microsoft.com/?id=326480
    | >
    | > I hope the above information is helpful.
    | >
    | > Have a niee day!
    | >
    | > Thanks & Regards,
    | >
    | > Feng Mao [MSFT], MCSE
    | > Microsoft Online Partner Support
    | >
    | > Get Secure! - www.microsoft.com/security
    | >
    | > =====================================================
    | > When responding to posts, please "Reply to Group" via your newsreader so
    | > that others may learn and benefit from your issue.
    | > =====================================================
    | > This posting is provided "AS IS" with no warranties, and confers no
    | rights.
    | >
    | >
    | >
    | > --------------------
    | > | From: "Karl Weber" <>
    | > | References: <>
    | > <>
    | > | Subject: Re: ADMT2 migrating passwords problem
    | > | Date: Tue, 10 Aug 2004 23:41:20 +0200
    | > | Lines: 16
    | > | X-Priority: 3
    | > | X-MSMail-Priority: Normal
    | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
    | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    | > | Message-ID: <>
    | > | Newsgroups: microsoft.public.windows.server.migration
    | > | NNTP-Posting-Host: pD9E5CE4F.dip.t-dialin.net 217.229.206.79
    | > | Path:
    | >
    |
    cpmsftngxa06.phx.gbl!TK2MSFTNGXA03.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP0
    | > 8.phx.gbl!tk2msftngp13.phx.gbl
    | > | Xref: cpmsftngxa06.phx.gbl
    | microsoft.public.windows.server.migration:12927
    | > | X-Tomcat-NG: microsoft.public.windows.server.migration
    | > |
    | > | Hi Feng and others,
    | > |
    | > | I have the same problem as described by rocky. There occurs the same
    | error
    | > | message when I specify the PES. I also have followed the MS
    | instructions.
    | > |
    | > | My Question:
    | > | How can I determine wether the Password Migration DLL has been startet
    | on
    | > | the PES? Which process must have been startet and where in the
    registry
    | is
    | > | the key for that start?
    | > |
    | > | Many thanks
    | > |
    | > | Karl Weber
    | > |
    | > |
    | > |
    | > |
    | >
    |
    |
    |
     
    Feng Mao, Aug 12, 2004
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.