Jackal
Dear all,

I use ADMT to migrate the domain user accounts from NT to AD, but I encountered a problem as follows,

Either the source domain's primary domain controller (PDC) has not been re-started after setting the TcpipClientSupport registry key to 1 or the PDC could not be contacted.

But I did re-start the PDC several times after setting the registry key and the PDC also replied when I tried pinging it. Any idea? The following are the brief steps I've taken to migrate for reference,

1. Configure DNS for AD
2. Rename domain name for NT4 domain (e.g., ABC --> ABCOLD)
3. Promote DNS server to a DC with domain name "ABC" (I wish to retain the original domain name)
4. Convert AD to native-mode
5. All the SRV records needed for AD are auto-generated in DNS
6. Pass testing by using "netdiag.exe", "dcdiag.exe", "nltest /dsgetsite" utilities
7. Install ADMT v.2 on DC
8. Enable auditing on DC and PDC
9. Generate the password export key file (.pes) on DC ==> [admt key SourceDomainName Path]
10. Move the .pes file to PDC
11. Create an empty Local Group with the name SourceDomain$$$ (e.g., ABCOLD$$$)
12. Create a registry key "TcpipClientSupport" at the following location and set the DWORD value of "1"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
13. Install the ADMT Password Migration DLL and use the .pes file created in step 9 when prompted
14. RESTART PDC
15. Change the "AllowPasswordExport" registry key value to "1" at the following location,
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
16. Start to use ADMT to migrate user accounts on DC --> Failed

BTW, the configuration for ADMT also has met the requirements as follows,

1. NT4 SP6a for source domain
2. Use 128-bit encryption
3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 0
4. Add Everyone group in the "Pre-Windows 2000 Compatible Access" group by using the command,
    NET LOCALGROUP "PRE-WINDOWS 2000 COMPATIBLE ACCESS" EVERYONE /ADD
5. Set Read permission on "CN=Server,CN=System,DC=TargetDomain,DC={tld}"

But I'm very sure whether I did right or not in requirement no. 5. First of all, I don't quite understand what "DC={tld}" is (means the server name?). Second, I can only find a file-like object named "Server" under the "System" object and I granted Full Control permission for the "Pre-Windows 2000 Compatible Access" group on it.

Of course I could migrate all the user accounts without maintaining the SIDs, but it will cause another problem. That is, the domain users logging on to the new domain (with the same domain name) will be treated as new users in their PC environment. So, this is another question. Is there any tool I can use to edit the user account SID?

Any suggestion is highly appreciated!!

Cheers,
Jackal
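The settings the post lists (TcpipClientSupport, AllowPasswordExport, RestrictAnonymous and the SourceDomain$$$ local group) are the ones ADMT v2 password migration expects on the source PDC, and the error quoted above is what ADMT reports when one of them is not in effect. The script below is an added example, not code from the original post or from ADMT: run in an elevated PowerShell session on the machine being checked, it reads each value back and reports which ones still differ from what the post requires. The $SourceDomain parameter and the default value ABCOLD are assumptions taken from the post's example names.

```powershell
# Added example (not from the original post): verify the ADMT v2 password-migration
# prerequisites listed in the post and report any that do not match.
# $SourceDomain is an assumed parameter; 'ABCOLD' is the post's example source domain.
param(
    [string]$SourceDomain = 'ABCOLD'
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read one DWORD value under the Lsa key; $null when the value is absent.
function Get-LsaValue([string]$Name) {
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Expected values exactly as the post states them.
$checks = @(
    @{ Name = 'TcpipClientSupport';  Expected = 1; Note = 'PDC must be restarted after this is set' },
    @{ Name = 'AllowPasswordExport'; Expected = 1; Note = 'keep at 1 only while passwords are being migrated' },
    @{ Name = 'RestrictAnonymous';   Expected = 0; Note = 'temporary weakening ADMT v2 needs; restore the previous value when migration is done' }
)

foreach ($c in $checks) {
    $actual = Get-LsaValue $c.Name
    $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
    $state  = if ($actual -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-20} expected={2} actual={3}  ({4})' -f $state, $c.Name, $c.Expected, $shown, $c.Note
}

# The post requires an EMPTY local group named <SourceDomain>$$$ on the PDC.
# "net localgroup" works on every Windows version, unlike Get-LocalGroup.
$groupName = '{0}$$$' -f $SourceDomain
$out = & net localgroup $groupName 2>&1
if ($LASTEXITCODE -ne 0) {
    'MISMATCH local group {0} not found' -f $groupName
} else {
    # Members are listed after the line of dashes and before the closing status line.
    $lines = @($out | ForEach-Object { "$_".Trim() })
    $sep = -1
    for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -match '^-+$') { $sep = $i; break } }
    $members = @()
    if ($sep -ge 0 -and $sep -lt $lines.Count - 1) {
        $members = @($lines[($sep + 1)..($lines.Count - 1)] |
                     Where-Object { $_ -and $_ -notmatch 'completed successfully' })
    }
    if ($members.Count -eq 0) {
        'OK       local group {0} exists and is empty' -f $groupName
    } else {
        'MISMATCH local group {0} exists but has {1} member(s): {2}' -f $groupName, $members.Count, ($members -join ', ')
    }
}
```

The member parsing relies on the English output of net localgroup; on a localised system compare the printed listing by eye instead. Of the three registry values, RestrictAnonymous = 0 is the one worth tracking after the migration, since it re-enables anonymous enumeration of accounts and shares on the PDC for as long as it stays at 0. On the closing question: ADMT does not edit an account's SID, and nothing should; when the migration succeeds with SID preservation, the old SID is recorded on the new account's sIDHistory attribute, which is what lets the migrated users keep access to resources and profiles stamped with the old SID.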