ADMT problem and SID editing tool

Jackal

Dear all,

I use ADMT to migrate the domain user accounts from NT to AD, but I encountered a problem as follows:

Either the source domain's primary domain controller (PDC) has not been re-started after setting the TcpipClientSupport registry key to 1 or the PDC could not be contacted.

But I did re-start the PDC several times after setting the registry key, and the PDC also replied when I tried pinging it. Any idea? The following are the brief steps I've taken to migrate, for reference:

1. Configure DNS for AD
2. Rename domain name for NT4 domain (e.g., ABC --> ABCOLD)
3. Promote DNS server to a DC with domain name "ABC" (I wish to retain the original domain name)
4. Convert AD to native mode
5. All the SRV records needed for AD are auto-generated in DNS
6. Pass testing by using "netdiag.exe", "dcdiag.exe", "nltest /dsgetsite" utilities
7. Install ADMT v.2 on DC
8. Enable auditing on DC and PDC
9. Generate the password export key file (.pes) on DC ==> [admt key SourceDomainName Path]
10. Move the .pes file to PDC
11. Create an empty Local Group with the name SourceDomain$$$ (e.g., ABCOLD$$$)
12. Create a registry key "TcpipClientSupport" at the following location and set the DWORD value to "1":
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
13. Install the ADMT Password Migration DLL and use the .pes file created in step 9 when prompted
14. RESTART PDC
15. Change the "AllowPasswordExport" registry key value to "1" at the following location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
16. Start to use ADMT to migrate user accounts on DC --> Failed

BTW, the configuration for ADMT also meets the requirements as follows:
1. NT4 SP6a for source domain
2. Use 128-bit encryption
3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 0
4. Add Everyone group to the "Pre-Windows 2000 Compatible Access" group by using the command:
   NET LOCALGROUP "PRE-WINDOWS 2000 COMPATIBLE ACCESS" EVERYONE /ADD
5. Set Read permission on "CN=Server,CN=System,DC=TargetDomain,DC={tld}"

But I'm not very sure whether I did right or not in requirement no. 5. First of all, I don't quite understand what "DC={tld}" is (does it mean the server name?). Second, I can only find a file-like object named "Server" under the "System" object, and I granted Full Control permission to the "Pre-Windows 2000 Compatible Access" group on it.

Of course I could migrate all the user accounts without maintaining the SIDs, but that will cause another problem: domain users logging on to the new domain (with the same domain name) will be treated as new users in their PC environment. So this is another question: is there any tool I can use to edit the user account SID?

Any suggestion is highly appreciated!!

Cheers,
Jackal
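
On the second question in the post above (editing a user's SID): a domain account SID is the domain SID plus a RID issued by the domain, and it cannot be edited on the account. What ADMT does when SID history is enabled is copy the source-domain SID into the target account's sIDHistory attribute, so the user's logon token still carries the old SID and ACLs that name it keep matching; the auditing, SourceDomain$$$ group and TcpipClientSupport steps in the post are the prerequisites for that write. The Python below is added here as an example and is not code from the thread or from ADMT: it packs and unpacks the binary SID layout, splits the domain part from the RID, and shows an ACL written against the NT 4.0 SID matching the migrated account only when sIDHistory is present. Both domain SIDs, the RIDs and the migrate_account helper are constructed for illustration.

```python
"""Why a migrated account keeps working: SID layout and sIDHistory (constructed data)."""
import struct

# Constructed, not real: the NT 4.0 source domain and the new AD target domain.
SOURCE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID into the binary form stored in objectSid/sIDHistory.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a 32-bit
    little-endian integer.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15
            or any(not 0 <= s < 2**32 for s in subs)):
        raise ValueError(f"field out of range in SID: {sid!r}")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to S-R-A-... text, checking its length."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def split_domain_rid(sid: str) -> tuple[str, int]:
    """Split a domain account SID (S-1-5-21-x-y-z-rid) into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def migrate_account(old_sid: str, new_rid: int, with_history: bool) -> dict:
    """Model what ADMT does to the target account (a toy, not the ADMT API).

    The target domain issues a fresh objectSid; the source SID can only be
    carried along in sIDHistory, and only if it really belongs to the
    source domain.
    """
    domain, _ = split_domain_rid(old_sid)
    if domain != SOURCE_DOMAIN_SID:
        raise ValueError(f"{old_sid} is not from the source domain")
    new_sid = f"{TARGET_DOMAIN_SID}-{new_rid}"
    account = {"objectSid": sid_to_bytes(new_sid), "sIDHistory": []}
    if with_history:
        account["sIDHistory"].append(sid_to_bytes(old_sid))
    return account


def token_sids(account: dict) -> set[str]:
    """SIDs the logon token carries: objectSid plus every sIDHistory entry."""
    return {bytes_to_sid(account["objectSid"])} | {
        bytes_to_sid(s) for s in account["sIDHistory"]
    }


def acl_grants(allowed_sids: list[str], account: dict) -> bool:
    """Does an ACL written against pre-migration SIDs still match this account?"""
    return any(sid in token_sids(account) for sid in allowed_sids)


if __name__ == "__main__":
    old_user = f"{SOURCE_DOMAIN_SID}-1105"   # constructed NT 4.0 user
    profile_acl = [old_user]                 # e.g. the ACL on that user's profile folder
    plain = migrate_account(old_user, 1203, with_history=False)
    kept = migrate_account(old_user, 1203, with_history=True)
    print("without sIDHistory:", acl_grants(profile_acl, plain))  # False
    print("with sIDHistory:   ", acl_grants(profile_acl, kept))   # True
```

The point of the last two lines is the one the post runs into: an account migrated without SID history gets a brand-new SID, so every ACL and profile that names the old SID stops matching, exactly as if it were a new user.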
 
Aimme Lirette MSFT

Can you successfully connect to the Windows 2000 domain controller from the NT 4.0 PDC with the following command?
net view \\2000ServerName
Ping tests host name resolution, and net view will test NetBIOS name resolution.

NT 4.0 will want to use NetBIOS name resolution; you can use an LMHOSTS file to ensure proper communication between the two, just to be sure. Here is an article on how to write an LMHOSTS file for domain authentication:
http://support.microsoft.com/?id=180094

Thank you,
Aimme Lirette

--
This posting is provided "AS IS" with no warranties, and confers no rights.
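
As an added example, not part of the reply above, here is Python that writes the two kinds of LMHOSTS entry used for domain validation across subnets and parses them back. A "#PRE #DOM:DOMAIN" entry preloads the DC's name and marks it as a controller for that domain; a quoted, space-padded name ending in "\0x1b" maps the domain's 0x1B NetBIOS name (the domain master browser, which is the PDC) to the same address. The parser handles the quoted form, where the name is padded to 15 characters and the 16th byte is written as a \0xNN escape. The address, host name and domain name are constructed; the script is not code from the article linked above.

```python
"""LMHOSTS entries for NT 4.0 domain validation: generator and parser (constructed data)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Quoted NetBIOS names are 16 bytes: 15 name characters padded with spaces
# plus a suffix byte written as \0xNN, e.g. "ABC            \0x1b".
_QUOTED = re.compile(r'"(?P<body>[^"]*)"')
_ESCAPE = re.compile(r"\\0x([0-9A-Fa-f]{2})")


@dataclass
class LmhostsEntry:
    ip: str
    name: str                     # NetBIOS name, upper-cased, without the suffix byte
    suffix: Optional[int]         # 16th byte when written as "NAME \0xNN", else None
    preload: bool = False         # #PRE: load into the name cache at boot
    domain: Optional[str] = None  # #DOM:DOMAIN: treat as a domain controller of DOMAIN


def domain_entries(dc_ip: str, dc_name: str, domain: str) -> list:
    """Lines that let a machine on another subnet validate against DOMAIN.

    The first marks DC_NAME as a controller for DOMAIN and preloads it; the
    second maps the domain's 0x1B name (the domain master browser, i.e. the
    PDC) to the same address.
    """
    ipaddress.IPv4Address(dc_ip)  # reject anything that is not a dotted quad
    dom = domain.upper()
    if not 1 <= len(dom) <= 15 or not 1 <= len(dc_name) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    return [
        f"{dc_ip}\t{dc_name.upper()}\t#PRE\t#DOM:{dom}",
        f'{dc_ip}\t"{dom:<15}\\0x1b"\t#PRE',
    ]


def _decode_quoted(body: str):
    """Turn the body of a quoted name into (name, suffix byte or None)."""
    decoded = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)
    if len(decoded) > 16:
        raise ValueError(f"quoted NetBIOS name longer than 16 bytes: {body!r}")
    name = decoded[:15].rstrip().upper()
    suffix = ord(decoded[15]) if len(decoded) == 16 else None
    return name, suffix


def parse_lmhosts(text: str) -> list:
    """Parse the entry lines of an LMHOSTS file (comments and #INCLUDE lines are skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # an address with no name is not an entry
        ip, rest = parts
        ipaddress.IPv4Address(ip)
        m = _QUOTED.match(rest)
        if m:
            name, suffix = _decode_quoted(m.group("body"))
            rest = rest[m.end():]
        else:
            tokens = rest.split(None, 1)
            name, suffix = tokens[0].upper(), None
            rest = tokens[1] if len(tokens) > 1 else ""
        preload, domain = False, None
        for tok in rest.split():
            up = tok.upper()
            if up == "#PRE":
                preload = True
            elif up.startswith("#DOM:"):
                domain = up[5:]
            elif tok.startswith("#"):
                break                     # anything else after # is a comment
        entries.append(LmhostsEntry(ip, name, suffix, preload, domain))
    return entries


def dc_for_domain(entries: list, domain: str) -> Optional[str]:
    """Address of the first #DOM: entry for DOMAIN, or None if the file has none."""
    for e in entries:
        if e.domain == domain.upper():
            return e.ip
    return None


if __name__ == "__main__":
    # Constructed: a Windows 2000 DC named W2KDC for the domain ABC at 192.0.2.10.
    lines = domain_entries("192.0.2.10", "W2KDC", "abc")
    print("\n".join(lines))
    parsed = parse_lmhosts("\n".join(lines) + "\n# a comment\n192.0.2.20 FILESRV\n")
    print("DC for ABC:", dc_for_domain(parsed, "ABC"))  # 192.0.2.10
```

Two things to check when writing the file by hand, which the generator gets right for you: the name inside the quotes must be padded to exactly 15 characters before the \0x1b, and the #PRE and #DOM keywords are only honoured after the name on the same line.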
 
Guest

I'm trying to migrate passwords to Windows 2003 from an NT4 PDC and I followed article 832221. I'm getting this error:
"Unable to establish a session with the password export server. Everyone is not a member of the Pre-Windows 2000 Compatible Access group in the target domain"

What does this error mean?
 
