Based on my experience, this issue may occur if one or more of the
following conditions are true:
1. The PES server is not a DNS client of the target domain.
2. The RPC port was blocked.
Suggestions:
1. The PES server should be a DNS client of the target domain.
2. Open the RPC port at the firewall end. Install the Password Export
Server Service at the source domain.
For more information, please reference the following article:
How to use Active Directory Migration Tool version 2 to migrate from
Windows 2000 to Windows Server 2003
http://support.microsoft.com/kb/326480/en-us
How to Troubleshoot Inter-Forest Password Migration with ADMTv2
http://support.microsoft.com/kb/322981/en-us
Hope this helps.
Regards,
Ada Pan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
I am not getting 'PES server should be dns client of the target domain'.
How do I make this happen?
My PES server is the source(W2K) domain DC. I am running ADMT V3 on the
target(W2K3) domain.
Regarding firewall, I do not have a firewall installed.
I also tried regsvr32 winnt\system32\pwmig.dll but I get the error
'pwmig.dll was loaded, but DllRegisterServer entry point was not found'.
Any clues,
Regards
liby
Thanks for your reply.
This is Vincent who is Ada's backup.
From your description, I suspect:
1. You didn't follow the KB 326480 to install PES server before you try to
migrate the password.
2. When you try to follow the KB 326480 to install the PES server, you are
unable to register the DLL file. Am I right?
For your current situation, we have two workarounds:
1. Not to migrate the password but you can choose to generate a complex
password instead. After the user account was migrated, you can ask each
user to change the password themselves.
2. For the error message when you try to register the dll, it appears that
the dll has been altered or damaged. You can choose to download ADMT
again and extract this dll from the package.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
Please understand ADMT is used to consolidate Domain structure and transfer
objects to new domain. Before you use ADMT, you must have a new,
well-prepared domain. Therefore, adprep should be already performed on the
target domain and no need to run on source domain.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
I would like to suggest we check the procedure of PES setup and check how
things are working:
Part 1: PES setup.
================
When performing inter-forest migrations using ADMT v.3, we need to setup
Password Export Server (PES) service in the source domain DC and install
ADMT in the target domain DC. The two DCs share the same key to ensure the
passwords are migrated in a secure way.
The PES service can be installed on any domain controller in the source
domain that supports 128-bit encryption. ADMT v.3 provides the option to
run the PES service under the Local System account or by providing the
credentials of an authenticated user in the target domain.
Note: To improve security, run the PES service as an authenticated user in
the target domain rather than under the Local System account.
If you choose to run the PES service under the Local System account, you
must ensure that the built-in Pre-Windows 2000 Compatible Access group
contains the Everyone group in the target domain. The Everyone group will
not be in the Windows 2000 Compatible Access group if you selected
Permissions compatible only with Windows 2000 or Windows Server 2003
operating systems when you installed Active Directory in the target domain.
If the Everyone group is not in the Windows 2000 Compatible Access group,
you will receive an Access Denied error message. You must then manually add
the Everyone group to the Windows 2000 Compatible Access group to enable
support for password migration. To do this, type the following at the
command line on a target domain controller:
NET LOCALGROUP "Pre-Windows 2000 Compatible Access" Everyone /ADD
If your target domain is a Windows Server 2003 domain, you must also add
the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group.
To do this, type the following at the command line on a target domain
controller:
NET LOCALGROUP "Pre-Windows 2000 Compatible Access" "ANONYMOUS LOGON" /ADD
After this update to the Pre-Windows 2000 Compatible Access group
replicates, restart the Server service on all domain controllers in the
target domain.
The PES service installation requires an encryption key created on the
computer running ADMT in the target domain. The key must be available on a
local drive. This can be a floppy drive or a folder on the local hard disk,
but not a network mapped drive or shared folder. For security reasons, it
is best to use a floppy disk so that the key can be stored in a secure
location or reformatted after the migration is complete.
The encryption key is created by using admt key from a command line.
TASK1: To create an encryption key.
1. Log onto the computer in the target domain on which you installed ADMT
by using your ADMT migration account.
2. Open a command window and navigate to the drive on which ADMT is
installed, and at the command line, type:
ADMT KEY /option:create /sourcedomain:"source domain" /keyfile:"key file path" /keypassword:{password|*}
The source domain can be specified as either the DNS or NetBIOS name. A
password, which provides key encryption, is optional. To protect the shared
key, type either the password or an asterisk on the command line. The
asterisk causes you to be prompted for a password that is not displayed on
the screen.
Note: To ensure maximum security, providing a password is strongly
recommended.
After you create the encryption key, configure the PES service on a domain
controller in the source domain.
TASK 2: To enable password migration on the source domain.
1. On the PES in the source domain, insert the encryption key disk.
2. In the Pwdmig directory, run Pwdmig.msi. If you set a password during
the key generation process on the domain controller in the target domain,
the Key Password Required dialog box appears. Provide the password that was
given when the key was created. Click Next.
3. Specify the account to run the PES service.
Note: To improve security, run the PES service as an authenticated user in
the target domain rather than under the Local System account.
4. After the installation completes, restart the domain controller.
5. After the domain controller restarts, start the PES service by clicking
Start, Administrative Tools, and then Services. In the details pane,
right-click Password Export Server Service and select Start.
Note: Only run the PES service when migrating passwords. Stop the PES
service after completing password migrations for maximum security.
Part 2: ADMT Side issues.
From your post, the error message occurs when performing group migration, I
would like to suggest that we:
1. Run ADMT 3.0. Choose the two DCs you used when setting up PES.
2. Migrate the groups and users separately (do not migrate the associated
members when migrating groups).
During the group migration, please use the following configurations:
[Group Options]
Copy group members * Not Checked
Fix membership of group * Checked
During the user migration, please use the following configurations:
[User Options]
Migrate associated user groups * Not Checked
Fix users' group memberships * Checked
Regarding the additional Exchange issue, I would like to suggest that we
migrate the user accounts using ADMT first. After that, you can use
Exchange side tool to migrate the Exchange related information. If you
want, you can submit questions in our Exchange newsgroups such as:
microsoft.public.exchange.admin
There is more qualified pool of respondents who can give you suggestions on
the Exchange side. Meanwhile, other users who visit the newsgroups
regularly can either share their knowledge or learn from your interaction
with us.
Hope this helps!
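Added example, not part of the original posts or of ADMT: a PowerShell check to run once password migration is finished, reporting whether the settings the post above describes (Everyone and ANONYMOUS LOGON in the Pre-Windows 2000 Compatible Access group, a running PES service) are still in place. Treating the group additions as temporary is an assumption of this example, as are English-language `net` output and the hypothetical function names Get-NetLocalGroupMember and Test-PesCleanup.

```powershell
# Added example (not from the thread). Run on a domain controller after migration.
# Assumes English-language `net` output; function names are hypothetical.

function Get-NetLocalGroupMember {
    param([string[]]$NetOutput)
    # Members are listed between the dashed separator and the completion message.
    $inList = $false
    foreach ($line in $NetOutput) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

function Test-PesCleanup {
    param([string[]]$Members, [string]$ServiceStatus)
    $findings = @()
    foreach ($m in $Members) {
        if (-not $m) { continue }
        # Compare the account name only, so "NT AUTHORITY\ANONYMOUS LOGON" matches.
        $name = ($m -split '\\')[-1]
        if (@('Everyone', 'ANONYMOUS LOGON') -contains $name) {
            $findings += "Group still contains '$m'"
        }
    }
    if ($ServiceStatus -eq 'Running') {
        $findings += 'Password Export Server Service is still running'
    }
    $findings
}

$group   = 'Pre-Windows 2000 Compatible Access'
$members = Get-NetLocalGroupMember -NetOutput (net localgroup $group)

# Look the service up by the display name given in the post.
$svc    = Get-Service -DisplayName 'Password Export Server Service' -ErrorAction SilentlyContinue
$status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

$findings = Test-PesCleanup -Members $members -ServiceStatus $status
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'No leftover PES migration settings found on this machine.'
}
```

The group check is meaningful on a target domain controller and the service check on the source domain controller that hosts PES, so run it on both.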
hope this helps.. satis...@gmail.com
--
satish32244