Interforest 2003 to 2008 migration - Security Translation issue
In trying to follow the ADMT documentation to the "T," we first migrate the users and disable the account in the target domain.
· Our test users migrate on the initial migration, except for the "homemdb" and "homemta" properties, which we expect.
· Testing the Security Translation Wizard, we found it reading the additional accounts from the database.
translate user profiles: yes
perform pre-check only: no
[agent dispatch section]
2009-02-10 12:36:56 read 18 accounts from database migrated domain ' subdomain.domain.com' domain 'testad.domain.com'.
2009-02-10 12:36:56 created account input file remote agents: accounts000040.txt
2009-02-10 12:36:57 installing agent on 1 servers
2009-02-10 12:36:57 active directory migration tool agent installed on test-xp-vm01.subdomain.domain.com
2009-02-10 12:37:26 started job: test-xp-vm01 000040_test-xp-vm01 {c824d615-030a-4c7d-8da0-2cb14cbf24bf}
But on the local machine it's not translating the user profiles?
local machine
computer: test-xp-vm01.subdomain.domain.com (test-xp-vm01)
domain: subdomain.domain.com (domain)
os: microsoft windows xp 5.1 (2600) service pack 3
2009-02-10 12:37:27 starting security translator.
2009-02-10 12:37:27 agent running in local mode.
2009-02-10 12:37:27 read 0 accounts from c:\windows\onepointdomainagent\accounts000040.txt
2009-02-10 12:37:27 securitytranslation profiles:yes recyclebin:yes translationmode:replace subdomain.domain.com testad.domain.com
2009-02-10 12:37:27 starting
2009-02-10 12:37:27 translating local machine.
2009-02-10 12:37:29 skipping a:\, rc=21 the device not ready.
2009-02-10 12:37:29 processing c:\
2009-02-10 12:37:29 processing recycle bin files , folders on c:\.
2009-02-10 12:37:29 examining: s-1-5-21-2000478354-1060284298-839522115-1003
2009-02-10 12:37:30 examining: s-1-5-21-2000478354-1060284298-839522115-500
2009-02-10 12:37:30 examining: s-1-5-21-3472900057-1418634344-751827254-500
2009-02-10 12:37:30 skipping d:\. d:\ cd-rom drive.
2009-02-10 12:37:30 profile translation automatically switches replace mode add mode if user logged on or if profile in use other reasons. in order disable switching, need set registry hklm\software\microsoft\admt\disallowfallbacktoaddinprofiletranslation (reg_dword) 1 on admt machine.
2009-02-10 12:37:30 ------account detail---------
2009-02-10 12:37:30 account detail section uses following format: accountname(ownerchanges, groupchanges, daclchanges, saclchanges).
2009-02-10 12:37:30 -----------------------------
2009-02-10 12:37:30 0 users, 0 groups
2009-02-10 12:37:30 0 accounts selected. 0 resolved, 0 unresolved.
2009-02-10 12:37:30 examined changed unchanged
2009-02-10 12:37:30 files 0 0 0
2009-02-10 12:37:30 dirs 0 0 0
2009-02-10 12:37:30 shares 0 0 0
2009-02-10 12:37:30 members 0 0 0
2009-02-10 12:37:30 user rights 0 0 0
2009-02-10 12:37:30 exchange objects 0 0 0
2009-02-10 12:37:30 containers 0 0 0
2009-02-10 12:37:30 dacls 0 0 0
2009-02-10 12:37:30 sacls 0 0 0
2009-02-10 12:37:30 examined changed no target not selected unknown
2009-02-10 12:37:30 owners 0 0 0 0 0
2009-02-10 12:37:30 groups 0 0 0 0 0
2009-02-10 12:37:30 daces 0 0 0 0 0
2009-02-10 12:37:30 saces 0 0 0 0 0
2009-02-10 12:37:30 wrote result file c:\windows\onepointdomainagent\000040_test-xp-vm01.result
2009-02-10 12:37:30 operation completed.
Any ideas why we're not able to translate these user profiles? Meaning, after running the translation wizard, we migrate the computer these profiles are located on, log in, and it creates a whole new local user profile.
Do we need to migrate the computer first? Again, according to the ADMT documentation we don't. Is it a permission issue? We're stumped.
Thanks in advance for any thoughts.
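The dispatch log above reports 18 accounts read from the database, while the agent log on the workstation reports 0 accounts read from the input file. A check for that mismatch follows, as an added example that is not part of the original post or of ADMT; the function name and the regular expressions are assumptions matched to the log lines quoted in the post.

```python
import re

# Lines excerpted from the dispatch and agent logs quoted in the post above.
DISPATCH_LOG = """2009-02-10 12:36:56 read 18 accounts from database migrated domain ' subdomain.domain.com' domain 'testad.domain.com'.
2009-02-10 12:36:56 created account input file remote agents: accounts000040.txt
"""
AGENT_LOG = r"""2009-02-10 12:37:27 agent running in local mode.
2009-02-10 12:37:27 read 0 accounts from c:\windows\onepointdomainagent\accounts000040.txt
2009-02-10 12:37:30 0 accounts selected. 0 resolved, 0 unresolved.
"""

DISPATCHED = re.compile(r"read (\d+) accounts from database", re.I)
INPUT_FILE = re.compile(r"created account input file.*?:\s*(\S+)", re.I)
AGENT_READ = re.compile(r"read (\d+) accounts from (\S+)", re.I)
SUMMARY = re.compile(r"(\d+) accounts selected\. (\d+) resolved, (\d+) unresolved", re.I)


def check_translation(dispatch_log, agent_log):
    """Return a list of findings; an empty list means the counts agree."""
    sent = DISPATCHED.search(dispatch_log)
    name = INPUT_FILE.search(dispatch_log)
    got = AGENT_READ.search(agent_log)
    summary = SUMMARY.search(agent_log)
    if not (sent and got):
        return ["could not find account counts in both logs"]

    findings = []
    sent_n, got_n = int(sent.group(1)), int(got.group(1))
    path = got.group(2)
    # The agent should be reading the same input file the dispatcher created.
    if name and not path.lower().endswith(name.group(1).lower()):
        findings.append(f"agent read {path}, not the dispatched {name.group(1)}")
    # Fewer accounts on the agent side means the account list did not arrive intact.
    if got_n != sent_n:
        findings.append(f"dispatcher read {sent_n} accounts but agent read {got_n} from {path}")
    # With nothing selected, the all-zero summary table is the expected result.
    if summary and int(summary.group(1)) == 0:
        findings.append("agent selected 0 accounts, so no profile was translated")
    return findings


if __name__ == "__main__":
    for finding in check_translation(DISPATCH_LOG, AGENT_LOG):
        print("FINDING:", finding)
```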
Hi,
Based on my experience, you may perform the following steps to check the result:
1. Disable the Windows Firewall service on the client PC you are going to migrate.
2. Reinstall "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" on the client PC.
3. Disable 3rd party services with a clean boot.
a. Click Start | Run, type "msconfig" (no quotes), and press Enter.
b. Click the Services tab, check the check box of "Hide Microsoft Service", and click "Disable All".
c. Click the Startup tab, click "Disable All".
d. Click "OK" and follow the instructions to restart the computer. After rebooting, if the System Configuration dialog is prompted, please check the check box in the dialog and click "OK".
5. Check name resolution for the source and target domain.
Ping "subdomain.domain.com" and "testad.domain.com" from the ADMT machine.
6. Explicitly add the domain admin running the ADMT tool to the local admin group on the client PC.
Meanwhile, I recommend performing the migration in the following order:
suggestion:
==========
domain global group
domain local group
user account
computer account
Also, please migrate groups and users separately (do not migrate associated group members when migrating groups).
To do so, during group migration, please use the following configurations:
[group options]
copy group members not checked
fix membership of group checked
sid history checked
During user migration, please use the following configurations:
[user options]
migrate associated user groups not checked
fix users' group memberships checked
sid history checked
For more information, you may refer to the article:
ADMT v3.1 Guide: Migrating and Restructuring Active Directory Domains
Regards,
Nick Gu - MSFT