Interforest 2003 to 2008 migration - Security Translation issue

-

in trying follow admt documentation “t,” first migrate users , disable account in target domain.

 

·         our test users migrate on initial except “homemdb” , “homemta” properties expect.

 

·         testing security translation wizard found reading additional accounts database.

 

translate user profiles: yes

perform pre-check only: no

 

[agent dispatch section]

2009-02-10 12:36:56 read 18 accounts from database migrated domain ' subdomain.domain.com' domain 'testad.domain.com'.

2009-02-10 12:36:56 created account input file remote agents: accounts000040.txt

2009-02-10 12:36:57 installing agent on 1 servers

                                               

2009-02-10 12:36:57 active directory migration tool agent installed on test-xp-vm01.subdomain.domain.com

2009-02-10 12:37:26 started job:  test-xp-vm01 000040_test-xp-vm01 {c824d615-030a-4c7d-8da0-2cb14cbf24bf}

 

            but on local machine it’s not translating user profiles?

 

local machine

    computer:   test-xp-vm01.subdomain.domain.com (test-xp-vm01)

        domain:     subdomain.domain.com (domain)

        os:         microsoft windows xp 5.1 (2600) service pack 3

2009-02-10 12:37:27 starting security translator.

2009-02-10 12:37:27 agent running in local mode.

2009-02-10 12:37:27 read 0 accounts from c:\windows\onepointdomainagent\accounts000040.txt

2009-02-10 12:37:27 securitytranslation profiles:yes recyclebin:yes translationmode:replace subdomain.domain.com testad.domain.com

2009-02-10 12:37:27 starting

2009-02-10 12:37:27 translating local machine.

2009-02-10 12:37:29 skipping a:\, rc=21   the device not ready.

2009-02-10 12:37:29 processing c:\

2009-02-10 12:37:29 processing recycle bin files , folders on c:\.

2009-02-10 12:37:29 examining: s-1-5-21-2000478354-1060284298-839522115-1003

2009-02-10 12:37:30 examining: s-1-5-21-2000478354-1060284298-839522115-500

2009-02-10 12:37:30 examining: s-1-5-21-3472900057-1418634344-751827254-500

2009-02-10 12:37:30 skipping d:\.  d:\ cd-rom drive.

2009-02-10 12:37:30 profile translation automatically switches replace mode add mode if user logged on or if profile in use other reasons.  in order disable switching, need set registry hklm\software\microsoft\admt\disallowfallbacktoaddinprofiletranslation (reg_dword) 1 on admt machine.

2009-02-10 12:37:30 ------account detail---------

2009-02-10 12:37:30 account detail section uses following format: accountname(ownerchanges, groupchanges, daclchanges, saclchanges).

2009-02-10 12:37:30 -----------------------------

2009-02-10 12:37:30 0 users, 0 groups

2009-02-10 12:37:30 0 accounts selected.  0 resolved, 0 unresolved.

2009-02-10 12:37:30            examined        changed     unchanged

2009-02-10 12:37:30 files              0              0             0

2009-02-10 12:37:30 dirs               0              0             0

2009-02-10 12:37:30 shares             0              0             0

2009-02-10 12:37:30 members            0              0             0

2009-02-10 12:37:30 user rights        0              0             0

2009-02-10 12:37:30 exchange objects          0              0             0

2009-02-10 12:37:30 containers         0              0             0

2009-02-10 12:37:30 dacls              0              0             0

2009-02-10 12:37:30 sacls              0              0             0

2009-02-10 12:37:30            examined        changed     no target   not selected     unknown

2009-02-10 12:37:30 owners            0              0             0              0           0

2009-02-10 12:37:30 groups            0              0             0              0           0

2009-02-10 12:37:30 daces             0              0             0              0           0

2009-02-10 12:37:30 saces             0              0             0              0           0

2009-02-10 12:37:30 wrote result file c:\windows\onepointdomainagent\000040_test-xp-vm01.result

2009-02-10 12:37:30 operation completed.


any ideas why we're not able translate these user profiles?  meaning, after running translation wizard, migrate computer these profiles located on, login, , creates whole new local user profile.

do need migrate computer first? again according admt documentation don't.  is permission issue?  we're stumped.

thanks in advanced thoughts.



 

hi,

 

based on experience, may perform following steps check result:

 

1. disable windows firewall service on client pc going migrate.

 

2. reinstall "file , printer sharing microsoft networks" , "client microsoft network" on client pc.


3. disable 3rd party services clean boot

 

a. click start | run , type "msconfig" (no quotes) , press enter.

b. click services tab, check check box of "hide microsoft service", , click "disable all"

c. click startup tab, click "disable all"

d. click "ok" , follow instructions restart computer, after rebooting if prompt dialog of system configuration, please check check box in dialog , click "ok".

 

5. check name resolution source , target domain.

 

ping “subdomain.domain.com” , “testad.domain.com” form admt machine.

 

6. explicitly add domain admin running admt tool local admin group on client pc.

 

meanwhile, recommend perform migration in following order:

 

suggestion:

==========

domain global group

domain local group

user account

computer account

 

also, please migrate groups , users separately (do not migrate associated group members when migrating groups).

 

to so, during group migration, please use following configurations

 

[group options]

copy group members                            not checked              

fix membership of group                       checked  

sid history                            checked 

 

during user migration, please use following configurations:

 

[user options]

migrate associated user groups               not checked

fix users'' group memberships               checked

sid history                            checked

 

for more information, may refer article:

admt v3.1 guide: migrating , restructuring active directory domains

http://www.microsoft.com/downloads/details.aspx?familyid=6d710919-1ba5-41ca-b2f3-c11bcb4857af&displaylang=en

 

regards,

nick gu - msft


Windows Server  >  Migration



Comments

Post a Comment

Popular posts from this blog

Round Robin is killing performance on our network

-
Image
we had 2 windows 2003 domain controllers @ our data center dns , 1 domain controller @ our large remote office no dns. finished replacing 3 domain controllers windows 2012 r2 dc's, each of have dns installed , configured. we're having issues servers @ our data center resolving names using dns server @ remote office due appears round robin dns lookups. is there suggested way force servers , workstations @ data center use domain controllers @ location dns resolution , servers , workstations @ remote office use domain controller @ location dns resolution? thanks in advance assistance, dan hi dbetanco, >we're having issues servers @ our data center resolving names using dns server @ remote office due appears round robin dns lookups. round robin specific record query, example, in dns zone has 3 records: www.test.com 1.1.1.1 www.test.com 2.2.2.2 www.test.com 3.3.3.3 then if query nslookup www.test.com  three times, first time order is: 1.1....
Read more

WMI Repository 4GB limit - Win 2003 Ent Question

-
Image
hi there, i've question size limit on wmi repository (being 4gb). if isn't correct place post this, apologies , can let me know wheere post this? i've come across few servers running citrix have reached limit on wmi repository size , need install ibm director agent hw monitoring. during install getting 'out of disk space' errors entered in mofcomp.log: "(mon apr 02 04:10:36 2012.172843) : error occurred while processing item 4: (mon apr 02 04:10:36 2012.172843) : error number: 0x8004103b, facility: wmi description: out of disk space" when error number http://msdn.microsoft.com/en-us/library/windows/desktop/aa394559%28v=vs.85%29.aspx i see this: wbem_e_out_of_disk_space 2147749947 (0x8004103b) disk out of space or 4 gb limit on wmi repository (cim repository) size reached. windows xp , windows 2000/nt:   disk out of space. i'm wondering if there reason why limit set 4gb or can increase needs be? can't seem find reas...
Read more

Change home folder default permission?

-
i have searched on , can't seem find similar trying do. using windows server 2003 active directory. when create new user account on domain, use profile tab specify home directory user. when user logs in first time, active directory creates folder in specified path. working correctly. problem gives user full control on folder. has caused lot of problems because "clever" users have discovered thay can change permission on folder or subfolders beneath it. because don't want staff looking @ "sensitive" files. of course doesn't work since can take ownership of file , give myself permissions. causes trouble failed backups, inability scan these folders viruses, migration new storage etc. on occasion 1 of these users call me , ask file or folder restored, , @ point discover not have backup of files , cannot restore them. give them lecture, have on 2500 users, , can't talk them all. right have create account , login teh folder created, go take away full contr...
Read more