Interforest 2003 to 2008 migration - Security Translation issue

-

in trying follow admt documentation “t,” first migrate users , disable account in target domain.

 

·         our test users migrate on initial except “homemdb” , “homemta” properties expect.

 

·         testing security translation wizard found reading additional accounts database.

 

translate user profiles: yes

perform pre-check only: no

 

[agent dispatch section]

2009-02-10 12:36:56 read 18 accounts from database migrated domain ' subdomain.domain.com' domain 'testad.domain.com'.

2009-02-10 12:36:56 created account input file remote agents: accounts000040.txt

2009-02-10 12:36:57 installing agent on 1 servers

                                               

2009-02-10 12:36:57 active directory migration tool agent installed on test-xp-vm01.subdomain.domain.com

2009-02-10 12:37:26 started job:  test-xp-vm01 000040_test-xp-vm01 {c824d615-030a-4c7d-8da0-2cb14cbf24bf}

 

            but on local machine it’s not translating user profiles?

 

local machine

    computer:   test-xp-vm01.subdomain.domain.com (test-xp-vm01)

        domain:     subdomain.domain.com (domain)

        os:         microsoft windows xp 5.1 (2600) service pack 3

2009-02-10 12:37:27 starting security translator.

2009-02-10 12:37:27 agent running in local mode.

2009-02-10 12:37:27 read 0 accounts from c:\windows\onepointdomainagent\accounts000040.txt

2009-02-10 12:37:27 securitytranslation profiles:yes recyclebin:yes translationmode:replace subdomain.domain.com testad.domain.com

2009-02-10 12:37:27 starting

2009-02-10 12:37:27 translating local machine.

2009-02-10 12:37:29 skipping a:\, rc=21   the device not ready.

2009-02-10 12:37:29 processing c:\

2009-02-10 12:37:29 processing recycle bin files , folders on c:\.

2009-02-10 12:37:29 examining: s-1-5-21-2000478354-1060284298-839522115-1003

2009-02-10 12:37:30 examining: s-1-5-21-2000478354-1060284298-839522115-500

2009-02-10 12:37:30 examining: s-1-5-21-3472900057-1418634344-751827254-500

2009-02-10 12:37:30 skipping d:\.  d:\ cd-rom drive.

2009-02-10 12:37:30 profile translation automatically switches replace mode add mode if user logged on or if profile in use other reasons.  in order disable switching, need set registry hklm\software\microsoft\admt\disallowfallbacktoaddinprofiletranslation (reg_dword) 1 on admt machine.

2009-02-10 12:37:30 ------account detail---------

2009-02-10 12:37:30 account detail section uses following format: accountname(ownerchanges, groupchanges, daclchanges, saclchanges).

2009-02-10 12:37:30 -----------------------------

2009-02-10 12:37:30 0 users, 0 groups

2009-02-10 12:37:30 0 accounts selected.  0 resolved, 0 unresolved.

2009-02-10 12:37:30            examined        changed     unchanged

2009-02-10 12:37:30 files              0              0             0

2009-02-10 12:37:30 dirs               0              0             0

2009-02-10 12:37:30 shares             0              0             0

2009-02-10 12:37:30 members            0              0             0

2009-02-10 12:37:30 user rights        0              0             0

2009-02-10 12:37:30 exchange objects          0              0             0

2009-02-10 12:37:30 containers         0              0             0

2009-02-10 12:37:30 dacls              0              0             0

2009-02-10 12:37:30 sacls              0              0             0

2009-02-10 12:37:30            examined        changed     no target   not selected     unknown

2009-02-10 12:37:30 owners            0              0             0              0           0

2009-02-10 12:37:30 groups            0              0             0              0           0

2009-02-10 12:37:30 daces             0              0             0              0           0

2009-02-10 12:37:30 saces             0              0             0              0           0

2009-02-10 12:37:30 wrote result file c:\windows\onepointdomainagent\000040_test-xp-vm01.result

2009-02-10 12:37:30 operation completed.


any ideas why we're not able translate these user profiles?  meaning, after running translation wizard, migrate computer these profiles located on, login, , creates whole new local user profile.

do need migrate computer first? again according admt documentation don't.  is permission issue?  we're stumped.

thanks in advanced thoughts.



 

hi,

 

based on experience, may perform following steps check result:

 

1. disable windows firewall service on client pc going migrate.

 

2. reinstall "file , printer sharing microsoft networks" , "client microsoft network" on client pc.


3. disable 3rd party services clean boot

 

a. click start | run , type "msconfig" (no quotes) , press enter.

b. click services tab, check check box of "hide microsoft service", , click "disable all"

c. click startup tab, click "disable all"

d. click "ok" , follow instructions restart computer, after rebooting if prompt dialog of system configuration, please check check box in dialog , click "ok".

 

5. check name resolution source , target domain.

 

ping “subdomain.domain.com” , “testad.domain.com” form admt machine.

 

6. explicitly add domain admin running admt tool local admin group on client pc.

 

meanwhile, recommend perform migration in following order:

 

suggestion:

==========

domain global group

domain local group

user account

computer account

 

also, please migrate groups , users separately (do not migrate associated group members when migrating groups).

 

to so, during group migration, please use following configurations

 

[group options]

copy group members                            not checked              

fix membership of group                       checked  

sid history                            checked 

 

during user migration, please use following configurations:

 

[user options]

migrate associated user groups               not checked

fix users'' group memberships               checked

sid history                            checked

 

for more information, may refer article:

admt v3.1 guide: migrating , restructuring active directory domains

http://www.microsoft.com/downloads/details.aspx?familyid=6d710919-1ba5-41ca-b2f3-c11bcb4857af&displaylang=en

 

regards,

nick gu - msft


Windows Server  >  Migration



Comments

Post a Comment

Popular posts from this blog

some help on Event 540

-
does event 540 me distinguish between user , administrator access?    this event generated ypon successfull logon, logon exactly? successful logon on system?   is there other way log administrator access system using event viewer?   thank valuable response   georges hi,   as far know, cannot distinguish between user , administrator access event 540. more information, please refer to:   event id: 540 http://www.microsoft.com/technet/support/ee/transform.aspx?prodname=windows+operating+system&prodver=5.0&evtid=540&evtsrc=security&lcid=1033   events 528 , 540 http://blogs.msdn.com/b/ericfitz/archive/2004/12/09/279282.aspx   regards, bruce this posting provided "as is" no warranties, , confers no rights. please remember click "mark answer" on post helps you, , click "unmark answer" if marked post not answer question. can beneficial other community members reading thread.
Read more

WMI Repository 4GB limit - Win 2003 Ent Question

-
Image
hi there, i've question size limit on wmi repository (being 4gb). if isn't correct place post this, apologies , can let me know wheere post this? i've come across few servers running citrix have reached limit on wmi repository size , need install ibm director agent hw monitoring. during install getting 'out of disk space' errors entered in mofcomp.log: "(mon apr 02 04:10:36 2012.172843) : error occurred while processing item 4: (mon apr 02 04:10:36 2012.172843) : error number: 0x8004103b, facility: wmi description: out of disk space" when error number http://msdn.microsoft.com/en-us/library/windows/desktop/aa394559%28v=vs.85%29.aspx i see this: wbem_e_out_of_disk_space 2147749947 (0x8004103b) disk out of space or 4 gb limit on wmi repository (cim repository) size reached. windows xp , windows 2000/nt:   disk out of space. i'm wondering if there reason why limit set 4gb or can increase needs be? can't seem find reas
Read more

Event ID 1302 (error 1307) DFS replication service encountered an error while writing to the debug log file

-
Image
hello. we @ step 0 of migration frs dfsr sysvol replication on windows 2008r2 dc. every time run powershell dfsrmig / getmigrationstate says: "unable create dfsr migration log file. error 1307. all domain controllers have migrated global state 'start'. migration has reached consistent state on domain controllers. succeeded." it creates event id 1302 in "dfs replication" event log, explaining error 1307 means: "this security id may not assigned ownder of object ". i already checked space limits, quotas, permissions on c:\windows\debug according microsoft support article unable fix it. although, there new entries added dfsr00095.txt log file despite error. dfsrxxxx file has not been archived .gz format, and, beleive, contains dfsr diagnostics , events. here of latest entries: 20150908 08:47:27.867 11616 sysm  3354 migration::sysvolmigration::getsysvolreadyflag [mig] sysvol ready 20150908 08:47:27.867 11616 sysm   456 migrati
Read more