AD User Migration Error ; HELP?

Status
Not open for further replies.

idsi

Technical User
Mar 26, 2004
47
US
I had installed Windows 2003 Server on a new system and brought AD up. After that I wanted to first migrate my users from a Windows NT domain, and I tried that through the AD migration tool (ADMT). It gives an error: Access is denied (Error code=5, domain = My NT Domain name). I would like to know what this means, and also how do I know whether I have installed Windows 2003 in native or mixed mode?
 
I got this from somewhere:


Here is what you need to do next:

1. Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.

2. Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.

3. Create a new local group in the source domain called Source Domain$$$ (make sure that this group has no members).

(You need to do steps 4 and 5 in order to troubleshoot every potential problem. Believe me, if you don't do this, you are going to have headaches when things are going to go wrong!)

4. Enable auditing for the success and failure of user and group management on the source domain.

5. Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.

6. On the NT 4 PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.

7. Obviously, Administrative shares must exist on the domain controller (DC) in the target domain on which you run ADMT, as well as on any computers on which an agent will be dispatched. This is because ADMT will write information on target disks.

8. You must log on to the computer on which you run ADMT with an account that has the following rights:
Domain Administrator rights in the target domain
Is a member of the Administrators group in the source domain
Administrator rights on each computer you migrate
Administrator rights on each computer on which you translate security
Therefore, logging into the PDC that is the FSMO role holder in the target w2k domain with the source domain\Administrator account suffices, assuming that the source domain\Domain Administrators group belongs to each computer's Administrators group.


That should do it!
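
A read-only preflight for steps 3, 6 and 7 of the checklist above, as an added example that is not part of the original post or of ADMT. It assumes PowerShell is available on the machine that runs ADMT, that the account meets step 8, and that "Source Domain$$$" means the source domain's NetBIOS name followed by $$$; SRCDOM, SRCPDC and TGTDC01 are placeholder names.

```powershell
# Added example: read-only preflight for steps 3, 6 and 7 of the checklist.
# Every name below is a placeholder (assumption), not a value from the post.
param(
    [string]$SourceDomain = 'SRCDOM',     # NetBIOS name of the NT 4 source domain
    [string]$SourcePdc    = 'SRCPDC',     # NT 4 PDC of the source domain
    [string[]]$AdmtHosts  = @('TGTDC01')  # DC running ADMT plus agent targets
)

# Step 3: the <SourceDomain>$$$ local group must exist and have no members.
function Test-AuditGroupEmpty([string]$Domain) {
    try {
        $group = [ADSI]('WinNT://' + $Domain + '/' + $Domain + '$$$,group')
        # Invoke('Members') throws if the group cannot be bound.
        return @($group.psbase.Invoke('Members')).Count -eq 0
    } catch { return $false }
}

# Step 6: TcpipClientSupport (REG_DWORD) must be 1 under ...\Control\LSA on the PDC.
function Test-TcpipClientSupport([string]$Computer) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $lsa  = $hklm.OpenSubKey('System\CurrentControlSet\Control\LSA')
        return ($null -ne $lsa) -and ($lsa.GetValue('TcpipClientSupport') -eq 1)
    } catch { return $false }
}

# Step 7: the administrative share must be reachable on each ADMT/agent host.
function Test-AdminShare([string]$Computer) {
    return Test-Path -LiteralPath ('\\' + $Computer + '\ADMIN$')
}

# Collect one line per check; False means missing, unreachable or misconfigured.
$results = @()
$results += 'Step 3 empty {0}$$$ group: {1}' -f $SourceDomain, (Test-AuditGroupEmpty $SourceDomain)
$results += 'Step 6 TcpipClientSupport=1 on {0}: {1}' -f $SourcePdc, (Test-TcpipClientSupport $SourcePdc)
foreach ($h in $AdmtHosts) {
    $results += 'Step 7 ADMIN$ share on {0}: {1}' -f $h, (Test-AdminShare $h)
}
$results
```

The script changes nothing on either domain; the auditing settings from steps 4 and 5 are not checked here.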