Windows Server

Guest

Hi all,

I've spent the last two days trying to do a migration of users from a
windows 2003 domain to another windows 2003 domain using ADMTv2.

I prepared the trust relationships between both domains which are
created without errors. (Two-way, External).

But the behaviour is different depending on where I am testing it from:

From the source domain:
1) add the target_domain\Domain Admins group inside the Administrators
group of the source domain: WORKS OK.

And then, from the target domain:
2) doing the same as above: A window pops up asking me for
username/password before I am able to browse the objects of the other
domain (source).
(and it has to be provided with username/password of a source account.
Does not accept any target account, even when I had already done the
first step above and included target_domain\Domain Admins in the
source's Administrators group).

I tried the trust relationship using "runas /user:someone@otherdomain
cmd" in both domains and it seems to work Ok though.

I have also tried 'nlstest' and it reports no errors at all. The same
with netdom.exe.

Thanks a lot for reading all the way through here, and for any pointers
that can help me out.

Vincent Xu [MSFT] · Guest

Hi ,

For your situation, I suspect the problem is caused by the trust. So I have
following suggestion:

1. Re-build the 2-way trust by folllowing the article as below:

325874 How to establish trusts with a Windows NT-based domain in Windows
Server
http://support.microsoft.com/?id=325874

2. Validate the trust on both domains after the trust is built.

3. Take a screen shot when it prompt for username and password. You may
send me the screen shot via v-xuwen@microsoft.com

Best regards,

Vincent Xu
Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page: http://support.microsoft.com/common/international.aspx.

Newsgroup Web Interface Upgrade

Please complete a one-time registration process on your first visit to the
Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
code mspp2005 when prompted. This secure code will be valid for 6 months
after which you will need to update your registration by entering the new
secure code. We will post announcements in the newsgroups prior to
expiration. Once you have entered the secure code mspp2005 , you will be
able to update your profile and access the the partner newsgroups. Please
update your Favorites link to the newsgroups web page, your current link
will redirect until November 1, 2005.

Please post any comment, questions or concerns to the
microsoft.private.directaccess.partnerfeedback newsgroup. For more
information, please go to:
https://partner.microsoft.com/global/technicalsupport/registeredsupport/4001
4662

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

Guest

Thanks a lot Vince!
I'll be following your instructions in the first hours of this morning.

vandresv · Guest

Vince,
I rebuilt the trust but I got the same results.

Now I am in a different phase: I changed the password of the
target_domain administrator to make it the same like the source's
administrator and created a 'forest trust'.
Now I am able to add users of the other domain to any local group
without requiring to input any authentication.

But I found another obstacle, this time with ADMT:

If I tried to migrate the password, I received the error:
'Unable to establish a session with password export server. Access is
denied'.

(I have the password migration dll, installed with the target domain
generated .pes file, according with instructions. Meaning that I have
already set to 1 the allowpasswordexport key, and the
tcpipclientsupport, and reboot the source domain controller)

I have audit enable and all I got is 3 events been logged when I try to
use the password server (from the target):

1- Special privileges assigned to new logon (success0
2-Successful Network logon
3-Fifteen to Twenty seconds after previous event I got a 'suc cess
logoff event.

Thanks a lot,

vandresv · Guest

funny I changed your name to Vince, sorry Vincent

vandresv · Guest

Solved!!!
I had selective authentication on, changed it to wide-forest
authentication and it worked!

Thanks for your help

Vincent Xu [MSFT] · Guest

Hi,

Glad to hear that your problem was resolved.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

--------------------

Trust relationship exists but still dc asks for authenticati

	Windows Server Forum Index -> Migration	All times are GMT
Page 1 of 1