Cannot migrate users with ADMT v3.1 - ERR3:7585.

    Question

  • I have successfully migrated users and computers using ADMT v3 on a Windows Server 2003.  However, this time around (between the same two domains as the previous using ADMT v3) I need to use ADMT v3.1 since I am migrating Vista/7 computers that will require running the Security Translation Wizard.  When testing a user migration, I get the following error:

    [Object Migration Section]

    2010-05-13 16:16:50 Starting Account Replicator.
    2010-05-13 16:16:50 ERR3:7585 The account replicator is unable to continue.   An operations error occurred.
    2010-05-13 16:16:50 Operation completed.

    This is regardless of whether migrating SID History or password.  This is a forest and domain functional level of 2003 in both domains.  I have repeatedly checked the following:

    1. DNS resolves in source and target domain
    2. Two-way trust verified both ways
    3. Target domain account is a member of the builtin Administrators group in source domain.
    4. Target domain account logged onto the ADMT server is a Domain Admin in the target domain and part of the local Administrators group on the ADMT server
    5. All DCs can communicate to RID
    6. Domain account source_domain$$$ exists without any members in source domain
    7. TcpipClientSupport key exists in the source PDC with value of 1 (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)
    8. PES installed on source DC with service turned on and registry key AllowPasswordExport set to 1 (only during migration)
    9. Auditing turned on in the source Default Domain Controllers Policy
    What am I missing?  Since I've successfully used ADMT v3, and am migrating users from and to the same domain, I don't know how v3.1 would not be working.  Is there something different about v3.1?  I have read through the User Guide...not much help in troubleshooting.
    Thursday, May 13, 2010 8:47 PM


All replies

  • I'm beginning to think that this has nothing to do with ADMT v3.1, rather that the ADMT server is running Windows 2008 in a 2003 domain environment.  I say this because when I attempted to login with the source domain account I received this error:

    "security database on the server does not have a computer account for this workstation trust relationship."

    While I am able to add the source domain account into the local administrators group, I am not able to logon with it.

    Friday, May 14, 2010 2:21 PM
  • I think that is the issue.  Check the SPN value on this computer.  I think you are missing the SPN value for your domain.  Add SPN using ADSI edit.

    http://support.microsoft.com/default.aspx/kb/258503?p=1

    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, May 14, 2010 4:06 PM
  • Thanks for the reply.  I have already checked the SPN, and this computer has both HOST records in ADSI.  I've also searched for any other accounts that may have been using the same name, but since this is a new name, I didn't find any duplicates.
    Saturday, May 15, 2010 4:04 PM
  • Is it possible for you to rejoin this computer to the Domain again?  It might break all your applications including ADMT.  It seems like something is going on with that server.

    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, May 16, 2010 2:40 AM
  • Hi,

    Thanks for the post.

    I am wondering if the DC of target domain is GC. If so, please run NLTEST command on the member server performing the migration to check if it was able to find a GC. If not, please use NETDOM command to reset the Secure Channel of the Member Server with the Domain.

    Hope this helps.

    Miles

     

    Monday, May 17, 2010 5:31 AM
  • I have tried rejoining this computer to the domain, and re-installed ADMT.  No luck.
    Monday, May 17, 2010 12:59 PM
  • The target domain is not a GC.  I tried running NETDOM, and was successful in completing the reset; however, I am still unable to migrate a user.  The same error above appears.
    Monday, May 17, 2010 1:13 PM
  • Are you still getting the “security database on the server does not have a computer account for this workstation trust relationship” error message?

    http://portal.sivarajan.com/2010/05/workstation-trust-relationship-issue.html

    Where did you install the ADMT?  Make sure ADMT server is in your target domain. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, May 17, 2010 7:18 PM
  • Yes, still getting that error message when attempting to logon to the ADMT server with a source domain account.  However, the ADMT server is joined to the target domain.  Again, the SPN value on this computer has been verified that it is correct.
    Monday, May 17, 2010 7:45 PM
  • logon to the ADMT server with a source domain account >>>

    Follow these instructions to create and configure account.

    http://portal.sivarajan.com/2010/04/admt-service-account-permission-and.html

    Log on to the ADMT server using the target account, not the source account.

    Did you install this server?  Did you copy the image?  If so, did you sysprep before you join it to the domain?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, May 17, 2010 11:26 PM
  • Forget about ADMT for now.  I think there is something going on with the server itself, not ADMT.  If you are using a server image, make sure to Sysprep before you join the server to the Domain.  Test everything before you install ADMT.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, May 17, 2010 11:42 PM
  • I appreciate your help.  I've actually already done this as well.  My target domain account is a member of the source domain Administrators group.  ADMT 3.1 was installed on a fresh install of Server 2008.  Like I mentioned in my original post, I've already successfully migrated users and computers using ADMTv3 in the same source and target domains, so I know that my setup is correct.  However, when I try to use ADMT v3.1 on a Server 2008 joined to the target domain, the migration fails.  I only mentioned the logon error because I think it is related to the ADMT error (ERR3:7585). 
    Tuesday, May 18, 2010 4:31 AM
  • So you are getting the “workstation trust relationship” error only after you install ADMT?

    Also, are you copying the server image?  Or was it a new install?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, May 18, 2010 9:21 PM
  • No.  I noticed this happens on all of our Windows Server 2008 servers, Vista SP1, and Windows 7.  ADMT was installed on a new server.  We did not use an image.
    Friday, May 21, 2010 4:06 PM
  • Yes. That is the reason I was suspecting SPN issues.  You don’t see this issue on Windows XP machines.    Do you have any DNS related issues?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, May 23, 2010 3:25 AM
  • No issues with DNS.  I am able to successfully communicate with both domains via NetBios, FQDN, and IP.  The SPN record shows both HOST records (HOST/servername, HOST/servername.target.domain).
    Tuesday, May 25, 2010 3:24 PM
  • Hi saym. Is there any update on this issue? I have the same problem: ADMT can migrate several objects and suddenly gets this error message.
    Tuesday, June 08, 2010 9:34 PM
  • Hi, any comment?  In my case I have the same error, and ADMT is installed on a Win2008 server. Please help. The strange thing here is that this does not happen on a server with 2003 and ADMT 3.0. I had to install 3.1 because with 3.0 it is not possible to migrate Vista machines; however, now I am having this issue.

    Tuesday, June 08, 2010 10:32 PM
  • I have not found a solution yet.  I double checked DNS records for all of our DCs, and found they were correct.  I had to resort to using ADMT 3.0 and manually move vista/7 computers to the target domain.  Luckily, we only have a handful for this particular group.  I know there will be many more for the next one.  I would really appreciate some help.
    Wednesday, June 09, 2010 1:46 PM
  • I believe I found the solution.  I assumed that since our domain and forest levels are 2003 that our trust type was NT5 "UPLEVEL"; however, when I ran replmon.exe on one of the DCs, I found that it was actually NT4 "DOWNLEVEL".  Our domain was originally created on NT4, then was rebuilt to 2000 and again to 2003, but it was before my time in this company.  Once I re-created the trusts I was able to authenticate from either domain.  I should be able to use ADMT 3.1 on W2K8 at this point.
    • Marked as answer by saym Thursday, July 08, 2010 9:29 PM
    Wednesday, June 30, 2010 9:42 PM
  • That was it.  ADMT3.1 works on W2K8 now.
    Thursday, July 08, 2010 9:28 PM
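
The accepted answer traced the failure to a trust recorded as NT4 "DOWNLEVEL" instead of "UPLEVEL". The following added example (not part of the original thread, and not Microsoft's or ADMT's code) reads the `trustType` attribute of each `trustedDomain` object under `CN=System` and flags downlevel trusts. The function name `Get-DomainTrustType` is hypothetical; the script assumes it is run on a domain-joined machine by an account that can read the System container.

```powershell
# Added example: enumerate trusts in the current domain and flag NT4-style ones.
# trustType values per the AD schema: 1 = DOWNLEVEL, 2 = UPLEVEL, 3 = MIT, 4 = DCE.
$trustTypeNames = @{ 1 = 'DOWNLEVEL (NT4-style)'; 2 = 'UPLEVEL (Active Directory)';
                     3 = 'MIT (Kerberos realm)';  4 = 'DCE' }
$directionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }

function Get-DomainTrustType {
    param(
        # Distinguished name of the domain to inspect; defaults to the current domain.
        [string]$DomainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDn"
    $searcher.Filter     = '(objectClass=trustedDomain)'
    $searcher.PageSize   = 100
    foreach ($p in 'name', 'flatname', 'trusttype', 'trustdirection') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $type = [int]$r.Properties['trusttype'][0]
        $dir  = [int]$r.Properties['trustdirection'][0]

        # Fall back to the raw number if the value is not one of the known codes.
        $typeName = $trustTypeNames[$type]
        if (-not $typeName) { $typeName = "Unknown ($type)" }
        $dirName = $directionNames[$dir]
        if (-not $dirName) { $dirName = "Unknown ($dir)" }

        New-Object PSObject -Property @{
            TrustedDomain = [string]$r.Properties['name'][0]
            FlatName      = [string]$r.Properties['flatname'][0]
            TrustType     = $typeName
            Direction     = $dirName
            IsDownlevel   = ($type -eq 1)   # the condition found in this thread
        }
    }
}

# Run in both the source and the target domain; a trust is stored on each side.
Get-DomainTrustType |
    Select-Object TrustedDomain, FlatName, TrustType, Direction, IsDownlevel |
    Format-Table -AutoSize
```

Any row with `IsDownlevel` set to `True` between two Active Directory domains matches the situation described in the answer, where the trusts had to be re-created.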